Read AFI31-406_USAFESUP1_I.pdf text version

BY ORDER OF THE SECRETARY OF THE AIR FORCE

AIR FORCE INSTRUCTION 31-406 29 JULY 2004 UNITED STATES AIR FORCES IN EUROPE Supplement 1 20 APRIL 2006 Incorporating Change 1, 17 March 2010 Certified current 23 January 2012 Security APPLYING NORTH ATLANTIC TREATY ORGANIZATION (NATO) PROTECTION STANDARDS

COMPLIANCE WITH THIS PUBLICATION IS MANDATORY ACCESSIBILITY: Publications and forms are available on the e-Publishing website at www.e-publishing.af.mil for downloading or ordering. RELEASABILITY: There are no releasability restrictions on this publication. OPR: HQ USAF/XOFI (Mr Steven E. Harris) Supersedes: AFI 31-406, 1 April 2000 OPR: USAFE/IPO (USAFE) Certified by: USAFE/IPO (Ms. Sandra J. Kuypers) Pages:24 Certified by: HQ USAF/XOF (Brig General Richard A. Coleman) Pages: 65

This instruction contains Air Force (AF) unique guidance needed to implement AF Policy Directive (AFPD) 31-4, Information Security and supplement United States Security Authority for NATO Affairs (USSAN) Instruction 1-69, United States Implementation of NATO Security Procedures, 1982 and DoD Directive 5100.55, United States Security Authority for North Atlantic Treaty Organization Affairs, 21 April 1982. All these references together describe how to protect and handle NATO classified information and information releasable to NATO organizations. For user convenience, specific policy references are listed at the end of each paragraph where applicable. Maintain and dispose of all records created as a result of processes prescribed in this instruction in accordance with AFMAN 37-139, Records Disposition Schedule. HQ USAF/XOF is delegated approval authority for revisions to this AFI. (USAFE) AFI 31-406, 29 July 2004, is supplemented as follows: This supplement applies to all United States Air Forces in Europe (USAFE) units, including assigned or attached Air Force Reserve Command (AFRC) and Air National Guard (ANG) units and personnel as appropriate.

2

AFI31-406_USAFESUP1_I 20 APRIL 2006

This supplement does not apply to regular Air Force Reserve Command (AFRC) or Air National Guard (ANG) units. Ensure that all records created as a result of processes prescribed in this publication are maintained in accordance with AFMAN 37-123, Management of Records and disposed of in accordance with the Air Force Records Disposition Schedule (RDS) located at: https://afrims.amc.af.mil. and AFI 33-332, Privacy Act Program. SUMMARY OF CHANGES This revision incorporates Interim Change IC2004-1. This change revises the timeframe for periodic re-investigations for Secret information from 5 years to 10 years. Requires submission at the nine year mark. (USAFE) This interim change (IC) reflects new guidelines that clarify requirements for the command and unit NATO security program; transfers responsibility of NATO security program from HQ USAFE/A7SXI to HQ USAFE/IP.

Chapter 1--POLICY AND PROGRAM MANAGEMENT 1.1. 1.2. 1.3. 1.4. 1.5. 1.5. 1.6. 1.6. 1.7. 1.8. 1.8. 1.9. 1.9. 2.1. 2.2. 2.3. 2.4. 2.5. Policy. ................................................................................................................ Applicability. ...................................................................................................... Program Management. ........................................................................................ Types of Information. ......................................................................................... Changes to Policy. .............................................................................................. (USAFE) Changes to Policy. .............................................................................. Waivers. ............................................................................................................. (USAFE) Waivers. ............................................................................................. Inspections. ........................................................................................................ Security Education. ............................................................................................. (USAFE) Security Education. ............................................................................. Release of US Classified or Sensitive Unclassified Information to NATO. .......... (USAFE) Release of US Classified or Sensitive Unclassified Information to NATO. General. .............................................................................................................. Derivative Classification. .................................................................................... Challenges to Classification. ............................................................................... Downgrade or Declassification. .......................................................................... Reviewing CTS Documents. ...............................................................................

6 6 6 6 7 7 7 7 7 7 8 8 8 9 10 10 10 10 10 10

Chapter 2--CLASSIFICATION MANAGEMENT

AFI31-406_USAFESUP_I 20 APRIL 2006

2.5. 2.6. 2.6. 3.1. 3.2. 3.3. 3.4. 3.5. 3.5. 3.6. 4.1. 4.2. 4.3. 4.3. 4.4. 4.5. 4.6. 4.7. 4.8. 4.8. 4.9. 4.9. 4.10. 4.11. 4.12. 4.13. 5.1. 5.1. 5.2. (USAFE) Reviewing CTS documents. ................................................................ Reviewing NATO Secret/Confidential Documents. ............................................. (USAFE) Reviewing NATO Secret/confidential Documents. .............................. General. .............................................................................................................. Documents Released into NATO. ....................................................................... Electronically Transmitted Messages. ................................................................. NATO Extracted Information in US Documents. ................................................ NATO Restricted. ............................................................................................... (USAFE) NATO Restricted. ............................................................................... Subjects and Titles. ............................................................................................. General. .............................................................................................................. NATO Access Granting Authority. ..................................................................... NATO Restricted. ............................................................................................... (USAFE) NATO Restricted. ............................................................................... Extracts of NATO Classified Information in US Classified Documents. .............. Access by Non-US Nationals. .............................................................................

3

10 11 11 12 12 12 12 13 14 14 14 15 15 15 15 15 15 15

Chapter 3--MARKING

Chapter 4--ACCESS

Temporary Duty (TDY) Assignments Requiring Access to NATO Classified Information. ............................................................................................................................. 16 Security Clearance Certificates. .......................................................................... Contractors. ........................................................................................................ (USAFE) Contractors. ........................................................................................ Briefings. ........................................................................................................... (USAFE) Briefings. ............................................................................................ Debriefing. ......................................................................................................... Refusal to Sign a Termination Statement. ........................................................... Temporary Access. ............................................................................................. NATO Billets. .................................................................................................... Storage. .............................................................................................................. (USAFE) Storage. .............................................................................................. NATO Restricted. ............................................................................................... 16 16 16 16 16 17 17 17 18 19 19 19 20

Chapter 5--SAFEGUARDING

4

5.2. 5.3. 5.4. 5.5. 5.6. 5.7. 5.8. 5.9. 5.10. 5.11. 5.11. 5.12. 5.12. 5.13. 5.14. 5.14. 5.15. 5.16. 5.17. 6.1. 6.2. 6.3. 6.3. 6.4. 6.5. 6.6. 6.7. 7.1. 7.2. 7.3. 7.4.

AFI31-406_USAFESUP1_I 20 APRIL 2006

(USAFE) NATO Restricted. ............................................................................... Combinations. .................................................................................................... Cover Sheets. ..................................................................................................... NATO Extracts. .................................................................................................. Document Control: ............................................................................................. Document Control: ............................................................................................. Document Control: ............................................................................................. Document Control: ............................................................................................. Page Changes. .................................................................................................... Reproduction. ..................................................................................................... (USAFE) Reproduction. ..................................................................................... Destruction. ........................................................................................................ (USAFE) Destruction. ........................................................................................ Emergency Planning. .......................................................................................... Classified Meetings and Conferences. ................................................................. (USAFE) Classified Meetings and Conferences. ................................................. Information Systems (IS). ................................................................................... Technical Surveys. ............................................................................................. Emission Security. .............................................................................................. General. .............................................................................................................. NATO Confidential. ........................................................................................... NATO Restricted. ............................................................................................... (USAFE) NATO Restricted. ............................................................................... Inner Container. .................................................................................................. Receipts. ............................................................................................................. Handcarrying. ..................................................................................................... NATO Cryptographic Material. .......................................................................... Subregistry. ........................................................................................................ Control Point. ..................................................................................................... User. .................................................................................................................. Communication Centers. .................................................................................... 20 20 20 21 21 21 21 22 22 22 22 23 23 23 24 24 24 24 24 25 25 25 25 25 25 25 25 26 27 27 28 28

Chapter 6--TRANSMISSION

Chapter 7--SUBREGISTRIES, CONTROL POINTS, AND COMMUNICATIONS CENTERS 27

AFI31-406_USAFESUP_I 20 APRIL 2006

Chapter 8--SECURITY INCIDENTS 8.1. 8.1. 8.2. 8.3. 8.3. 8.4. 8.5. Reporting. .......................................................................................................... (USAFE) Reporting. ........................................................................................... Investigations. .................................................................................................... NATO Restricted. ............................................................................................... (USAFE) NATO Restricted. ............................................................................... Cryptographic Material. ...................................................................................... ((Added)(USAFE)) Forms/IMTs adopted: ..........................................................

5

29 29 29 29 29 29 29 30 34

Attachment 1--GLOSSARY OF REFERENCE AND SUPPORTING INFORMATION

Attachment 1--(USAFE) GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION 34 Attachment 2--SAMPLE NATO SECURITY CLEARANCE CERTIFICATION CERTIFICATE 36 Attachment 3--SAMPLE AF FORM 2583 Attachment 3--(USAFE) SAMPLE AF IMT 2583. Attachment 4--SAMPLE INITIAL NATO SECURITY BRIEFING Attachment 5--SAMPLE ATOMAL BRIEFING Attachment 6--SAMPLE NATO ACCESS DEBRIEFING Attachment 7--INTERIM CHANGE 2004-1 TO AFI 31-406 Attachment 8--(Added-USAFE) NATO RESTRICTED Attachment 9--(Added-USAFE) NATO UNCLASSIFIED Attachment 10--(Added-USAFE) USAFE SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET) ACCREDITATION FOR NATO CLASSIFIED INFORMATION 39 39 40 43 45 46 50 56

60

6

AFI31-406_USAFESUP1_I 20 APRIL 2006

Chapter 1 POLICY AND PROGRAM MANAGEMENT 1.1. Policy. It is Air Force policy to identify, derivatively classify, downgrade, declassify, mark, protect, and destroy classified NATO information and material in its possession as required by NATO policies. This general policy statement also applies to NATO unclassified information consistent with relevant statutes, regulations and directives. 1.2. Applicability. This instruction governs the Air Force NATO Safeguarding Program and takes precedence over all instructions affecting NATO classified material in the possession of Air Force units. 1.3. Program Management. [Reference USSAN 1-69, ATT 1, paragraph 17]. 1.3.1. The Administrative Assistant to the Secretary of the Air Force (SAF/AA) is the senior Air Force official for the NATO security system within the Air Force, referred to as the Air Force NATO Safeguarding Program. 1.3.2. The Deputy Under Secretary of the Air Force, International Affairs, (SAF/IA) oversees the release of Air Force classified information to foreign governments, persons, and international organizations. 1.3.3. The Chief, Information Security Division (HQ USAF/XOFI) is responsible for formulating policy, resource advocacy, and oversight of the Air Force NATO Safeguarding Program. 1.3.4. Headquarters United States Air Forces in Europe, Security Forces Directorate, Security Programs Division (HQ USAFE/SFI), is the AF lead office for the NATO Safeguarding Program and as such advises USAF/ XOFI on policy, coordinates directives, instructions, and handbooks, and, in conjunction with HQ USAF/XOFI, represents the Air Force at NATO meetings and interagency forums. 1.3.4.(USAFE) USAFE, Security Forces Directorate, Installation and Mission Support Directorate, Security Forces Division, Operations Support Branch, Information Security Section (HQ USAFE/A7SXI) is changed to USAFE, Information Protection Directorate (HQ USAFE/IP). 1.3.5. Commanders of MAJCOMs, direct reporting units (DRU), field operating agencies (FOA), and installations are responsible for establishing a NATO Safeguarding Program, identifying requirements, and executing their programs to comply with this memo within their activities. 1.3.6. The Information Security Program Manager (ISPM), appointed under AFI 31-401, Information Security Program Management, chapter 1, provides policy, guidance, and oversees the activity or installation NATO Safeguarding Program. This responsibility does not include management oversight of the local subregistry. 1.3.7. Commanders of organizations with subregistries are responsible for the overall operation of their subregistries and control points. The unit responsible for Information Management normally manages the local subregistry.

AFI31-406_USAFESUP_I 20 APRIL 2006

7

1.3.7. (USAFE) . Commanders will establish a unit control point with the servicing Sub Registry if their organization routinely maintains in excess of 10 or more North Atlantic Treaty Organization (NATO) classified documents or has 10 or more Security Internet Protocol Router Network (SIPRNet) terminals, or a combination thereof. Commanders of organizations that have less that 10 SIPRNet terminals and/or do not maintain NATO classified information will appoint in writing, a user to control and account for NATO classified within the organization. See Attachment 10 (Added) for additional information. 1.3.8. NATO classified material stored inside a Sensitive Compartmented Information Facility (SCIF) is subject to the provisions of this instruction. 1.4. Types of Information. 1.4.1. NATO. The "NATO" marking means the information is the property of NATO requiring the NATO originator's consent for dissemination outside of NATO and is subject to the security protection in this instruction. 1.4.2. ATOMAL. Refers to atomic information provided by the governments of the United States and/or United Kingdom to NATO under the Agreement Between the Parties to the North Atlantic Treaty Organization for Co-Operation Regarding Atomic Information. 1.4.3. COMSIC Top Secret (CTS). COSMIC is a NATO marking and designation that is synonymous with Top Secret and is applied exclusively to all copies of Top Secret documents prepared for circulation within NATO. CTS will be applied only to information that the unauthorized disclosure would result in exceptionally grave damage to NATO. 1.4.4. NATO Secret (NS). Applied only to information the unauthorized disclosure of which would result in serious damage to NATO. 1.4.5. NATO Confidential (NC). Applied only to information the unauthorized disclosure of which would result in damage to NATO. 1.4.6. NATO Restricted (NR). The US does not have a security classification equivalent to NATO Restricted. NATO information classified as Restricted shall be safeguarded in a manner that shall prevent disclosure to non-Governmental personnel. 1.4.7. NATO Unclassified (NU). NATO unclassified information may not be released to non-NATO nations, organizations, and individuals without approval of NATO. [Reference USSAN 1-69, ATT 1, paragraph 4.1]. 1.4.7. (USAFE) NATO Unclassified (NU). Refer to Attachment 9. (Added). 1.5. Changes to Policy. Submit recommended changes to this guidance or USSAN 1-69 through ISPM channels to HQ USAF/XOFI. [Reference USSAN 1-69, ATT 1, paragraph 20]. 1.5. (USAFE) Changes to Policy. Within USAFE, recommended changes are submitted by the Information Security Program Manager (ISPM) to HQ USAFE/IP. 1.6. Waivers. Send requests for waivers or exceptions through ISPM channels to HQ USAF/XOFI. 1.6. (USAFE) Waivers. Within USAFE, requests for waivers or exceptions are submitted by the ISPM to HQ USAFE/IP. 1.7. Inspections.

8

AFI31-406_USAFESUP1_I 20 APRIL 2006 1.7.1. Include the NATO Safeguarding Program in self-inspections, program reviews, staff assistant visits, and Inspector General inspection/reviews as explained in DoD 5200.1-R, Information Security Program, chapter 1, and AFI 31-401, chapter 1. 1.7.1.1. ISPMs will review subregistries when performing program reviews of the servicing unit. ISPM reviews of control points can be used to meet the requirement of paragraph 1.7.2 below. 1.7.2. Subregistries will inspect their control points at least once every 18 months. As explained in paragraph 1.7.1.1, ISPM reviews may be used to fulfill this requirement. [Reference USSAN 1-69, ATT 1, paragraph 120]. 1.7.2. (USAFE) ISPMs should inspect unit control points during annual program reviews. 1.7.3. The Central United States Registry (CUSR) inspects Air Force CTS, ATOMAL, and NATO Secret subregistries and control points. The CUSR provides written results of the inspection to the activity concerned. Subregistries and control points will forward a copy of CUSR inspection reports to their servicing ISPM. Commanders of subregistries and control points return reports of corrective action directly to the CUSR with an information copy to their servicing ISPM. Recommend local or MAJCOM ISPMs accompany CUSR inspectors during their inspection. [Reference USSAN 1-69, ATT 1, paragraph 18d, 120, and ATT 2, paragraph 56]. 1.7.3. (USAFE) ISPMs will: 1.7.3.1. (Added-USAFE) Forward a copy of Central United States Registry (CUSR) inspection reports to HQ USAFE/IP not later than 10 duty days following receipt of the inspection report. 1.7.3.2. (Added-USAFE) Forward a copy of the corrective action report to HQ USAFE/IP not later than 30 calendar days following receipt of the inspection report. For corrective actions that cannot be completed within 30 calendar days, subsequent reports will be forwarded every 30 calendar days to HQ USAFE/IP.

