NATO UNCLASSIFIED CSO/SEC(2013)01
September 2013
NATO UNCLASSIFIED
NORTH ATLANTIC TREATY ORGANISATION
COLLABORATION SUPPORT OFFICE (CSO) BP 25, 92201 Neuilly-sur-Seine Cedex - France
CSO INTERNAL SECURITY INSTRUCTIONS
CSO/SEC(2013)01 September 2013
Table of contents
GENERAL SECURITY POLICY OF CSO
    RESPONSIBLE OFFICE
        PURPOSE
        SCOPE
        REFERENCE
    INTRODUCTION
    RESPONSIBILITIES
    APPLICABILITY
ANNEX 1 ORGANISATION
    CSO Security Officer
    CSO Chief Security
    CSO INFOSEC Officer
    Division Chiefs and Executives
    CSO Personnel
    Security personnel
ANNEX 2 PERSONNEL SECURITY
    General
    Security Clearance
    Special NATO ID Card (NATO Agencies in France)
    Contact with the press
    Unguarded Talk
    Security Violations/Infractions
    Telephone, Telex and Telefax
    Photocopiers
    Loss or Theft
    Anti-Terrorism/Social Contacts
    Travel requiring prior authorization
    Appendix 1 to ANNEX 2 NATO PERSONNEL SECURITY CLEARANCE CERTIFICATE
    Appendix 2 to ANNEX 2 ATTESTATION OF SECURITY CLEARANCE
    Appendix 3 to ANNEX 2 CERTIFICATE OF ACKNOWLEDGEMENT OF RESPONSIBILITIES
    Appendix 4 to ANNEX 2 ATTESTATION OF PERSONNEL SECURITY CLEARANCE (for non-NATO national)
ANNEX 3 PHYSICAL SECURITY
    Physical Security Measures
    Passes/Visitors
    Carriage of Pistols or Revolvers
    Photographic and Recording Equipment
    Keys
    Staff Members Privately Owned Vehicles
    Visitors Vehicles
    Use of cellular phones
    Visits to NATO headquarters, NATO Commands and Agencies
    Appendix 1 to ANNEX 3 ACCESS OF CONTRACTING COMPANIES
    Appendix 2 to ANNEX 3 Guards’ security patrols
        General rules
        Specific rules
        Classified materials
        Safes and special rooms
        Interior of buildings
        Exterior of the buildings - courtyard
    Appendix 3 to ANNEX 3 Letter of acceptance and confidentiality
ANNEX 4 SECURITY OF INFORMATION
    INTRODUCTION
        Scope
        Personal Responsibility
    ROLE OF CLASSIFIED REGISTRY
    CLASSIFICATION OF NATO INFORMATION
        General
        Responsibility for classification
        Markings
        Other special markings
        Downgrading and declassification
    PREPARATION AND REPRODUCTION OF DOCUMENTS
        Preparation
        Photographic material
        Tape recordings
        Magnetic media of all types
        All other material
        Reproduction and Translation
    DISTRIBUTION/RELEASE OF NATO INFORMATION
        NATO CLASSIFIED information
        NATO UNCLASSIFIED information
    PROTECTION OF CLASSIFIED INFORMATION
        General
        Custody of documents
        Keys and locks
        Recording equipment
        Checking of documents in event of transfer or departure of a staff member
        Destruction
        Emergency Destruction
        Telephone Communications
    INVENTORY OF CLASSIFIED DOCUMENTS
    REGISTRATION OF CLASSIFIED DOCUMENTS
        Receipt & transfer of classified documents
    CARRIAGE/FORWARDING OF NATO CLASSIFIED DOCUMENTS
        Packaging
        Document control
        Carriage inside the country
        International Carriage
        Forwarding of Classified documents
        Personal carriage of classified documents
        Electronic Transmission
ANNEX 5 CLASSIFIED CONFERENCES AND MEETINGS
    General
    Control of access
    Physical Security
ANNEX 6 INFORMATION AND INTELLIGENCE SHARING WITH NON-NATO ENTITIES
    General
    Recording requirements
    Appendix 1 to Annex 6 Decision taken by CSO Deputy Director Information & Intelligence sharing with a Non-NATO Nation
    Appendix 2 to Annex 6 Annual Security Report on Information and Intelligence Sharing with Non-NATO Entities
ANNEX 7 BREACHES OF SECURITY AND COMPROMISE OF NATO CLASSIFIED INFORMATION
    Scope
    Definitions
    Action on breaches of Security
    Enquiry Report
    Disciplinary or Judicial Action
ANNEX 8 INDUSTRIAL SECURITY
ANNEX 9 DEFINITIONS
GENERAL SECURITY POLICY OF CSO
RESPONSIBLE OFFICE
PURPOSE
1. These Instructions define the chain of responsibility for security in the S&T Organization Collaboration Support Office (CSO) and set forth in relevant instructions the actions to be taken in order to safeguard security in accordance with the current NATO regulations. All personnel must be aware of their contents upon taking up their duties. The Security Officer and/or Chief, Security/Classified Registry shall ensure that they have reread this instruction at least once a year.
SCOPE
2. This instruction applies to CSO. All CSO elements at Neuilly-sur-Seine,
France for which CSO exercises overall responsibility, constitute CSO. It also applies to all personnel not serving in the CSO but having to work in the CSO premises.
REFERENCE
3. The Security Procedures approved by the NATO Council in document C-M(2002)49 in conjunction with C-M(2002)50, their supporting directives and updates constitute the basis of CSO’s internal security instructions and no detailed instruction may conflict with that document.
4. The security operating procedures for the CSO computer information system
are approved and published under a separate reference elaborated and maintained by the INFOSEC officer of the office.
5. The policy, directives and guidance concerning NATO information management are contained in the following documents: C-M(2007)0118 for the NATO information management policy (NIMP), C-M(2008)0113(INV) for the primary directive on IM (PDIM), C-M(2002)60 for the management of NATO non-classified information and AC/35-D/1040-REV2 supporting document on Information and Intelligence Sharing with Non-NATO Entities (NNE).
6. The Security Alert Measures and the Personal Protection against Crime and Terrorists Activities dated June 2013 constitute the basis for the specific security measures to be taken by the CSO.
INTRODUCTION
7. The requirements and procedures in this document are designed to protect NATO classified information, NATO personnel and its surroundings.
8. The term “NATO classified information” used throughout this document embraces all classified (NATO RESTRICTED and above) information (military,
political and economic, scientific and technical) circulated within NATO; whether this information originates in the Office, other NATO commands and bodies, or is received from member nations, or from other international organizations.
9. NATO classified information may be circulated on the basis of the “need-to-know” principle balanced with the “responsibility to share” principle to individuals who have been briefed on the relevant security procedures, and without reference to the originator. It should be emphasized that the information itself remains the property of the originator and shall be subject to originator control. Subject to the consent of the originator and in accordance with C-M(2002)49 in conjunction with C-M(2002)60 procedures, NATO classified information up to NATO SECRET shall only be released to non-NATO nations and organizations that have either signed a Security Agreement with NATO or that have provided a Security Assurance to NATO. The Security Officer of the Office holds the list of those Nations, which have signed such agreements.
10. NATO information which does not require a security classification (NATO
RESTRICTED and above) is known as NATO non-classified information and falls into two categories:
NATO UNCLASSIFIED: NATO UNCLASSIFIED information is sensitive and is subject to management and protection procedures detailed in the NATO Information Management Policy (NIMP). It is to be used for official purposes only. This information is not publicly accessible on the Internet, or other public networks.
Information releasable to the public: Such information is non-sensitive and does not carry any markings. It is not subject to any dissemination restrictions and is releasable to the public. This information may be publicly accessible on the Internet, or other public networks.
It includes:
information for the media – publications and any information intended for dissemination outside the Alliance
11. Regardless of classifications and markings, all NATO information is also subject to the provisions of the NATO Public Disclosure Policy. The policy provides for the disclosure of historically significant NATO information to the general public.
12. The requirements and procedures have been set out in convenient sections
so that all CSO members, who are required to handle NATO classified information, may be fully aware of their individual responsibility in fulfilling their particular security function. All cases/situations not covered by this instruction should be referred to the CSO Security Team for resolution.
RESPONSIBILITIES
13. The CSO Director, as the Security Risk Owner (SRO), is responsible to the North Atlantic Council for maintaining security within CSO.
14. The Deputy Director in his capacity as Security Officer is responsible to the CSO Director for the implementation of the prescribed security procedures.
15. Division Chiefs and Executives are responsible to the CSO Director through the Security Officer, for implementation of the Security Procedures within their areas of responsibility. They are responsible for ensuring that their staff complies with the security regulations established by NATO and the CSO Security Officer. They will notify the Security Officer of any violations or incidents.
16. The CSO Chief Security shall assist the Security Officer in carrying out his
security responsibilities and be responsible for the classified registry functions and/or communications.
17. The Security officer shall appoint a Classified Registry Assistant. In the
absence of the Chief Security this individual shall be responsible for the classified registry functions.
18. The CSO Security Officer shall act as Principal Security Officer for CSO, Neuilly-sur-Seine.
APPLICABILITY
19. The requirements contained in this instruction are applicable to CSO and CSO Staff members. This intent is equally valid at all CSO activities and meetings. In situations where the exact letter of these guidelines cannot be followed due to local rules or customs, the CSO Staff members are charged with compliance with the intent of this instruction based on common sense and best judgment for the particular situation. Any deviation from these procedures must be brought to the attention of the Security Officer or the Chief Security.
Mr. René LAROSE
Director
NATO UNCLASSIFIED ANNEX 1 to
CSO/SEC(2013)01 September 2013
ANNEX 1 ORGANISATION
CSO Security Officer
20. In accordance with the instructions and by delegation of the CSO Director, the
CSO Security Officer shall implement all the provisions of the NATO Security Rules and Procedures. The Security Officer shall monitor and coordinate their proper application in all areas. In particular, this person shall be responsible:
(a) For the elaboration, dissemination and implementation of the CSO
internal security instructions, both inside the Office and outside the Office in external relations.
(b) For establishing and maintaining liaison with:
(1) The Security Officers of the various nations, permanent delegations to NATO and of other NATO bodies
(2) The Security Officers of NATO entities located in France
(3) Other international bodies when deemed in the best interest of this Office
(4) The French National Security Authority (NSA) and other security related services within the framework of his/her responsibilities
(c) For instructing Office staff and other personnel as appropriate on
security matters when they take up their duties at the CSO.
(d) For inquiring into breaches of the NATO Security Rules.
(e) For reporting major breaches, infractions, and compromises to the NATO Office of Security (NOS).
(f) For preparing an annual program on security awareness training within
CSO.
(g) For providing advice on security matters, as and when required.
(h) For performing other duties, as directed by higher competent CSO/NATO Authorities.
(i) For carrying out inspections during work
(j) For handling security aspects for contracts involving classified
information
(k) For providing the facilities management section with appropriate advice on security aspects when new buildings are to be erected; alterations made to existing ones and when material is to be purchased.
(l) For ensuring that appropriate physical security measures are in place
to protect CSO assets (people, buildings and/or information of all types.)
(m) For periodically checking that the alarm systems are operating
correctly.
(n) For preparing/reviewing annually, specific instructions, detailing the measures to be taken in periods of emergency and alert.
(o) For performing fire alarm exercises or evacuation exercises twice a
year.
(p) For scheduling, once a year or after changes have occurred, an awareness briefing for staff members on office security.
(q) For staffing and controlling the release of classified information to Non-NATO Entities.
(r) For supervising the work of the INFOSEC Officer.
CSO Chief Security
21. In accordance with the instructions of the Security Officer, the Chief Security
shall implement the Security Rules and Procedures and monitor their proper application. This person shall be responsible:
(a) For carrying out the duties explained in 20(c) through 20(p) in
conjunction with and in the absence of the Security Officer.
(b) For obtaining and keeping up-to-date Personal Security Clearance
Certificates (PSC) for persons employed by CSO.
(c) For briefing/debriefing and instructing personnel on security policy and instructions when they take up their duties or depart at/from the Office.
(1) Staff members shall sign a statement acknowledging that they
have been briefed on the NATO Security Regulations and are fully aware of their responsibilities vis-à-vis NATO and CSO with respect to security. This statement will then be maintained in the individual's security file.
(2) Staff members leaving CSO permanently shall sign a statement
whereby they recognize that they have been reminded of the obligations they accepted on appointment. The e-mail account
of departing staff members shall be cancelled immediately prior to departure. (REF: CSO Computer Information System Security Operating Procedures (CIS SecOPs))
(3) Periodic (preferably annual) re-briefings shall be addressed,
including written acknowledgements!
