Foreign National (FN) Administrative Controls - Written Procedures and Employee Training

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-245768	FN-05.02.01	SV-245768r822829_rule		Medium

Description
Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what information FN employees or partners have access to and what they are excluded from having, what physical access limitations and allowances are in place, how to recognize a FN (badges, uniforms, etc.), steps to take to sanitize a work area before a FN can access the area, etc. are an essential part of controlling FN access. Just as important as development of policy and procedure is the training/familiarization of both employees and assigned FNs with the rules of interaction. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 5, 6.f.(1), 9.b., 10., 27.a, 27.b., 27.c., 27.e. (8) and 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, PL-1, PL-4, AT-1, AT-2, AT-3, PE-2(1), PE-2(3) and PE-3 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017 DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 3, para 5.b. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f.; Encl 7 DoD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals

Description

Failure to limit access for Foreign Nationals to classified information can result in the loss or compromise of NOFORN information. Documented local policies and procedures concerning what information FN employees or partners have access to and what they are excluded from having, what physical access limitations and allowances are in place, how to recognize a FN (badges, uniforms, etc.), steps to take to sanitize a work area before a FN can access the area, etc. are an essential part of controlling FN access. Just as important as development of policy and procedure is the training/familiarization of both employees and assigned FNs with the rules of interaction. REFERENCES: National Disclosure Policy - 1 (NDP-l) National Security Directive 42, "National Policy for the Security of National Security Telecommunications and Information Systems DODD 5230.11, Disclosure of Classified Military Information to Foreign Governments and International Organizations SPECIAL NOTE: Enclosure 3 to DODD 5230.11 establishes specific criteria for the disclosure of classified information. Use guidance on sharing information with REL Partners on SIPRNET at http://www.ssc.smil.mil/ - follow Policy/Guidance&Documentation link and then SIPRNet Information Sharing... DODD 5230.20; Visits, Assignments, and Exchanges of Foreign Nationals CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Encl C, paragraphs 5, 6.f.(1), 9.b., 10., 27.a, 27.b., 27.c., 27.e. (8) and 27.f. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-1, PL-1, PL-4, AT-1, AT-2, AT-3, PE-2(1), PE-2(3) and PE-3 DoDI 8500.01, SUBJECT: Cybersecurity, March 14, 2014 , Enclosure 3, paragraph 11. DoD Manual 5200.02, Procedures for the DoD Personnel Security Program (PSP), 3 April 2017 DoD Manual 5200.01, Volume 1, SUBJECT: DoD Information Security Program: Overview, Classification, and Declassification, Encl 3, para 5.b. DoD Manual 5200.01, Volume 3, SUBJECT: DoD Information Security Program: Protection of Classified Information, Encl 3, para 5; Encl 4, para 2.c.; Appendix to Encl 4, para 1.f.; Encl 7 DoD 8570.01-M, Information Assurance Workforce Improvement Program, para C.3.2.4.8.2, C.8.2.7 & AP1.19 DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, CHAPTER 10 International Security Requirements, Section 5. International Visits and Control of Foreign Nationals

STIG	Date
Traditional Security Checklist	2022-09-22

Details

Check Text ( C-49199r769964_chk )
Check to ensure that US employees clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. This can only be done if there are written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. It is recommended that employees sign an acknowledgement that they understand their responsibilities for sharing information, but this is not to be required. This particular check should be validated by specifically checking for written procedures and training records. This subject can be included in the initial and annual site security awareness training but must be clearly detailed as having been properly completed. The effectiveness of the program can be validated by conducting random employee interviews concerning their understanding of rules covering sharing classified and sensitive information with FN partners assigned to or visiting their organization/site. Any one of the following three items: Lack of written procedures, lack of training, or evidence employees are not familiar with the rules for information sharing will result in a finding. TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to US Systems

Check Text ( C-49199r769964_chk )

Check to ensure that US employees clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. This can only be done if there are written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners.

It is recommended that employees sign an acknowledgement that they understand their responsibilities for sharing information, but this is not to be required.

This particular check should be validated by specifically checking for written procedures and training records.

This subject can be included in the initial and annual site security awareness training but must be clearly detailed as having been properly completed.

The effectiveness of the program can be validated by conducting random employee interviews concerning their understanding of rules covering sharing classified and sensitive information with FN partners assigned to or visiting their organization/site.

Any one of the following three items: Lack of written procedures, lack of training, or evidence employees are not familiar with the rules for information sharing will result in a finding.

TACTICAL ENVIRONMENT: This check is applicable where REL partners/LN/FN are employed in a tactical environment with access to US Systems

Fix Text (F-49154r769965_fix)
BACKGROUND: US employees must clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners. In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners. REQUIREMENT: There must be written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners. This topic must be included in the initial and annual site security awareness training. Any one of the following three items will result in a finding: 1. Lack of written procedures, 2. Lack of training, or 3. Clear evidence employees are not familiar with the rules for information sharing.

Fix Text (F-49154r769965_fix)

BACKGROUND: US employees must clearly understand the differences and limitations between REL Officers, other NATO partners, Non-NATO partners and Coalition Partners.

In a mixed US/FN partner environment the US personnel must know exactly what information can be shared and what cannot be shared or how to readily determine this information. For example the restrictions and cautions for partners from Belgium, Germany, France will be significantly greater relative to viewing anything on SIPRNet work stations versus the Australia, Canada, Great Britain partners.

REQUIREMENT: There must be written local procedures and initial/recurring (at least annual) employee training to ensure familiarization with the rules for sharing classified and sensitive information with our partners.

This topic must be included in the initial and annual site security awareness training.

Any one of the following three items will result in a finding:

1. Lack of written procedures,
2. Lack of training, or
3. Clear evidence employees are not familiar with the rules for information sharing.