APEX INDUSTRIAL SECURITY MANUAL (Sanitized)

UNCIASSI IF ED PgroINARNAk Release 2004/05/12 MA-M8flya4fpRE0001000n1VcRET E ONLY . ROUTING AND RECORD SHEET ? 2sgikJE1cr: (Optional) APEX Industrial Security Manual FROM: 25X1 EXTENSION NO. DATE 21 March 1979 TO: (Officer designation, room number, and building) DATE OFFICER'S INITIALS COMMENTS (Number each comment to show from whom to whom. Draw a line across column after each comment.) RECEIVED FORWARDED 1. 25X1 C/PPG/OS 4E70 HDQS 22 ';1:71) d? 2t 23 MAR 1979 2. I it. 5.' 6. T 8. 9. 10. ' 11. 12. 13. 14. 15. ORM 610 USE PREVIOUSINTERNAL -62 EDITIONS fl SECRET El CONFIDENTIAL [I] USE ONLY fl UNCLASSIFIED Approved For Release 201321105t12 -.-01A7RPR85,T00788R000100060015-2 21 March 1979 MEMORANDUM FOR: Deputy Director of Security (PSI) Chief, Security Staff, ODE Chief, Security Staff, OL Chief, Technical Security Division, OS Chief, Information Review Group, OS Chief, Special Security Center, OS Chief, Information Systems Security Group, OS Associate General Counsel, OL Chief, Policy and Plans Group, OS Chief, Communications Security Staff, OC Chief, Industrial Security Branch, OS 25X1 FROM: CIA Member, Industrial Security Manual Working Group SUBJECT: APEX Industrial Security Manual 1. Attached for your review and comment is a draft industrial security manual prepared by the Community Security Group, DCI Security Committee, which describes the proposed Special Access Program system, known as APEX, and which provides "standard procedures and guidance" to contractors for the control and protection of Sensitive Compartmented Information (SCI). The industrial security manual represents the follow up to an APEX Control System Manual governing the control of SCI within government. 2. Addressees will probably note that the attached draft lacks the procedural details spelled out in the recently coordinated "Standard Security Procedures for Contractors" governing Agency collateral classified contracting activities and that in many areas the two manuals lack uniformity. You may want to bear this in mind during your review, and comment 25X1 as you deem appropriate. 3. In addition to a substantive review, you are requested to consider whether or not the manual should be , _ Approved For Release 2604/050 :,qIAFkDP85T 25 25 25 25 00788R000100060015-2 7, n Approved For Releet`?e'4404105P1-2;:-b TO0788R000100060015-2 classified (and if so, at what level). You will note that for the present time the current draft is classified CONFIDENTIAL. Please explain your rationale in either case. 4. Please submit your responses to me by the close of business 30 March 1979. All responses will be reviewed, consolidated and presented as the Agency position before the Manual Preparation Working Group. Should you have questions, you can reach me on Attachment Approved For Releas4=2004/05112-:' AIRDP4511-00788R000100060015-2 25 25 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 I. INTRODUCTION This Manual describes the Special Access Program system known as APEX, which is herewith established under authority of the National Security Act of 1947, Executive Order 12036 and Executive Order 12065 to-provide standard procedures and guidance to contractors on the control and protection of Sensitive Compartmented Information (SCI) defined as Special, Access Programs within the category of national security information called National Foreign Intelligence. This Manual will serve as the authoritative guide for the security and control of Sensitive Compartmented Information This Manual is not, however, intended to intrude on the author of government Program Managervho will continue to prescrne basic operational direction, classification guidance and policy on dissemination for programs under their cognizance. The term APEX, APEX Security Control System, its project codewords and product categories are all unclassified when standing alone or not connected to their intelligence activitie or intelligence information. However, by nature of individual contracts? the connection of a contractor to APEX activity may require that such Connection be treated as "association 1 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 II. ORGANIZATIONAL STRUCTURE ? Senior Intelligence Officers (SIO's) of the U.S. Govern- ment Departments and Agencies represented on the National Foreign Intelligence Board (NFIB) Directors of designated sensitive collection programs, Government Contracting Officers and industrial contractors engaged in Special Access Programs are responsible for enforcing the policy and implementing the procedures outlined in this Manual. To fulfill their responsibilities government officials may provide additional implementing guidance to contractors under their cognizance as necessary)as long as such guidance is in consonance with this Manual. Although the above-named government and industrial offici must have the overall responsibility for policy compliance and implementation of pertinent procedures, adherence to the security and control procedures outlined in this Manual is als the personal responsibility of each person indoctrinated into the APEX Security Control System. 2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 To assist in carrying out the precepts dictated by the APEX Security Control System, the designated responsible officials will appoint or cause to be appointed APEX Control Officers (ACO's), and APEX Security Officers (ASO's), with alternates, to administer the system within contracting firms. ACO's and ASO's shall be appointed within each firm at whatever levels may be appropriate. Their responsibility is to actively administer the APEX System within their firms and to ensure full compliance with the provisions of this Manual and any subsequent supplemental APEX directives as may be issued. . It Is preferable that the ACO and ASO positions not be held by the same individual unless management, operational and organizational considerations clearly dictate otherwise. In that case, the ACO may also be appointed to serve as the ASO. SIO's and Program Managers/Directors are responsible for the establishment of APEX Control Facilities (ACF's) within industry for the control, storage and use of APEX materials. These facilities will be centralized or decentralized within industrial firms depending on joint security-management concerns. Approved For Release 2Q04/05/12: CIA-RDP851-00788R000100060015-2 . . ? Approved For Release 2004/05/12 : CIA-RDP85T0078814000100060015-2 All APEX information will be transmitted and maintained within the APEX Security Control System. Compartmentation within the system will be denoted by the use of terms identi- fying categories or prOduct 'information and by project words which refer to collection activities. , ? N.. ; ? Approved For Releaset2004/05/12,:td 5T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 III. DESCRIPTION OF SYSTEM a. General: The APEX Security Control System provides a single system for controlling access to selected intelli- gence information and programs requiring extra amounts of protection. Within this unified system there are distinct means of controlling access to operational data, as well as access to the product of generic sources of intelligence in- formation and finished product by the establishment of discipl' balanced threshold criteria that allow only sensitive data to be placed inside compartmented access control. b. Access to APEX Security Control System: Three steps are necessary for access to the APEX Security Control System: I. Certification by the SIO, or Govern- ment Project Manager or contracting officer of needitoiknowdespecific aspects of the APEX Security Control System (operational projects, operational subcompartments,. generic products). In the case of access to operational projects, nominees need-to-know will be jointly certified by the SIO and the individual Agency's Program Manager/Director. .1 (10i%t ;- )11\1T1[1.1 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 tiL ? . Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 2. Favorable adjudication that the nominee meets uniform personnel security criteria and investigative requirements set forth in this Manual. 3. Security Indoctrination and execution of a Non-Disclosure Agreement as a condition of access to APEX material. The security indoctrination will provide the individual with sufficient specific information so that he will know what he is to protect, his responsibilities in doing so, and general information about the APEX Security Control System so that he will know how the system is to be used in carrying out this responsibility. If additional access approvals are required the processing steps enumerated above will be repeated. Upon indoctrination for any access to APEX material, the individual's name and all approvals held will be recorded in the Central Access Approval Registry. c. Revalidation of Access: In January of each year, SIO' and Program Managers/Directors in both Government and industry, will review all extant approvals under. their cognizance and re\ date all required accesses. Those no longer required will be formally ;terminated. Approved For Release .2004/05/12 :;CIA4RDP85T00788R000100060015-2 i 2111. J11., Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 In addition to this formal, annual review program, it is the responsibility of each of the above responsible offic to maintain a continuous review of access approvals to ensure that only those personnel with documented "need-to-know" have access at any time. d. Termination of Access: When it has been determined by the appropriate responsible official that individual accesse are no longer required, the individual concerned will be notifi that his/her access to specific types of informatioA is no long justified and that access privileges-are being terminated. he cognizant government Agency will be notified of all termination and, in turn, will notify the Central Access Approval Registry. Personnel may, within need-to-know requirements, be authorized to transfer internally within their industrial firms and retain required access approvals. Ho-ever, when leaving one firm to join another, all approvals will automatically be cancelled and need-to-know established by the new employer. Following approval by the cognizant Agency, those accesses deemed necessary for the completion of assigned duties with the new employer will be granted or secrecy agreement will be required. if reinstated,1>i,t-a new Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 : ? , Approved For Release 200e05/42 :Coi4-FkbP85T00788R000100060015-2 e. Termination Secrecy Agreements: At the time access is no longer required, the individual wil) be required to accou for and surrender all APEX documents under his cognizance and control, execute a certification that he retains no material or documents in the APEX system, and be reminded of the continuing obligation not to discuss or otherwise reveal APEX-controlled information. f. Access Ceilings: In order to control access to infor- mation within the APEX Security Control System, SIO's and Government Program Managers will provide access-ceilings for-, each contract activity involving APEX material. fr ? Approved For Release 200'4/05/12.: CIA-RbP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 IV. RESPONSIBILITIES OF APEX CONTROL AND SECURITY OFFICERS a. Duties of APEX Control Officers: 1. With the appropriately cleared officials, ensure that APEX materials are accounted for, con- trolled, transmitted, destroyed, packaged and other- wise safeguarded in accordance with provisions of this Manual. 2. Act as the exclusive control point within an APEX Control Facility for receiving and dis- patching APEX materials via electrical, courier or other means approved for the transmission of ,APEX materials. 3. Complete and return to the sender receipts attached to APEX documents received. Ensure that all outgoing materials have properly prepared receipts and send tracers as required for receipts not returned. 4. Ensure that APEX materials are disseminated only to those persons properly indoctrinated and with a valid need-to-know. sr)..r.,N1.11eld Approved For Release 2004/65/1-z :UlikLKOFbaco ru0788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 S. Provide advice and guidance on the proper classification levels, codewords and caveats within the APEX Security Control System. 6. Work closely with the APEX Security Officer to maintain the integrity of the APEX Security Control System. b. Duties of APEX Security Officers: 1. Coordinate and receive prior approval through appropriate channels, as reflected in VII.b for accreditation and establishment of APEX Control Facilities. 2. Maintain current listings of all APEX- accessed individuarwithin his jurisdiction. 3. Process all APEX access approval requests for personnel within his jurisdiction. 4. Conduct required security indoctrinations and debriefings of personnel approved for APEX access and obtain signed Non-Disclosure and Ter- mination Secrecy Agreements as necessary. S. Conduct reindoctrinations on a periodic basis, not to exceed two year intervals. /0 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 6. Conduct annual security inspections of APEX Control Centers under his jurisdiction and submit a copy, with any recommendations for corrective action, to the accrediting official. Conduct follow-up action on recommended corrective measures. 7. Establish security procedures for trans- mitting and receiving APEX materials. 8. Conduct investigations of any possible security infractions involving APEX information under his jurisdiction to determine if a compromise has occurred, make appropriate recommendations, and prepare required reports. 9. Notify cognizant agencies of all additions and deletions of access approvals within the APEX system on a timely basis. ' Coffl-11)E'11-1' LI\ JILL Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 V. SITURITY STANDARDS FOR ACCESS APPROVAL -a. Need-To-Know Policy; Access to the APEX Security Control System is governed by the "need-to-know" policy in conjunction with approval criteria established in this Manual. The need-to-know policy is defined as that determination made by competent authority which attests to the bona fide need - for access to perform official duties on behalf Of the United States Government. Need-to-know will be strictly applied and access will not be given solely by virtue of rankor status. within an industrial firm. Need-to-know approval rests with responsible. government officials. 1?. Personnel Security Standards: Criteria for security approval of an individual on a need-to-know basis for access t the APEX Security Control System are as follows: 1. The individual shall be stable, of excellent character and discretion and of unquestioned loyalty to the United States. 2. Except where there is a compelling need and a determination has been made by competent authority as described below that every reasonable assurance has been obtained that under the circumstances the Security risk is negligible: (a) Both the individual and the members of his or her immediate family I , Approved For Release 2004/0511t-i'dA:A.DP8t_T00788R000100060015-2 Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 shall be U.S. citizens. For these pur- poses "immediate family" is defined as including the individual's spouse, parents, brothers, sisters and children. (b) The members of the individual's immediate family and persons to whom he is bound by affection or obligation should neither be subject to physical, mental or other forms of duress by a foreign - A0 power, nor advocate the use of force ot violence to overthrow the Government of the United States by unconstitutional means. In exceptional cases, a responsible government official may determine that it is necessary or advisable in the national interest to authorize access to APEX prior to completion of the fully prescribed investigation. In this situation, such investigative checks as are immediately possible shall b made at once, and should include a personal interview by traine security or counterintelligence personnel. Access in such case shall be strictly controlled, and the fully prescribed investi- gation and final evaluation shall be Completed at the earliest practicable moment. Exceptions to 2(a)(b) above may be granted only by a government SIO or his designee. All exceptions granted will be common sense determinations based on all available information and shall be recolded by the agency making the exception. In 13 Approved For Release 2064/05/12 . 