(e) For inquiring into breaches of the NATO Security Rules.
(f) For drawing up, checking every year and physically verifying the annual inventory of NATO SECRET documents held in other sections.
(g) For establishing a record of classified documents at the NATO SECRET and NATO CONFIDENTIAL levels.
(h) For protecting all classified documents (including all forms, electronic
media and archived files) and material in the possession of the staff.
(i) For maintaining a record of personnel authorized to have access to NATO documents and material classified NATO CONFIDENTIAL and above.
(j) For registering and circulating NATO classified documents.
(k) For staffing and controlling the release of classified information to Non-NATO Entities.
(l) For correctly applying the procedure for the destruction of classified documents and material.
(m) For maintaining records of the combinations of safes, padlocks and
door combinations and of the persons authorized to know these combinations.
(m) For supervising and inspecting the recording, handling, reproduction,
translation and destruction of NATO classified documents and/or material for which CSO is responsible.
(n) For assisting the OPR (Office of Primary Responsibility) in the
preparation of classified conferences or meetings.
(o) For inspecting all security containers in which documents to be safeguarded are kept and ensuring that all security requirements are met when these containers are purchased and delivered.
(p) For distributing and inspecting combination locks and padlocks.
(q) For periodically checking that the intrusion detection systems are operating correctly.
(r) For preparing (reviewing annually), in specific instructions, the
measures to be taken in periods of terrorist threat.
(s) For supervising and inspecting the parking areas inside the CSO facility.
(t) For carrying out security inquiries in event of the loss or disappearance
of accountable documents. (Accountable documents are those which have to be registered and controlled.)
(u) For carrying out periodic inspections and spot checks of NATO
CONFIDENTIAL and NATO SECRET documents and the procedures of accounting for documents in classified holding areas and in individual offices.
(v) For supervising the work carried out by the security guards.
CSO INFOSEC Officer
22. The Information Management and Systems branch head shall be responsible, as INFOSEC Officer, for the application of the security measures to protect information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability. He will ensure the creation of a secure environment for the operation of the CSO electronic systems.
23. The INFOSEC Officer shall also be responsible for the elaboration of the
Security Operating Procedures for the CSO Computer Information System in accordance with the NATO INFOSEC management, and INFOSEC technical and implementation directives.
Division Chiefs and Executives
24. Division Chiefs and Executives shall be responsible for the following:
(a) For ensuring that their staff complies with the security regulations and policies established by NATO and the CSO.
(b) For strictly controlling all visitors to the Office in their own areas of
responsibility, in particular when they need to be escorted.
(c) For protecting all classified documents (including all forms of electronic media) and material in the possession of the staff of their elements.
(d) For maintaining appropriate contact with the CSO Security Officer or the Chief, Security. Ensure Non-NATO Entities attendees complete appropriate enrollment forms.
(e) For reporting any breach of security detected to the Security Officer
and/or the Chief, Security.
(f) For organizing within their areas of activity and responsibility a permanent supervisory and control system with regard to the safeguarding of NATO information.
CSO Personnel
25. All CSO personnel, in accordance with security instructions, will ensure that at
the end of each day’s office hours:
(a) All possible means of entry are made secure (i.e. doors (if secure area), windows)
(b) All security containers are properly closed/secured and all classified
documents or material locked up.
(c) Desk is cleared of all sensitive information (i.e. NATO RESTRICTED, Classified documents, diskettes, CD-ROMs....)
(d) All computers are shut down. (Instructions for shutting down the computers are addressed in the CIS SecOPs).
(e) Keys that give access to security containers or offices have been secured (i.e. turning keys in to the CSO Guard post). Keys to any security containers or offices should at no time be freely accessible. At no time should padlocks be left unsecured.
Security personnel
26. All security personnel will be in addition responsible for:
(a) Implementing and enforcing the security instructions related to the physical security of the Office.
(b) Reporting to the security officer and the Chief Security any breach in
the application of those instructions.
(c) Reporting to the security officer and the Chief Security any security incident.
NATO UNCLASSIFIED ANNEX 2 to
CSO/SEC(2013)01 September 2013
ANNEX 2 PERSONNEL SECURITY
General
27. Access to NATO classified information must only be granted to persons
whose duties require it and who, after an enquiry, have been given clearance to have access to such information. The expression “classified information” is understood to mean:
(a) any piece of information on a classified matter, be it an oral
communication or the electrical or electronic transmission of a classified message, or be it “material” (defined in the next paragraph) determined to require protection against unauthorized disclosure, which has been so designated by security classification.
(b) the word “material” includes “document” as defined below and also any
item or machinery or equipment whether completed or in the process of manufacture.
(c) the word “document” denotes any letter, note, minute, report,
memorandum, signal/message, sketch, photograph, film, map, chart, plan, notebook, stencil, carbon, other form of recorded information (e.g. magnetic recording, punched card, tape, diskette, CD-ROM, hard disk), or any other means to preserve a copy/copies of electronic information.
Security Clearance
28. No person shall be entitled to have access to NATO classified information
solely by virtue of rank, appointment or security clearance.
The “NEED-TO-KNOW” is established in all cases by the Director or Deputy Director/Security Officer.
29. Every staff member prior to taking up duties at CSO shall hold a NATO
Personal Security Clearance (PSC) issued by the National Security Authority or other competent authority of the country of which he/she is a citizen (see Appendix 1 to this Annex). The level of this clearance, which shall depend on the functions of the post that the staff member is to hold, shall be laid down in the relevant job description, but shall not be lower than NATO SECRET.
30. Every staff member, upon taking up duties at CSO or when leaving the CSO,
must sign a letter of acknowledgement of responsibilities, a template of which is at appendix 3 to this annex.
31. The period of validity of the security clearance shall be determined by the
issuing National Security Authority. One year prior to expiration, the procedure for requesting renewal of the certificate shall be set in motion by the CSO Chief, Security.
32. Any member of the staff planning to marry or intending to live under a marital relationship must inform the Security Officer at least three months before the intended date of marriage. In this case, the National Security Authority shall be requested to revalidate the security Clearance certificate and the future spouse shall be required to fill in the forms required to conduct the renewal procedure.
33. Any staff member, who is required to deal with “outsiders” (non-Science and
Technology Organization (STO) members) on information pertaining to CSO on classified matters, shall ensure that such persons hold a security clearance of a level permitting access to the information involved, and inform the CSO Security Officer and/or Chief, Security accordingly. In case of doubt, access to classified information is to be refused.
34. No information classified NATO CONFIDENTIAL or above may be passed on to persons who are not security cleared. NATO RESTRICTED information may be passed on to persons on a “NEED-TO-KNOW” basis and who have attended an awareness briefing. The “NEED-TO-KNOW” may be assessed simply by the appointment of the person by a National official for NATO members. For Non-NATO Entities there must be an existing security agreement between the said entity and NATO.
35. In event of withdrawal, downgrading or delays in renewal of the security
clearance issued to a CSO staff member, the Chief, Security shall inform the Security Officer (Deputy Director) who shall then inform the CSO Director. The CSO Director shall then take the appropriate action. (Reference: NATO Civilian Personnel Regulations).
36. The release of classified information to non-NATO Entities is subject to
confirmation that the person(s) having access to this information is in possession of a Personal Security Clearance (PSC) certificate to the level of the classified information being released.
(a) This may be done after the requesting entity(s) has/have submitted a
request through proper channels for the release of classified information, and the potential releaser has established a “need-to-know” on the part of the requestor.
(b) A Security Agreement must also have been established between
NATO and the nation/entity before release of any such information.
(c) All information and intelligence sharing with non-NATO entities have to follow guidance established in AC/35-D/1040-REV2. However, if a scenario is not governed by this supporting document, Enclosure “E” of C-M(2002)49 in conjunction with AC/35-D/2002-REV4 shall be consulted.
Special NATO ID Card (NATO Agencies in France)
37. The CSO Human Resources and Support branch will distribute a Special NATO ID Card to CSO staff members who are holders of a valid NATO SECRET or above Personal Security Clearance (PSC) certificate and who have received the mandatory security training. It may be used as an access document, and shall constitute valid proof of identity within the Office.
38. The CSO Human Resources and Support branch will distribute to every staff member a CSO special security pass, which will be used only to access the office and as proof of physical presence in the facilities for safety purposes.
39. The CSO Special NATO ID Card may also be used as an access/exchange document at NATO Entities in France and at other NATO entities outside France, including NATO HQ.
40. For safety purposes, one of these means of identification (Special NATO ID, or CSO security pass or any other ID document) shall be given to the guard on duty each time one enters the premises and picked up from the guard each time one leaves the premises.
41. The CSO Special NATO ID Card and the CSO security pass may only be used by the person to whom they are issued and must be returned to the CSO Security Office when the employee leaves the organization.
42. Any loss or theft of the ID Card or security pass has to be reported immediately in writing to the Chief, Security, giving details of the circumstances in which the loss or theft occurred. A copy of the declaration of loss/theft made at a Gendarmerie or Police Station (if applicable) must accompany the written notification.
Contact with the press
43. Only official representatives of CSO who have been appointed for this purpose by the CSO Director may be authorized to make statements to the Press. All requests for contact with the Press must be coordinated with the Deputy Director. All correspondence or telephone calls from journalists or Press Agencies must be passed to the Security Officer.
Unguarded Talk
44. Classified matters must not be discussed in non-secure areas, whether outside CSO (e.g. public transportation, vehicles, restaurants, cafes etc.) or in non-secure areas inside the Office’s facilities (e.g. hallways, courtyard). “Free Talk” is a major contributor to security violations, and has proven to be a valuable source of hostile intelligence collection.
Security Violations/Infractions
45. Any contravention of the provisions of these regulations is termed a security violation/infraction. This term includes contraventions regarding security of personnel, security of documents (e.g. loss of classified documents), and physical security (e.g. failure to lock a security container, leaving classified material out in full view). It is the duty of any individual who becomes aware of a security violation/infraction to report the matter to the Security Officer or Chief, Security. All violations/infractions are to be reported to the Director and/or the Deputy Director.
Telephone, Telex and Telefax
46. The above-mentioned communication systems are not secure/not tempest approved. Therefore the passing of classified information (NATO RESTRICTED and above) through these networks is forbidden.
Photocopiers
47. Each photocopier is labeled to the level authorized for reproduction.
Loss or Theft
The procedures outlined below apply equally to all family members of CSO staff members.
48. Any loss or theft of classified documents, CSO/NATO ID Cards, French Identity cards, passports, theft of car or diplomatic license plates, laptops or any CSO equipment is to be reported immediately to the Security Officer or to the Chief, Security. Further instructions will then be given.
Anti-Terrorism/Social Contacts
49. Any Staff Member who, in social contacts with persons from outside the Office, believes he or she has been exposed to or contacted by a member of any organization or country whose intelligence services target the Alliance and its member nations by violent, subversive or other unlawful means, is required to inform the CSO Security Officer without delay.
50. Any Staff Member who observes activity which could be inferred to be of a suspicious or hostile nature against CSO Personnel, activities, or assets should report that information to the CSO Security Officer. If such activities occur at a location outside of the Paris region, the suspicious behavior should also be reported to the STO local coordinator in charge of that distinct location.
51. Staff members should be particularly alert to people who appear to be lingering around and studying the patterns and time schedule of CSO people or activities.
52. Situations that could lead to inappropriate contacts might be invitations to cocktail parties or dinners, invitations to take part in cultural or recreational activities, attempts by individual nationals to establish and/or renew relationships, or the exchange of correspondence through such means as a “Pen Pal” club. The proliferation of information technology has multiplied the possibilities of external contacts; hence extreme caution must be exercised, especially while communicating through social networks like “Facebook, Twitter, etc.”.
Travel requiring prior authorization
53. The NATO Office of Security (NOS) no longer publishes a list of countries that pose a special security risk. However, common sense should prevail and the following precautions should be taken:
(a) Confirm with your National Security Authority that there are no national objections to your planned travels. The Chief Security can assist you in identifying a suitable point of contact.
(b) Notify the CSO Security Officer in writing of your travel plans, as a safety precaution, in case of an incident/unusual occurrence during your travels.
(c) Report any incident/unusual occurrence to the CSO Security Officer upon your return.
54. As a general rule, avoid travel to countries where there is an imminent threat. If in doubt, contact an official who is knowledgeable in personal security matters either within CSO or externally (such as your responsible National Security Authority).