1.8. Security Education. Include procedures for safeguarding NATO classified information with the required training contained in DoD 5200.1-R, chapter 9, and AFI 31-401, chapter 8. 1.8. (USAFE) Security Education. Ensure all personnel receive NATO training to include identification of NATO materiel and requirement to safeguard any information found until it can be controlled by an indoctrinated person. 1.8.1. Foreign Contact/Travel Briefing. For training requirements or briefings pertaining to counter intelligence activities relating to foreign travel or foreign attendance, contact the servicing Air Force Office of Special Investigations (AFOSI) Detachment. [Reference USSAN 1-69, ATT 1, paragraph 36 & 37]. 1.9. Release of US Classified or Sensitive Unclassified Information to NATO. Do not release US classified information or sensitive unclassified information to NATO without approval from the supporting foreign disclosure office. See AFI 16-201, Foreign Disclosure of Classified and Unclassified Military Information to Foreign Governments and International Organizations. [Reference USSAN 1-69, ATT 1, paragraph 3a].

AFI31-406_USAFESUP_I 20 APRIL 2006

9

1.9. (USAFE) Release of US Classified or Sensitive Unclassified Information to NATO. Do not release United States (U.S.) classified information or sensitive unclassified information to NATO without approval from the Intelligence Directorate, Applications/Security Operation (HQ USAFE/A2A), command foreign disclosure office (FDO).

10

AFI31-406_USAFESUP1_I 20 APRIL 2006

Chapter 2 CLASSIFICATION MANAGEMENT 2.1. General. Air Force original classification authorities (OCAs) do not originally classify NATO information, but rather U.S. information under the guidelines set forth in DoD 5200.1-R, Chapter 2 and AFI31-401, Chapter 2. 2.1.1. The principle of classification, marking, downgrading, etc., as outlined in DoD 5200.1-R and AFI 31-401, apply to NATO classified material.[Reference USSAN 1-69, ATT 1, paragraphs 68-74]. 2.1.2. For AF officials that hold both AF positions and NATO positions, DoD 5200.1-R and AFI31-401 pertain to information classified for exclusive US use and applicable NATO security regulations pertain to information classified for exclusive NATO use. These officials derive NATO classification authority through HQ SHAPE as a result of their position in NATO and not the Department of Defense. 2.2. Derivative Classification. Responsibility for derivative application of NATO classification marking rests with the individuals who include, paraphrase, restate, or generate in new form, information already classified by NATO authorities, or apply classification markings based on guidance from a NATO original classification authority (OCA). Persons who apply derivative classification markings must: [Reference USSAN 1-69, ATT 1, paragraph 93 and 94]. 2.2.1. Carry forward the NATO classification marking. 2.2.2. Carry forward the assigned date or event of declassification and any other additional markings. 2.3. Challenges to Classification. Challenge the classification of information when a substantial reason to believe the information is classified improperly or unnecessarily exists. [Reference USSAN 1-69, ATT 1, paragraph 74]. 2.3.1. Send challenges to NATO classified information through ISPM channels to HQ USAF/XOFI. HQ USAF/XOFI will forward challenges to the CUSR for appropriate action. 2.3.1. (USAFE) Within USAFE, classification challenges are submitted by the ISPM to HQ USAFE/IP. 2.4. Downgrade or Declassification. Air Force personnel may not downgrade or declassify NATO information without the specific consent of the NATO originator. This also applies to extracted NATO classified information in US documents. [Reference USSAN 1-69, ATT 1, paragraph 76]. 2.5. Reviewing CTS Documents. Annual inventory and "clean out day" under DoD 5200.1-R and AFI 31-401 satisfies this requirement. [Reference USSAN 1-69, ATT 1, paragraph 77 and 112]. 2.5. (USAFE) Reviewing CTS documents. Within USAFE, the second Wednesday of February is the USAFE annual clean-out day.

AFI31-406_USAFESUP_I 20 APRIL 2006

11

2.6. Reviewing NATO Secret/Confidential Documents. Annual "clean out day" under DoD 5200.1-R and AFI 31-401 satisfies this requirement. [Reference USSAN 1-69, ATT 1, paragraph 77.2 and 112]. 2.6. (USAFE) Reviewing NATO Secret/confidential Documents. Within USAFE, the second Wednesday of February is the USAFE annual clean-out day.

12

AFI31-406_USAFESUP1_I 20 APRIL 2006

Chapter 3 MARKING 3.1. General. Classified material containing the words "COSMIC" or "NATO" before the classification marking indicates the material belongs to NATO. This includes material received from NATO in which the US has original classification authority. [Reference USSAN 1-69, ATT 1, paragraph 2, 3, and 27]. 3.2. Documents Released into NATO. Before an activity releases a classified or sensitive unclassified document to NATO, the last US activity having custody of the material must apply NATO security markings. Additionally, markings identified in AFI 16-201, chapter 3, will be applied, if applicable. Copies of these documents that stay in US channels are marked as US documents and controlled according to DoD 5200.1-R and AFI 31-401. Mark the file copies with the appropriate statement reflecting releasability, see paragraph 1.9 of this instruction and AFI 16-201. [Reference USSAN 1-69, ATT 1, paragraph 78a]. 3.2.1. Reference Numbers. When a US classified document is released into NATO as CTS, NS, or ATOMAL, the servicing subregistry or control point officer assigns a sequential reference number to the document. For electronic messages, include the reference number before downgrading or declassification instruction at the end of the message text. Do not place numbers on copies kept in US channels, treat these as US documents of equivalent classification. Develop reference numbers by using the organizations address symbol, classification abbreviation, a sequential document number, and calendar year (for example: 786CS/NS/01/99). [Reference USSAN 1-69, ATT 1, paragraph 81 and ATT 2, paragraph 38(e)]. 3.2.2. Copy Numbers. Place a copy number on the outside cover or first page for each Top Secret or Secret document released to NATO. These copy numbers deal with the total number of copies released to NATO (for example, two copies of the same document are released - Copy 1 of 2 or Copy 2 of 2). [Reference USSAN 1-69, ATT 1, paragraph 81 and 89(a)]. 3.2.3. Page Numbers. Each page of a classified document released to NATO carries a page number. Do not consider pages without printed text as a page. [Reference USSAN 1-69, ATT 1, paragraph 85]. 3.2.4. Restricted Data and Formerly Restricted Data. Restricted Data and Formerly Restricted Data released into NATO will include the following statement "This document contains United States ATOMIC information (Restricted Data or Formerly Restricted Data) made available pursuant to the NATO Agreement Between the Parties to the North Atlantic Treaty for Co-operation Regarding ATOMIC Information dated June 18, 1964, and will be safeguarded accordingly." [Reference USSAN 1-69, ATT 2, paragraph 38(b)(1)]. 3.3. Electronically Transmitted Messages. Address messages intended for NATO to a US element, include the following statement on the first line of text after the US classification "RELEASABLE TO NATO AS NATO (classification)." [Reference USSAN 1-69, ATT 1, paragraph 78b].

AFI31-406_USAFESUP_I 20 APRIL 2006

13

3.3.1. When necessary to transmit an electronic message directly to a NATO organization, include the following statement on the first line of text after the US classification, "NATO (classification) FOR NATO ADDRESSEES". 3.3.2. The last line of text of a classified message to NATO shows appropriate reference numbers (Top Secret and Secret), the date or event of downgrading (if applicable), and the date or event of declassification. 3.4. NATO Extracted Information in US Documents. Identify NATO classified information by applying portion marking to the extracted information. Apply US classification or unclassified marking only to portions of the document containing US classified information. Show the overall page marking of documents containing NATO extracts with the US classification designation equivalent. Place the statement "This Document Contains NATO (classification) Information" on the face of the document. [Reference USSAN 1-69, ATT 1, paragraph 93 and 94]. 3.4.1. Show the source of classification in the "Derived From" line. If the only classified source is NATO information, the "Derived From" line identifies the NATO source as the classification authority. If there is US and NATO classified sources, the "Derived From" line identifies both US and NATO sources or the statement "Multiple Sources". When "Multiple Sources" is used, list each source of classification on the file or record copy of the document. 3.4.2. The "Declassify On" line for AF documents containing NATO classified information will reflect both US and NATO declassification instruction as appropriate. If the NATO information does not contain a declassification instruction, the information falls under one of the exemption rules for automatic declassification under DoD 5200.1-R. The following are exemptions that would be used for NATO information; X5 (reveal foreign government information), 25X6 (reveal information that would seriously and demonstrably impair relations between the US and a foreign government), or 25X9 (Violate a statute, treaty, or international agreement). Other exemptions may also apply. [Reference USSAN 1-69, ATT 1, paragraph 76, 93 and 94]. 3.4.2. (USAFE) Based on Executive Order 12958, as Amended, Classified National Security Information, dated 25 March 2003, and Information Security Oversight Office (ISOO) Classified National Security Information Directive No. 1, dated 22 September 2003, the exemption rules for automatic declassification have changed. Continue to properly apply the appropriate declassification instruction for U.S. and NATO classified information in the "Declassify On" line. If the NATO information does not contain a declassification instruction, the following exemptions will be applied: 3.4.2.1. (Added-USAFE) 25X6 (reveal information, including foreign government information that would seriously and demonstrably impair relations between the United States and a foreign government, or seriously and demonstrably undermine ongoing diplomatic activities of the United States). 3.4.2.2. (Added-USAFE) 25X9 (violate a statute, treaty, or international agreement). 3.4.3. ATOMAL Extracts. When extracting ATOMAL information into US documents: [Reference USSAN 1-69, ATT 2, paragraph 46].

14

AFI31-406_USAFESUP1_I 20 APRIL 2006 3.4.3.1. Portion mark the sections containing the ATOMAL information (i.e. NCA, NSA, CTSA). 3.4.3.2. Mark top and bottom of each page containing an ATOMAL extract with the US equivalent security classification. 3.4.3.3. Mark the cover, or in the absence of a cover, the first page, with the Restricted Data or Formerly Restricted Data warning notice (see DoD 5200.1-R, paragraph 5-208) and the statement "This Document Contains NATO (classification) ATOMAL Information". 3.4.3.4. Include a "Derived From" line but not a declassification date.

3.5. NATO Restricted. When NATO Restricted information is included in an otherwise Unclassified AF document, the following statement shall be affixed to the top and bottom of the cover, or in the absence of a cover, the first page, with "This Document Contains NATO Restricted Information, Safeguarded in Accordance with USSAN Instruction 1 -69" and all portions must be marked to identify the information as NATO Restricted (NR), NATO Unclassified (NU), or Unclassified (U). [Reference USSAN 1-69, ATT 1, paragraph 78c]. 3.5. (USAFE) NATO Restricted. Based on clarification guidance from the U.S. Central Registry, the NATO Restricted (NR) statement affixed to the top and bottom of the cover, or in the absence of the cover, the first page, is changed to "This page contains NATO RESTRICTED information and should be safeguarded in accordance with AFI 31-406." Refer to Attachment 8 (Added) for additional information and guidance on NATO Restricted. 3.5.1. The first line of an otherwise Unclassified AF electronic message containing NATO Restricted extracts will contain "This message contains NATO Restricted information. Safeguard IAW USSAN 1-69." All portions must be marked to identify the information as NATO Restricted (NR), NATO Unclassified (NU), or Unclassified (U). 3.5.1. (USAFE) The first line of unclassified Air Force (AF) electronic messages containing NATO Restricted (NR) extracts will state "This message contains NATO Restricted information. Safeguard according to AFI 31-406". All portions must be marked to identify the information as NATO Restricted (NR), NATO Unclassified (NU), or Unclassified (U). 3.6. Subjects and Titles. When subjects and titles are classified, include an unclassified short title. When no unclassified title is provided, use the first letter of each word of the classified subject to make an unclassified title. [Reference USSAN 1-69, ATT 1, paragraph 80].

AFI31-406_USAFESUP_I 20 APRIL 2006

15

Chapter 4 ACCESS 4.1. General. To grant access to NATO classified information (NC, NS, CTS) three elements must be met. [Reference USSAN 1-69, ATT 1, paragraph 29, 30, and 39]. 4.1.1. Individual must have a current US security clearance equal to or greater than the classification level of the NATO information and meet all requirements for access to US classified information. 4.1.1.1. (Added-USAFE) Utilize Joint Personnel Adjudication System (JPAS) to verify whether or not individual has been granted access to NATO. 4.1.2. Individual must have a need-to-know. 4.1.3. Individual must have been briefed and granted access to the appropriate level in accordance with paragraph 4.9 of this instruction. 4.2. NATO Access Granting Authority. Commanders and staff agency chiefs designate officials in their headquarters, unit, or activity to grant access to NATO classified information, including ATOMAL information. The access granting authority need not have access to NATO classified information. [Reference USSAN 1-69, ATT 1, paragraph 30]. 4.2.1. Access granting officials must annually review authorization for access to ATOMAL, see paragraph 4.9.1 of this instruction. [Reference USSAN 1-69, ATT 2, paragraph 40c]. 4.3. NATO Restricted. Persons requiring access to NATO Restricted documents do not require a security clearance or granted access by a granting authority; however determine the person's need-to-know. Before disclosing NATO Restricted information, inform the person of security protection requirements for safeguarding the information and the consequence of negligent handling. [Reference USSAN 1-69, ATT 1, paragraph 33]. 4.3. (USAFE) NATO Restricted. Refer to Attachment 8 (Added) for additional information and guidance on NATO Restricted. 4.4. Extracts of NATO Classified Information in US Classified Documents. A US security clearance equal to or greater than the classification level of the information is needing to access this type of document. A NATO access authorization is not required for access to these documents. [Reference USSAN 1-69, ATT 1, paragraph 93]. 4.5. Access by Non-US Nationals. 4.5.1. Cleared nationals of NATO member nations may have access to NATO classified based upon a written assurance from their appropriate government authority that they have been granted access to NATO classified and a clear need-to-know exists. The final need-toknow determination is always made by the person in possession of the information, although there are times when a government or contract document will include these statements. 4.5.2. Nationals of NATO member nations employed by the AF may be granted access to NATO classified, provided the government of the country which the individual is a citizen has given assurance that the person is authorized and has been granted such access. The home country of the individual grants NATO access. The only time US authorities can grant

16

AFI31-406_USAFESUP1_I 20 APRIL 2006 NATO access to a non-US national is when the individual has an Limited Access Authorization (LAA) as covered in para 4.5.3. 4.5.3. Non-US citizens with an approved LAA, based on a favorable Single Scope Background Investigation (SSBI), who are citizens of NATO member nations may be granted access to NATO classified, by US authorities, to the level of their LAA, provided a NATO mission essential need-to-know exists. 4.5.4. Non-US citizens who are citizens of non-NATO member nations will not be granted access to NATO classified information.