6IA-AbP85110u788R000100060015-2 APproved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 those cases in which the individual has lived ousitie of the . United States for a substantial period of his life, a thorough assessment of the adequacy of the investigation in terms of fulfillment of the minimum investigative requirements and judicious review of the information therein must be made before an exception is considered. c. Investigative Requirements: The investigation con- ducted on an individual under consideration for access to the APEX Security Control System will be thorough and. shall be designed to develop information as to whether the individual: clearly meets the above Personnel Security Standards. The investigation shall be accomplished through record checks and personal interviews of various sources by trained investigative personnel in order to establish affirmatively to the adjudicating agency complete continuity of identity to include birth, residences, education, employments and service. Where the investigation shall circumstances of exceed the basic a case indicate, requirements set military the out below to ensure that those responsible for adjudicating access eligibility have in their possession all the relevant facts available. ?r?1%. ; 4,1 ? - %' Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004%05/12 : CIA-RDP85T00788R000100060015-2 The individual shall furnish a signed personal history statement, fingerprints of a quality acceptable to the Federal Bureau of Investigation and a signed release, as necessary, authorizing custodians of police, credit, education and medical records, to provide record information to the investigative agency. Photographs of the individual shall also be obtained where additional corroboration of identity is required. Minimum standards for the investigation are as follows: 1. Verification of date and place of birth and citizenship. 2. Check of the subversive and criminal files of the Federal Bureau of Investigation, including submission of fingerprint charts, and such other. National agencies as are appropriate to the individual's background: An additional check of Immigration and Naturalization Service records shall be conducted on those members of the individual's immediate family who are United States citizens other than by birth or who are resident aliens. 3. A 'check of appropriate police records covering all areas where the individual has resided in the U.S. throughout the most recent fifteen (15) years or since the age of eighteen, whichever is the shorter period. .11" Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 4. Verification of the individual's financial status and credit habits through checks of appropriate credit institutions and interviews with knowledgeable sources covering the ? most recent five (S) years. 5. Interviews with neighbors in the vicinity of all the individual's residences in excess of six (6) months throughout the most recent five (5). year period. This coverage shall be expanded where the investigation suggests the existence of some questionable behavioral pattern.. 6. Confirmation of all employment during the past fifteen(15) years or since age eighteen, whichever is the shorter period but in any event the most recent two years. Personal co-workers at pl,ces ten (10) years shall 7. Verification interviews with supervisors and of employment be covering the. past accomplished. of attendance at institutes of higher learning in all instances and at the last secondary school attended within the past fifteen (15) years. Attendance at secondary schools may' be verified through qualified collateral sources. If attendance at /69 CONFIDITITIAL Approved For Release 2004/05/12 : CIA-RDP851-00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 educational institutions occurred within the most recent five (5) years, personal interviews with the faculty members or other persons who were acquainted with the individual during his attendance shall be accomplished. 8. Review of appropriate military records. 9. Interviews with.a sufficient number of knowledgeable acquaintances (a minimum of three developed during the course of the investigation) as necessary to provide a continuity to the extent practic.ab of the individual's activities and behavioral patterns:- over the past fifteen years with particular emphasis on the most recent five years. 10. When employment, education or residence has occurred overseas (except for pL-iod of less than five (5) years for personnel on US Government assignment and less than ninety days for other purposes) during the past fifteen years or since age eighteen, a check of the records will be made at the Department of State and other appropriate agencies. Efforts shall be made to develop sources, generally in.the United States, who knew the individual overseas in order to cover sigAficant employment, education or residence and to attempt to determine if any lasting foreign 11 C 1DLN Approved For Release 2004/05/12 CIA-Rbr85.1 0788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP8T00788R000100060015-2 contacts or connections were established during this period. However, in all cases where an individual has worked or lived outside of the U.S. continuously for over five years, the investigation will be expanded to cover fully this period in his life through the use of such investigative assets and checks of record sources as may be available to the US Government in the foreign country(ies) in which the individual resided. 11. In those instances in which the-individual has immediate family members or other persons with whom he is bound by affection or obligation in any of the situations described in subparagraph c2.(b) above, the investigation will include an interview of the individual by trained security, investigative or counterintelligence personnel to ascertain the facts as they may relate to the individual's access eligibility. 12. In all cases, the individual's spouse shall, at a minimum, be checked through the subversive files of the Federal Bureau of Investigation and other Natiokial agencies as appropriate. When conditions I, , ; ;_'_t' Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 indicate, additional investigation shall be conducted on the spouse of the individual and members of the immediate family to the extent necessary to permit a determination by the adjudicating agency that the provisions of Personnel Security Standards, abovejare met. 13. A personal interview of the individual will be conducted by trained security, investigative or counterintelligence personnel when necessary to resolve any significant adverse informLtion and/or inconsistencies developed during the inveitigation. Where a previous investigation has been conducted within the past five years which substantially meets the above minimum standards, it may serve as a basis for granting access approvals provided a review of the personnel and security files does not reveal substantive changes in the individual's securit eligibility. If a previous investigation does not substantiall meet the minimum standards or if it is more than five years old a current investigation shall be required but may be limited to that necessary to bring the individual's file up-to-date in accordance with the investigative requirements set forth above. Should new information be developed during the current investigation which bears unfavorably upon the individual's /9 CO1'..HDENTIAL ? Approved For Release 2004/05/12 : CIA-RDP85T007-88R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 activities covered by the previous