OFFICE OF SECURITY POLICY DEFINITION CONCERNING SECURITY VIOLATIONS AND THEIR REPORTING BY CIA DOMESTIC INDUSTRIAL CONTRACTOR FACILITIES

Approved For Releases 2001/11 -RDP96B01172RO01 Q_01 50007-9 21501-78 25X1A opy5of6 17 JAN 1978 MEMORANDUM FOR: Director of Security Security (PTOS) SUBJECT: Office of Security Policy Definition Concerning Security Violations and Their Reporting by CIA Domestic Industrial Contractor Facilities 1. Action Requested: It is requested that you sign Attachment '"fit ne anAttachment Two forwarded with this memorandum, and that you forward Attachment One to the Director of Logistics and Attachment Two to the Director, NRO, together with exemplars of the Security Violation Report Form. 2. Bac round: The DCI, when commenting on the Security Review Task Force Report of the Moore and Boyce/Lee Cases, expressed concern that not all security violations were being reported to tars as required in Section I, Paragraph 6a(3) of the ndustrial Security Manual. Agency regulations cur ntain no definition of a security violation. Attachments One and Two contain a definition of what constitutes a reportable security violation. Also included is a reporting form which would be used by Agency contractors to report such violations to Headquarters in a noncompartmented format. 3. Staff Position: This new definition of a reportable security v o-at on represents the coordinated position of this Office, of the Security Staffs of the Office of Develop- ment and Engineering, the Office of Communications, the Office of Logistics, and of the NRO, as well as of the Special Security Center. The Security Violation Report Form was designed by the Office of Development and Engineering and meets with the approval of the other Offices concerned. The Office of Communications has requested a copy of the two attachments and the Security Violation Report Form. We propose to forward them as requested following your signature of Attachments One and Two. ' ` ivsl I rVE r iK ` ~ OIJ rFS -, D METHODS INVOLVED RWNDUt yr 2RO0A% 0 ase 2041b1v1fR8L rS 117 SECRET'  Approved For Releas?g 2001/11/08: CI 01172R001L00150007-9 112501.78 25X1A 4. Recommendation: It is recommended that you sign and forwa the attached memoranda to the Director of Logistics and to the Director, NRO, along with copies of the Security Violation Report Form for further dissemination to the Director of Logistics and the appropriate NRQ Program Offices. 25X1A Approved For Release 2001/11/08 : CIA-RDP96B0l172R001000150007-9 11 CRET  Approved For Release 2001/11/08 : G -A 6B01172R001U09150007-9 6 FEB 1978 MEMORANDUM FOR: Director of Logistics FROM: Robert W. Gambino Director of Security SUBJECT: Security Violations Occurring at CIA Funded Contractor Facilities -- Definition of and Reporting Procedures (U/AIUO) I. (S) During security audits conducted at Agency- funded and non-Agency-funded contractors as a result of the Boyce/Lee Case, it has become apparent that some contractors have not been reporting security violations to Headquarters. It is recognized that such reports have not been required in the past with respect to collateral classified contracts, and that it was only in the SCI area that reporting of security violations was mandatory. Many contractors have adopted the policy of reporting only violations which have, in their judgment, resulted in compromise or which they felt could potentially result in compromise. They have not uniformly reported other matters such as open safes or unsecured classified material found by guards, preferring to regard them simply as security "discrepancies" rather than as violations. 2. (U/AIUO) The Director of Central Intelligence has expressed concern regarding this situation and agrees that such a lack of reporting is unacceptable. The following policy will, therefore, apply with regard to all contracts under the cognizance of the Central Intelligence Agency: (UTAIUO) "SECURITY VIOLATION: Any breach of securit regulat ens, requ rerents, procedures or guides by an individual which subjects classified or sensitive material or "formation to -compromise to unauthorized persons,;,or which places it in- jeopardy where a conprogiise could result, constitutes a reportable security. flioration. --Such a breach OS 7 5216 Approved For Release 2001/11/08: CIA-RDP96B01172R00OOO0t5flOQ2.;9---  Approved For Release 2001/11/08: CIAS6B01172R001000150007-9 includes both acts of omission such as failure to properly secure classified or sensitive material and acts of commission such as discussion of classified or sensitive information over nonsecure telephone circuits. The information and materials referred to in this definition comprise Collateral classified, SCI classified, and those materials and information which are sensitive because they involve intelligence sources and methods." 3. (U/AIUO) It is requested that you disseminate the definition as shown above to all of your contractors. 4. (U/AIUO) Along with the definition, please forward a copy of the attached Security Violation Report Form. It may be reproduced locally by each contractor as necessary. Please inform your contractors that the Security Violation Report Forms, when filled in, are to be classified SECRET if they relate to SCI contracts, and CONFIDENTIAL if they relate to Collateral-type contracts. The contractor is to submit these forms in duplicate to the Cognizant Headquarters Security Officer (CHSO). The CHSO will maintain one copy in Office of Logistics files as a record of security violations pertaining to that particular contract for review during contract award fee negotiations. The C}ISO will send the second copy to the Office of Security for inclusion in the individual's security file. Full Program names should not be used in reporting SCI violations on this Security Violation Report Form because the forms will ultimately be stored in a noncompartmented area. If it is necessary for the contractor to report SCI details of a violation, the facts should be separately stated in an attachment which will be detached upon receipt at Headquarters and maintained under SCI control. S. (U/AIUO) It is recognized that the Office of Communications has already established procedures under which contractors report certain types of COMSEC violations to Headquarters. This new procedure is a supplementary requirement. (U/AID Please advise this Office when the actions 25X1A in paragraphs 3 and 4 ha Attachment Distribution: Orig Adse Approved Pt iSM lease 20 / 1 - DD/PTOS ISB 1 - OS/Reg IDP96B01172R001000150007-9 25X1 A ca (29 Dec 77, retyped 9 Jan 78)  25X1A Approved For Release 2001/11/08 : CIA-RDP96B01172RO01000150007-9 Next 1 Page(s) In Document Exempt Approved For Release 2001/11/08 : CIA-RDP96BOl 172RO01 000150007-9