4.6. Temporary Duty (TDY) Assignments Requiring Access to NATO Classified Information. Parent organizations grant NATO access before a TDY. Include NATO access authorizations in DD Form 1610, Request and Authorization for TDY Travel of DoD Personnel. When NATO access requirements arise during a TDY, host commanders assume the responsibility of providing initial and termination briefings. 4.7. Security Clearance Certificates. Access granting authorities must provide security clearance certificates when AF personnel are assigned to a NATO billet, on TDY to a NATO organization, or when requested. See Attachment 2 or USSAN 1-69, ATT 3, section VII. A. for a sample certificate. [Reference USSAN 1-69, ATT 1, paragraph 31]. 4.8. Contractors. The Air Force grants its contractors access to NATO classified information via the DD Form 254, DoD Contract Security Classification Specification, block 10g. The contractor is responsible for approving access authorizations for its employees, to include providing initial briefings, rebriefings and debriefings. The Air Force may also conduct these briefings. This should be clearly stated in either the contract Statement of Work, DD Form 254, or Visitor Group Security Agreement. When approved by an Air Force official, contractor access authorizations will be annotated in accordance with paragraphs 4.9 and 4.10 below. 4.8. (USAFE) Contractors. Contractor access to NATO will be recorded on the individual's Joint Personnel Adjudication System (JPAS) Person Summary Indoctrination screen. 4.8.1. Visits. For NATO Production and Logistics Organization (NPLO) security clearance and visit procedures see DoD 5220.22-M, National Industrial Security Operating Manual (NISPOM), chapter 10. [Reference USSAN 1-69, ATT 1, paragraph 40 & 41]. 4.8.2. (Added-USAFE) U.S. contractors that require access to the USAFE Secret Internet Protocol Router Network (SIPRNet) must be indoctrinated into NATO. 4.9. Briefings. Personnel must be given a NATO security briefing before access to NATO classified information is granted. A sample NATO briefing is at Attachment 4. NATO granting authorities designate individuals to give NATO briefings. Record briefings on AF Form 2583, Request for Personnel Security Action. A sample AF Form 2583 is at Attachment 3. The person receiving the briefing signs in the remarks section of the AF Form 2583. Maintain AF Form 2583 or computer generated roster on file at the unit of assignment until there is no longer a need for the access. Do not transfer it upon permanent change of station (PCS) or permanent change of assignment (PCA). [Reference USSAN 1-69, ATT 1, paragraph 33c]. 4.9. (USAFE) Briefings. Utilize the electronic AFI 31-406, Attachment 4, Sample Initial NATO Security Indoctrination, the indoctrination guide located on the U.S. Central Registry web site, https://secureweb.hqda.pentagon.mil/cusr/, or the USAFE NATO Power Point Security

AFI31-406_USAFESUP_I 20 APRIL 2006

17

Training Program. The AF IMT 2583, Request for Personnel Security Action must be maintained on file at the unit of assignment according to the Air Force Records Information Management System (AFRIMS) Records Disposition Schedule (RDS). The security manager will record the NATO indoctrination and access level on the individual's JPAS Person Summary Indoctrination screen. 4.9.1. Personnel requiring access to ATOMAL information must receive an ATOMAL briefing prior to access and annually thereafter. A sample ATOMAL briefing is at Attachment 5. Record annual rebriefings on the AF Form 2583. [Reference USSAN 1-69, ATT 2, paragraph 53]. 4.9.2. A computer generated roster may be used in lieu of AF Form 2583 to record NATO access when a large number of personnel need access to NATO classified information (i.e., mobility deployment). As a minimum, the information required in blocks 1, 2, 3, 4, and 9 of the AF Form 2583 must be present on the roster. The briefer and those being briefed must sign the roster acknowledging the briefing. 4.9.2. (USAFE) Computer generated rosters will only be used for mobility and or deployment purposes. Granted NATO access must still be entered into the Joint Personnel Adjudication System (JPAS) and the computer generated roster must be maintained on file at the unit of assignment according to the AFRIMS Records Disposition Schedule. 4.10. Debriefing. Commanders and staff agency chiefs shall appoint officials to debrief personnel who no longer require access to NATO classified information. If an individual's US security clearance eligibility is suspended, removed, or revoked, their access to NATO classified information must be immediately removed and the individual debriefed. Record debriefings on AF Form 2587, Security Termination Statement. The AF Form 2587 shall be retained in accordance with AFMAN 37-139, Records Disposition Schedule. See Attachment 6 for a sample debrief. [Reference USSAN 1-69, ATT 1, paragraph 33c(3)]. 4.11. Refusal to Sign a Termination Statement. When an individual refuses to execute an AF Form 2587, the supervisor, in the presence of a witness: 4.11.1. Debriefs the individual. 4.11.2. Records the fact that the individual refused to execute the termination statement and was debriefed. 4.11.3. Ensures the individual no longer has access to NATO classified information (i.e. notify co-workers, change combinations to security containers, deny access to secure/sensitive areas, etc.). 4.11.4. Forwards a copy to the servicing ISPM who advises the commander on security information file (SIF) considerations. Refer to AFI 31-501, Personnel Security Program Management, chapter 8, for SIF guidance. 4.11.4. (USAFE) Commanders will establish a security information file (SIF) if an individual refuses to execute an AF IMT 2587. 4.12. Temporary Access. During wartime, periods of mounting international tension, international contingency operations, or in peacetime during deployments or on-call/exercise duty when emergency measures require, commanders may grant temporary access to CTS information based on a final U.S. Secret clearance and issuance of an interim US Top Secret

18

AFI31-406_USAFESUP1_I 20 APRIL 2006

clearance eligibility, pending completion of an SSBI or the issuance of a final US Top Secret clearance eligibility. The temporary access will be rescinded if unfavorable information is identified in the course of the investigation, see paragraph 4.10 of this instruction. Refer to AFI 31-501, chapter 3. [Reference USSAN 1-69, ATT 1, paragraph 45 - 47]. 4.13. NATO Billets. [Reference USSAN 1-69, ATT 1, paragraph 30 ­ 32, C-M(2002)49, and NATO Directive AC/35-D/2000]. 4.13.1. Personnel assigned to a NATO billet, who require access to CTS or COSMIC Top Secret ATOMAL (CTSA), require a SSBI or SSBI periodic reinvestigation (SBPR) within five years. 4.13.2. Air Force members assigned to a NATO billet who require access to NS, NATO Secret ATOMAL (NSA), NATO Confidential (NC), or NATO Confidential ATOMAL (NCA) require a National Agency Check (NAC) submitted prior to 10 May 1999, National Agency Check, Local Agency Checks and Credit Check (NACLC) if submitted 10 May 1999 or after, or a Secret periodic reinvestigation (PRS), which are less than ten years old. 4.13.3. Civilian employees assigned to a NATO billet who require access to NS, NSA, NC, or NCA require a National Agency Check with Written Inquiries (NACI) submitted prior to 10 May 1999, Access National Agency Check with Written Inquiries and Credit Check (ANACI) if submitted 10 May 1999 or after, or National Agency Check with Written Inquiries and Credit Checks (NACIC) if it was conducted prior to3 May 1999 and secret clearance eligibility was granted by the Air Force Central Adjudication Facility (AFCAF), which are less than ten years old. 4.13.4. Verification of an individual's previous investigation is required before assignment to a NATO billet if there is a break in service and or employment of 12 months or longer. Utilize the Joint Personnel Adjudication System (JPAS) for verfication. [Reference AC/35D/2000, paragraph 16]. 4.13.5. Air Force and civilian personnel assigned to NATO billets requiring access to NATO CTS or COSMIC Top Secret ATOMAL (CTSA) classified information require periodic reinvestigations every five years. Submit periodic reinvestigation requests when the previous investigation is four years old (48 months) in accordance with AFI 31-501. [Reference NATO Directive AC/35-D/2000, paragraph 17]. 4.13.6. Air Force and civilian personnel assigned to NATO billets requiring access to NS, NATO Secret ATOMAL (NSA), NATO Confidential (NC), or NATO Confidential ATOMAL (NCA) classified information require periodic reinvestigations every ten years. Submit periodic reinvestigation requests when the previous investigation is nine years old (108 months) in accordance with AFI31-501. [NATO Directive AC/35-D/2000, paragraph 17].

AFI31-406_USAFESUP_I 20 APRIL 2006

19

Chapter 5 SAFEGUARDING 5.1. Storage. Storage requirements for NATO classified information parallel those for US classified of the same level in accordance with DoD 5200.1-R and AFI 31-401. NATO material can be stored in the same security container as non-NATO information provided the NATO material is physically separated from non-NATO material by at least a file divider. [Reference USSAN 1-69, ATT 1, paragraph 56a and b]. 5.1. (USAFE) Storage. Commanders will ensure procedures are in place to prevent access to NATO classified information by unauthorized personnel. 5.1.1. NATO classified may be turned over to facilities designated for overnight storage of US information. Facility personnel do not need formal access to NATO classified as long as the NATO documents are placed in a sealed container. 5.1.2. (Added-USAFE) COSMIC Top Secret (CTS) information will be stored by one of the following methods: (Reference C-M(2002)49, Security within the North Atlantic Treaty Organization (NATO), ENCLOSURE D). 5.1.2.1. (Added-USAFE) In a General Services Administration (GSA) approved modular vault, vault, or approved secure room (open storage area) equipped with a combination lock meeting Federal Specification FF-L-2740 Locks, Combination and constructed in accordance with DOD 5200.1-R, Information Security Program, Appendix 7, and equipped with an Intrusion Detection system (IDS) with the personnel responding to the alarm within 15 minutes of the alarm annunciation if the area is covered by security-in-depth, or a 5 minute alarm response time if the area is not covered by security-in-depth. 5.1.2.2. (Added-USAFE) In a GSA approved security container in an area subject to continuous protection by cleared guard or duty personnel. 5.1.3. (Added-USAFE) NATO Secret (NS) information will be stored by one of the following methods: (Reference C-M(2002)49, ENCLOSURE D). 5.1.3.1. (Added-USAFE) In the same manner as prescribed for CTS information, above. 5.1.3.2. (Added-USAFE) In a GSA-approved security container or vault equipped with a combination lock meeting Federal Specification FF-L-2740. 5.1.3.3. (Added-USAFE) In an approved secure room (open storage area) constructed in accordance with DOD 5200.1-R, Appendix 7 and equipped with a combination lock meeting Federal Specification FF-L-2740, subject to continuous protection by cleared guard or duty personnel. NOTE: The 1 October 1995 exclusion for supplemental controls prescribed in DOD 5200.1-R does not apply for secure rooms approved to store NS and above. 5.1.4. (Added-USAFE) NATO Confidential (NC) information will be stored in the same manner as prescribed for CTS or NS information except that supplemental controls are not required. (Reference C-M(2002)49, ENCLOSURE D).

20

AFI31-406_USAFESUP1_I 20 APRIL 2006

5.2. NATO Restricted. NATO Restricted information may be protected similar to "For Official Use Only" and must be safeguarded in a manner that shall prevent disclosure to non-government personnel. [Reference USSAN 1-69, ATT 1, paragraph 24]. 5.2. (USAFE) NATO Restricted. Refer to Attachment 8 (Added), for additional information and guidance on NATO Restricted. 5.2.1. NATO Restricted may be stored in filing cabinets, desks or other containers, which are located in rooms where AF or AF contractor internal building security is provided during non-duty hours. Where such internal security is not available, locked buildings or rooms will provide adequate protection as long as AF or AF contractors control the keys/combinations. [Reference USSAN 1-69, ATT 1, paragraph 56c]. 5.3. Combinations. If combinations to security containers holding NATO classified information are recorded, use Standard Form (SF) 700, Security Container Information, Part 2. If the container only stores NATO classified, mark the SF 700, Part 2 with the highest NATO classification therein and control it as a NATO document. If the container contains both US and NATO classified, mark the SF 700, Part 2 with the highest classification contained and the statement "NATO Access Required" and control as a US document. Every individual having access to a security container, in which NATO information classified Confidential and above is stored, must have been granted access to NATO information at the appropriate level. Procedures outlined in paragraph 5.1.1 are an exception to this policy. [Reference USSAN 1-69, ATT 1, paragraph 59]. 5.3.1. Combinations to security containers that store any NATO classified will be changed annually. See DoD 5200.1-R, para 6-404b, for additional requirements. [Reference USSAN 1-69, ATT 1, paragraph 60]. 5.3.1. (USAFE) Combination change requirements also apply to vaults and/or secure rooms approved for the open storage of NATO classified information. 5.4. Cover Sheets. For NATO classified documents removed from security containers use the following cover sheets: AF Form 144, Top Secret Access Record and Cover Sheet, for CTS and CTSA, SF 704, Secret Cover Sheet, for NATO Secret and NSA, and SF 705, Confidential Cover Sheet, for NATO Confidential and NCA. Write the word "COSMIC", "ATOMAL", or "NATO," as appropriate, on cover sheets. When the originator deems a disclosure record is necessary and places special limitations on NSA and NCA documents, a AF Form 144 will be used. In these cases, cross out the "Top Secret" and replace with appropriate classification (CTSA, NSA, or NCA). 5.4.1. (Added-USAFE) In addition to the coversheet information outlined in AFI 31-406, paragraph 5.4., NATO coversheets located on the CUSR web site at https://secureweb.hqda.pentagon,mil/cusr/FB_coversheets.aspor the USAFE/IP Community of Practice (CoP) web site athttps://afkm.wpafb.af.mil/ASPs/docman/DOCMain.asp?Tab=0&FolderID=OO-SFFE-20-1-2&Filter=OO-SF-FE-20, may also be used. 5.4.2. (Added-USAFE) For NATO Restricted, utilize the CUSR NATO Restricted coversheet located on the CUSR or USAFE Information Security web site.

AFI31-406_USAFESUP_I 20 APRIL 2006

21

5.4.3. (Added-USAFE) The use of NATO Allied Command Europe (ACE) forms, labels and stickers is prohibited. 5.5. NATO Extracts. Control and protect US generated documents containing NATO extracts as a US document in accordance with DoD 5200.1-R and AFI 31-401. See paragraph 3.4 of this instruction for marking requirements. 5.6. Document Control: CTS. Distribute and control CTS documents, including messages, through the AF NATO Registry System. Use AF Top Secret control procedures for accountability for CTS, see AFI31-401, chapter 5. Keep CTS accountability records separate from US Top Secret records. 5.6.1. Use AF Form 143, Top Secret Register Page, or equivalent automated form to maintain records for each document, see AFI 31-401, chapter 5. [Reference USSAN 1-69, ATT 1, paragraph 127(f)]. 5.6.1.1. Do not prepare accountability records for CTS messages kept in telecommunication facilities on a transitory basis for less than 30 days. Use the telecommunication facility accountability register for this function. 5.6.2. Use AF Form 144 as a disclosure record. All individuals who gain knowledge of the information will sign and print their name. Only one entry per individual is required. [Reference USSAN 1-69, ATT 1, paragraph 99]. 5.6.3. File inactive AF Forms 143, AF Forms 144, AF Form 310, Document Receipt and Destruction Certificate, or other records used reflecting disposition in accordance with AFMAN 37-139. [Reference USSAN 1-69, ATT 1, paragraph 113(b)]. 5.6.4. Commanders of subregistries and control points appoint one or more properly cleared, disinterested person(s) to conduct an annual inventory of all holdings. Each newly appointed control officer also conducts an inventory before assuming the account. [Reference USSAN 1-69, ATT 1, paragraph 128]. 5.6.4.1. Subregistry or control point commanders must endorse reports of inventory. Control points send the report to their subregistry. Subregistries send the report to the CUSR. The subregistry will provide a copy of the report to the servicing ISPM. [Reference USSAN 1-69, ATT 1, paragraph 129]. 5.7. Document Control: ATOMAL. CTSA is controlled in a similar manner to CTS, while NSA and NCA are treated similar to NATO Secret. When the originator deems more control is necessary and places special limitations on NSA and NCA documents, treat and account for those documents as CTSA. Keep ATOMAL accountability records and inventory reports separate from non-ATOMAL records. [Reference USSAN 1-69, ATT 2, paragraph 42 and 54]. 5.8. Document Control: NATO Secret. Distribute NS documents through the AF NATO Registry System. Action offices will administratively control all NS documents by maintaining an active accountability record on each document. An AF Form 310 or general-purpose work sheet may be used for this purpose. The record must identify the document by showing reference numbers, originator of the document, unclassified subject or short title, date of the document, date received or transferred, and the individual or agency the document was transferred to. The communication center will notify the servicing subregistry or control point of