investiL;ation, the Curr inquiries shall be expanded as necessary to develop full details of this new information. The evaluation of the information developed by investigation on an individual's loyalty and suitability sh be accomplished under the cognizance of the SIO concerned b analysts of broad knowledge, good judgment and wide experie in personnel security and/or counterintelligence. When all other information developed on an individu is favorable, a minor investigative requirement which has n. been met should not preclude favorable adjudication. In all evaluations, the protection of the national interest is pan mount. Any doubt concerning personnel having access to APE: information shall be resolved in favor of the national secul The ultimate determination of whether the granting of access is clearly consistent with the interests of national securit shall be an overall common sense determination based on all available information. d. Reinvestigations: Programs shall be instituted requ the periodic reinvestigation of personnel provided access to APEX information. These reinvestigations will be conducted on a normal five year recurrent basis, but on a more frequen basis Where the individual has shown some questionable bchav pattern, his activities are otherwise suspect, or when deeme( necessary by the SIO concerned. JL. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 The scope of reinvestigations shall be determine by the SIO concerned based on such considerations as the potential damage that might result from the individual's defection or willful compromise of APEX information and the availability and probable effectiveness of other means to continually evaluate factors related to the individual's suitability for continued access. In all cases, the reinvesti gation shall include, .as a minimum, appropriate National agenci checks, local agency4(including overseas checks where appropri credit checks and a personal discussion with the individual: by trained investigative, security or counterintelligence personnel when necessary to resolve significant adverse infor- mation or inconsistencies. Whenever adverse or derogatory information is dis- covered or inconsistencies arise which could impact upon an individual's security status, appropriate investigations shall be conducted on a timely basis. The investigation shall be of sufficient scope necessary to resolve the specific adverse or derogatory information, or inconsistency, in .question so that a determination can be made as to whether the individual' continued utilization in activities requiring APEX is clearly consistent with the interests of the national security. os7 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 rwir ii?\L Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 e. Contacts or Assoociatien with Foreign Nationals and Alien Marriages: Close, continuing personal associations with foreign nationals of APEX Security concern if they become characterized by ties of kinship, affection ar obligation. APEX?cleared personnel must protect themselves against cultivation and possible exploitation by foreign nationals who are or may be working for foreign intelligence services and to whom they might even unwittingly provide APEX classified information. The following types of relationships must be reported to the APEX Security Officer. 1. All contacts with citizens or representatives of communist-controlled countries, no matter how brief or apparently trivial the contacts may be. 2. Close and continuing or any regular, frequent contact with any other foreign national. Casual, inadvertent, or irregular contacts which arise.from normal living and working in a community need not be reported. However, if the person with whom the casual contact occurs shows undue interest in employment, assignment, etc., then the contact must be promptly reported.. Whenever any doubt exists whether a situation should be reported or made a matter of record, the individual should promptly make a report to the APEX SecOrity Officer. Failure to report such contact may result in denial or withdrawal of access to APEX material. cacD2 t Uri ,-11y- 1\1 ill I 's I I_ a I fa. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 i:,;. - Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 APEX approved individuals who contemplate marriage to a non-U.S. citizen must report such plans to their APEX Security Officer along with, at a minimum, details about the intended spouse's name, date and place of birth, country of origin and current citizenship, identity of immediate family members, current residence, present occupation and any present or former employment on behalf of any foreign government. Investigation of the prospective spouse will be undertaken prior to a determination being made that a waiver of standards might be made to continue the approved person in cleared status. f. Travel Restrictions: 1. -Unofficial Travel: Persons granted authoriza- tion for access to certain categories of extremely sensitive information on foreign intelligence sources and methods protected by the APEX Security Control System incur a special security obligation and are to be alerted by their APEX Security Officer to risks associated with unofficial visits to, or travel through certain designated countries. The APEX Security Officer concerned should advise that unofficial travel in those countries without official r ); L./Li\ Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/0571-21:'CIALRD1b85T00788R000100060015-2 approval may result in the withdrawal of approval for continued access to APEX information for persons with specific and extensive knowledge of the following categories of extremely sensitive information on foreign intelligence sources and methods: (a) Technological structure, function and technique of sensitive intelligence collection or exploitation systems/methods. ? (b) Designated system targets or sources. (c) Method and purpose of target selection. ? (d) Degree of success of collection or exploitation system/method (e) Collection or exploitation system/method capabilities and vulnera- bilities. All persons having access to APEX information who plan unofficial travel to or through designated countries must: (a) Give advance notice of such planned travel. (A.) .;1.1 ?,! s \L- Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 ? ;. 1 , Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 (b) Obtain a defer.sive security briefing from an APEX Security Officer before traveling to such countries. (c) Contact immediately the nearest U.S. consular, attache, or Embassy official ?if they are detained or subjected to signifi- cant harassment or provocation while traveling. (d) Report upon return from travel to their APEX Security Officer an incidents of potential security concern which befell them. 2. Individuals with Previous Access: Persons whose- ; access to APEX information is being terminated will be officially reminded of the risks associated with hazardous activities as defined herein and of their obligation to ensure protection of APEX. ; Approved For Release 2004%05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 -:!CWRDP85T00788R000100060015-2 VI. FACTORS GOVERNING CONTRACTOR ACCESS *a. General Guidelines:. Contractors and consultants dealing with participating Government Agencies or Departments will be furnished only that information which is essential to the fulfillment of contractuial obligations. This Manual will serve as the operating directive for the conduct of. APEX activities within industry. b. Factors Considered in Selection of Contractor Firms:. F A contractor or consultant's past record in properly safeguarding material will be taken into account when making contractor selections for work on APEX-..related activities. In this regard, when an APEX facility is established in industry, the APEX Security Officer of the government component responsible for its security will closely monitor its activities to ensure that APEX procedures are followed completely and that APEX materials are properly segregated