Appendix 1 to ANNEX 2 NATO PERSONNEL SECURITY CLEARANCE CERTIFICATE
1. Certification is hereby given that:
Full Name:
…………………………………………………………………………………………………..
Date and Place of Birth:
…………………………………………………………………………………………………..
has been granted a personnel security clearance by the Government of:
…………………………………………………………………………………………………..
In accordance with current NATO regulations, including the Security Annex to C-M(64)39 in the case of ATOMAL information, and is, therefore, declared suitable to be entrusted with information classified up to and including:1
…………………………………………………………………………………………………..
…………………………………………………………………………………………………..
…………………………………………………………………………………………………..
2. The validity of this certificate will expire not later than2
…………………………………………………………………………………………………..
…………………………………………………………………………………………………..
Signed:
Title: Official Government stamp Date of Issue:
Contact details of the issuing authority (Phone, e-mail, fax):
To be sent via official registered mail to: CSO Security Officer
BP 25 92201 Neuilly / Seine cedex
France
Note: the marking on this page is not part of the template
1 Insert, as appropriate, one or more of the following:
(a) COSMIC TOP SECRET
(b) NATO SECRET
(c) NATO CONFIDENTIAL
(d) COSMIC TOP SECRET ATOMAL
(e) NATO SECRET ATOMAL
(f) NATO CONFIDENTIAL ATOMAL
2 The date of expiry shall conform with the provisions of paragraph 18 of the Directive on Personnel Security.
Appendix 2 to ANNEX 2 ATTESTATION OF SECURITY CLEARANCE
Issued by……………………………………………………………………………………….
(Member Nation or NATO civil or military body)
Date and Place of issue………………………………………………………………………
Valid until……………………………………………………………………………………….
This is to certify that:
Full Name………………………………………………………………………………………
Date of Birth…………………………………………………………………………………...
Place of Birth…………………………………………………………………………………..
Nationality………………………………………………………………………………………
Where employed………………………………………………………………………………
Purpose and Duration of Visit………………………………………………………………..
……………………………………………………………………………………………………………………………………………………………………………………………………
Holder of Passport / Identity Card No………………………………………………………
Issued at………………………………..Dated……………………………………………….
Military Rank and Number (where applicable)……………………………………………..
has been granted access to NATO information classified up to and including
………………………………………………..in accordance with current NATO security regulations, including the Security annex to C-M(64)39 in the case of ATOMAL information, and has been briefed accordingly by
…………………………………………………………………………………………………..
Signed:
Title: Official Government stamp (optional)
Date:
To be sent via official registered mail or protected e-mail to3:
CSO Security Officer BP25
92201 Neuilly / Seine cedex France
or [email protected] (NS network)
or, exceptionally, to be hand carried to the location of the activity.
Note: the marking on this page is not part of the template
3 NOTE: This certificate must be handled in accordance with the provisions of NATO Security Policy and its supporting directives.
Appendix 3 to ANNEX 2 CERTIFICATE OF ACKNOWLEDGEMENT OF RESPONSIBILITIES
TO BE SIGNED BY MEMBERS OF CSO OF THE NORTH ATLANTIC TREATY ORGANIZATION
I understand:
(1) that I am responsible for preserving the security of all classified information which may be imparted to me as a result of my employment with the North Atlantic Treaty Organization and undertake to comply with such regulations concerning security as may from time to time be laid down;
(2) that I must not divulge any information gained by me as a result of my employment to any unauthorized person, orally or in writing, without the previous sanction of the CSO Director;
(3) that I must not, without the authority of the Director, publish any information which I have acquired or to which I have had access owing to my official position as a member of the Organization, whether orally or in any document, article, book, play, film or otherwise;
(4) that on leaving the organization, I should surrender any sketch, plan, model, article, note or document made or acquired by me in the course of my official duties, save such as I have been duly authorized to retain by the Director.
I certify:
That I am aware of my responsibility for safeguarding NATO classified information, and will abide by the CSO Security Regulations.
I understand:
that the provisions of this certificate apply not only during the period of my employment, but also after my employment with the organization has ceased and that I am liable to prosecution if either by intent or negligence I allow classified information to pass into unauthorized hands.
NAME : DATE
Appendix 4 to ANNEX 2 ATTESTATION OF PERSONNEL SECURITY CLEARANCE
(for non-NATO national)
1. Attestation is hereby given that:
Full Name (Last Name, First Name):
…………………………………………………………………………………………
Date and Place of Birth:
…………………………………………………………………………………………
Where employed:
…………………………………………………………………………………………
Purpose and Duration:
…………………………………………………………………………………………
…………………………………………………………………………………………
Holder of Passport/Identity Card No :……………………………………………..
Issued at :……………………………………………………………………………
Dated …………………………………………………………………………………
Has been granted a Personnel Security clearance for NATO classified information in accordance with security requirements no less stringent than those of NATO, has been briefed on the security regulations for the protection of NATO information and the legal and disciplinary consequences of infraction/breaches of those regulations, and is, therefore, declared suitable to be entrusted with information classified up to and including:
NATO SECRET4 NATO CONFIDENTIAL5
2. The validity of the attestation will expire no later than:
…………………………………………………………………………………………
3. Issued by:
Name and address of the issuing authority:
……………………………………………………………………………………………………………………………………………………………………………………
Contact details of the issuing authority (Phone, e-mail, fax):
…………………………………………………………………………………………
Full Name (Last Name, First Name):
Title:
Signature: Official stamp
Note: the marking on this page is not part of the template
To be sent by registered mail to: CSO Security Officer – BP 25 – 92201 Neuilly/Seine cedex - France
4 Delete as appropriate
5 Delete as appropriate
ANNEX 3 PHYSICAL SECURITY
Physical Security Measures
55. The aim of physical security measures is to prevent an unauthorized person from gaining access to NATO Classified information and to prevent any “bad act” and/or act of terrorism.
56. The Office will be officially open on working days (Monday through Friday) from 07h30 to 20h30. During these opening hours access is free for CSO staff. Outside the opening hours, access for both pedestrians and vehicles must be requested from the Chief Security or the Security Officer.
57. At all times the gate and the barrier shall remain closed, and positive identification shall be made by the guard before a person or a vehicle is allowed access to the site.
(a) When the security alert state is “ALPHA”: during working days, between 08h00 and 09h00, the main gate may be opened and the barrier lowered. After positive identification of the driver and the passengers, the guard on duty will raise the barrier. He will proceed the same way in the evening between 17h00 and 18h00.
(b) When the security alert state is “BRAVO” and above: the gates and the barrier shall remain closed at all times and are opened only to allow access to positively identified persons and/or vehicles.
Passes/Visitors
58. CSO Staff are admitted onto CSO premises based on personal recognition. Upon entering they will leave their NATO pass or ID card with the guard and upon exiting the premises will pick it up.
59. Visitor definition: a person who is not a member of the CSO staff but has business at the CSO (official visit, activity team members, workers, consultants, contractors, retirees, 1st level relatives).
60. All visitors to CSO who are NATO members from other NATO entities will exchange their NATO Pass or ID card for a CSO badge which states: “VISITOR, NO ESCORT REQUIRED”
61. Family members (with the exception of children under the age of 18) will be given a badge “VISITOR, ESCORT REQUIRED” and must leave a form of identity card with the guard. The visited staff member will permanently escort them. Children shall be under the supervision of their parents at all times and are not allowed inside the buildings without the staff member.
62. All other visitors, including contractors after they have been cleared and retirees from other NATO bodies, will leave a form of identity card with the guard and be issued a badge, which states:
“VISITOR, ESCORT REQUIRED”
The CSO staff member being visited will be responsible for escorting the visitor on the premises. At no time shall the visitor be left unattended.
63. CSO Staff members will inform the guards and/or the Security Office when one or more visitors are expected, giving the name(s), date and time of arrival, ID card or passport number, and type and plate number of vehicle.6
64. AGARD/RTA/CSO Retirees visiting the Office will leave a form of identity card with the guard and be issued a badge which states:
“ARAR, CSO (Retiree’s name)”
This badge allows the retirees access but restricted only to non-sensitive areas within CSO premises. This badge does not allow the AGARD/RTA/CSO retirees to escort other visitors.
65. If an unscheduled visitor requests to visit a staff member, the guard will:
(a) Let the visitor access the waiting room,
(b) Collect information on the purpose of visit and name of the visited staff member,
(c) Coordinate with the requested member,
(d) Either authorize the access under escort of the visited staff member or request the visitor to plan another appointment with the staff member.
Carriage of Pistols or Revolvers
66. Visitors armed with pistols or revolvers will inform the guards. Guards shall inform the Security Officer. The decision on removal or carriage will be made on a case-by-case basis.
Photographic and Recording Equipment
67. Visitors are not allowed to bring cameras or recording equipment into offices without the official approval of the Security Officer or the Chief, Security. The use of personal computers to process classified NATO data is also forbidden unless specifically approved by the Security Officer. For further details, refer to CIS SecOps.
6 This does not pertain to visitors attending a meeting to be held at the Office. See Annex 3 “Classified Conferences and Meetings” for instructions.
Keys
68. The guards are responsible for the control of the keys to offices. Keys will be checked in and out from the guards on a daily basis.
Staff Members’ Privately Owned Vehicles
69. Due to a limited number of parking spaces, members are only allowed one vehicle on the premises per family; the second and third vehicles will be parked outside, unless room is available and the Security Officer or the Chief, Security has given authorization. Only the Director or Deputy Director has authority to waive this rule for specific reasons, such as security.
70. Upon entering the Office, staff members will park their vehicles facing forward and leave their vehicle keys visible inside the vehicle (during working hours), making sure to turn off all codes and to inform the guards if there is a code to start the vehicle.
71. Staff members wanting to station their vehicle after business hours must have approval from the Chief Security and park in the far back region of the courtyard (facing forward), leaving the vehicle unlocked and the keys at the guard post.
72. Staff members will not leave their vehicles at the Office while on leave or for personal reasons unless approved by the Security Officer.
73. Due to the density of traffic in rue Ancelle at specific times of the day (morning and evening), drivers must pay particular attention when entering or exiting the Office. Priority will always be given to entering vehicles. Because the risk of accident is greater upon exiting, the guard will ensure, before raising the barrier, that no pedestrian on the sidewalk is approaching the gate. Entry into rue Ancelle remains the driver’s responsibility.
Visitors Vehicles
74. The staff member being visited must first acquire approval from the Security Officer or the Chief, Security for visitors wanting to park their vehicle within the premises of the Office. Upon acquiring approval, information on the make, model, color and license plate number must be provided.
Use of cellular phones
75. The use of cellular phones is prohibited in conference and meeting rooms. They shall be put in the OFF mode. If classified talks are supposed to take place then the cellular phones should be collected, locked in a safe place and given back at the end of the meeting.
76. The use of cellular phones is tolerated in offices as long as they are not used, even in stand-by mode, while dealing with classified information. They shall then be put in the OFF mode.
77. Cellular phones with cameras shall not be used to take pictures in the Office be it inside or outside the building.
Visits to NATO headquarters, NATO Commands and Agencies
78. Such visits are understood to mean visits to facilities under another security jurisdiction which involve access to information classified NATO CONFIDENTIAL and above. Security jurisdiction in terms of this instruction means the area of security responsibility of a National Authority or of NATO. All NATO entities come within the security jurisdiction of NATO.
79. A CSO employee who is to undertake official international travel in the framework of CSO activities to a NATO Entity involving access to, or communication of, NATO classified information, or access to facilities which may only be entered by persons who are holders of valid NATO security clearances, must make a request to the CSO Chief Security to provide an attestation of his/her security clearance (see Appendix 2 to Annex 2). When possible and required, the Chief Security shall send this attestation to the Security Authority of the body or command to be visited. In exceptional cases, the employee concerned may hand carry the attestation letter (see Appendix 2 to Annex 2) and present it to the relevant authority.
80. Any copy of an attestation of security clearance issued to a staff member, for the purpose of proof of identity, must be returned to the Chief, Security after the staff member has returned from his official travel.
81. The Security Office must be informed no later than 5 working days before the date of departure of any international travel involving access to NATO classified information, in order that the authority to be visited may take the appropriate action.
82. The following data are required for completion of the attestation letter:
(a) Passport number
(b) The specific purpose of the official travel, provided in sufficient detail to justify to the approving security authority the official need to conduct this visit.