22

AFI31-406_USAFESUP1_I 20 APRIL 2006

these incoming NS messages as outlined in para 7.4.2 of this instruction. [Reference USSAN 169, ATT 1, paragraph 100]. 5.8.1. NS exercise messages kept less then 30 days are exempt from active accountability. If NS exercise messages are kept for more than 30 days, the message will be entered into the administrative control system. Non-exercise NS messages received directly from the communications center will be placed into the action office's administrative control system. 5.8.2. File inactive accountability, destruction, and transmission certificates in accordance with AFMAN 37-139. [Reference USSAN 1-69, ATT 1, paragraph 113(d)]. 5.8.3. Recommend commanders of subregistries and control points appoint one or more properly cleared, disinterested persons to conduct an annual inventory of all NS holdings. Also recommend each newly appointed control officer conduct an inventory before assuming the account. 5.9. Document Control: NATO Confidential and Restricted. NATO Confidential and Restri cted information may flow from action office to action office. Recipients do not keep active accountability records for the document unless required by the NATO originator. 5.10. Page Changes. When making page changes to accountable NATO documents use an AF Form 1565, Entry, Receipt, and Destruction Certificate, AF Form 143, or AF Form 310 for a receipt, accountability, and destruction certificate for the pages being changed. 5.11. Reproduction. Unit commanders and heads of staff offices designate people to exercise reproduction authority for classified material in their activities. For copiers, facsimile machines, scanners, or any other machines with copying capability determine if they retain any latent images when copying classified, and how to clear them when they do. Any products produced during clearing procedures must be destroyed as NATO classified waste. [Reference USSAN 169, ATT 1, paragraph 63]. 5.11. (USAFE) Reproduction. NR, NC, NATO Confidential Atomal (NCA), and NATO Secret Atomal (NSA) may only be reproduced on equipment approved for the reproduction of U.S. classified information. 5.11.1. Air Force units, which need additional copies of CTS and CTSA documents, should get them from the NATO originator. [Reference USSAN 1-69, ATT 1, paragraph 89]. 5.11.1. (USAFE) NATO sub-registries must track and document all reproductions of CTS documents. 5.11.1.1. If not practical, the subregistry may authorize reproduction of CTS documents. The subregistry must report the reproduction to the CUSR. The CUSR must approve reproduction of CTSA. Ensure all reproductions are entered into the Air Force accountability and control system, and reporting requirements are met. [Reference USSAN 1-69, ATT 2, paragraph 43]. 5.11.1.2. All reproductions must be annotated with "Reproduced (date) by authority of (CUSR/ subregistry). Reproduced copy of copies." [Reference USSAN 1-69, ATT 1, paragraph 89]. 5.11.2. NSA and NCA may be reproduced at the subregistry or control point with subregistry approval. The CUSR must be notified of all ATOMAL reproductions. Users

AFI31-406_USAFESUP_I 20 APRIL 2006

23

may only reproduce ATOMAL information with approval of the subregistry. [Reference USSAN 1-69, ATT 2, paragraph 43]. 5.11.3. Holders of NATO Secret and below documents may reproduce the document without specific approval of the NATO originator, subregistry, or control point. Record the number of reproductions on the document from which the reproduction was made and place the statement: "Reproduced Copy of copies." Enter reproductions of NATO Secret documents into the administrative control system. [Reference USSAN 1-69, ATT 1, paragraph 92]. 5.11.3. (USAFE) Recording and controlling the number of reproductions is only required for NS information. NC and NR information may be reproduced without the approval of the NATO originator, Sub-registry, or control point, and does not require recording the reproduction and or document control. (Reference C-M(2002)49). 5.11.3.1. (Added-USAFE) Each reproduced copy of NS information must have the statement "Reproduced Copy _____ of _____ copies" applied to the cover or, in the absence of a cover, the first page. 5.12. Destruction. NATO classified information will be destroyed in the same manner as US classified material of the same level. Include NATO classified information with the annual "clean out day". Destroy US documents with NATO extracts contained within as a US document. See DoD 5200.1-R, chapter 6, and AFI 31-401, chapter 5 for specific requirements. [Reference USSAN 1-69, ATT 1, paragraph 112a]. 5.12. (USAFE) Destruction. NATO classified information may only be destroyed on equipment approved and currently listed on the National Security Agency (NSA) Evaluated Products List of High Security Crosscut Shredders. 5.12.1. CTS. Two persons and a destruction record is required for the destruction of CTS. AF Form 143, 310, or 1565 can be used for the destruction certificate. Return CTS material and disclosure records to the subregistry for destruction. Subregistries may authorize control points to destroy CTS material. In this case, forward a copy of the destruction certificate and disclosure record to the subregistry. File destruction certificates in accordance with AFMAN 37-139. [Reference USSAN 1-69, ATT 1, paragraph 113(a), 113(b), and 113(c)]. 5.12.2. NATO Secret. Two persons and a destruction record is required for the destruction of NATO Secret. AF Form 310, or 1556 can be used for the destruction certificate. File destruction certificates in accordance with AFMAN 37-139. [Reference USSAN 1-69, ATT 1, paragraph 113(d)]. 5.12.3. ATOMAL. ATOMAL information will be returned to the subregistry or CUSR for destruction. Subregistries may destroy ATOMAL information by the same method as nonATOMAL NATO information of the same level. [Reference USSAN 1-69, ATT 2, paragraph 33(f)]. 5.12.4. NATO Confidential and Restricted. Only one person and no destruction certificate is needed unless required by the originator. [Reference USSAN 1-69, ATT 1, paragraph 113(e)]. 5.13. Emergency Planning. NATO classified information will be included in emergency protection, removal, and destruction as described in DoD 5200.1-R, chapter 6. [Reference USSAN 1-69, ATT 1, paragraph 114].

24

AFI31-406_USAFESUP1_I 20 APRIL 2006

5.14. Classified Meetings and Conferences. See DoD 5200.1-R, chapter 6, AFI 31-401, chapter 5, and AFI 61-205, Sponsoring or Cosponsoring, Conducting and Presenting DoD Related Scientific Papers at Unclassified and Classified Conferences, Symposia, and Other Similar Meetings. [Reference USSAN 1-69, ATT 1, paragraph 131]. 5.14. (USAFE) Classified Meetings and Conferences. Activities hosting and or conducting meetings or conferences involving NATO classified information must ensure: 5.14.1. (Added-USAFE) Appropriate security measures are taken to protect the NATO classified information discussed and provided to the attendees, to include but not limited to documents, recordings, audiovisual material, notes, and other materials created, distributed, or used during the meeting or conference. 5.14.2. (Added-USAFE) Access to the meeting or conference is limited to personnel who have been granted access to NATO classified information. Utilize appropriate visit clearance procedures to ensure individual access. 5.15. Information Systems (IS). See AFI 33-202, Computer Security. [Reference USSAN 169, ATT 1, paragraph 165]. 5.15.1. Treat extracted NATO information in IS as US classified information of the same level. Mark the material as explained in Chapter 3 of this instruction. 5.15.2. Individuals accessing IS's, that are approved to process NATO classified information, must have been formally authorized access in accordance with paragraph 4.9 of this instruction. 5.15.3. IS machines and media (i.e., diskettes, compact discs, removable hard drives) containing NATO classified information will be stored, marked, handled, and accounted for as other NATO material of the same level according to USSAN 1-69 and this instruction. Do not put actual NATO documents/messages and non-NATO information on the same IS machine or media unless the machine and media is handled as NATO material, the internal files are clearly marked, and everyone having access has been granted access to NATO information. Do not put ATOMAL and non-ATOMAL NATO information on the same IS machine or media unless the machine and media is handled as ATOMAL, material the internal files are clearly marked, and everyone having access has been granted access to NATO information. 5.16. Technical Surveys. Request electronic counter intelligence technical surveys in accord with AFI71-101, Volume 3, Technical Surveillance Countermeasures (TSCM) Program. [Reference USSAN 1-69, ATT 1, paragraph 65.3 & 136]. 5.17. Emission Security. Follow the requirements of AFI 33-203, The Air Force Emission Security Program. [Reference USSAN 1-69, ATT1, paragraph 65.4].

AFI31-406_USAFESUP_I 20 APRIL 2006

25

Chapter 6 TRANSMISSION 6.1. General. Handle US documents containing NATO extracts in accordance with DoD 5200.1-R, chapter 7 and AFI 31-401, chapter 6. Transmit CTS, ATOMAL, and NATO Secret documents within the NATO registry system. Apply packaging and mailing restrictions IAW DoD 5200.1-R, chapter 7, and AFI 31-401, chapter 6. 6.2. NATO Confidential. Transmit NATO Confidential information by any means approved for NATO Secret. NATO Confidential can be sent via US Postal Service (USPS) First Class Mail to DoD and US Government organizations within the CONUS. Alaskan, Hawaiian, and APO/FPO addresses are NOT within CONUS. To ensure continuous control by US personnel, transmission outside the CONUS will be through USPS Registered Mail. Geographical addresses and international mail channels will not be used. The same packaging and mailing restriction apply as in the case of US Confidential. 6.3. NATO Restricted. Send NATO Restricted information over secure communication lines.Documents classified NATO Restricted shall be packaged and mailed through USPS First Class Mail and may be single wrapped. To ensure continuous control by US personnel, transmission outside the US will be through USPS First Class Mail through the services' APO/FPO addresses. Geographical addresses and international mail channels will not be used. [Reference USSAN 1-69, ATT 1, paragraph 97b and 106]. 6.3. (USAFE) NATO Restricted. Refer to Attachment 8 (Added), for additional guidance on NATO Restricted information. 6.4. Inner Container. Do not enclose US and NATO, or ATOMAL and non-ATOMAL classified in the same inner container. 6.5. Receipts. A receipt is required when sending CTS, ATOMAL, or NATO Secret outside the unit or activity. AF Form 143, 310, or 1565 will satisfy receipt requirements for NATO material. Keep NATO receipt files separate from US receipt files and ATOMAL receipt files separate from non-ATOMAL receipt files. Receipts are not required for NATO Confidential or NATO Restricted unless required by the originator. File receipts in accordance with AFMAN 37-139. 6.6. Handcarrying. Ensure individuals that handcarry NATO classified information are familiar with the procedures and have all appropriate paperwork. Information in USSAN 1 -69, ATT 3 to ENCL 2, Section III or DoD 5200.1-R, chapter 7 and AFI 31-401, chapter 6 may be used for briefing and courier certificate requirements. CTS and CTSA material may only be transported across international borders by approved DoD Couriers or diplomatic pouch. Courier letters will be written in English, and if possible, the languages of all other countries the courier will pass through. Installation commanders authorize appropriately cleared couriers to handcarry NATO classified material, to include the use of commercial flights. (This authority may be delegated no lower than unit commanders or staff agency chiefs.) The home unit will maintain a list of all documents being handcarried. [Reference USSAN 1-69, ATT 1, paragraph 108]. 6.6.1. Military operations. Military commanders may authorize alternate procedures to meet mission requirements in accordance with DoD 5200.1-R, para 1-400; however, mission

26

AFI31-406_USAFESUP1_I 20 APRIL 2006 impact must be demonstrable. In doing so, consideration must be given to risk management factors such as criticality, sensitivity, and value of the information; analysis of the threats both known and anticipated; and vulnerability to exploitation.

6.7. NATO Cryptographic Material. NATO cryptographic material is distributed through COMSEC channels, not through registry channels and remains in the custody of the COMSEC Manager. [Reference USSAN 1-69, ATT 1, paragraph 109.1].

AFI31-406_USAFESUP_I 20 APRIL 2006

27

Chapter 7 SUBREGISTRIES, CONTROL POINTS, AND COMMUNICATIONS CENTERS 7.1. Subregistry. As an extension of the CUSR, Air Force Subregistries distribute all CTS, ATOMAL, and NATO Secret documents within the activities they service. Designate subregistries either CTSA, CTS, NSA, or NATO Secret. 7.1.1. Installation commanders may delegate appointing authority of subregistries control officer and alternate(s) to the commander or staff agency chief responsible for management of the subregistry. Appoint in writing one subregistry control officer and at least one alternate for each subregistry. [Reference USSAN 1-69, ATT 1, paragraph 116 & ATT 2, paragraph 27]. 7.1.1. (USAFE) Utilize the Headquarters, Department of the Army (DAAG) Form 29, Subregistry/Control Point Signature List to appoint primary and alternate sub-registry or control point primary and alternate custodians and forward a copy to the CUSR. 7.1.2. Requests to establish and disestablish AF subregistries must be sent through ISPM channels to HQ USAF/XOFI. A survey report from the local ISPM must be included in the request for establishment. HQ USAF/XOFI forwards the request to the CUSR. [Reference USSAN 1-69, ATT 1, paragraph 118 & ATT 2, paragraph 30]. 7.1.2. (USAFE) Within USAFE, requests to establish and disestablish AF sub-registries are submitted by the ISPM to HQ USAFE/IP. 7.1.3. ATOMAL subregistries are authorized to request, receive, and transmit any level of NATO classified. CTS subregistries are authorized to receive CTS and below but not ATOMAL documents. NATO Secret subregistries are authorized to receive NATO Secret and below but not ATOMAL documents. 7.1.4. Subregistries keep a list of names and clearances of control point officers and action officers who routinely receive NATO classified information through them. A duplicate AF Form 2583 may be used. Commanders must notify the subregistry when there is any change in an individual's access. [Reference USSAN 1-69, ATT 1, paragraph 127(b) & ATT 2, paragraph 31(f)]. 7.1.5. CTS and ATOMAL subregistry control officer may authorize remote or deployed control points to destroy CTS documents. A copy of the destruction certificate and disclosure records will be forwarded to the subregistry immediately after destruction. [Reference USSAN 1-69, ATT 1, paragraph 113(c)]. 7.2. Control Point. Air Force control points are an extension of their parent subregistry and distribute all CTS , ATOMAL, and NATO Secret documents within the activities they service. A control point designation can not be higher then their parent subregistry. Designate control points either CTSA, CTS, NSA, or NATO Secret. 7.2.1. Commanders will send requests for establishment and disestablishment of control points to the servicing subregistry. A survey report from the local ISPM must be included in the request for establishment. The subregistry commander is the authorization authority.

28

AFI31-406_USAFESUP1_I 20 APRIL 2006 The CUSR must be notified of all ATOMAL control points. [Reference USSAN 1-69, ATT 1, paragraph 120 & ATT 2, paragraph 32]. 7.2.2. Unit commanders or staff agency chiefs appoint, in writing, one control point officer and at least one alternate for each control point. A copy of the appointment letter will be provided to the servicing subregistry. [Reference USSAN 1-69, ATT 1, paragraph 116 & ATT 2, paragraph 27]. 7.2.2. (USAFE) Utilize DAAG Form 29 to appoint primary and alternate control point officers and forward a copy to the servicing sub-registry. 7.2.3. Control points keep a list of names and clearances of action officers who routinely receive NATO classified information through them. A duplicate AF Form 2583 may be used. [Reference USSAN 1-69, ATT 1, paragraph 127(b) & ATT 2, paragraph 31(f)].

7.3. User. An Air Force NATO user is any office, agency, or individual serviced by a subregistry or control point who requires and is authorized access to NATO classified information to perform assigned missions. Users must protect NATO classified documents in their possession according to the USSAN 1-69 and this instruction. 7.3.1. Subregistries or control points may issue a User CTS and CTSA documents for up to six months. Additional retention shall be justified in writing. [Reference USSAN 1-69, ATT 1, paragraph 124]. 7.4. Communication Centers. 7.4.1. Brief and grant NATO access to personnel assigned to the level of the material the center handles. Briefings will be accomplished in accordance with paragraphs 4.9 and 4.10 of this instruction. 7.4.2. Release CTS and ATOMAL messages to established subregistry or control points for accountability purposes. NS messages may be released directly to addressees with notification to the subregistry. Notification to the subregistry may be made monthly with a copy of the communication center's message log. NATO Confidential/Restricted may go directly to the addressee, no subregistry notification required. 7.4.3. Record copies of non-ATOMAL NATO classified messages may be maintained with other non-record US classified messages according to the communications center's controlling directive. 7.4.4. Communication centers supporting ATOMAL subregistries and control points must maintain, and implement Allied Communications Publication (ACP) 122 NATO Supplement 2A, Handling of ATOMAL Information with Classified Communication Centers, and establish written procedures for handling of ATOMAL messages within the communication center. 7.4.4.1. Maintain record copies of ATOMAL messages separate from all other US and NATO messages. Record the destruction of these messages, as appropriate, according to ACP 122, NATO Supplement 2A. 7.4.4.2. Maintain a separate ATOMAL log listing all ATOMAL documents.