from any other classified dr unclassified materials of the contractor. c. Restrictions on Access: Contractor companies which are under foreign ownership, control or influence shall generally be ineligible for access to APEX activities and 6 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 e?N : ; ? ' ??? e Approved For Release 2004/05/1k ;1,q.A-RpPao-gotyppft000l000600l5-2 Information. However, if that ownership, control or influence is not from a Communist?controlled country and the foreign interests own less than five percent of the contractor's voting stock and such minority holdings do not enable the foreign interest to control the appointment and tenure of the con- tractor's APEX?approved managing officials, a waiver of this provision may be granted after cognizant Agency review. Prior to the gra::ting of a waiver, provisions must be made to ensure that security safeguards exist to prevent disclosure of APEX controlled information to any non-U.S. owners and managing officials. Should foreign ownership increase beyond five percent during the course of a contract, a review of the con- tractor's eligibility for continued access will be made. d. Types of Access: Within the APEX Security Control System there are various types of access in industry. These types of access are identified as: APEX GENERAL; APEX (Operationa with Phases I, II, and III; and APEX (Product). The security criteria for indoctrination are the same for all categories in that all must meet investigative requirements of this Manual and must satisfy strict need-to-know tests. a.it ? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 A\ Approved For Release 2004105i12: CIA4iDP85T007'88R000100060015-2 The extent of indoctrination for the various categories is as follows: APEX GENERAL - This category is intended for guards, protective, administrative and other support personnel who need only to know generally that a system such as APEX exists because their industrial firm has such contracts, and that it involves operational programs which. generate product materials. Briefings of. APEX GEN approved individual will include reference to US Government contractual control but will not specify interested Departments of Agencies. They will not be briefed on details of operational activity; will not be told the number of operational programs being conducted; will not be given the codeword names. They will be instructed in the rules for protecting APEX material, for its proper storage, transport and destruction, and for its dissemination only to appropriately cleared individuals. 4%. ? . Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/4/P 01-AADp-85TO078R000100060015-2 APEX ( ) - Phase I Operational Codeword This level of access is intended primarily for industrial contractor/ personnel who resemble those in the APEX GEN category above (i.e., admin, protective, etc..). The criteria for access is identical >XII the ' only exception being that the specific operational ? program codeword will be divulged to the Phase I approved person. This category is intended for those support type personnel who do not fleet to know more than that a system such as APEX exists, that it must be protected, that National Security interests are involved and that the particular Project in which they and their firm participate has been given a specific code name which they will be told. APEX ( ) - Phase II Operational Codeword This level of access is intended also for industrial contractors whose personnel need-to-know more about specific operational parameters than Phase I personnel but have no need-to-know all aspects of the Program. Included within -4 DENI1AI Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 j`r)L i ; ; 1, : L.. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 the Phase. II briefing would be the general purpose of the Program, those technical details which are necessary to accomplish that portion of the engineering design, development, fabrication or installation which is directly within the individual's area of assignment. Reference will not be made to the particular governmental sponsor unless its identity is obvious from the nature of the contract. This category of access should be considered for machinists, engineers not directly involved in total program planning and others not requiring full program knowledge. APEX ( ) - Phase III Operational Codeword This level of operational access is reserved for those in industry and in government who, by virtue of contractual necessity or official duties are required to have full knowledge of a particular operational Program. The Phase III level of access will permit knowledge of all data released to the Phase I and II individuals plus it will allow detailed knowledge of the Program missions sponsor, financial Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 arrangements, gedgraDhic oc,ratonal bases, vulnerabilities, etc., as may be necessary. A need-to-know policy still exists despite approval for Phase III access and it should not be assumed that all details will be given to all Phase III accessed individuals. APEX ( ) - Generic Product The product resulting from operational Projects will be identified within the APEX Security Control System by its generic term. Access to each of these generic. products is not controlled by Phases of access. Most generally the APEX Product accesses will be reserved for analytic and research projects to produce finished intelligence. There will also be requirements to grant this approval to personnel who must design certain processing equipment in support of intelligence production. 6/ elf\ ? '? iA. Approved For Release 2004/05/12 : CIA-RDP85T00788R00010006.0015-2 Approved For Release 2004/05/1 Tpli.tOppoir.ocrwF000l00060015-2 i VII. PHYSICAL SECURITY a. Construction and Protection Standards: All materials within the APEX Security Control System must be stored in accredited APEX areas Standards for construction and pro- tection of facilities that store or process APEX material or provide discussion/work arcas for APEX information shall be as prescribed in the attached Physical Security Standards for Sensitive Compartmented Information Facilities, dated 3 April 1973 or other such guidelines as may subsequently super- cede it. (Appendix A) b. AcCreditation of Facilities: Before an industrial facility is authorized to handle APEXinaterial, it must be accredited by the cognizant Government APEX Security Representa- tive as having net the aforementioned construction and protection standards. c. Inspections: Periodic inspections of approved APEX eAL industrial facilities mandatory and must be accomplished at least annually. Inspections are to be performed by designated government APEX Security Representativeslwho will be persons experienced in conducting security inspections for the control 3,c2 cr) iv rip WI! t Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 :,1 Approved For Release 20041.051111.1CIA-R0PEISTC10788R000100060015-2 and storage of Sensitive Compartmented Information and will assure that procedures and safeguards comply with standards prescribed by this Manual. Reports of inspection will note all irregularities and will be forwarded to accrediting officials for review and necessary corrective action. In- spections will also include at least spot inventory of sensi- tive docutents. Failure to locate any such documents will be reported on a priority basis. d. Colocation within Facilities: When it is deemed - economically desirable to colocate different APEX activitie's-' within a single industrial APEX facility, a determination must first be made that such sharing will not have an adverse effect on either of the compartmented activities to be conducted. When security considerations permit, 4 "Memorandum of Agree- ment to Share Facilities" will be agreed to in writing by the industrial contractor and the government agencies sponsoring each separate APEX activity. The agreement will delineate the spaces to be used, storage procedures, access limitations, security responsibilities and any other provisions considered germane to sharing the facility. 