(c) The place and the exact address of the meeting; name of Point-of-Contact, telephone number, e-mail address (optional); the dates and the duration of the trip.
(d) The name, fax and telephone number of the Security Authority requesting the information.
Appendix 1 to ANNEX 3 ACCESS OF CONTRACTING COMPANIES
CLEANING COMPANY
83. During Working Days: between 08h00 and 11h00 two members of the cleaning company have access to the CSO in order to execute cleaning tasks in the buildings.
84. These personnel will be issued a visitor pass after provision of their ID document. They should have been subject to a French records check (“Contrôle élémentaire”).
85. These personnel will be at all times during their presence within the premises under the overall supervision of the General Services of the Office. Each staff member has the responsibility to ensure that during the cleaning of their office no classified information is accessible to these personnel.
86. Cleaning will not start before the guard on duty has checked all rooms for inadvertently left classified materials.
87. In case the cleaning company has to plan and perform heavy duties (such as carpet cleaning), it shall advise the Office of the designated personnel well in advance in order to coordinate the access (letter to the general services office). General services will ensure that copies of ID cards are provided to the Chief, Security.
88. The cleaning company must comply with CSO security rules and sign a letter of acceptance and confidentiality as provided in appendix 3 to this annex.
MAINTENANCE COMPANIES
89. In case construction works and/or maintenance of the CSO buildings are scheduled, the contracted company shall provide the Office with a complete list of the workers along with copies of ID cards at least two weeks before the beginning of the works.
90. Members of the team will be positively identified upon arrival and shall leave a form of identity card and their mobile phones with the guard. A staff member of the Facilities Management branch shall escort them.
91. Staff members from the maintenance company that will be entering CSO premises or dealing with CSO staff must comply with CSO security rules and sign a letter of acceptance and confidentiality with those rules as provided in appendix 3 to this annex.
Appendix 2 to ANNEX 3 Guards’ security patrols
General rules
92. At all times, during their patrols, the guards shall carry with them the mobile telephone and the PTI (“Protection Travailleur Isolé”) device.
93. During their duty the guards must pay due attention to their main task, which is to deter and repel any unauthorized access to the Office.
94. Upon leaving the guard post, night and day, outside opening hours, the duty guard must lock the door and activate the night ring, be it for a security patrol or for a short absence. During opening hours, the duty guard must seek replacement by the Chief Security, the chief registry or the general services technician.
95. At least three security patrols shall be carried out at random times after business hours and after the last CSO member has left the Office. They will be reported in the guard post log book.
96. Every opening day, a security check of all floors and the basement of both buildings shall be performed.
97. The guard post log book will be checked weekly by the Chief Security and at random times by the Security Officer.
Specific rules
Classified materials
98. During his security patrols the guard shall ensure that no classified material (document or equipment) has been left on a desk.
99. In such a case, he must inform the Chief, Security, or in his absence the Security Officer of the CSO. The guard will place the document or material in the appropriate safe in the guard post. It will be reported in the log book.
100. The document or material will be handed over to the Chief, Security the next working day.
Safes and special rooms
101. During his inspections the guard shall verify that safes in the various offices, the archives and the special rooms (crypto room and tempest room) are properly secured and locked. After checking he must report on the appropriate sheet at his disposal on the safe or the special rooms’ door.
102. In case a safe is found unsecured or unlocked, the guard will immediately inform the Chief, Security or the Security Officer of the CSO. He shall mention it in the log book.
Interior of buildings
103. During his inspections, the guard shall ensure that all windows are closed, all electrical equipment (coffee machines, hot plates, printers, copiers) is shut down and all the water taps are shut off.
104. The doors of the following offices shall be locked outside working hours: A013 (Chief Human Resources and Support), A101 (Director of CSO) and Room 4 Annex B building (Publications Assistant).
105. The door of the boiler room shall remain locked at all times. Only Facilities Management personnel of the CSO and the guards have access to this room. A visual control of the boiler room shall be performed every day by the duty guard and reported in the log book.
106. A visual inspection of all the offices shall be performed and any anomaly reported in writing to the Facilities Management of the CSO for maintenance.
Exterior of the buildings - courtyard
107. A visual inspection of the exterior of the buildings, the fences, gates, exterior lights and cameras shall be performed regularly and randomly (4 times a day) by the guard during his duty and reported in the log book. Any anomaly shall be reported in writing to the Chief, Security and/or to the Facilities Management for maintenance.
108. Outside opening hours both buildings A and B shall remain locked and secure. Controls of the securing system are in the guard post.
Appendix 3 to ANNEX 3 Letter of acceptance and confidentiality
CONFIDENTIALITY UNDERTAKING
(To be attached to your proposal)
I, the undersigned, ……………………………….…., representing the company ………………………………………………………….., undertake that no information, whether protected or not, shall be communicated in any form whatsoever to persons other than those who need access to it in the course of their professional activity relating to the contract in question.
At ……………………………………on [date],
Position in the company:
Signature:
Company stamp:
The attention of the companies approached is drawn to the fact that they will be asked to provide the following civil-status details:
Surname
First name
Date and place of birth
Nationality
Address
Identity document number (+ copy)
for each person who will work on the CSO site, ten (10) working days before the planned date of the work.
ANNEX 4 SECURITY OF INFORMATION
INTRODUCTION
Scope
109. This Annex sets forth the basic principles and the minimum security standards to be applied in CSO for the protection of NATO classified information.
Personal Responsibility
110. THE BEST-WRITTEN SECURITY PLANS AND REGULATIONS ARE WORTHLESS IF EACH AND EVERY STAFF MEMBER DOES NOT PAY DUE ATTENTION TO SECURITY.
(a) It is the duty of every CSO staff member to apply the rules set forth in this Annex with common sense and judgment, and to inform the CSO Security Officer and/or Chief, Security of any breach of security in each division.
(b) All staff members should act in accordance with the spirit of this Annex in any situation not expressly covered within.
(c) In addition, all staff members are required to inform their supervisor and the Security Officer or the Chief, Security of anything that might indicate an attempt at espionage or subversion.
(d) Finally, all staff members are invited to propose any practical steps that could be taken in order to strengthen security in their area of responsibility.
ROLE OF CLASSIFIED REGISTRY
111. The role of the classified registry is to carry out the registration, handling, reproduction, distribution, forwarding, archiving, and destruction of classified documents in accordance with the security rules laid down in document AC/35-D/2002-Rev3 with updates, AC/35-D/1032 “Guidelines on Security of Information”, and in this Annex.
112. The Chief, Security is responsible for the classified registry functions in the CSO.
CLASSIFICATION OF NATO INFORMATION
General
113. Markings should indicate information ownership, protection, access and handling requirements. The ways and means of protecting, distributing and providing access to information are determined by relevant NATO policies and procedures.
114. Principles
(a) Information Sharing: information shall be managed with an emphasis on the ‘responsibility-to-share’ balanced by the security principle of ‘need-to-know’, and managed to facilitate access, optimize information sharing and re-use, and reduce duplication, all in accordance with security, legal and privacy obligations.
(b) Information Protection: NATO Security Policy5 requires that access to and release of NATO classified information be controlled. NATO classified information should be clearly marked to identify the required level of protection and to indicate releasability where appropriate.
(c) Consistency of Marking: Markings on information items should be consistent to enable information sharing, cooperation, and effective and efficient processes. Consistent markings should be used on both NATO classified and NATO unclassified information.
(d) Public NATO Information: NATO Information which from its inception is intended to be communicated to the public as part of NATO’s public diplomacy and outreach activities, e.g. a press release, shall be presented in conformity to the NATO Visual Identity Guidelines and should not carry standard NATO markings. NATO Information being made available to the public as a result of public disclosure should retain the original markings, with annotations indicating its change of categorization6. This applies equally for NATO information released to a specific public entity such as a court, parliamentary commission, or similar.
115. It is impossible to draw up a complete set of instructions on security classifications. In any case, such instructions should not substitute for the judgment and reasoning which, taking the circumstances into account, make it possible to select an appropriate security classification.
116. One of the fundamental rules to be followed is that every document must be classified according to its own contents and according to the security classification of the document to which it refers or the file in which it is registered.
117. Before selecting the security classification to be given to a document, the originator must always consider whether the unauthorized disclosure of the information would have the consequences mentioned in the definitions of the various categories.
118. Particular care should be taken not to over-classify or under-classify information. The level of security that is required for any given information shall determine the level of classification. If the information is sensitive for reasons other than security then it shall be given a specific marking as detailed above.
119. A cover note/sheet must be given the same overall classification category as that given to the documents attached to it. The originator must indicate – on the cover sheet - if the classification has authorization to be downgraded to a given level when separated from its attachment.
120. References to classified documents need no classification, unless they themselves contain or reveal classified information. However, to avoid endangering the protection of classified information, such references should be as few in number as possible.
121. Collated information can often acquire a requirement for a higher classification than its component parts because of the greater intelligence value of a comprehensive picture.
122. The overall classification of a document must be at least as high as that of its most highly classified component.
123. The recipient must bring cases of apparent over-classification or under-classification to the attention of the originator. If the originator decides to reclassify the document, all addressees shall be informed accordingly.
Responsibility for classification
124. The originator of a document within CSO shall be responsible for determining its appropriate security classification up to NATO CONFIDENTIAL.
125. The originators, within CSO, responsible for determining the classification for NATO SECRET documents shall be the Director, Deputy Director, Panel Executives, SPB, and OCD. If necessary, the originator shall ask for advice from his/her superior, or the Security Officer (Deputy Director). If the document has technical content, the advice of a specialist is required.
Markings
126. NATO information falls into three categories: Classified, Unclassified and Public. All NATO classified and unclassified information should carry a marking indicating its classification.
127. The NATO marking shall be applied to all copies of NATO SECRET, NATO CONFIDENTIAL and NATO RESTRICTED documents prepared for circulation within the NORTH ATLANTIC TREATY ORGANIZATION. The NATO marking may also be applied to UNCLASSIFIED documents. When applied to a document, the marking NATO means: the document is the property of NATO and that the information contained therein remains the property of the originator. NATO Information may carry additional marking showing the collective ownership of the document (e.g. NATO / EAPC, NATO / PfP, …); they shall only be used to show the joint production of the information and not its releasability.
128. Rules for application of security classification categories:
(a) NATO TOP SECRET (COSMIC) – This security classification shall only be applied to information the unauthorized disclosure of which would result in exceptionally grave damage to the North Atlantic Treaty Organization.
(b) NATO SECRET – This security classification shall only be applied to information the unauthorized disclosure of which would result in grave damage to NATO.
(c) NATO CONFIDENTIAL – This security classification shall only be applied to information the unauthorized disclosure of which would be prejudicial to the interests of NATO.
(d) NATO RESTRICTED – This security classification shall be applied to information the unauthorized disclosure of which would be undesirable to the interests of NATO.
129. COSMIC – this marking shall be applied exclusively to all copies of TOP SECRET documents to be distributed within NATO and which are to be given special protection.
130. Releasability: In support of information sharing, it may be necessary to release some NATO information beyond the information domain to which it would typically be available. In this case, the originator should indicate such releasability when the document is ready for collaboration and/or publication. The releasability marking should be clear and complete. Originators should take both current and anticipated information sharing requirements into consideration when applying the relevant elements of the marking.
131. Dissemination Limitation: Contrary to releasability markings, dissemination limitation markings are used to indicate that dissemination and access of the information is limited to only some of the entities that would be implicit in the initial domain marking.
132. The markings listed below may also be applied by the originator to NATO UNCLASSIFIED information to control dissemination of that information to specific groups and individuals. They may only be modified by, or with the consent of, the originator. They include:
(a) PERSONAL/IN-CONFIDENCE – information to be seen only by (the originator and) the individual to whom it is addressed.
(b) COMMERCIALLY-SENSITIVE – information concerning NATO commercial processes, contracts or financial affairs.
(c) MANAGEMENT – information concerning advice on policy and planning affecting the interests of NATO.
(d) MEDICAL/IN-CONFIDENCE - information concerning medical reports and related material on personnel and units.
(e) STAFF/IN-CONFIDENCE - information containing references to named or identifiable staff or personal confidences entrusted by staff to management.