AFI31-406_USAFESUP_I 20 APRIL 2006

29

Chapter 8 SECURITY INCIDENTS 8.1. Reporting. Anyone discovering a security violation involving NATO classified information must immediately report it to their supervisor, security manager, or commander. The incident must be reported to the servicing ISPM by the end of the first duty day. [Reference USSAN 1-69, ATT 1, paragraph 150]. 8.1. (USAFE) Reporting. Within USAFE, notify HQ USAFE/IP within one duty day of the incident. 8.1.1. When there is a compromise or loss of NATO classified information, immediately notify HQ USAF/XOFI through ISPM channels. HQ USAF/XOFI will notify the CUSR. [Reference USSAN 1-69, ATT 1, paragraph 151]. 8.1.1.1. Before a security investigation report of a compromise or loss is closed, the report must be sent through ISPM channels to HQ USAF/XOFI for review within 40 calendar days from the date of notification. If the investigative report will not reach HQ USAF/XOFI within 40 days, provide a written status report with an estimated completion date. HQ USAF/XOFI will forward a copy of completed reports to the CUSR. [Reference USSAN 1-69, ATT 1, paragraph 156b, 156c, & ATT 2, paragraph 61]. 8.1.1.1. (USAFE) Within USAFE, security investigation report of a compromise or loss are submitted by the ISPM to HQ USAFE/IP. The report will be sent forward to SAF/AAP. 8.1.2. Immediately notify the supporting AFOSI activity when there are any indications or suspicions of espionage or criminal activity. [Reference USSAN 1-69, ATT 1, paragraph 154(b)]. 8.2. Investigations. Conduct investigations of security incidents involving NATO information in accordance with DoD 5200.1-R, chapter 10 and AFI 31-401, chapter 9. [Reference USSAN 169, ATT 1, paragraph 150]. 8.2.1. Investigations must be directed by the commander of the organization in which the incident occurred. If the commander is involved, his or her supervisor will initiate the investigation. 8.2.2. The ISPM, and the unit will maintain a copy of security incident reports involving NATO information. If the incident involves CTS, ATOMAL, or NATO Secret information provide a copy of the report to the servicing subregistry. Retain security incident reports in accordance with AFMAN37-139. [Reference USSAN 1-69, ATT 1, paragraph 152]. 8.3. NATO Restricted. MAJCOM ISPMs establish procedures for reporting, processing, and closing incidents involving NATO Restricted. Incidents involving espionage and deliberate compromise will be reported IAW para 8.1 of this instruction. 8.3. (USAFE) NATO Restricted. Security violations involving NATO Restricted information are security incidents and will be investigated as prescribed in AFI 31-401, Chapter 9. 8.4. Cryptographic Material. See AFI 33-212, Reporting COMSEC Deviations.

30

AFI31-406_USAFESUP1_I 20 APRIL 2006

8.5. ((Added)(USAFE)) Forms/IMTs adopted: AF IMT 310, Document Receipt and Destruction Certificate; AF IMT 2583, Request for Personnel Security Action; AF IMT 2587, Security Termination Statement; AF IMT 3132, General Purpose; DD Form 1610, Request and Authorization for TDY Travel of DOD Personnel; SF Form 707, Secret (Label); Optional Form 65 series, U.S. Government Messenger Envelopes; DAAG Form 29, Subregistry/Control Point Signature List; ACE Form 142, NATO Restricted Label; ACE Form 143, NATO Confidential Label; ACE Form 144, NATO Secret Label.

RONALD E. KEYS, Lt General, USAF DCS/Air & Space Operations (USAFE) DANNY K. GARDNER, Brigadier General, USAF Director, Installation and Mission Support

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 1 GLOSSARY OF REFERENCE AND SUPPORTING INFORMATION References AC/35-D/2000, Directive on Personnel Security C-M(2002)49, Security within the North Atlantic Treaty Organization (NATO)

31

DoDD 5100.55, United States Security Authority for North Atlantic Treaty Organization Affairs DoD 5200.1-R, Information Security Program DoD 5200.22-M, National Industrial Security Operating Manual (NISPOM) USSAN 1-69, United States Implementation of NATO Security Procedures AFI 16-201, Foreign Disclosure of Classified and Unclassified Military Information to Foreign Governments and International Organizations AFPD 31-4, Information Security Program AFI 31-401, Managing the Information Security Program AFI 31-501, Personnel Security Program Management AFI 33-202, Network and Computer Security AFI 33-203, Emission Security Program AFI 33-212, Reporting COMSEC Deviations AFI 61-205, Sponsoring or Cosponsoring, Conducting and Presenting DoD Related Scientific and Technical Papers at Unclassified and Classified Conferences, Symposia, and Other Similar Meetings AFI 71-101, Volume 3, Technical Surveillance Countermeasures (TSCM) Program AFMAN 37-139, Records Disposition Schedule Abbreviations and Acronyms ACP--Allied Communications Publication AF--Air Force AFCAF--Air Force Central Adjudication Facility (formerly 497 IG/INS) AFI--Air Force Instruction AFOSI--Air Force Office of Special Investigation AFPD--Air Force Policy Directive AFR--Air Force Regulation ANACI--Access National Agency Check with Written Inquires and Credit Check API--Advance Planning Information CONUS--Continental United States CTSA--COMIC Top Secret ATOMAL

32 CTS--COSMIC Top Secret CUSR--Central United States Registry DRU--Direct Reporting Units FOA--Field Operating Agencies FDR--Formerly Restricted Data

AFI31-406_USAFESUP1_I 20 APRIL 2006

HQ USAF/XOFI--Headquarters Air Force, Chief Information Security Division HQ USAFE/SFI--Headquarters United States Air Forces in Europe, Directorate of Security Forces, Security Programs Division IS--Information Systems ISPM--Information Security Program Manager JPAS--Joint Personnel Adjudication System LAA--Limited Access Authorization MAJCOM--Major Command NAC--National Agency Check NACIC--National Agency Check with Written Inquiries and Credit Checks NACLC--National Agency Check, Local Agency Checks and Credit Check NATO--North Atlantic Treaty Organization NCA--NATO Confidential ATOMAL NISPOM--National Industrial Security Operating Manual NPLONATO--Production and logistics Organization NR--NATO Restricted NS--NATO Secret NSA--NATO Secret ATOMAL OCA--Original Classification Authority PCS--Permanent Change of Station PRS--Periodic Reinvestigation Secret SAF/AA--Administrative Assistant to the Secretary of the Air Force SAF/IA--Deputy Under Secretary of the Air Force, International Affairs SBPR--Periodic Reinvestigation Top Secret SCIF--Sensitive Compartmented Information Facilities SIF--Security Information File SF--Standard Form SSBI--Single Scope Background Investigation

AFI31-406_USAFESUP_I 20 APRIL 2006 TDY--Temporary Duty TSCM--Technical Surveillance Countermeasures U--Unclassified USPS--United States Postal Service USSAN--United States Security Authority for NATO Affairs

33

34

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 1 (USAFE) GLOSSARY OF REFERENCES AND SUPPORTING INFORMATION

References (USAFE) Executive Order 12958, as Amended, Classified National Security Information, dated 25 March 2003 (USAFE) AFI 33-119, Air Force Messaging (USAFE) AFI 33-332, Privacy Act Program (USAFE) AFMAN 37-123, Management of Records (USAFE) C-M(2002)49, Security within the North Atlantic Treaty Organization (NATO) (USAFE) C-M(2002)60, The Management of Non-Classified NATO Information, dated 11 July 2002 (USAFE) ISSO Directive 1, Information Security Oversight Office, Classified National Security Information Directive, 22 September 2003. (USAFE) Federal Specification FF-L-2740, Locks, Combination (USAFE) U.S. Central Registry web site: https://secureweb.hqda.pentagon.mil/cusr/ (USAFE) CUSR web site at: https://secureweb.hqda.pentagon.mil/cusr/FB_coversheets.asp (USAFE)USAFE Information Protection CoP site: https://afkm.wpafb.af.mil/ASPs/CoP/OpenCoP.asp?Filter=OO-SF-FE-20 (USAFE) USSAN Instruction 1-07, Implementation of North Atlantic Treaty Organization Security Requirements Abbreviations and Acronyms (USAFE) AFRC---Air Force Reserve Command (USAFE) AFRIMS---Air Force Records Information Management System (USAFE) ANG---Air National Guard (USAFE) APO---Army Post Office Overseas (USAFE) BITS---Base Information Transfer System (USAFE) CoP--Community of Practice (USAFE) DAA---Designated Approving Authority (USAFE) DoD---Department of Defense (USAFE) DoDIM---Department of Defense Intra Theater Mail (USAFE) FOUO---For Official Use Only (USAFE) FPO---Fleet Post Office (USAFE) GSA---General Services Administration

AFI31-406_USAFESUP_I 20 APRIL 2006 (USAFE) IDS---Intra Theater Delivery Service (USAFE) IDS---Intrusion Detection System (USAFE)IP-- Information Protection (USAFE) NC---NATO Confidential (USAFE) ---Non-Secure Internet Protocol Router Network (USAFE) NU---NATO Unclassified (USAFE) PCA---Permanent Change of Assignment (USAFE) PCS---Permanent Change of Station (USAFE) PKI---Public Key Infrastructure (USAFE) RDS---Records Disposition Schedule (USAFE) ---Secure Internet Protocol Router Network (USAFE) ---United States (USAFE) USAFE---United States Air Forces in Europe (USAFE) USEUCOM---United States European Command

35

36

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 2 SAMPLE NATO SECURITY CLEARANCE CERTIFICATION CERTIFICATE

(Official Letter Head) MEMORANDUM FOR FROM: SUBJECT: NATO Security Clearance Certificate 1. Full Name: Date and Place of Birth: Has been granted a security clearance by the Government of the United States of America, in accordance with current NATO regulations, including the Security Annex to C-M(64)39, in the case of ATOMAL information, and is therefore declared suitable to be entrusted with information classified up to and including (level of classification). 2. The validity of this certificate will expire not later than (no more than five years from the date of the individual's inspection).

(signature block of a NATO access granting authority) NOTE: classification will be: a. COSMIC Top Secret b. COSMIC Top Secret ATOMAL c. NATO Secret d. NATO Secret ATOMAL e. NATO Confidential f. NATO Confidential ATOMAL

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 3 SAMPLE AF FORM 2583

37

38

AFI31-406_USAFESUP1_I 20 APRIL 2006

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 3 (USAFE) SAMPLE AF IMT 2583.

39

A3.1. (Added-USAFE) USAFE Requirements. The AF IMT 2583 completion requirements for recording NATO have changed; specifically: A3.1.1. (Added-USAFE) The unit security manager information in block 12, 13, and 14 is no longer required. A3.1.2. (Added-USAFE) The supervisor will verify the requirement for indoctrination using blocks 24, 25, and 26. The NATO access granting authority will verify indoctrination using blocks 27, 28, and 29. A3.1.3. (Added-USAFE) Place the statement "Indoctrinated according to AFI 31-406 on (date of indoctrination)." in Section VII, Remarks. The individual will sign and date the document in the block 30. Figure A3.1. (USAFE) DELETED

40

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 4 SAMPLE INITIAL NATO SECURITY BRIEFING

1. NATO Defined: a. On April 4, 1949, the North Atlantic Treaty was signed and the North Atlantic Treaty Organization (NATO) was formed. The North Atlantic Treaty is the framework for wide cooperation among its members. NATO is more than a military alliance formed to prevent aggression, or to repel aggression forces should the need arise. It also provides for continuing joint action in the political, economic, and social fields. b. The total membership of NATO includes: Belgium, Canada, Czech Republic, Denmark, France, Germany, Greece, Hungary, Iceland, Italy, Luxembourg, Netherlands, Norway, Poland, Portugal, Spain, Turkey, United Kingdom, and the United States. 2. Air Force Instruction and Implementing United States Security Authority for NATO Affairs Instruction: The following publications contain requirements for safeguarding and handling NATO classified material. Consult these directives for detailed procedures on safeguarding and handling NATO classified material. a. USSAN Instruction 1-69, Safeguarding NATO Classified Information. b. AFI 31-406, Applying NATO Protection Standards. 3. USSAN Instruction 1-69: The USSAN Instruction 1-69 is the basic NATO security procedures for protecting NATO classified information. The left column contains NATO protection and handling requirements while the right column contains the DoD clarification or implementing instructions. Neither the left or right columns should be used separately without reference to the corresponding column. 4. AFI 31-406: Air Force Instruction 31-406 contains Air Force unique guidance needed to supplement USSAN 1-69 and DoD Directive 5100.55. All these references together describe how to protect and handle NATO classified information and information releasable to NATO organizations. 5. Granting Access to NATO Classified: a. Access to NATO classified information must be limited to a need-to-know and minimum number of individuals. b. Individuals granted NATO access must have a US security clearance equal to the level of NATO classified information to which access is being granted. c. Access granting authorities record access authorization on AF Form 2583. 6. Dissemination of Material: NATO material can be disclosed only to personnel authorized such access. Holders of NATO material are responsible for determining if individuals requiring access have been properly cleared.

AFI31-406_USAFESUP_I 20 APRIL 2006

41

7. Types and Classification of NATO Information: a. NATO Marking. The word NATO is a marking that signifies the information: (1) Is the property of NATO and may not be passed outside of the NATO organization except by the originator or with the originator's consent. (2) Is subject to the security protection set forth in NATO security regulations. (3) Normally, only the last US organization having custody of the document is authorized to apply the NATO markings before it is released to a NATO organization. b. Classification of NATO Information. NATO information is classified COSMIC Top Secret (CTS), NATO Secret (NS), NATO Confidential (NC), and NATO Restricted (NR). The definitions of the first three classification levels are similar to those of US classifications. NR is a security classification applied by only NATO to information and material that requires a degree of protection, similar to that for "For Official Use Only". c. ATOMAL. ATOMAL is a term used to designate "Restricted Data" or "Formerly Restricted Data" provided by the US and the United Kingdom to NATO Components. ATOMAL information is classified COSMIC Top Secret ATOMAL (CTSA), NATO Secret ATOMAL (NSA), or NATO Confidential ATOMAL (NCA). 8. Breaches of Security. It is very important that any breach of security that may come to an individual's attention is at once reported to a supervisor or security manager and all classified information gets immediately controlled. 9. Procedural Requirements. Requirements already specified for US classified information apply to NATO material. There are additional requirements for NATO to ensure that people do not gain unauthorized access to it. 10. Extracts. Mark in the same manner required for other NATO classified extracts. Identify the source NATO document the extract was taken from on the "Derived From" line and include any declassification/ downgrading instruction. 11. Reproduction. Limit reproduction of NS, NSA, NC, and NCA documents only to quantities sufficient to meet current mission requirements, when there are no reproduction limitations imposed. Do not reproduce CTS or CTSA documents. 12. Control. Designated NATO subregistries and control points receive, record, handle, and distribute NS and above information. 13. Accountability. COSMIC subregistries and control points keep records of origination, receipt, transmission, change of classification or declassification, and destruction of all CTS documents.

42

AFI31-406_USAFESUP1_I 20 APRIL 2006

14. Excerpts of US Code. Excerpts from the following US Codes apply to NATO material: a. Title 18 U.S.C. Section 793, Gathering, Transmitting, or Losing Defense Information. b. Title 18 U.S.C. Section 794, Gathering or Delivering Defense Information to Aid Foreign Governments. c. Title 50 U.S.C. Section 783 Offenses.

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 5 SAMPLE ATOMAL BRIEFING Use to conduct initial and annual rebriefing for personnel who have ATOMAL access, regardless of the level. Record this annual briefing on AF Form 2583, block 30. 1. ATOMAL Information. The words "Atomic Information" refer to information designated by the US Government as "Restricted Data" or "Formerly Restricted Data" in accordance with the Atomic Energy Act of 1954. The word "ATOMAL" refers to atomic information communicated by the Governments of the United States and the United Kingdom to NATO under the Agreement Between the Parties to the North Atlantic Treaty for Co-Operation Regarding Atomic Information. 2. Classification. ATOMAL information may be classified as COSMIC Top Secret ATOMAL (CTSA), NATO Secret ATOMAL (NSA), or NATO Confidential ATOMAL (NCA).