33 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 r.r-r'UTiDTH-1!i-? Approved For Release 2004/05/14.: CIAARDP85T00788R000100060015-2 e. Emergency Destruction and Evacuation Planning: Each APEX industrial facility must maintain an Emergency Plan which is approved by the cognizant Government APEX Security Rep- resentative. This plan will normally be part of an overall facility or corporate plan. It will, however, be separately stated for the APEX facility and will include provisions for the protection of APEX data as well as protection of assigned personnel. Plans shall include provisions for the emergency destruction of sensitive materials as well as action to be taken in the event of fire or other natural disaster. Emergency planning should ensure that adequate protective and firefighting n equipment is available, especially in vat areas, and that escape and emergency exit plans are provided for and published. Updates of Emergency Plans will be made annually and training provided to familiarize assigned personnel with these plans. f. Personnel Access Controls: Positive controls for personnel access must be established over all areas where APEX information is handled. In areas where only small groups of personnel are involved, this control may be by means of personal identification. Where larger numbers, possibly beginning with a figure of fifty, are involved, a system of identification badges r Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved Approved For Release 2004/051'1V: CIALRID086T00788R000100060015-2 may be required for assigned personnel and cleared visitors. The industrial contractor will implement whichever procedure is deemed appropriate by the cognizant APEX Government Security Representative. Access to APEX areas by uncleared visitors must be approved in advance by sponsoring agencies except in those emergency situations where maintenance, fire or medical personnel may require access. Uncleared visitors will be escorted at all times while in APEX areas. g. Two Person Rule: To provide proper protection to APEX materials, SIO's, Government and Contractor Program Managers will designate sensitive facilities, Such as ACF's, as requiring "two man coverage" at all times. Persons selected to work in such areas will be chosen on the basis of proven reliability and maturity. Approved For For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 (A? j Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 VIII. TECHNICAL SECURITY a. Technical Security Countermeasures: Technical Security Countermeasures inspections will be conducted as soon as possible after the opening of an APE' industrial facility and following Major physical renovations. Reinspections are to be conducted every 18 months. Such inspections will be scheduled by the cognizant Government APEX Security Representative'. The Govern- ment APEX Security Representative will also ensure that personnel assigned to APEX facilities are briefed concerning. the threat of technical penetration. b. Computer Security: All Automatic Data Processing equipment used in APEX industrial facilities will be operated in compliaLce with standard requirements provided by the cognizant Government APEX Security Representative. No APEX or APEX-related information is to be processed prior to approval by the Government Security Representative. c. Emanations Control (TEMPEST Security): ,Prior to electrical processing of any APEX or APEX-related information.) equipment to be used must be certified as satisfactory from % Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/0F12.::PIATRDP85T00.7188R000100060015-2 i; I- an emanations control standpoint and that proper RED/BLACK engineering measures have been taken to ensure that any com- promising emanations are contained within areas determined to be satisfactory. . When new or modified equipments are brought into service in existing APEX areas, TEMPEST approval must be received: It is the responsibility of the cognizant Govern- ment APEX Security Representatives to arrange for all required TEMPEST inspections and schedule any required corrective measures. NOTE: All requirements for technical security approvals are in addition to physical security approvals required in Section VIII. cg 0'0 Hi ti) Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Un-EFL.,._;n1 Approved For Release 2004/05/12 : CIA-RDP85TOut881q000100060015-2 IX. ACCESS APPROVAL CERTIFICATIONS a. General Guidelines: The cognizant Government APEX contracting or security representative is the sole authority empowered to certify APEX accesses held by a contractor to other government departments and agencies or to other govern- ment contractors or consultants. Such certification will be made only when "need-to-know" and the necessity of visit require- ments have been established. Normally, certifications will be made on a one-time visit basis only. However, in unusual cases, when constant cont/act is requiredjterm certifications for a period not exceeding one year may be authorized. Visit certifications are to be made in writing, either by letter or secure communi- cation circuits, as required by circumstances; When time does not permit, such certifications may be made by telephone but should be confirmed subsequently in writing. b. Visits by Contractors: No visits will be undertaken by the contractor without the approval of the cognizant Govern- ment APEX program contract manager. c. Central Access Approval Registry: To record and serve as the official central data base for the APEX Security Control System, a Central Access Approval Registry is established CO hi ?41=1n ,Eiy:Ti Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 as a service Of comi4lon concern. All anDrovals APEX System will be on record in this data base. d. Information Updates: A critical feature of the APEX Security Control System is its ability to accurately reflect personnel currently cleared for various compartments of the system. To function properly, all contractors must provide timely information on changes in the status of their personnel. These updates will be provided to ensure that all briefing or debriefing actions are recorded as soon as possible. The Central Access on a quarterly basis, lists of individual contractors. Approval Registry will provide, of personnel approved on behalf It is expected that, with pro- vision of these lists, review will be made of active approvals and that those no longer needing access will be cancelled and reported through cognizant agencies to the Central Registry. This is a continuing requirement assigned to each ACO irrespec- tive of the formal annual review by Program Managers of personnel approved for access. These same listings will be used to correct records in order to reflect personnel approved but not recorded in the Central Registry. Verification, through Program Managers, on!.u I r r. ; t J? 11/1! Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 1 Approved For Release 2004/05/12.": CIA-Rb1451-067.88R000100060015-2 will be effected, as necessary, prior to adding personnel or approvals for already approved personnel to the Central Registry. iVo r r-- kAiiI IL Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 20041, - 011,k-RDP85T007.88R000100060015-2 - X. SECURITY CLASSIFICATION AND CONTROL GUIDELINE'S a. Basic Guidance: Security classification and document control are a function of Management. Classification of infor- mation, therefore, will be accomplished only by individuals 'specifically authorized under. E.O. 12065, This authority extends to contractors through Government contracting officers. Use of compartmentation caveats will be solely to provide need-to-know or access protection where normal management and - safeguarding procedures are not, as a protective measure, con-: sidered sufficient. Using compartmentation as a means of restricting access to sensitive data should be viewed as a meaningful exercise and not one which occurs by force of habit. b. Decompartmentation/Sanitization: Contractors are not authorized to decompartment or sanitize any materials (documents, film, hardware, tape, et al) except as specifically approved by cognizant agencies. Authority to decompartment or sanitize must be received in writing and must be kept with program records for the duration of the contract. Secure electrically trans- mitted messages may function as the required written authority. C01.