Other special markings
133. National security classifications and their NATO equivalent are shown at of Annex 1 to AC/35-D/1002(revised).
134. The following are examples of correctly presented markings:
(a) Basic Marking: NATO UNCLASSIFIED
(b) Marking combined with Administrative/Category Marking: NATO UNCLASSIFIED – STAFF
(c) Marking with Releasability Marking denoting specific countries: NATO RESTRICTED
Releasable to Japan, Switzerland, Ukraine
(d) Marking with Releasability Marking denoting a community of countries: NATO/EAPC CONFIDENTIAL
Releasable to ISAF
(e) Marking with Dissemination Limitation: NATO/KFOR CONFIDENTIAL
NATO, Ireland, Sweden, Ukraine Only
Downgrading and declassification
135. NATO classified documents may only be downgraded or declassified by the originator. The originator may make this decision by:
(a) Reviewing at least annually to ascertain whether the original security classification is still applicable, and/or whether they are to be downgraded or declassified. The security system must not be overloaded with documents whose contents no longer require their original level of classification.
(b) Ensuring that all original addressees of those documents are notified promptly of their downgrading or declassification. Original and subsequent addressees, who have given further dissemination to the documents, shall be responsible for ensuring that the holders of those copies are informed promptly that the documents have been downgraded or declassified.
(c) Making a statement on the document which states the date when the document may be destroyed, downgraded or declassified.
136. In all cases, action to re-mark documents shall be taken immediately by the holders of those documents for which a downgrading or declassification notice has been received.
137. Wherever possible, the originator shall, when issuing a document, indicate the level to which it may be downgraded in given circumstances, as for example, on a certain date, and/or on the happening of a specific event.
PREPARATION AND REPRODUCTION OF DOCUMENTS
Preparation
138. Documents marked NATO are subject to the control and protection set forth in the NATO security procedures. It is the responsibility of each person to become familiar with these policies and guidance.
139. Documents classified NATO RESTRICTED and above shall be typed, translated and reproduced only by persons with the appropriate level of security clearance, at least to the level of classification of the document to be handled. The only authorized locations for classified work NATO CONFIDENTIAL and above are at the TEMPEST-approved workstations.
140. The security classification and the marking NATO must be conspicuously stamped, typed, printed or hand-written at the top and bottom of each hand-written or printed page of the document. Paragraphs must be marked with appropriate classification. The classification and the marking shall, whenever possible, be indicated in larger letters than those used in the text of the document. In no case shall they be smaller.
141. Paragraphs above also apply to working papers.
142. All NATO classified documents shall bear a reference number and date on the first page. Each NATO SECRET document shall bear the reference number on each page and a copy number on the first page.
(a) A new Annex or Appendix added to a COSMIC TOP SECRET or NATO SECRET document or designed to replace a portion of an existing COSMIC TOP SECRET or NATO SECRET document shall state on the first page:
(1) The reference number of the original document with its date of issue and
(2) The purpose of the new text, as for example an addition or substitution
(b) The original date of a NATO SECRET document should be retained even though amendments are made to it, unless it is the subject of fundamental revision and re-issue.
(c) The first page of a NATO classified document or its index or table of contents shall include a complete list of Annexes and Appendices.
(d) Each hand-written or printed page of a document shall be numbered. The total number of pages of NATO SECRET documents shall be stated on the first page. To facilitate the checking of the completeness of a NATO SECRET document when it consists of more than one component (e.g. Enclosures, Annexes, Appendices, etc.) a list of effective pages must be included in the document.
(e) When a document is downgraded or declassified by its originator, the original NATO classification on the first page shall be lined through. The new classification or NATO UNCLASSIFIED, as the case may be, will be shown immediately above or under it, together with the authority for such action, as well as the date and initials of the person effecting the amendment.
Photographic material
143. Photographs, films (including negatives and positives) and their spools and containers, shall be marked in such a manner as to ensure that any recipient or viewer will know that classified information of a specified level is involved.
Tape recordings
144. The spools containing tapes (i.e. cassette tapes), including videotapes on which classified information has been recorded must be clearly marked with the highest classification of information recorded thereon. (See also CIS SecOPs)
Magnetic media of all types
145. The classification of magnetic media such as a diskette, tape back-ups, hard drives and/or other computer-generated media on which classified information has been recorded, must be clearly marked with the highest classification of information contained thereon and shall be accounted for. (See also CIS SecOPs).
All other material
146. The assigned security classification and, where appropriate, downgrading and declassification instructions, shall be conspicuously stamped, printed, hand-written, painted or affixed by means of a tag, sticker, decal or similar device on classified material other than described above.
Reproduction and Translation
147. Reproduction of classified documents by the addressee shall be controlled in a manner to deter unauthorized access. Approval for reproduction of documents NATO CONFIDENTIAL and above must first be acquired through the Chief Security.
148. Reproductions (see Annex 2, paragraph 14) and translations of classified documents may be produced by the addressee under strict observation of the “NEED-TO-KNOW” principle. Security measures laid down for the original document shall be applied to such reproductions and/or translations. If classified NATO SECRET, documents must be marked with identifying copy numbers. Before the reproduction and/or translation of NATO SECRET documents, the CSO Chief Security must be informed and the copy numbers and number of copies made must be recorded. Requests for translation of NATO SECRET documents must also pass through the CSO Chief Security office.
DISTRIBUTION/RELEASE OF NATO INFORMATION
149. Distribution/release of NATO classified or NATO unclassified documents shall be on a “NEED-TO-KNOW” balanced with the “responsibility to share” principles.
NATO CLASSIFIED information
150. The initial distribution of documents classified NATO RESTRICTED and above should be specified by the originator. The addressee may authorize such wider distribution, as he/she may consider necessary in accordance with the principle of the NEED-TO-KNOW.
151. Documents classified NATO CONFIDENTIAL and above shall be limited to persons currently authorized to have access to such information.
152. Classified information:
(a) may not be passed outside the North Atlantic Treaty Organization, except under the condition laid down below and that it is subject to the security protection outlined in these procedures:
(b) may be circulated, in accordance with the NEED-TO-KNOW principle and without reference to the originator, within NATO. It should be emphasized that the information itself remains the property of the originator.
(c) may not be given to any non-NATO nations entity except by the originator or as set out in AC/35-D/2002-Rev3 and updates and the supporting directives, especially AC/35-D/1040 and updates. The CSO Security Officer is the delegated authority appointed to manage the security risks within the CSO with respect to this matter.
NATO UNCLASSIFIED information
153. In accordance with the NATO Information Management Policy (NIMP), information marked NATO UNCLASSIFIED may be released to non-NATO nations and organizations only when such release would not be against the interests of NATO.
154. Responsibility for the release of information marked NATO UNCLASSIFIED has been delegated by the North Atlantic Council and Military Committee to the Director of the CSO.
155. NATO information marked NATO UNCLASSIFIED is to be used only for official NATO purposes.
156. When it is determined that NATO UNCLASSIFIED information is releasable to the public, all markings shall be removed.
157. When NATO UNCLASSIFIED information is released to Non NATO entities other than the public, the NATO markings shall be retained as an indication that this information is subject to security arrangements in place for the exchange of information with the entity concerned.
PROTECTION OF CLASSIFIED INFORMATION
General
158. The places in which NATO classified material is stored range from strong rooms to lockable containers. The protective measures vary accordingly.
(a) The purpose of physical security measures is to prevent unauthorized persons from having access to NATO classified information.
(b) Places in which NATO classified material is kept must be protected against unlawful entry through the windows, doors, roofs, and/or other openings. The protection shall be enhanced by the presence of guards, patrols, intrusion detection systems and/or alarms.
(c) By studying and evaluating the components of the protection system such as the security of the building, premises and containers, it is possible to determine how long a trained intruder would take to gain surreptitious access to protected information. This time element shall dictate the frequency of inspection by the guard or patrol or the requirement for an on-site permanent guard post. A continuous “Risk Assessment” process will assist to determine current vulnerabilities, and will propose several options for the most economical allocation of resources to meet existing vulnerabilities.
(d) Places in which NATO information classified CONFIDENTIAL or above is stored must be inspected after normal working hours to ensure that safes, cabinets, and/or other authorized storage containers are locked, and classified documents and waste securely housed.
Custody of documents
159. COSMIC TOP SECRET materials or documents shall be stored in a nationally approved security container placed in an area equipped with an Intrusion Detection System and under permanent supervision of the guard force.
160. NATO SECRET and NATO CONFIDENTIAL documents shall be stored in a nationally approved security container.
161. Security facilities and equipment shall be subject to periodic inspection.
162. NATO RESTRICTED documents shall be placed in premises not open to members of the public and which, unless other security precautions are taken, are to be locked/secured after working hours in cupboards, cabinets or desks.
163. NATO SECRET and NATO CONFIDENTIAL documents must not be left unattended in an office during normal working hours. When offices are vacated, even temporarily, NATO SECRET and CONFIDENTIAL documents shall be safeguarded in accordance with the provisions listed above.
164. NON-CLASSIFIED documents that are not locked up must:
(a) either be clearly marked NATO UNCLASSIFIED
(b) or be placed in a container or on a shelf not containing any NATO classified documents. This container or shelf shall then be marked: “This cabinet/shelf or storage area … does not contain any NATO classified documents.” When this is indicated, the occupant of the office is responsible for any breaches of security discovered during inspections
(c) or be placed in a room marked: “This room does not contain any NATO classified information”. In this case, the responsibility for ensuring that no classified documents are in the room falls on its occupant, even if the latter is temporarily absent.
165. Any classified document not properly secured in accordance with the paragraphs above, and found by the security guard during the inspection, shall be locked up and a report made the next day to the Security Officer and/or Chief Security. The latter will then inform the staff member responsible of such incident. (See also ANNEX 6 for further details.)
Keys and locks
166. Staff members are not allowed to retain keys to security containers outside normal duty hours. Combination settings to security containers shall be committed to memory by persons with a “need-to-know”. Spare keys and a written record of each setting for use in emergency, should be held in a sealed envelope by the Chief Security. Keys and special records of combination settings to security containers shall be given security protection no less stringent than the material to which they give access. In exceptional cases when authorized by the Security Officer, keys may remain in the personal custody of the user if the container is secured both with a key and a combination lock.
167. Knowledge of combination settings of security containers shall be restricted to the smallest possible number of persons. Settings shall be changed:
(a) Every twelve months (for containers holding NATO CONFIDENTIAL and above);
(b) Whenever a permanent change of personnel occurs;
(c) Whenever a compromise has occurred or is suspected.
168. The Chief Security will perform the action outlined above. Only the Chief Security or, in his/her absence, the Principal Assistant (Human Resources and Facilities Management) can give individuals, on a “need-to-know” basis, the combinations to security containers.
Recording equipment
169. During storage, all dicta-phone disks and magnetic tapes shall be handled in the same way as documents of the same classification. (See also CIS SecOPs)
170. The use of voice-recording apparatus other than that belonging to CSO and used for official recording is prohibited. Such devices may not be brought into the CSO facility without the prior authorization of the Director and/or Security Officer.
171. Disks and tapes used for classified recordings must be marked with the security classification of their contents, and stored in the same way as documents of equivalent classification. (See also SecOps)
(a) These disks and tapes must be stored as mentioned, and then retained at their proper level of classification.
(b) Classified disks and tapes (NATO SECRET and above), even when erased, must not be used for NATO UNCLASSIFIED recordings. Such disks and tapes shall be destroyed according to the SecOps.
Checking of documents in event of transfer or departure of a staff member
172. Before a CSO employee is transferred or leaves, the Chief Security shall carry out an inventory of all NATO SECRET documents held by the staff member, if applicable. This check shall take place not more than two weeks before a transfer, and not more than one month before a departure. After the inventory has been performed, the Chief Security shall draw up a certificate for the Security files. When the case arises, documents found to be missing shall be listed in an annex to the certificate. If documents are missing, the staff member concerned shall be requested to provide a written explanation. (See ANNEX 4 for further details)
Destruction
173. To prevent unnecessary accumulation, superseded documents and documents no longer needed shall be destroyed as soon as practicable. It is not necessary to await destruction instructions from the originator. Holders of NATO CONFIDENTIAL and above documents shall maintain a continuing review of them to determine whether they can be destroyed and inform the Chief Security prior to destruction for appropriate instructions.
174. Copies of NATO RESTRICTED and CONFIDENTIAL documents that are no longer required may be destroyed. CONFIDENTIAL documents must be destroyed under the supervision and control of the CSO Chief Security. NATO RESTRICTED documents may be destroyed within each section by using an approved shredder. In both cases, the CSO Chief Unclassified Registry (for NATO RESTRICTED) and the CSO Chief Security/Classified Registry (for NATO CONFIDENTIAL) must be informed of the control number of the documents in question so that these items can be recorded as “destroyed” in the Registry Unclassified/Classified log books.