43

3. Markings. Place the "ATOMAL" after the appropriate NATO classification designation at the top and bottom of each page containing ATOMAL information. The last custodian before transmission to NATO is responsible for the ATOMAL marking. 4. Extracts. Mark in the same manner required for other NATO classified extracts. Identify the source NATO document the extract was taken from on the "Derived From" line and write the Restricted Data or Formerly Restricted Data warning notice (see DoD 5200.1-R, paragraph 5-208) and the statement "This Document Contains (classification) ATOMAL Information". 5. Reproduction. Limit reproduction of NSA and NCA documents only to quantities sufficient to meet current mission requirements, when there are no reproduction limitations imposed. Do not reproduce CTSA documents. 6. Disclosure. Before disclosing ATOMAL information, ensure the person has a need-to-know the information, and is properly cleared for the level of material involved. Ensure a disclosure record is attached to each accountable ATOMAL document. Use AF Form 144; remove it from the document before transfer or destruction. 7. Packaging. Use the same receipt form required for other NATO classified documents. Prepare for transmission using the "double opaque" concept. 8. Control. Designated ATOMAL subregistries and control points receive, record, handle, and distribute ATOMAL documents. 9. Accountability. ATOMAL subregistries and control points keep records of origination, receipt, transmission, change of classification or declassification, and destruction of all ATOMAL documents.

44

AFI31-406_USAFESUP1_I 20 APRIL 2006

10. Excerpts From the Atomic Energy Act of 1954. a. Title 42 U.S.C. Section 2274, Communication of Restricted Data. b. Title 42 U.S.C. Section 2275, Receipt of Restricted Data. c. Title 42 U.S.C. Section 2276, Tampering With Restricted Data. d. Title 42 U.S.C. Section 2277, Disclosure of Restricted Data.

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 6 SAMPLE NATO ACCESS DEBRIEFING 1. Now that your access to is being terminated, you must return all NATO classified documents you have in your possession. Return these documents to .

45

2. Your responsibility does not end with the turn-in of NATO classified materials. You no longer have a reason or authority to discuss NATO classified information with anyone, to include persons you know to be properly cleared. Do not discuss your past work. 3. You are required by law to immediately report any attempt by an unauthorized individual to solicit NATO information from you. Report such an attempt to the nearest Air Force Office of Special Investigations (AFOSI). If you are being separated from military or civil service, report attempts to the nearest office of the Federal Bureau of Investigations (FBI). 4. If you prepare material for public release that may or might contain NATO classified information, you should submit the material for a security review of the nearest Air Force Public Affairs Office or the Secretary of the Air Force, Public Affairs Secretary. 5. (For ATOMAL) You have had access to information relating to the national defense (including Restricted Data) which is protected by statute. These statutes make it a crime to unlawfully communicate information of national defense to any person when there is reason to believe that the information will be used to the injury of the United States or to the advantage of a foreign government. The penalties prescribed for violations of these statutes, through willful acts or gross negligence, vary according to the statute, the circumstances, and the information involved. 6. In a few moments you will sign AF Form 2587 officially terminating your NATO access. You will acknowledge that any unauthorized disclosure of NATO classified information is prohibited and punishable by law.

46

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 7

INTERIM CHANGE 2004-1 TO AFI 31-406, APPLYING NORTH ATLANTIC TREATY ORGANIZATION (NATO) PROTECTION STANDARDS 29 JULY 2004 SUMMARY OF REVISIONS This revision incorporates Interim Change IC2004-1. This change revises the timeframe for periodic reinvestigations for Secret information from 5 years to 10 years. Requires submission at the nine year mark. 4.13. NATO Billets. [Reference USSAN 1-69, ATT 1, paragraph 30 ­ 32, C-M(2002)49, and NATO Directive AC/35-D/2000] 4.13.1. Personnel assigned to a NATO billet, who require access to CTS or COSMIC Top Secret ATOMAL (CTSA), require a SSBI or SSBI periodic reinvestigation (SBPR) within five years. 4.13.2. Air Force members assigned to a NATO billet who require access to NS, NATO Secret ATOMAL (NSA), NATO Confidential (NC), or NATO Confidential ATOMAL (NCA) require a National Agency Check (NAC) submitted prior to 10 May 1999, National Agency Check, Local Agency Checks and Credit Check (NACLC) if submitted 10 May 1999 or after, or a Secret periodic reinvestigation (PRS), which are less than ten years old. 4.13.3. Civilian employees assigned to a NATO billet who require access to NS, NSA, NC, or NCA require a National Agency Check with Written Inquiries (NACI) submitted prior to 10 May 1999, Access National Agency Check with Written Inquiries and Credit Check (ANACI) if submitted 10 May 1999 or after, or National Agency Check with Written Inquiries and Credit Checks (NACIC) if it was conducted prior to 3 May 1999 and secret clearance eligibility was granted by the Air Force Central Adjudication Facility (AFCAF), which are less than ten years old. 4.13.4. Verification of an individual's previous investigation is required before assignment to a NATO billet if there is a break in service and or employment of 12 months or longer. Utilize the Joint Personnel Adjudication System (JPAS) for verfication. [Reference AC/35D/2000, paragraph 16]. 4.13.5. Air Force and civilian personnel assigned to NATO billets requiring access to NATO CTS or COSMIC Top Secret ATOMAL (CTSA) classified information require periodic reinvestigations every five years. Submit periodic reinvestigation requests when the previous investigation is four years old (48 months) in accordance with AFI 31-501. [Reference NATO Directive AC/35-D/2000, paragraph 17]. 4.13.6. Air Force and civilian personnel assigned to NATO billets requiring access to NS, NATO Secret ATOMAL (NSA), NATO Confidential (NC), or NATO Confidential ATOMAL (NCA) classified information require periodic reinvestigations every ten years. Submit periodic reinvestigation requests when the previous investigation is nine years old (108 months) in accordance with AFI 31-501. [NATO Directive AC/35-D/2000, paragraph 17].

AFI31-406_USAFESUP_I 20 APRIL 2006 Attachment 1, Glossary of Reference and Supporting Information. References AC/35-D/2000, Directive on Personnel Security C-M(2002)49, Security within the North Atlantic Treaty Organization (NATO)

47

DoDD 5100.55, United States Security Authority for North Atlantic Treaty Organization Affairs DoD 5200.1-R, Information Security Program DoD 5200.22-M, National Industrial Security Operating Manual (NISPOM) USSAN 1-69, United States Implementation of NATO Security Procedures AFI 16-201, Foreign Disclosure of Classified and Unclassified Military Information to Foreign Governments and International Organizations AFPD 31-4, Information Security Program AFI 31-401, Managing the Information Security Program AFI 31-501, Personnel Security Program Management AFI 33-202, Network and Computer Security AFI 33-203, Emission Security Program AFI 33-212, Reporting COMSEC Deviations AFI 61-205, Sponsoring or Cosponsoring, Conducting and Presenting DoD Related Scientific and Technical Papers at Unclassified and Classified Conferences, Symposia, and Other Similar Meetings AFI 71-101, Volume 3, Technical Surveillance Countermeasures (TSCM) Program AFMAN 37-139, Records Disposition Schedule Abbreviations and Acronyms ACP--Allied Communications Publication AF--Air Force AFCAF--Air Force Central Adjudication Facility (formerly 497 IG/INS) AFI--Air Force Instruction AFOSI--Air Force Office of Special Investigation AFPD--Air Force Policy Directive AFR--Air Force Regulation ANACI--Access National Agency Check with Written Inquires and Credit Check API--Advance Planning Information

48 CONUS--Continental United States CTSA--COMIC Top Secret ATOMAL CTS--COSMIC Top Secret CUSR--Central United States Registry DRU--Direct Reporting Units FOA--Field Operating Agencies FDR--Formerly Restricted Data

AFI31-406_USAFESUP1_I 20 APRIL 2006

HQ USAF/XOFI--Headquarters Air Force, Chief Information Security Division HQ USAFE/SFI--Headquarters United States Air Forces in Europe, Directorate of Security Forces, Security Programs Division IS--Information Systems ISPM--Information Security Program Manager JPAS--Joint Personnel Adjudication System LAA--Limited Access Authorization MAJCOM--Major Command NAC--National Agency Check NACIC--National Agency Check with Written Inquiries and Credit Checks NACLC--National Agency Check, Local Agency Checks and Credit Check NATO--North Atlantic Treaty Organization NCA--NATO Confidential ATOMAL NISPOM--National Industrial Security Operating Manual NPLO--NATO Production and logistics Organization NR--NATO Restricted NS--NATO Secret NSA--NATO Secret ATOMAL OCA--Original Classification Authority PCS--Permanent Change of Station PRS--Periodic Reinvestigation Secret SAF/AA--Administrative Assistant to the Secretary of the Air Force SAF/IA--Deputy Under Secretary of the Air Force, International Affairs SBPR--Periodic Reinvestigation Top Secret SCIF--Sensitive Compartmented Information Facilities

AFI31-406_USAFESUP_I 20 APRIL 2006 SIF--Security Information File SF--Standard Form SSBI--Single Scope Background Investigation TDY--Temporary Duty TSCM--Technical Surveillance Countermeasures U--Unclassified USPS--United States Postal Service USSAN--United States Security Authority for NATO Affairs

49

50

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 8 (Added-USAFE) NATO RESTRICTED

A8.1. (Added-USAFE) General. NATO Restricted (NR) is the fourth level of classification for NATO information, and since the U.S. does not have an equivalent security classification, confusion, issues, and concerns often arise pertaining to access, protection, transmission, etc. We are obligated to protect NR information at the U.S. CONFIDENTIAL level. The CUSR obtained relief from the U.S. CONFIDENTIAL storage requirements, allowing us to store NR materiel outside of GSA approved security containers (see A8.4 (Added) Safeguarding, below). This attachment outlines the policies, procedures, and requirements associated with NR. For ease of reference and to provide better clarification, several policies, procedures, and requirements are repeated from AFI 31-406 and this supplement. A8.2. (USAFE) Access: A8.2.1. (Added-USAFE) U.S. Personnel. While personnel requiring access to NR do not need to have a U.S. security clearance or eligibility, nor must they be in-briefed into NATO, certain access restrictions and requirements do apply; specifically, personnel must: A8.2.1.1. (Added-USAFE) As a minimum, have a favorably completed National Agency Check (NAC) or higher investigation. Personnel with a clearance eligibility of Action Pending established by the Central Adjudication Facility (CAF) or Security Information File (SIF) established by the commander or staff agency chief and access to U.S. classified information has been suspended cannot access NR information. A8.2.1.2. (Added-USAFE) Have valid need-to-know, be trustworthy and reliable, and the access to the NR information must be in the best interests of NATO. A8.2.1.3. (Added-USAFE) Be informed of the appropriate NATO security directives, security protection requirements for safeguarding NR information, and the consequence of negligent handling. While indoctrination into NATO is not required for access to NR and since no formal type indoctrination governing NATO security directives, security protection requirements for safeguarding NR information, and the consequence of negligent handling exists, it is recommended personnel be briefed utilizing the AFI 31 406, Attachment 4, Sample Initial NATO Security Briefing, or the indoctrination guide located on the U.S. Central Registry web site, https://secureweb.hqda.pentagon.mil/cusr/. Documentation of a NATO for NR access is not required. A8.2.2. (Added-USAFE) Non-U.S. Personnel. Members of NATO nations, to include NATO military personnel, and local nationals of NATO member nations employed by the AF may have access to NR information provided they have been granted access by their host government and have a need-to-know. A8.3. (Added-USAFE) Marking. While most NR received is already properly marked, when new documents, etc., containing NATO classified information are derived from other NATO classified sources, they must be properly marked; specifically: A8.3.1. (Added-USAFE) Page, portion, and paragraph markings.

AFI31-406_USAFESUP_I 20 APRIL 2006

51

A8.3.2. (Added-USAFE) Derivative source or sources (utilize the guidance outlined in paragraph A8.4 (Added)). A8.3.3. (Added-USAFE) Declassification information (utilize the guidance outlined in paragraph A8.4.4 (Added)). A8.4. (Added-USAFE) Safeguarding: A8.4.1. (Added-USAFE) Storage. As outlined AFI 31-406, paragraph 5.2., NR must be protected similar to For Official Use Only (FOUO) and in such a manner to prevent disclosure to non-government personnel and from public access and release. During duty hours, NR must be in the possession of authorized personnel and or protected at all times to minimize the risk of unauthorized access. During non-duty hours or periods when a building or room is left unattended: A8.4.1.1. (Added-USAFE) NR must be stored in a filing cabinet, desk, security container, or other similar type container which are located in rooms where AF or AF contractor internal building security is provided during non-duty hours; or: A8.4.1.2. (Added-USAFE) Where such internal security is not available, locked buildings or rooms will provide adequate protection as long as AF or AF contractors control the keys/combinations. A8.4.1.3. (Added-USAFE) NR information must be stored separately from non-NATO information. If it is stored in a security container, it must be separated in the same manner as NS; specifically, in a separate container, different drawers of the same container, or as a minimum, in the same drawer with a clear division between the NATO and U.S. material. A8.4.2. (Added-USAFE) Combinations. Combinations to GSA approved security containers, vaults, or rooms, areas, and or buildings approved for the open storage of classified information that store only NR information do not require annual combination changes. A8.4.3. (Added-USAFE) Coversheets. The U.S. does not have a coversheet similar to NR. Utilize the CUSR NATO Restricted coversheet located on the CUSR web site at https://secureweb.hqda.pentagon.mil/cusr/ or a plain piece of bond paper with NATO Restricted written or printed in bold letters at the top and bottom of the paper. A8.4.4. (Added-USAFE) Extracts. When NR is extracted and included in a U.S. document, the following requirements must be met: A8.4.4.1. (Added-USAFE) U.S. Unclassified Document: A8.4.4.1.1. (Added-USAFE) The cover, or in the absence of a cover, the first page must be marked with the statement "This Document Contains NATO RESTRICTED Information." A8.4.4.1.2. (Added-USAFE) The cover, or in the absence of a cover, the first page must include a "Derived From" line that identifies the title and date of the NR source. If the NR information is extracted from more than one NR source, place "Multiple Sources" on the "Derived From" line and identify the title, date, and author (when

52

AFI31-406_USAFESUP1_I 20 APRIL 2006 applicable) of each NR source on the file or record copy of the document. Include the most restrictive declassification instruction in your new document. A8.4.4.1.3. (Added-USAFE) The cover or, in the absence of a cover, the first page must include a "Declassify On" line that reflects when the NR information is scheduled for declassification by the NATO originator. If the NR source does not contain a declassification instruction, leave it blank. A8.4.4.1.4. (Added-USAFE) The statement "This Page Contains NATO RESTRICTED Information, Safeguard in Accordance with AFI 31-406" must be placed at the top and bottom of each page that contains the NR information. A8.4.4.1.5. (Added-USAFE) The NR extracted material (paragraph, diagrams, graphs, pictures, etc.) must be portion-marked with "NR." Apply the U.S. unclassified marking only to the portions of the document containing U.S. unclassified information. Any NATO unclassified information will be portion marked "NU." A8.4.4.2. (Added-USAFE) U.S. Classified Document: A8.4.4.2.1. (Added-USAFE) The cover, or in the absence of a cover, the first page must be marked with the highest classification level of U.S. information contained in the document and the statement "This Document Contains NATO RESTRICTED Information." A8.4.4.2.2. (Added-USAFE) The cover, or in the absence of a cover, the first page must include a "Derived From" line that identifies the title, date, and author (when applicable) of both the U.S. classification and NR sources. If the U.S. and or NR information is extracted from more than one source, place "Multiple Sources" on the "Derived From" line and identify the title, date, and author (when applicable) of each U.S. classification and NR source on the file or record copy of the document. A8.4.4.2.3. (Added-USAFE) The cover, or in the absence of a cover, the first page must include a "Declassify On" line that reflects both U.S. declassification instructions and when the NR information is scheduled for declassification by the NATO originator. Include the most restrictive declassification instruction in your new document. A8.4.4.2.4. (Added-USAFE) The highest classification level of U.S. information must be marked on the top and bottom of each page of the document, and the statement "This Page Contains NATO RESTRICTED Information, Safeguard in Accordance with AFI 31-406" must be placed at the top and bottom of each page that contains the NR information. A8.4.4.2.5. (Added-USAFE) The NR extracted material (paragraph, diagrams, graphs, pictures, etc.) must be portion-marked with "NR." Apply the U.S. classification or unclassified marking only to the portions of the document containing U.S. classified information. Any NATO unclassified information will be portion marked "NU."