\!FID[NTLIT\ Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 CO I 1) F I A L Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 C. Challenges to Classification Levels and Control Restrictions: Any person with access to APEX may challenge either the classification level or the need for compartmented control of any APEX material. The challenger should submit the challenge to the originating component for consideration. Items which are irreconcilable shall be forwarded through APEX control channels for final review and resolution. crr? ri y --)1\11- Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05M/2J dA-RDP13631)0788R000100060015-2 XI. CONTROL STANDARDS AND PROCEDURES a. Classification Levels: Documents in the APEX Security Control System will be classified according to damage accruing to National Security if disclosed without authority. Classifica- tion levels will be ascribed in accordance with E.O. 12065, ? reserving CONFIDENTIAL for "identifiable damage", SECRET for "serious damage", and TOP SECRET for "exceptionally grave damage". No other classification levels are authorized and: none are ? b. Classification Guides: Contractors will be furnished Classification Guides by Government Program Managers or contracting officers to assist in the classification of documents, hardware or other items originating in Contractor firms. These guides will be made as-specific as possible and will be used as the means by which contractor firms assign classification categories. Cognizant Government agencies will provide individual guidance as required for situations not covered in the basic guides. c. Labelling: The following labelling requirements are established for all written or graphic materials that contain APEX information and are disseminated within the APEX Security Control System: to be adopted within the APEX Security Control System. L 1)('1'1 1:11)1-.-.11-111\1_ Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 r n ; A Ji ?Ii.,; I t Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 1. Classification: The overall classification of a document, whether or not permanently bound, or any copy or reproduction thereof, shall be con- spicuously, marked or stamped at the top and bottom of the outside of the front cover (fl :any), on the title page (if any), on the first page, on the back page, and on the outside of the back cover (if any). Each interior page of a document shall . be conspicuously marknd or stamped at the top and bottom with the highest classification of the document. The determination of national security classification shall be on the basis of the policies indicated in Executive Order 12065 on National Security Infor- mation. Portions of documents, to include paragraphs, subparagraphs, and titles shall be marked to reflect the level of classification and dissemination con- trol markings or that the particular portion is unclassified. 2. Control System Caveats: All documents controlled within the system will be marked "HANDLE VIA APEX SECURITY CONTROL SYSTEM" on the front CONHDENT Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/056 J l4%.14:1513851-0788R000100060015-2 cover (if any), title page (if any), back page and first page of all documents. Each interior page which contains APEX information will also bear the same markings. 3. Codewords and Indicators: Codewords for operational projects and product indicators will be placed following the classification marking on the top and bottom of the title page, first page and each page which contains information requiring specific codeword/indicator protection. 4. Control Numbering': APEX document control numbers,which will be provided by cognizant govern- meat agencies, will be placed immediately above the Control System Caveat on the front cover, title page and first page of each document. A "one up" six digit numbering system, to include year of creation, will be utilized (e.g., A-123456/79). 5. Declassification Review Notice: Having satisfied threshold criteria demanding protection under the APEX Security Control System clue to sensitivity of the source, method or the infor- mation itself, APEX materials are classified for a period of 20 years excepting Foreign Government tiU/V1- i it";; Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Information which will remain protected for 30 years. The following Declassification Review Notice will be used on the cover, title page, or first page of typescript text, or inside of formal publications: Classified By: (appropriate authority) Review for Declassification On: (Indicate ? date, 20 or 30 years from date of issuance). Reason for Extended Classification: APEX.XII.B.6 The abbreviation "REVW 20/30 YRS" may be sub- stituted in electrically transmitted messages. 6. Abbreviations: Distinctive APEX markings will - not be abbreviated where there is a likelihood that the abbreviation will be confusing or otherwise not under- stood by the recipient. A standard list of approved abbreviations will be provided to contractors. 7. Marking Files, Folders or Groups of Documents: Files, folders, or groups of documents shall be con- spicuously marked to assure the protection of all S.7.1 contained therein. Such material shall be marked on the file folder tab or other prominent location or PFCX affixed to an appropriate -Sal cover sheet. vn T:1 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 c. Pouching and Transmittal Requirements: APEX material to be transmitted from one facility to another must be carried either by two couriers approved for this purpose, by diplomatic pouch, or by the Armed Forces Courier Service (ARFCOS). Courier procedures shall ensure that APEX materials are adequately protected against the possibility of hijacking, unauthorized viewing, loss or other form of compromise during the transmission. Transmittal of APEX material via non-U.S. Government operated or chartered aircraft is prohibited.* The cognizant SIO must specifically approve all exceptions. APEX couriers shall be active duty military or U.S.:. Government civilian employees meeting investigative standards of this Manual and be specifically designated by the cognizant sponsoring agency. Couriering of APEX by contractor employees is prohibited except when specifically approved by a responsible government official. APEX materials shall be enclosed for delivery in two opaque envelopes or otherwise be suitably double-wrapped using canvas bags, cartons, crates, leather pouches, etc. Containers will be secured with tape, lead seals, tumbler padlocks, or by other means which would reasonably prdtect against surreptitious access. 