175. NATO SECRET documents to be destroyed must be recorded in a Destruction Certificate or letter in accordance with the following procedure:
(a) The office concerned shall inform the Chief Security/Classified Registry of the documents to be destroyed. The Chief Security shall record or have recorded the documents to be destroyed in the Destruction Certificate.
(b) The copy number of the classified documents to be destroyed must be written in the letter.
(c) The individual concerned will accompany the Chief Security for destruction of the documents. Both of them shall be appropriately cleared and authorized to have access to NS information.
(d) Documents will only be destroyed in the shredder located in the Chief Security’s office.
(e) After the classified documents have been destroyed, the Chief Security and one independent witness will sign the destruction certificate. The destruction certificate along with the document log sheet shall then be filed and retained at least ten years in the Destruction Certificate folder located in the Classified Registry.
(f) As soon as the Destruction Certificate/letter is received, the Register of NATO SECRET documents shall be modified reflecting such destruction. Referencing the letter in the block marked “Destroyed date and signature” shall do this.
(g) A destruction letter is not required for NATO RESTRICTED / NATO CONFIDENTIAL documents.
(h) A destruction letter is not required for classified working drafts, papers, and carbons. Such material is to be turned over to the Chief Security, who will carry out their destruction.
176. Surplus or superseded classified documents, including all classified waste such as spoilt copies, working drafts, shorthand notes, carbon paper, etc., shall be destroyed by means approved by the Host Nations laws and procedures.
Emergency Destruction
177. In an emergency and when so decided by the CSO Director, the offices shall hand all NATO CONFIDENTIAL and above files to the Chief Security for immediate destruction. (See also CSO Emergency and Evacuation Procedures)
Telephone Communications
178. CSO telephone lines are not protected or secure. Consequently, conversations, whether internally between two phone extensions or with the outside, can be overheard by unauthorized persons.
179. It is therefore forbidden to discuss classified information over the telephone. It is also forbidden to use codes or paraphrases that may be easily deciphered.
INVENTORY OF CLASSIFIED DOCUMENTS
180. An inventory of all NATO SECRET documents shall be taken every year and reflect current holdings.
(a) The Chief Security shall give an inspection letter to each office holding NATO CONFIDENTIAL and above documents, stating if it is an annual inventory or spot check to be done. Upon receiving the letter the following shall be done:
(1) The individual concerned for safeguarding classified shall request the assistance of a CSO Staff member for the inventory to be done.
(2) The individuals shall verify that all documents listed on the letter are still on hand. Any discrepancies found will be noted on the form. Both individuals will sign and date the document and return it to the Chief Security by the suspense date for verification.
(3) The completed inventory form must be classified NATO RESTRICTED.
(4) The form will then be filed in the “Spot-check” or “Annual Inventory” files located in the Classified Registry.
(5) Spot checks may also be carried out by the Security Officer.
REGISTRATION OF CLASSIFIED DOCUMENTS
181. Classified information/material NATO CONFIDENTIAL and above will be logged in a ledger kept in the Classified Registry office (Chief Security office). NATO RESTRICTED and below documents will be recorded on an appropriate system held in the unclassified registry office. Prior to accessing the classified document, the individual requesting the document shall sign for the document on the appropriate form. The Chief Security/Classified Registry will fill date checked in and date checked out.
182. The Classified Registry shall keep an electronic log. In this log items will be separated according to their classification level. This log will contain the following information:
Heading will consist of the following:
CNTRL NO: a chronological serial (control number) which shall be written on the bottom right hand corner of the document.
DATE RCVD: this is the date the document was received by the Chief Security.
CLASSIFICATION: this is the classification of the document. When a document is downgraded, the letter corresponding to the new classification shall replace the previous one and be noted in the logbook.
ORIGIN: the originator of the document (i.e. NATO HQ, NC3B, TSCO NATO, RTO, etc.)
DOCUMENT REF & SUBJECT: the reference number and subject of the document (for NATO Documents) and the publication number (for CSO Publications)
DOC DATE: the date of the document
COPY NO: copy number located on the document
DESTRUCTION DATE: this column is to be used for the reference Destruction Certificate and date of destruction and where filed.
SAFE: location of the mentioned documents with room and safe number (e.g. Registry #10, CAVE #1)
DATE OUT: date that an individual checks out a document
DATE RTND: date that an individual has returned the document.
INVENTORY DATE: most recent inventory date
Receipt & transfer of classified documents
183. When classified documents are received, the Chief Security/Classified Registry shall enter them in the control log. The document will then be placed in a special folder marked with the classification of the document and handed to the addressee or to the Deputy Director, who shall determine dissemination of the document. The recipient shall sign the control register for NATO SECRET and NATO CONFIDENTIAL documents and be held responsible for them until returned to the Classified Registry.
184. The Chief Security/Classified Registry having signed for receipt of the documents shall be held responsible for them. Prior to leaving the Office, he/she will perform an inventory with his/her replacement (if possible) or with the Principal Assistant (Human Resources and Facilities Management) to transfer all documents. This shall be documented in an official letter stating the transfer of such documents to the new occupant.
185. Each document shall have a removable log sheet attached to it. If an individual needs to see a document the Chief Security shall have them sign and date the log sheet. Upon return the log sheet will be annotated and reattached to the document.
186. Hard copy documents received by the CSO Unclassified Registry at the “NR” level will be distributed through normal channels in a separate envelope, but without a need of a signature from the recipient(s). Accountability and the physical security of “NR” media are detailed in the CIS SecOPs.
CARRIAGE/FORWARDING OF NATO CLASSIFIED DOCUMENTS
187. The personal carriage of documents classified COSMIC TOP SECRET is forbidden.
188. The procedures described below for the personal carriage of documents classified NATO CONFIDENTIAL and NATO SECRET should be resorted to only when individuals are required to travel at short notice or when time does not permit such documents to be sent by approved secure means and when copies cannot be made available locally at the traveler’s destination.
Packaging
189. The Chief Security or Principal Assistant Deputy (Human Resources and Facilities Management) are the authorizing officials and shall do all classified packaging for NATO CONFIDENTIAL and above.
190. Documents classified NATO CONFIDENTIAL and NATO SECRET shall be transmitted by diplomatic pouch through embassies or the CEPS Programme Office Classified Registry or by personal carriage. The documents shall be prepared in accordance with NATO rules and shall carry a courier certificate (see appendix 1 to Annex 1 to AC/35-D2002-REV4).
191. When staff members carry NATO classified documents between offices of the same building and enclosed group of buildings, the documents shall be covered in such a way as to prevent observation of their contents.
Document control
192. When NATO CONFIDENTIAL and above documents are forwarded, a receipt must be placed in the inner cover. The dated and signed receipt must be returned immediately to the CSO Chief Security/Classified Registry.
193. If the receipt is not returned to CSO within three/four weeks, the Classified Registry shall send a copy of the document search form to the addressee. If the latter has not received the document, the Classified Registry shall inform the Security Officer and an enquiry shall be carried out in accordance with the current NATO regulations. The originator shall be informed of the results of the enquiry.
194. NATO RESTRICTED documents shall be packaged in accordance with the rules applicable to NATO SECRET and CONFIDENTIAL documents. However, no receipt is required unless the originator wishes to receive one.
(a) These documents may be sent by registered mail and a receipt obtained for them.
(b) The receipt, which requires no security classification, shall quote only the reference number, date, copy number and language of the document and not its title.
195. For NATO CONFIDENTIAL documents and above, couriers and messengers shall obtain receipts against package numbers. Receipts for packages containing NATO CONFIDENTIAL documents are only required if carried outside the confines of the Office premises.
Carriage inside the country
196. The French national regulations permit classified documents to be sent by post within the territories of France. However, inside the Paris area it is preferred that the transport of documents classified NATO CONFIDENTIAL and above be performed by personal carriage. The individual performing such carriage should have been briefed on his security responsibilities, possess a written authorization, and be provided with a NATO courier certificate (see appendix 1 to Annex 1 to AC/35-D2002-REV4).
197. Whenever a messenger service is used for the carriage of documents classified NATO CONFIDENTIAL and above outside the confines of the CSO premises, the packaging and the receipting provisions contained in Paragraphs above shall be complied with.
International Carriage
198. The international carriage of documents classified NATO CONFIDENTIAL and above shall be realized by diplomatic pouch or military courier service. Exceptionally, the personal carriage of NATO SECRET and NATO CONFIDENTIAL documents internationally may be permitted provided that all the provisions of section PERSONAL CARRIAGE OF CLASSIFIED DOCUMENTS mentioned below are complied with.
Forwarding of Classified documents
199. In France, the transmission of documents classified NATO RESTRICTED up to and including NATO SECRET inside the country through the French Postal Service (PTT) is authorized by national regulations. Such items will be sent by registered mail in double cover with return receipt requested.
200. Documents classified NATO CONFIDENTIAL and above will go through the Chief Security for proper dissemination.
Personal carriage of classified documents
201. The carriage of classified documents by persons other than couriers or messengers shall be subject to the following conditions:
(a) The bearer must be cleared for access to at least the level of classification of the documents carried.
(b) A record must be kept in the Chief Security office when NATO SECRET or CONFIDENTIAL documents are carried. The receipt for the documents or actual documents, if returned, must be checked against this record.
(c) The documents must be carried in a locked container or sealed envelope, which must bear a label with an identification and instruction to the finder in event of loss.
(d) The documents must not leave the possession of the bearer unless they are housed in accordance with the provisions for safe custody of classified documents (see paragraphs 153-159), i.e., the documents must not be left unattended in hotels and vehicles or stored in hotel safes or luggage lockers.
(e) The documents must not be read in public places such as in aircraft, trains, or other means of public transportation.
202. When international carriage is involved:
(a) an official seal to prevent Customs examination shall cover the container or document package;
(b) the bearer must carry a courier certificate recognized by all NATO nations and authorizing him/her to carry the package as identified;
(c) the bearer shall not travel through or over non-NATO nations nor use any means of transportation carrier registered in a non-NATO nation, to which any of the criteria listed below apply:
(1) the government of a nation:
- has given evidence by word or deed of an attitude hostile to NATO and/or NATO nations;
- is not able to give a generally agreed level of protection to the life and/or personal belongings of its residents and/or visiting foreigners; or
- has given evidence that it does not respect at all times the immunity of a diplomatic seal;
(2) the intelligence services of the nation target NATO and/or NATO nations; or
(3) the nation is at war, or subject to serious civil strife.
(d) the bearer must be instructed on the matter, by the Chief Security, and be aware of his obligations with respect to the safeguarding of the documents entrusted to him/her.
Electronic Transmission
203. Within the S&T Organization Collaboration Support Office, Neuilly-sur-Seine, France, there is at the moment only one means (the NS WAN workstation in the basement) to transmit NATO RESTRICTED and above electronically.
204. All means of electronic transmission of NATO documents must follow the CIS SecOPs maintained by the INFOSEC Officer.
ANNEX 5 CLASSIFIED CONFERENCES AND MEETINGS
General
205. All conferences or meetings at which NATO classified information is to be discussed must be held in a security area or area that has been designated as secure.
In the CSO facility, there are three conference facilities considered as security areas (the blue, red, and V.K. conference rooms).
Control of access
206. Technical, maintenance (contractors) and cleaning staff that are required to enter the security areas must have an adequate security clearance or be accompanied by the CSO staff member requesting their assistance.
207. The Chief Security or Principal Assistant Deputy (Human Resources and Facilities Management) shall ensure that the required security arrangements are complied with before, during and after meetings.
208. The prime responsibility for the application of the security rules (with respect to the control of attendees and the protection of classified material) rests with the organizer/chairperson of the conference/meeting, in co-ordination with the Chief Security.
209. Classified information discussed at meetings is considered properly safeguarded if all those present:
(a) if a NATO Nation’s citizen, provide, or exceptionally hand carry, a valid Certificate of Security Clearance (see Appendix 2 to Annex 2) of a level corresponding at least to the highest security classification of the documents to be discussed during the meeting;
(b) if Non-NATO Nationals, are designated as representatives of their organization, have been personnel security cleared in accordance with NATO standards, and provide an Attestation of Security Clearance in accordance with the template at Annex 2 – Appendix 4. They must still be escorted even if they provide this attestation, which does not constitute a NATO security clearance.
(c) have a “need-to-know” of the contents of the documents provided to them.