AFI31-406_USAFESUP_I 20 APRIL 2006

53

A8.4.5. (Added-USAFE) Document Control. NR does not require document control unless prescribed by the NATO originator, in which case it will be controlled in the same manner as NS. A8.4.6. (Added-USAFE) Reproduction : A8.4.6.1. (Added-USAFE) NR information may be reproduced without the approval of the NATO originator, subregistry, or control point, does not require documentation and or recording of the reproduction, and does not require document control. A8.4.6.2. (Added-USAFE) NR only be reproduced on equipment approved by the commander for the reproduction of U.S. classified information. A8.4.7. (Added-USAFE) Destruction: A8.4.7.1. (Added-USAFE) NR may be destroyed by one individual and accountability and or a destruction certificate is not needed unless required by the NATO originator, in which case it will be destroyed in the same manner as NS (refer to AFI 31 -406, paragraph 5.12.2.). A8.4.7.2. (Added-USAFE) NR must be destroyed on equipment approved for the destruction of U.S. classified information. If the destruction equipment is not currently listed on the National Security Agency (NSA) Evaluated Products List of High Security Crosscut Shredders, additional destruction measures must be completed; specifically, burning, dispersing the waste (emptying the contents of the shredder bag into a dumpster or similar large sized waste container versus placing the sealed bag in a dumpster), wet pulping the shredded material, or converting it to paper mache by mixing the shredded material with water and a small quantity of liquid soap. A8.4.8. (Added-USAFE) Meetings and Conferences. Activities hosting conducting meetings and conference involving NR information must ensure: and or

A8.4.8.1. (Added-USAFE) Appropriate security measures are taken to protect the NR information discussed and provided to the attendees, to include but not limited to documents, recordings, audiovisual material, notes, and other materials created, distributed, or used during the meeting or conference. A8.4.8.2. (Added-USAFE) Access to the meeting or conference is limited to personnel with a need-to-know the NR information. A8.5. (Added-USAFE) Transmission and Information Systems (IS): A8.5.1. (Added-USAFE) Telephone and Fax. NR may only be discussed over a telephone and or transmitted by a fax that has been approved for the transmission of U.S. classified information. A8.5.2. (Added-USAFE) Postal Mail: A8.5.2.1. (Added-USAFE) NR must be sent as U.S. Postal Service First Class mail and only through the Army Post Office Overseas (APO) or Fleet Post Office (FPO) mail system. Sending NR to a civilian address or through international mail channels, the Base Information Transfer System (BITS), to include using any Optional Form 65 series, U.S. Government Messenger Envelopes (commonly referred to as a Holey Joe), Intratheater Delivery Service (IDS), or Intra-theater Mail (DODIM) is prohibited.

54

AFI31-406_USAFESUP1_I 20 APRIL 2006 A8.5.2.2. (Added-USAFE) Package NR in a single opaque, sealed envelope, wrapping, or container, durable enough to properly protect the material from accidental exposure and facilitate detection of tampering. The envelope, wrapper, etc., will bear the proper delivery address, endorsed with "Return Service Requested" instead of "POSTMASTER: Do Not Forward," and must not be marked in any manner that indicates the contents are NR or that the package contains NR information. A8.5.2.3. (Added-USAFE) NR must not be enclosed in the same inner envelope, wrapper, etc., with U.S. classified information. A8.5.2.4. (Added-USAFE) Receipts are not required for NR unless required by the originator, in which case receipting will be in the same manner as NS. A8.5.3. (Added-USAFE) Courier . As with any classified information, U.S. or NATO, NR should only be hand-carried as a last resort and when all other means of getting the NR information to the appropriate destination have been exhausted. Specific requirements for hand-carrying NR are outlined below: A8.5.3.1. (Added-USAFE) Squadron commanders and above, or staff agency chiefs must authorize personnel to hand carry NR information off the installation by any means, to include commercial flights. This authorization cannot be delegated. A8.5.3.2. (Added-USAFE) Authorization is not required when hand carrying NR information to activities within the installation. Follow local classified courier procedures to hand carry within the local military community. EXCEPTION: Authorization to hand carry NR information off the installation and within an established military community during increased Force Protection conditions may be restricted. Consult local instructions and or guidance. A8.5.3.3. (Added-USAFE) Written authorization to hand carry NR information must be in memorandum format meeting the requirements of DOD 5200.1-R, paragraph 7.302a., signed by the squadron commander or above, or staff agency chief, and written in English and if possible, in the language of the countries through which the courier is traveling. A8.5.3.4. (Added-USAFE) All handcarried NR information, to include NR information handcarried off the installation, within the installation, and or an established military community must be properly packaged. A8.5.3.5. (Added-USAFE) Personnel authorized to hand carry NR information must be in possession of the appropriate Department of Defense (DoD) identification card, the original copy of the authorization memorandum, and sufficient copies of the authorization memorandum in case it is necessary to provide a copy to airlines, etc. A8.5.4. (Added-USAFE) Laptop Computers. Laptop Computers are considered high risk because of their commercial value. When using a laptop computer to hand carry NR information, the following requirements must be met: A8.5.4.1. (Added-USAFE) The individual must be authorized to hand carry the laptop computer (refer to AFI 31-401, paragraph 6.7.). A8.5.4.2. (Added-USAFE) The laptop computer and any disks must be password protected.

AFI31-406_USAFESUP_I 20 APRIL 2006

55

A8.5.4.3. (Added-USAFE) The laptop computer and any disks must be properly marked to reflect the highest level of classification contained on the computer and or disks. A8.5.4.4. (Added-USAFE) Laptop computers must be properly packaged (refer to paragraph A8.5.2.2 (Added)). A laptop computer case or container satisfies the outer packaging requirement. A8.5.4.5. (Added-USAFE) Disks must be physically separated from the laptop computer and properly packaged (refer to paragraph A8.5.2.2 (Added)). A8.5.4.6. (Added-USAFE) Laptop computers and any disks must be kept under constant observation and or surveillance. A8.5.5. (Added-USAFE) Information Systems (IS). NR may only be stored, transmitted, and or received on IS systems that are approved for NATO classified information. A8.5.5.1. (Added-USAFE) Within USAFE, NR may be received, stored, and or transmitted on a computer system connected to the USAFE SIPRNet. (Reference APPENDIX 6 to ANNEX to AC/35-D2002, Directive on Personnel Security). A8.5.5.2. (Added-USAFE) The receipt, storage, and or transmission of NR on any NIPRNet computer system is prohibited. Any violation of this prohibition is a security incident. A8.5.5.3. (Added-USAFE) Within USAFE, NR may only be posted on a USAFE SIPRNet web site or bulletin board. A8.5.5.4. (Added-USAFE) The posting of NR on any NIPRNet and or unclassified web site or bulletin board is prohibited. Any violation of this prohibition is a security incident. (Reference APPENDIX 6 to ANNEX to AC/35-D2002). A8.6. (Added-USAFE) Security Incidents. Security incidents involving NR information will be investigated in the same manner as incidents involving U.S. classified information (refer to AFI 31-401, Chapter 9).

56

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 9 (Added-USAFE) NATO UNCLASSIFIED

A9.1. (Added-USAFE) General. C-M(2002)60, The Management of Non-Classified NATO Information, dated 11 July 2002, outlines specific procedures, processes, and requirements involving NATO Unclassified (NU), and in many cases, this information and guidance is significantly different than the procedures, processes, and requirements involving U.S. unclassified information. While efforts to clarify certain C-M(2002)60 issues have been initiated with DoD, to date, no guidance has been issued. Until such time as DoD guidance is issued and depending on the information in that guidance, the provisions of C-M(2002)60 apply as written. This attachment outlines the policies, procedures, and requirements associated with NU. A9.2. (USAFE) Access. Personnel requiring access to NU information must have valid needto-know, be trustworthy and reliable, and the access to the NU information must be for official NATO purposes and in the best interests of NATO. A9.3. (USAFE) Marking. While most NU received is already properly marked, when new documents, etc., containing NU information are derived from other NU, they must be properly marked; specifically: A9.3.1. (Added-USAFE) Page, portion, and paragraph markings. A9.3.2. (Added-USAFE) Derivative source or sources (utilize the guidance outlined in AFI 31-401, paragraph 2.3.). A9.3.3. (Added-USAFE) Since information is not required. the information is not classified, declassification

A9.4. (Added-USAFE) Safeguarding: A9.4.1. (Added-USAFE) Storage. NU must be protected in such a manner to prevent unauthorized access, to include public access and release. Essentially, protection of NU is very similar to U.S. For Official Use Only (FOUO) information. During duty hours, NU must be in the possession of authorized personnel and or protected at all times to minimize the risk of unauthorized access. During non-duty hours or periods when a building or room is left unattended: A9.4.1.1. (Added-USAFE) NU must be stored in a locked filing cabinet, desk, security container, or other similar type lockable container; and: A9.4.1.2. (Added-USAFE) The locked filing cabinet, desk, security container, or other similar type lockable container must be located inside of a locked building or room on the installation; and: A9.4.1.3. (Added-USAFE) The locked building or room must be under the control of the government; specifically, government personnel and or government contractors control the keys or combinations to such buildings or rooms. A9.4.1.4. (Added-USAFE) While there is no requirement to store NU separately from non-NATO information, it is recommended to ensure proper accountability and protection.

AFI31-406_USAFESUP_I 20 APRIL 2006

57

A9.4.2. (Added-USAFE) Combinations. Combinations to GSA approved security containers, vaults, or rooms, areas, and or buildings approved for the open storage of classified information that store only NU information do not require annual combination changes. A9.4.3. (Added-USAFE) Coversheets. Coversheets for NU are not required. A9.4.4. (Added-USAFE) Extracts. When NU is extracted and included in a U.S. document, the following requirements must be met: A9.4.4.1. (Added-USAFE) U.S. Unclassified Document: A9.4.4.1.1. (Added-USAFE) The cover or, in the absence of a cover, the first page must be marked with the statement "This Document Contains NATO UNCLASSIFIED Information." A9.4.4.1.2. (Added-USAFE) The cover or, in the absence of a cover, the first page must include a "Derived From" line that identifies the title and date of the NU source. If the NU information is extracted from more than one NU source, place "Multiple Sources" on the "Derived From" line and identify the title, date, and author (when applicable) of each NU source on the file or record copy of the document. A9.4.4.1.3. (Added-USAFE) Since the information is not classified, a "Declassify On" line is not required. A9.4.4.1.4. (Added-USAFE) The statement "This Page Contains NATO UNCLASSIFIED Information" must be placed at the top and bottom of each page that contains the NU information. A9.4.4.1.5. (Added-USAFE) The NU extracted material (paragraph, diagrams, graphs, pictures, etc.) must be portion-marked with "NU." Apply the U.S. unclassified marking only to the portions of the document containing U.S. unclassified information. A9.4.4.2. (Added-USAFE) U.S. Classified Document: A9.4.4.2.1. (Added-USAFE) The cover or, in the absence of a cover, the first page must be marked with the highest classification level of U.S. information contained in the document and the statement "This Document Contains NATO UNCLASSIFIED Information." A9.4.4.2.2. (Added-USAFE) The cover or, in the absence of a cover, the first page must include a "Derived From" line that identifies the title, date, and author (when applicable) of both the U.S. classification and NU sources. If the U.S. and or NU information is extracted from more than one source, place "Multiple Sources" on the "Derived From" line and identify the title, date, and author (when applicable) of each U.S. classification and NU source on the file or record copy of the document. A9.4.4.2.3. (Added-USAFE) The cover or, in the absence of a cover, the first page must include a "Declassify On" line only for the U.S. declassification instructions. Include the most restrictive declassification instruction in your new document. Since NU is not classified information, declassification instructions are not required.

58

AFI31-406_USAFESUP1_I 20 APRIL 2006 A9.4.4.2.4. (Added-USAFE) The highest classification level of U.S. information must be marked on the top and bottom of each page of the document, and the statement "This Page Contains NATO UNCLASSIFIED Information" must be placed at the top and bottom of each page that contains the NU information. A9.4.4.2.5. (Added-USAFE) The NU extracted material (paragraph, diagrams, graphs, pictures, etc.) must be portion-marked with "NU." Apply the U.S. classification or unclassified marking only to the portions of the document containing U.S. classified information. A9.4.5. (Added-USAFE) Document Control. NU does not require document control. A9.4.6. (Added-USAFE) Reproduction. NU information may be reproduced unclassified reproduction equipment and without the approval of the NATO originator. on

A9.4.7. (Added-USAFE) Destruction. NU information may be destroyed on any shredder; however, it is recommended it be destroyed on shredders approved for the destruction of classified information since the shredded byproduct is smaller and helps prevent recognition or reconstruction. A9.4.8. (Added-USAFE) Meetings and Conferences. Activities hosting conducting meetings and conference involving NU information must ensure: and or

A9.4.8.1. (Added-USAFE) Appropriate measures are taken to protect the NU information discussed and provided to the attendees, to include but not limited to documents, recordings, audiovisual material, notes, and other materials created, distributed, or used during the meeting or conference. A9.4.8.2. (Added-USAFE) Access to the meeting or conference is limited to personnel with a need-to-know the NU information. A9.5. (Added-USAFE) Transmission and Information Systems (IS): A9.5.1. (Added-USAFE) Telephone and Fax. NU may be discussed over any unclassified telephone and or transmitted by unclassified fax equipment. A9.5.2. (Added-USAFE) Postal Mail: A9.5.2.1. (Added-USAFE) NU may be sent by any class of U.S. Postal Service mail within the APO or FPO mail system, Intra-theater Delivery Service (IDS), Intra-theather Mail (DODIM). It may also be sent through the Base Information Transfer System (BITS), provided the NU information is not visible, especially when using any Optional Form 65 series, U.S. Government Messenger Envelope (commonly referred to as a Holey Joe). A9.5.2.2. (Added-USAFE) Package NU in a single opaque sealed envelope, wrapping, or container, durable enough to properly protect the material from accidental exposure. A9.5.2.3. (Added-USAFE) Receipts are not required for NU. A9.5.3. (Added-USAFE) Hand carrying. NU information may be hand carried on or off an installation and or within an establish USAFE military community without approval authorization; however, it must be appropriately wrapped and protected against unauthorized exposure and or release.

AFI31-406_USAFESUP_I 20 APRIL 2006

59

A9.5.4. (Added-USAFE) Laptop Computers . NU information may be transported on laptop computers and or computer disks without approval authority; however, the information must be protected against unauthorized exposure and or release. A9.5.5. (Added-USAFE) Information Systems (IS). C-M(2002)60 mandates that NU may only be posted, stored, transmitted, and or received on a IS system that is deemed a "secure environment". Coordination with the Office of the Secretary of Defense (OSD), International Security Program (NATO Policy) confirmed that within DoD, a "secure environment" is essentially defined as a classified IS system (SIPRNet) or any unclassified IS system (Non-Secure Internet Protocol Router Network (NIPRNet)) that utilizes the DoD Public Key Infrastructure (PKI) encryption. Within USAFE: A9.5.5.1. (Added-USAFE) NU may be received, stored, and or transmitted on a computer system connected to the USAFE SIPRNet (refer to Attachment 10 (Added); or: A9.5.5.2. (Added-USAFE) NU may be received, stored, and or transmitted on a computer system connected to the NIPRNet computer system utilizing DOD PKI encryption; specifically: A9.5.5.2.1. (Added-USAFE) Access to the NIPRNet computer system is gained using the Common Access Card (CAC) and DOD PKI certificates; and: A9.5.5.2.2. (Added-USAFE) Transmission of NU on a NIPRNet computer system is permitted ONLY if the e-mail containing the NU (within the body of the e-mail or as and attachment) is digitally signed and encrypted using DOD PKI. The transmission of NU on a NIPRNet computer system without DOD PKI encryption is prohibited. A9.5.5.3. (Added-USAFE) Within USAFE, NU may only be posted on a USAFE SIPRNet web site or bulletin board (refer to Attachment 10 (Added); or: A9.5.5.4. (Added-USAFE) On an unclassified DoD web site or bulletin board that requires the use of DoD PKI Certificates for access. The posting of NU on any DoD unclassified web site or bulletin board without DoD PKI encryption is prohibited. A9.6. (Added-USAFE) Security Incidents. Incidents involving NU do not require investigation; however, commanders and staff agency chiefs will take appropriate action in cases involving knowing, willful or negligent disregard for the provisions outlined in this attachment; to include but not limited to disciplinary action, suspension of NIPRNet access, etc.

