ISOO Directive No. 1

Overview
ISOO Directive No. 1 (32 CFR Part 2001) provides further direction for agencies with responsibilities for safeguarding classified information. Section 2001.41 states:

Authorized persons who have access to classified information are responsible for: (a) Protecting it from persons without authorized access to that information, to include securing it in approved equipment or facilities whenever it is not under the direct control of an authorized person; (b) Meeting safeguarding requirements prescribed by the agency head; and (c) Ensuring that classified information is not communicated over unsecured voice or data circuits, in public conveyances or places, or in any other manner that permits interception by unauthorized persons.

Section 2001.45 of ISOO Directive No. 1 requires agency heads to establish a system of appropriate control measures to limit access to classified information to authorized persons. Section 2001.46 requires that classified information is transmitted and received in an authorized manner that facilitates detection of tampering and precludes inadvertent access. Persons who transmit classified information are responsible for ensuring that the intended recipients are authorized to receive classified information and have the capacity to store classified information appropriately. Documents classified “Top Secret” that are physically transmitted outside secure facilities must be properly marked and wrapped in two layers to conceal the contents, and must remain under the constant and continuous protection of an authorized courier. In addition to the methods prescribed for the outside transmittal of Top Secret documents, documents classified at Secret or Confidential levels may be mailed in accordance with the prescribed procedures.

Agency heads are required to establish procedures for receiving classified information in a manner that precludes unauthorized access, provides for detection of tampering and confirmation of contents, and ensures the timely acknowledgment of the receipt (in the case of Top Secret and Secret information).

Section 2001.48 prescribes measures to be taken in the event of loss, possible compromise, or unauthorized disclosure. It states: “Any person who has knowledge that classified information has been or may have been lost, possibly compromised or disclosed to an unauthorized person(s) shall immediately report the circumstances to an official designated for this purpose.”

Agency heads are required to establish appropriate procedures to conduct an inquiry or investigation into the loss, possible compromise or unauthorized disclosure of classified information, in order to implement “appropriate corrective actions” and to “ascertain the degree of damage to national security.” The department or agency in which the compromise occurred must also advise any other government agency or foreign government agency whose interests are involved of the circumstances and findings that affect their information or interests. Agency heads are to establish procedures to ensure coordination with legal counsel in any case where a formal disciplinary action beyond a reprimand is contemplated against a person believed responsible for the unauthorized disclosure of classified information. Whenever a criminal violation appears to have occurred and a criminal prosecution is contemplated, agency heads are to ensure coordination with the Department of Justice and the legal counsel of the agency where the individual believed to be responsible is assigned or employed. Violators are generally subject to imprisonment or fine, and in some cases, loss of retirement or other benefits.