210. Chairpersons of meetings during which classified information is to be discussed shall ensure that all participants have an appropriate security clearance and “need-to-know” well in advance of the meeting (minimum of two weeks prior). For this purpose, they shall, through the CSO Panel Assistant or CSO Staff member in charge of the meeting:
(a) Provide a list of individuals to attend the meeting to the CSO Chief Security, or in his/her absence to the Principal Assistant Deputy (Human Resources and Facilities Management), for verification that a current NATO Security Clearance is in the database.
(b) Upon verification, the Chief Security or Principal Assistant Deputy (Human Resources and Facilities Management) will then notify the CSO staff member/Panel Assistant of those individuals who do not have a clearance on file. It shall then be the responsibility of the CSO staff member/Panel Assistant to request that those individuals provide a valid Certificate of Security Clearance (see Appendix 2 to Annex 2) prior to the meeting, or exceptionally hand carry a certificate.
211. For unclassified meetings held at CSO a list of attendees must be provided to the Security Office. The CSO premises are a RESTRICTED area, and if an individual does not have a clearance on file, he/she may attend the meeting but must be escorted by the Panel Executive Assistant or someone attending the meeting who has a green badge. Only those individuals holding a valid NATO security clearance will be allowed to have unescorted access to the CSO. During the meeting the Chairperson shall be the escort of said individuals. That is why it is pertinent that the Chairperson holds a valid Security Clearance.
212. Authorized Non-NATO personnel may attend meetings on the CSO premises but must be escorted at all times.
213. At the beginning of the meeting the Chairperson shall draw the attention of the participants to the security rules mentioned above.
214. For classified meetings held at the CSO, the Panel Assistant or individual in charge of setting up the meeting will obtain a list of persons nominated to attend. This list will then be given to the Chief Security 2 weeks in advance for verification of clearances. The Chief Security or Security Assistant will then take the necessary measures to control access to the conference room where the meeting is to be held.
215. For classified meetings held outside the Office, the above rules shall still be adhered to. In addition the CSO Security Office shall work with the National/Local Coordinator through the Panel Executive/Panel Assistant on providing the necessary security measures.
Physical Security
216. In the event of a classified meeting (within the CSO or outside), the following shall be complied with:
(a) A cleared classified computer shall be connected directly to the projector by the CSO CIS support staff.
(b) The use of voice-recording apparatus other than that used for official recording is prohibited. No such equipment may be taken into the conference room.
(c) Neither still nor movie-cameras may be brought into a security area.
(d) During and after meetings, suitable arrangements are to be made for the storage of all classified material.
(e) After each meeting, the conference room and the security area must be thoroughly searched for any forgotten documents.
(f) Classified waste shall be collected and handed over to the Chief Security for destruction.
(g) All mobile phones and/or other portable devices must be in the “OFF” position prior to entering any CSO conference facility/room. During conferences at the “NATO SECRET” and “NATO CONFIDENTIAL” levels, all mobile phones and/or other portable devices will be surrendered to the CSO meeting coordination team for safekeeping or, during classified meetings in or outside of the Office, to the Registration desk.
(h) Each person in possession of a laptop computer and/or any other portable device is responsible for providing the necessary level of protection to the device, to include its electronic contents, to the level of highest classification contained therein. All laptop computers must be cleared for the classification level of the meeting, be from an “official” origin, and may not be privately owned. Before entering the Conference Meeting Room (inside the Office or outside) the laptop will be shown to the Chief Security for verification of the level of classification. (See also CIS SecOps for further instructions). In the event that the laptop is not cleared or of a personal nature it shall be held outside the conference room by the CSO staff.
(i) At regular intervals a “sweep” of the conference rooms and surrounding areas will be carried out. Such inspections will be carried out in coordination with the appropriate NATO services.
ANNEX 6 INFORMATION AND INTELLIGENCE SHARING WITH NON-NATO ENTITIES
(ref: AC/35-D/1040-REV2)
General
217. The supporting document on Information and Intelligence sharing (I&IS) with non-NATO entities (NNE) established provisions, mechanisms and procedures to supplement NATO Security Policy for classified information and intelligence sharing in order to support Operations, Training, Exercises, Transformation and Cooperation activities at all NATO levels. I&IS with NNE shall occur only when the NNE has the need-to-know, balanced by the responsibility to share.
218. The CSO Deputy Director has been delegated the authority, by the CSO Director, to manage the security risks within the CSO and its related activities, and to take all security decisions with regard to I&IS with NNEs.
219. There are 7 categories of NNE. In addition to non-NATO Nations (NNN), I&IS is considered with: Contractors, Governmental Organizations (GO), Host Nations (HN), International Organizations (IO), Non-Governmental Organizations (NGO), and Non-NATO Multinational Forces (NNMF).
220. Each of the above categories is concerned with specific procedures for I&IS. These procedures are detailed in the above document, which is held by the security officer of the CSO, who is also responsible for their implementation.
221. Specific procedures apply to subsets of the NNN:
(a) The 7 Non-NATO Nations as defined in the Directive on Personnel Security; specifically Australia, Austria, Finland, Ireland, New Zealand, Sweden and Switzerland.
(b) Non-NATO Troop Contributing Nations (NNTCN)
(c) All other NNNs
Recording requirements
222. Decisions made by the Deputy Director with regard to I&IS with NNEs shall be recorded on the applicable template, dependent on the category of NNE.
223. The template at Appendix 1 to this annex shall be used by the Chief Security, CSO, to document decisions made for access or release of NATO classified Information and Intelligence to NNNs. The panels support offices and the MSCO will document this form before seeking the decision from the Deputy Director for I&IS.
224. For the other categories, the templates can be found in the reference document. Should the CSO have the need to share classified information with NNEs other than the NNN, they will be used to document decisions.
225. The completed copies of Appendix 1 shall be maintained by the CSO Chief Security for a minimum of 5 years, and shall be made available during inspections by higher security authorities.
226. Appendix 2 to this Annex contains the template which shall be used by the Chief Security to compile the annual Security Report on access to and release of NATO Information and Intelligence to NNEs. This report, signed by the Deputy Director, will be provided to the CSO Director.
Appendix 1 to Annex 6
Decision taken by CSO Deputy Director
Information & Intelligence sharing with a Non-NATO Nation
1. Type of access approved
Physical:
NATO Class II NATO Class I
CIS:
NATO/<X><classification> CIS: NATO <classification> CIS:
Access to Non-Released NATO classified Information
NATO Classified Information released
2. Access granted to:
Last Name
First Name
Rank
Passport / ID Card No
Nation Issuing PSC
Nationality
Security clearance Level
Security Clearance expiry date
Access start date
Access end date
3. Justification for Access or Release:
4. Details for Released Documents:
Title Reference Number Classification
5. The Principal Security Advisor has confirmed the NNN has a security agreement or security assurance applicable with the level of NATO information/intelligence accessed or released
6. I have consulted with the Principal Security Advisor and confirm the NNN meets all requirements specified in the Supporting Document on Information and Intelligence Sharing with Non-NATO Entities. The access(es) specified above are granted in NATO’s interest.
Delegated Authority Details:
Name and Rank
Post/Title
Signature Date
Appendix 2 to Annex 6
Annual Security Report on Information and Intelligence Sharing with Non-NATO Entities
1. General State of security:
Comment on implementation of the Supporting Document on I&IS with NNEs over the reporting period
Current/future scenarios not covered by the Supporting Document on I&IS with NNEs
Brief details of incidents/investigations involving NNEs
Recommended changes to the Supporting Document on I&IS with NNEs
2. Statistical Data for Access Granted to and release to NNEs during <insert period of time>:
Columns: NNE, by Nation or Organization; Class II Area; Class I Area; NATO Classified CIS; NATO Classified REL X CIS; # of NATO documents released (NR, NC, NS)
Delegated Authority Details:
Name & Rank Post/Title
Signature Date
ANNEX 7 BREACHES OF SECURITY AND COMPROMISE OF NATO CLASSIFIED INFORMATION
Scope
227. The protection of NATO classified information depends on the design of appropriate security regulations and on the effective implementation of these regulations by education and supervision backed up by disciplinary and, in extreme cases, legal sanctions.
Definitions
228. Breach of Security: an act or omission contrary to existing NATO general or local security regulations, the results of which may endanger or subject to compromise NATO classified information.
229. Compromise: NATO classified information is compromised when knowledge of it has, in whole or in part, passed to unauthorized persons, i.e. individuals without appropriate NATO security clearance or authority to have such access, or when it has been subject to risk of such passing. Thus, classified information lost, even temporarily, outside a security area is to be presumed compromised. Also, classified information lost, even temporarily, inside a security area, including documents which cannot be located at periodic inventories, is to be presumed compromised until an investigation proves otherwise.
230. Security Incident/Infractions: The mishandling of classified material or information, or not abiding by CSO Security Policies/Instructions. The following are some examples of security incidents:
(a) Failing to properly escort uncleared visitors or allowing improper access to CSO controlled facilities.
(b) Failing to leave an Identity card at the guard post upon entering or failing to recuperate identity card upon departing.
(c) Taking classified material out of the building without proper double-wrap protection.
(d) Crossing international borders with classified material without courier authorization.
(e) Failing to secure containers with classified material.
(f) Storing classified materials in desk drawers or other improper containers.
(g) Failing to secure classified computer hard drives.
(h) Reading classified documents in any public area.
(i) Transmitting classified information on unclassified fax or copy machines.
(j) Losing control of classified material by leaving it in a non-secure area.
(k) Placing classified information on unclassified computers.
(l) Discussing classified information on unsecured telephones.
231. In any event of a security incident or infraction, the Security Office shall be informed and the incident recorded. (See also Annex 1, paragraph 22)
232. Recorded minor incidents/infractions for repeat offenders shall be placed in the individual’s Security Personnel File.
Action on breaches of Security
233. All breaches of security must be reported immediately to the Security Officers. The importance of speed, especially when a leak is suspected, cannot be over-emphasized.
234. Each reported breach of security shall be investigated by persons who have security and investigative experience, if possible, and who are independent of those persons immediately concerned with the breach.
235. In the event of a breach of security, where the possibility of compromise is so remote that it can reasonably be ruled out, the matter will be dealt with by the CSO Security Officer in coordination with the CSO Director.
236. In the event of a breach of security where the possibility of compromise cannot be reasonably ruled out, the CSO Security Officer is to be informed and he shall report to the NATO Office of Security (NOS). Initial reports shall be forwarded immediately in cases where it has been determined that:
(a) CTS or NS information is involved; or
(b) there are indications or suspicions of espionage; or
(c) unauthorized disclosure to the press/media has occurred.
In other cases of compromise a detailed report has to be forwarded when the investigation has been completed.
In all cases of reportable compromise the final report, or a progress report, of the investigation shall be with the NOS within 90 days of the initial report.
Enquiry Report
237. The enquiry report forwarded to the CSO Director through the CSO Security Officer must be concise and give all available information, including:
(a) a brief description of the circumstances of the breach, the date or period during which it may have been committed, the date and place it was discovered and the name of the persons who noticed it, and reported the facts;
(b) details on the information/material involved, security classification, originator, references, date, and/or other pertinent details; abbreviations are to be avoided unless they are readily understandable;
(c) an assessment of the risk of compromise, such as, “certain”, “probable”, “possible”, or “improbable”;
(d) whether or not the originator of the document has been informed of the breach (if applicable).
Disciplinary or Judicial Action
238. Appropriate disciplinary action, in accordance with the NATO Personnel Regulations and National Security Regulations may be taken with respect to an offending staff member, if the Director considers that the circumstances and the seriousness of the breach committed justify such action.
ANNEX 8 INDUSTRIAL SECURITY
239. This annex deals with security aspects of industrial operations that are unique to the negotiation of NATO classified contracts and their performance by industry, including the release of classified information during pre-contract negotiations. This annex refers to NATO security committee provisions on industrial security: AC/35-D/2003-REVISED.
240. Industrial security is the application of protective measures and procedures to prevent, detect and recover from the loss or compromise of classified information handled by industry in contracts. NATO classified information disseminated to industry, generated as a result of a contract with industry, and contracts involving classified information shall be protected in accordance with NATO Security Policy and supporting directives.
Currently, the CSO has established a contract involving classified information with the company dealing with the editorial services related to the technical reports. Some of these reports are classified up to the level of NATO SECRET. A Security Aspect Letter as described in the above referenced document has been attached to the contract and an acknowledgement certificate was delivered by the contractor. All the classified reports at NR level and above will be processed within the premises of the CSO on a dedicated workstation accessible to the editorial company personnel after a valid NATO Security Clearance at NATO SECRET level has been shown.