60

AFI31-406_USAFESUP1_I 20 APRIL 2006 Attachment 10 (Added-USAFE) USAFE SECRET INTERNET PROTOCOL ROUTER NETWORK (SIPRNET) ACCREDITATION FOR NATO CLASSIFIED INFORMATION

A10.1. (Added-USAFE) General. The USAFE Designated Approving Authority (DAA) accredited the USAFE SIPRNET for NATO classified on 1 Aug 03; however, it remains a "U.S. ONLY" system and access by NATO members or foreign nationals is prohibited. This attachment outlines the policies, procedures, and requirements associated with the SIPRNET accreditation. For ease of reference and to provide better clarification, several policies, procedures, and requirements are repeated from AFI 31-406 and this supplement. A10.2. (USAFE) Access Requirements. U.S. personnel requiring access to the USAFE SIPRNET must meet the NATO access requirements outlined in AFI 31 -406, Applying North Atlantic Treaty Organization (NATO) Protection Standards; specifically: A10.2.1. (Added-USAFE) Possess a current U.S. security clearance equal to or greater than the classification level of the NATO information and meet all requirements for access to U.S. classified information. A10.2.1.1. (Added-USAFE) A "current" U.S. security clearance is defined as one that is to the appropriate level and the "investigation" is within the required scope; specifically, the investigation granting Secret eligibility is not 10 years old or older, the investigation granting Top Secret or Director of Central Intelligence Directive (DCID) 6/4 eligibility is not 5 years old or older, or the investigation is out of scope but the required periodic reinvestigation has been submitted by an Authorized Requestor to the investigative agency provider. A10.2.2. (Added-USAFE) Have a need-to-know the NATO classified information. A10.2.3. (Added-USAFE) Be briefed and granted access to NATO classified by the commander, staff agency chief or their designee. A10.2.3.1. (Added-USAFE) Retain the AF IMT 2583 or computer generated roster on file at the unit of assignment according to the AFRIMS Records Disposition Schedule. A10.2.4. (Added-USAFE) NATO access does not transfer upon permanent change of station (PCS). Personnel who arrive via PCS and require access to NATO classified must be briefed and granted access to NATO classified. A10.3. (Added-USAFE) Debriefing: A10.3.1. (Added-USAFE) Personnel must be debriefed from NATO access if their U.S. security clearance eligibility is suspended, removed, revoked, or upon PCS. Personnel departing permanent change of assignment (PCA) must also be debriefed from NATO access unless: A10.3.2. (Added-USAFE) The NATO access was granted solely for SIPRNET access; and: A10.3.3. (Added-USAFE) The requirement for continued SIPRNET access exists at the gaining organization; and:

AFI31-406_USAFESUP_I 20 APRIL 2006

61

A10.3.4. (Added-USAFE) The PCA was to an organization within in same SIPRNET domain (Example: PCA from an "@ramstein.smil.mil to another @ramstein.smil.mil organization, etc.). A10.3.5. (Added-USAFE) Debriefings will be recorded on the AF IMT 2587 and retained according to the AFRIMS Records Disposition Schedule. A10.4. (Added-USAFE) Temporary Duty (TDY) Assignments Requiring NATO Access. When personnel TDY to USAFE require access to NATO classified information, the parent organization will grant NATO access before a TDY, include the authorization in the DD Form 1610, Request and Authorization for TDY Travel of DoD Personnel or other official TDY orders, and ensure the access is entered into JPAS. When NATO access requirements arise during a TDY, the host USAFE commander or staff agency chief is responsible for providing initial and termination briefings, and the appropriate entries into JPAS. A10.5. (USAFE) Transmitting NATO Classified on the SIPRNET. NATO Cosmic Top Secret (CTS) and all levels of NATO Atomal (CTS Atomal (CTSA), NATO Secret Atomal (NSA), and NATO Confidential Atomal (NCA)) are PROHIBITED from transmission on any accredited SIPRNET. NATO Secret (NS), NATO Confidential (NC), and NATO Restricted (NR) information may only be transmitted on the SIPRNET if the "senders'" SIPRNET has been accredited for NATO and the "sender" has verified following requirements have been met: A10.5.1. (Added-USAFE) The "receiver's" SIPRNET has been accredited for NATO classified by the appropriate DAA. A listing of SIPRNETs accredited for NATO classified is posted on the U.S. Central Registry web site, https://secureweb.hqda.pentagon.mil/cusr/. A10.5.2. (Added-USAFE) The receiver has been briefed into NATO as outlined in paragraph A10.2 (Added) above. Within USAFE, the entire USAFE SIPRNET is accredited for NATO and all SIPRNET users are briefed into NATO. This may not be the case with other SIPRNET addresses outside of USAFE. Unless the sender can verify all users of an accredited SIPRNET have been briefed into NATO, the sender must confirm the NATO access status of each potential recipient using JPAS. If JPAS does not properly reflect the NATO access and or there is question as to its validity, the sender must contact each recipient and or the recipient's security manager to verify NATO access. A10.5.3. (Added-USAFE) All recipients have a "need to know" the NATO classified information. While there is no prohibition of sending NATO classified information to a SIPRNET organizational distribution box, it is strongly recommended senders refrain from this option "unless" they have verified that every member of the distribution box have a valid "need to know". A10.6. (Added-USAFE) Marking NATO Classified Information on an Accredited SIPRNET. NATO classified information transmitted on an accredited SIPRNET must be appropriately marked in accordance with AFI 33-119, Air Force Messaging, and AFI 31-401, Information Security Program Management, paragraph 4.11. Additionally, all e-mail attachments containing NATO classified information and NATO information posted on accredited SIPRNET web pages must be properly marked, to include but not limited to page, portion, and paragraph markings, and classified by, reason, and declassify lines. A10.7. (USAFE) SIPRNET Web Site and Bulletin Board Access Control. SIPRNET web sites and bulletin boards that contain NATO classified information must be password protected

62

AFI31-406_USAFESUP1_I 20 APRIL 2006

to prevent unauthorized access by personnel not hosted on a SIPRNET accredited for NATO classified information. A10.7.1. (Added-USAFE) For USAFE personnel with approved SIPRNET access, the system log-on is considered the access control mechanism. A10.7.2. (Added-USAFE) Passwords used to prevent unauthorized access to SIPRNET web sites and bulleting boards that contain NATO classified information shall be protected as NATO Secret. Passwords do not require accountability with the supporting NATO subregistry or NATO unit control point. A10.8. (Added-USAFE) Labeling SIPRNET Equipment. All equipment (i.e. desktops, laptops, servers, removable hard drives, monitors, printers, etc.) connected to an accredited SIPRNET will be labeled IAW USSAN Instruction 1-07, 7.9. In addition to the SF Form 707, Secret (Label) currently required for SIPRNET equipment, affix a USEUCOM SIPRNET U.S./NATO SECRET label. The use of the NATO Ace Form 144, NATO Secret Label or any other NATO media marking forms or stickers is prohibited. A10.9. (USAFE) Marking Removable Computer Storage Media and Documents. NATO classified information transferred from the SIPRNET to removable computer storage media, such as computer diskettes, ZIP diskettes, CD-ROMs, etc., and printed hard copy documents will be properly marked as outlined below. A10.9.1. (Added-USAFE) Apply the United States European Command (USEUCOM) SIPRNET U.S./NATO SECRET label to Automated Information System (AIS), removable hard drives, diskettes, ZIP diskettes, CD ROMs etc. A10.9.2. (Added-USAFE) Individual NS, NC, and NR e-mails, files, or documents printed from the SIPRNET or removable computer storage media must be correctly marked to the highest level of classified NATO information contained in the document. A10.9.3. (Added-USAFE) The use of NATO Ace Forms 144, ACE Form 143, NATO Confidential Label, and ACE Form142, NATO Restricted Label or any other NATO media marking forms or stickers is prohibited. A10.10. (Added-USAFE) Media and Document Control: A10.10.1. (Added-USAFE) All SIPRNET media used to receive, store, or process NS classified information must be controlled and registered with the supporting NATO subregistry or unit control point. Examples of storage media are: A10.10.1.1. (Added-USAFE) Removable hard drives, file servers, and portable computing devices, to include but not limited to laptops, electronic notebooks, palmtops, palm pilots, personal digital assistants (PDA), etc., with fixed hard discs or drives (or other non-volatile storage media), operating either in stand-alone mode or as networked configurations. A10.10.1.2. (Added-USAFE) Fixed hard drives. For SIPRNET computers with fixed hard drives, utilize the Central Processing Unit (CPU) serial number for accountability purposes. If at any time the fixed hard drive is removed from the CPU, it must be accounted for separately by its serial number for the duration the hard drive remains removed from the CPU, until destruction, or reinserted into the CPU.

AFI31-406_USAFESUP_I 20 APRIL 2006

63

A10.10.1.3. (Added-USAFE) Removable computer storage media, to include but not limited to diskettes, ZIP diskettes, CD-ROMs, etc. A10.10.2. (Added-USAFE) NS e-mails, files or documents that are received, stored, and processed on an accredited SIPRNET or transferred to removable computer storage media (computer diskettes, ZIP diskettes, CD-ROMs, etc.) do not require individual control or registration unless printed in hard copy form (refer to AFI 31-406, paragraph 5.8.). These files in their electronic state must already have proper control (via the accredited SIPRNET), but once these files are printed out in hard copy they have lost that required control/registration. A10.10.3. (Added-USAFE) Individual NS e-mails, files, or documents printed from the SIPRNET or removable computer storage media must be controlled and registered with the supporting NATO subregistry or unit control point. A10.10.4. (Added-USAFE) All SIPRNET media used to receive, store, or process NC and NR classified information, and printed hard copies of individual e-mails, files or documents that contain NC or NR information do not require control or registration with the supporting NATO Subregistry or unit control point unless required by the NATO originator. A10.11. (Added-USAFE) NATO Unit Control Points and NATO Users: A10.11.1. (Added-USAFE) Commanders will establish a NATO unit control point if their organization possess 10 or more SIPRNET terminals and or routinely maintain 10 or more NATO classified documents. Follow the procedures outlined in AFI 31-406, paragraph 7.2. A10.11.2. (Added-USAFE) Commanders of organizations that possess less than 10 SIPRNET terminals and or do not routinely process NATO classified information will appoint, in writing, a NATO user to control and account for NATO classified within the organization. A10.12. (Added-USAFE) Accounting For and Controlling NS Media. The NATO subregistry, NATO unit control points, or NATO users are responsible for the accountability and control of NS media as prescribed below: A10.12.1. (Added-USAFE) NS media accountability and control will be documented on the AF IMT 3132, General Purpose. The worksheet must include the unit/organization and separate columns to reflect the document reference number, unclassified subject or short title, reference or serial number (as appropriate), originator, date of document, date received, date transferred (if applicable), agency transferred to, and date destroyed. Automated programs may be used in lieu of AF IMT 3132. While AFI 31-406 does authorize the use of the AF IMT 310, Document Receipt and Destruction Certificate for accountability, this option is not recommended since a separate AF IMT 310 is required for each NS media. A10.12.2. (Added-USAFE) NATO subregistries and NATO unit control points will develop and utilize reference or control numbers to account for and control NS media. The reference or control number will include the organizations address symbol, classification abbreviation, a sequential document number, and calendar year (for example: 776CS/NS/01/03, USAFE LG/NS/01/03). A10.12.3. (Added-USAFE) NATO subregistries are responsible for providing reference or control numbers to NATO users.

64

AFI31-406_USAFESUP1_I 20 APRIL 2006 A10.12.4. (Added-USAFE) NATO unit control points are responsible for providing reference or control number to account for and control NS media within their unit or organization. A10.12.5. (Added-USAFE) NATO unit control points and users are responsible for "active" accountability of their NATO classified information and material. NATO unit control points and users will provide copies of their active and inactive NS media accountability to the NATO subregistry upon request and not later than 15 January each year (for the previous calendar year); specifically, copies of the AF IMT 3132 and AF IMT 310.

A10.13. (Added-USAFE) Document Storage. E-mails, files or documents received on an accredited SIPRNET and contain NS, NC, or NR may be placed, stored, and or maintained in the same accredited SIPRNET file, folder, and or directory as non-NATO information; however, this intermingled of NATO and non-NATO information will be of the same functional area of interest or subject matter. While intermingling is permitted, it is recommended that NATO classified information be stored separately for better accountability. If removed from an accredited SIPRNET as outlined in A10.10.3 (Added), the storage separation requirements prescribed in AFI 31-406, paragraph 5.1. apply. A10.14. (USAFE) Reproduction of NATO Classified. Reproduction of printed hard copies of individual e-mails, files or documents that contain NS, NC, and NR information and are received, stored, and processed on an accredited SIPRNET is permitted without specific approval from NATO, the supporting subregistry, or unit control point. Refer to AFI 31-406, paragraph 5.11. A10.15. (USAFE) Destruction of NATO classified. NATO classified information, to include media and hard copy documents will be destroyed in the same manner as U.S. classified material of the same level. NS must be destroyed by two persons and the destruction properly recorded. Use an AF IMT 310 to record the destruction retain on file according to the AFRIMS Records Disposition Schedule. Destruction of media and hard copy documents containing NC and NR requires only one person and a destruction certificate is not needed unless required by the NATO originator. A10.16. (USAFE) Marking and Safeguarding Printed NATO Documents. Printed hard copy NATO classified documents must be: A10.16.1. (Added-USAFE) Appropriately marked as prescribed in AFI 31-406, Chapter 3. A10.16.2. (Added-USAFE) Safeguarded utilizing the procedures outlined in AFI 31-406, paragraph 5.4. A10.17. (Added-USAFE) Security Incidents Involving NATO Classified Information. Any security incident involving NS, NC, and NR information received, stored, and processed on an accredited SIPRNET must be me immediately reported to the appropriate supervisor, security manager, or commander, and to the Information Security Program Manager (ISPM) by the end of the first duty day. Security incidents involving NS, NC, and NR will also be investigated as prescribed in AFI 31-401, Information Security Program Management. Compromise or loss of NS, NC, and NR will be reported to SAF/AAP through HQ USAFE/IP. Examples of security incidents include but are not limited to:

AFI31-406_USAFESUP_I 20 APRIL 2006

65

A10.17.1. (Added-USAFE) Unauthorized access to a SIPRNET accredited for NATO classified information; specifically, accessing the network without a current U.S. security clearance equal to or greater than the classification level of the NATO information or accessing the network without having first been briefed and granted access to NATO classified by the commander, staff agency chief or their designee. A10.17.2. (Added-USAFE) The transmission or posting of NS, NC, or NR classified information to a SIPRNET that has not been accredited for NATO classified. A10.17.3. (Added-USAFE) The transmission or posting of CTS, CTSA, NSA, or NCA classified information on any SIPRNET, regardless of whether the network has been accredited for NATO classified information. A10.17.4. (Added-USAFE) Transmitting NS, NC, or NR classified information to any individual without first verifying they meet the NATO access requirements prescribed in paragraph A10.2 (Added) specifically, not verifying the individual's current U.S. security clearance equal to or greater than the classification level of the NATO information, the individual has the "need to know", and the individual has been briefed and granted access to NATO classified by the commander, staff agency chief or their designee. A10.17.5. (Added-USAFE) Not properly marking NS, NC, or NR classified information transmitted or posted on an accredited SIPRNET. A10.17.6. (Added-USAFE) Not properly labeling all equipment connected to an accredited SIPRNET. A10.17.7. (Added-USAFE) Not properly labeling removable computer storage media. A10.17.8. (Added-USAFE) Not properly controlling and registering media and documents containing NS classified information.

Information

65 pages

Find more like this

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate

385346


You might also be interested in

BETA