ANNEX 9 DEFINITIONS
Availability: The property of information being accessible and usable upon demand by an authorised individual or entity
Accountable Information: All information classified CTS and NS, all ATOMAL information, and other NATO classified information to which access controls or dissemination controls have been applied
Background Information: Information that has been developed outside of a programme/project.
Breach of security: A breach of security is an act or omission contrary to NATO Security Policy and supporting directives that results in the actual or possible compromise of NATO classified information (including, for example, classified information lost while being transported; classified information left in an unsecured area where uncleared persons have unescorted access; an accountable document cannot be found). US suggested to add at the end of this definition: “…cannot be found; classified information has been subjected to unauthorised modification; destroyed in an unauthorised manner; or, for CIS, there is a denial of service”.
Cargo Handling Company (may include a freight forwarder or a transportation agent): A commercial firm that is chartered to receive, process and ship material
Classified Information: Any information (namely, knowledge that can be communicated in any form) determined to require protection against unauthorised disclosure and which has been so designated by a security classification
Classified Material as Freight: Consignments of such size, weight, or configuration that they cannot be hand carried, transmitted by diplomatic pouch service, or military courier service
Commercial Carrier: Any private company authorised by law or regulation to provide the required transportation service
Commercial Courier Service: A private company that is organised and incorporated to hand-carry material
Compromise: NATO classified information is compromised when knowledge of it has, in whole, or in part, passed to unauthorised individuals, i.e. individuals without an appropriate NATO security clearance and authority to have such access. Classified information lost, even temporarily, outside a secure area is to be presumed compromised. NATO classified information is also compromised if it has been subject to unauthorised modification or destruction and/or denial of service
Communication and Information System (CIS) area: An area which contains one or more computers, their local peripheral and storage units, control units and dedicated network and communications equipment
Confidentiality: The property that information is not made available or disclosed to unauthorised individuals or entities.
Consignee: The contractor, facility or other organisation receiving material from the consignor
Consignor: The contractor, facility or other organisation responsible for organising and dispatching material.
Consortium: An association of several companies that is organised to accomplish a specific purpose
Container: A NSA/DSA approved large receptacle of solid construction with lockable opening, capable of being carried on an aircraft, by a road vehicle or trailer, by rail car, or in a ship’s hold or on deck
Contract: A legally enforceable agreement to provide goods or services
Contractor: An industrial, commercial or other entity that agrees to provide goods or services
Contract Manager: The duly appointed representative of a facility who has the authority to negotiate, let, and administer contracts on behalf of the facility
Contracting Officer: The duly appointed representative of a government department or Office of a NATO nation, or of a NATO civil or military body, who has the authority to negotiate, let and administer prime contracts on behalf of the nation or NATO body
Courier: A person officially assigned to hand-carry material
Deliberate Compromise: Deliberate compromise occurs when NATO classified information has intentionally been disclosed to unauthorised individuals, including through espionage or unauthorised disclosure to the media
Designated Security Authority (DSA): An authority subordinate to the National Security Authority (NSA) of a NATO nation who is responsible for communicating to industry the national policy in all matters of NATO industrial security policy and for providing direction and assistance in its implementation. In some countries, the function of a DSA may be carried out by the NSA.
Designated Security Representative: An individual designated at a contractor facility, by the NSA/DSA, who approves the international dispatch of classified consignments and is authorised by the NSA/DSA to receive such consignments
Document: Any recorded information regardless of its physical form or characteristics
Equipment/Components: The words “equipment/components” designate any item of machinery, equipment, or weapons, either manufactured or in the process of manufacture.
Facility An installation, plant, factory, laboratory, office, university or other educational Institution, or commercial
NATO UNCLASSIFIED ANNEX 9 to
CSO/SEC(2013)01 September 2013
NATO UNCLASSIFIED 60
undertaking, including any associated warehouses, storage areas, utilities and components which, when related by function and location, form an operating entity.
Foreground Information Information developed in the performance of a programme/project
Host Nation General: the nation in which a NATO civil or military body is located. Industrial security : the nation designated by an official body of NATO to act as the governmental Office to contract for the performance of a NATO prime contract. Nations in which sub-contracts are performed are not referred to as host nations.
Information Knowledge that can be communicated in any form
INFOSEC The application of security measures to protect information processed, stored or transmitted in communication, information and other electronic systems against loss of confidentiality, integrity or availability, whether accidental or intentional, and to prevent loss of integrity or availability of the systems themselves. INFOSEC measures include those of computer, transmission, emission and cryptographic security. Such measures also include detection, documentation and countering of threats to information and to the systems.
Infraction A security infraction is an act or omission contrary to NATO Security Policy and supporting directives that does not result in the actual or possible compromise of NATO classified information. (e.g. classified information left unsecured inside a secure facility where all persons are appropriately cleared, failure to double wrap classified information, etc.)
Infrastructure The NATO term denoting all those installations which are necessary for the deployment and operations of modern armed forces, for example: airfields, signals, communications, military headquarters, fuel tanks and pipelines, radar warning and navigational aid systems, and port installations
International Visits Visits made by individuals subject to one NSA/DSA or belonging to a NATO body, to facilities or bodies subject to another NSA/DSA or to NATO, which will require, or may give rise to, access to NATO classified information or where, regardless of the level of classification involved, national legislation governing the establishment or body to be visited in support of NATO approved related activities requires that such visits shall be approved by the relevant NSA/DSA. All NATO civil and military bodies fall within the security jurisdiction of NATO.
Integrity The property that information (including data, such as cipher text) has not been altered or destroyed in an unauthorised manner
Joint Venture A commercial enterprise undertaken by two or more entities jointly and for a specific purpose, e.g., a limited partnership
Life-cycle Life cycle of information encompasses the stages of planning, collection, creation or generation of information; its organisation, retrieval, use, accessibility and transmission; its storage and protection; and, finally, its disposition through transfer to archives or destruction
Major Programme/Project
A programme or project of major significance, normally involving more than two nations and security measures that extend beyond the normal basic requirements described in NATO Security Policy
Material The word “material” includes documents and equipment/components
Nation of Origin The nation in which a contractor is registered or incorporated to do business and which characterises the nationality of the facility.
NATO “NATO” denotes the North Atlantic Treaty Organisation and the bodies governed either by the Agreement on the status of the North Atlantic Treaty Organisation, National Representatives and International Staff, signed in Ottawa on 20th September, 1951 or by the Protocol on the status of International Military Headquarters set up pursuant to the North Atlantic Treaty, signed in Paris on 28th August, 1952.
NATO asset Anything of value deemed critical to the fulfilment of a NATO mission. This may include installations/services/capabilities. The value of a NATO asset can be assessed in terms of the function performed in the NATO mission or the impact on the Alliance’s reputation and credibility
NATO Classified Contract
Any contract issued by a NATO civil or military body or a NATO member nation in support of a NATO funded or administered programme/project that will require access to or generate NATO classified information
NATO Classified Information
information means knowledge that can be communicated in any form; classified information means information or material determined to require protection against unauthorised disclosure which has been so designated by a security classification; the word “material” includes documents and also any items of machinery or equipment or weapons either manufactured or in the process of manufacture; the word “document” means any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed matter, data processing cards and tapes, maps, charts, photographs, paintings, drawings, engravings, sketches, working notes and papers, carbon copies or ink ribbons, or reproductions by any means or process, and sound, voice, magnetic or electronic or optical or video recordings in any form, and portable ADP equipment with resident computer storage media, and removable computer storage media
Facility Security Clearance (FSC)
An administrative determination by a NSA/DSA that, from a security viewpoint, a facility can afford adequate security protection to NATO classified information of a specified classification or below, and its personnel who require access to NATO classified information have been properly cleared and briefed on NATO security requirements necessary to perform on the NATO classified contracts.
NATO Production and Logistics Organisation (NPLO)
A subsidiary body, created within the framework of NATO for the implementation of tasks arising from that Treaty, to which North Atlantic Council grants clearly defined organisational, administrative and financial independence. It shall be comprised of a board of directors; and an executive body, composed of a General Manager and staff.
NATO Programme A Council approved programme that is administered by a NATO management Office/office under NATO regulations
NATO Project A Council approved project that is administered by a NATO management agency/office under NATO regulations
NATO Project Manager The manager responsible for any NATO project/programme or contract.
NATO Project Management Agency
The executive body of a NPLO
NATO Statements of Criticality
VERY HIGH level Statements: these shall be applied to those NATO assets whose unavailability would result in exceptionally grave impact on the NATO mission. Such assets shall be protected under conditions which ensure that only individuals who are entitled have access to them; that any attempts to compromise, modify, destroy, or deny service shall be detected, and those responsible identified.
HIGH level Statements: these shall be applied to those NATO assets whose unavailability would result in serious impact on the NATO mission. Such assets shall be protected under conditions which make it highly unlikely that individuals who are not entitled have access to them; that any attempts to compromise, modify, destroy, or deny service shall be detected and that those responsible shall be identified.
MEDIUM level Statements: these shall be applied to those NATO assets whose unavailability would be damaging to the interests of the NATO mission. Such assets shall be protected under conditions that inhibit access by individuals not entitled to it; and that any attempts to compromise, modify, destroy, or deny service are likely to be identified.
LOW level Statements: these shall be applied to those NATO assets whose unavailability would hinder the effectiveness of the NATO mission. Such assets shall be protected under conditions which inhibit access by individuals not entitled to it.
Need-to-know A positive determination that a prospective recipient has a requirement for access to, knowledge of, or possession of information in order to perform official tasks or services
Negotiations The term encompasses all aspects of awarding a contract or sub-contract from the initial “notification of intention to call for bids” to the final decision to let a contract or sub-contract
Originator The nation or international organisation under whose authority information has been produced or introduced into NATO
Parent Nation The nation of an individual’s citizenship or permanent residence
Programme/Project Security Instruction (PSI)
A compilation of security regulations/procedures, based upon NATO Security Policy and supporting directives, which are applied to a specific project/programme. The PSI also constitutes an Annex to the main contract, and may be revised throughout the program lifecycle. For sub-contracts let within the program, the PSI constitutes the basis for the SAL
Programme/Project Security Classification Guide
Part of the program (project) security instructions (PSI) which identifies the elements of the program that are classified, specifying the security classification levels. The security classification guide may be expanded throughout the program life cycle, and the elements of information may be re-classified or downgraded
Prime Contract The initial contract let by a NATO Project Management Agency/Office for a programme/project
Prime Contractor An industrial, commercial or other entity of a member nation which has contracted with a NATO Project Management Agency/Office to perform a service, or manufacture a product, in the framework of a NATO project, and which, in turn, may subcontract with potential sub-contractors as approved
Programme/Project Manager
The official designated by a programme/project management office to supervise the technical aspects of the programme/project, ensuring that the programme/project is completed on schedule, within costs, and with technical specifications
Risk The combination of the value of the NATO classified information or NATO asset, and of the threats to and vulnerabilities of the information or asset; that is, the probability or likelihood of an attack succeeding and of the damage being sustained as a result of a compromise/loss of the NATO classified information or NATO asset
Risk management A systematic approach to determining which security safeguards (counter-measures) are required to protect NATO classified information and NATO assets, through the analysis of threats to them and their vulnerabilities and the resulting reduction of any risk to an acceptable level.
Security Classification Check List
Part of a security aspect letter (SAL) which describes the elements of a contract that are classified, specifying the security classification levels. In case of contracts let within a program/project, such elements of information derive from the programme (project) security instructions issued for that programme
Security Aspects Letter (SAL)
A document, issued by the appropriate authority, as part of any NATO classified contract or sub-contract, other than Major Programmes/Projects, identifying the security requirements or those elements thereof requiring security protection
Security Escorts Armed or unarmed national police, military, or other government personnel. Their function would be to facilitate the secure movement of the material, but they would not have direct responsibility in matters of the protection of the material itself
Security Guards Civilian (Government or participating contractor employees) or military personnel who may be armed or unarmed. They may be assigned for security duties only or may combine security guard duties with other duties
Sub-contract A contract entered into by a prime contractor with another contractor (i.e., the sub-contractor) for the furnishing of goods or services
Sub-contractor A contractor to whom a prime contractor lets a sub-contract
Threat The potential for the accidental or deliberate compromise/loss of NATO classified information or NATO assets. A threat may be defined by its source, motivation or result; it may be deliberate or accidental, violent or surreptitious, external or internal.
Vulnerability A weakness or lack of control that would allow or facilitate a threat actuation against NATO classified information or NATO assets