'Woes not apply to ARFCOS and the Diplomatic Courier Service CONFIDEWIAL Approved For Release 2004%05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 The inner a:1.cl outer container shall be annotated to show the pouch address and package number of the sending APT facility. The notation "TO BE OPENED BY THE ACO" shall be placed above the pouch address of the receiving APEX facility on both containers. The proper security classification and caveat "CONTAINS APEX CONTROLLED MATERIAL" shall be annotated on each side of the inner wrapper only. The inner shall contain the document receipt and should also ? container reflect the name or office symbol of the person/activitiy for whom the material is intended d. Electrical Transmissions: APEX material transMitted electronically will be controlled according to procedures pre- scribed below. Senders must assure that electronic transmissio are made only to authorized recipients and receivers must prey! procedures for the proper protection.of APEX material received in'this manner. These procedures shall include the establish- ment of a recipient's need-to-know in circumstances where no hard copy or record copy of the material will result. The transmission of APEX material shall be restricted to means specifically approved and accredited for this purpose. Electrical transmission of APEX material shall be limited to specifically accredited communications circuits secured by a government approved crypto and protected distri- bution system. cn -.1- (I. i L.) I Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 f Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Operational proceduressAll ensure that only properly indoctrinated personnel are provided access to clear text APEX materials. Material transmitted by accredited communications circuits or other specialized means shall be marked at the top and bottom with the assigned classification and paragraph marked ,in the manner prescribed above for documents. Applicable code- words, designators, caveats, etc., shall be clearly shown con- sistent with the design of the message form or format being used. The first item in the text of a message shall be tile overall classification of the message, applicable codeword(s), Control System Designator, and such other markings as may be required to note dissemination controls. e. Cover Sheets: To preclude unauthorized disclosure, an unclassified cover sheet shall be used when transmitting APEX materials Outside an ACF. Publications need not have a separate document cover sheet affixld if the publication cover includes all prescribed markings and is unclassified standing alone. f. Destruction: As soon as possible after its purpose has been served ,all APEX controlled material shall be destroyed in a manner that will preclude reconstruction in any intelligible CONE( [Tiff! r, Approved For Release 2004105/12 : CIA-RDP85T00788R000100060015-2 e iFjb; Approved For Release 2004/05/12 : CIA-14DP8o100788R000100060015-2 form. However, only those items approved by the cognizant government agency may be destroyed, and only those methods of destruction specifically authorized by the responsible government program manager shall be used. (These methods may 25X1 destroyed). All destruction shall be supervised and witnessed by at least two APEX indoctrinated individuals. Destruction certificates will be completed for all items destroyed. APEX material contained within computer or automated data processing systems or other magnetic media shall be erased by approved' degaussing equipment or destroyed by other approved means. g. Reproduction: JReproduction of APEX material shall be kept to a minimum consistent with operational necessity. Copies of documents are subject to the same contrcls as the original. Adherence to stated prohibitions against reproduction is manda- tory. .Any equipment used for APEX reproduction must be thoroughly inspected and sanitized before removal from an APEX facility. Reproduction of TOP SECRET materials within the APEX System requires consent of originating Agencies: Materials classified SECRET or CONFIDENTIAL may be restricted from re- production by originating Agencies. Co V*1 t Iii jL;"" ? e..$1, Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Ii. Accountability: All APEX TOP SECRET documents will be inventoried at least annually or when there is a termination of contract, a change of designated APEX Control Officers or authorized custodians of such material. . Random inventories will be conducted annually for all APEX materials classified SECRET or CONFIDENTIAL according ,to formulacprovided by the cognizant government Agency ASO. Should the random inventory of APEX material fail to locate a number of the sampled documents, the contractor ASO will order a complete inventory of all APEX documents received by an APEX Control Facility. Reports of discrepancies will be provided to the cognizant agency who will initiate a search for and investigation of all missing documents. APEX Control Facilities shall keep a record of all APEX numbered materials that are received by or dispatched outside the Control Facilities. This dissemination record shall include a brief entry which identifies the nature of the controlled material and the specific organizations - outside or within the Control Facility - for whom the material is intended.. Dissemination records of incoming materials shall be retained. The disseminatior record requirement for dispatched materials maybe satisfied by t'c 61 Finriffi Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 , :r Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 keeping copies of the envelopackageipeuch receipt or other appropriate dissemination record maintained by the dispatching Control Facility. Such receipts should be retained for a minimum of two years. Working materials containing APEX-controlled data, that are used and retained exclusively within an ACF - such as preliminary drafts of reports, studies, film clips included in analysts' reference files, and waste materials such as carbon sheets, carbon ribbons, reproduction plates, stencils, composition tapes, masters, stenographic notes, work sheets,-:, and similar items? do not require an APEX number or dissemintion record but shall be safeguarded and marked as "WORKING PAPERS" in accordance with the storage requirements for APEX-controlled materials. (?)( )i\! --- n i 't Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 I, L ? ; Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 XII. PROCEDURES FOR CONTROL OF OTHER HARD COPY DOCU!.SFYTS a. Automatic Data Processing: All automatic data processing of APEX controlled information and material will be conducted in accordance with instructions provided by the responsible Government official. To facilitate identification, accounting and control of APEX-controlled data in magnetic form, each reel. or cassette .of tape, each magnetic card or disk pack which contains APEX-controlled data will be prominently marked with labels indicating security classification, APEX Security Control System markings and other required APEX caveat designators Internal media identification must include a header and trailer block which contains security markings. b. Film/Photuraphic Materials: Roll film, slides, or other forms of photographic negatives or positive items must be labelled as to security classification and control under APEX control procedures and document and copy number. Labels on roll film placed in metal containers will be located as follows: 1. one on end of spool flange 2. one on side of spool container, and -,s3. one on container cover. (.;1\iFI13E1\TIAL Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 200,4/95/1,2-:?clA.,RPe85:100788R000100060015-2 I ? :-1 - : I Film in transparent containers needs only one label placed visibly on the spool flange. This procedure is intended to facilitate reuse of the containers. c. Microfiche: Each microfiche will have a heading whose elements are readable without magnification. The heading elements will specify: the long and short titles of the document; security classification and codewords which shall not be abbreviated; standard abbreviations or codes for handling caveats, dissemination contral markings and distribution re.- strictions. The exact placement of the heading elements will be as prescribed by the responsible government official. Micro- fiche may also be placed in envelopes which, through a specified color code, indicate the level of security protection to be accorded the microfiche. d. Microfilm: Each roll of microfilm, whether mounted on an open reel or. in a cartridge, will contain security informa- tion which is readable without magnification. For source document microfilm, the information will be on a page target and contain the security classification and codewords,- which shall:- not be abbreviated, standard abbreviations and codes for handling' caveats, dissemination control markings and distribution. Corti-11,r" t Approved For Release': ()!I:itt/05i421: 61/LRDP85T00788R000100060015-2 CU; y I ! mi- Approved For Release'2004/05/1,2 CCIA-Mp.P85T00788R000100060015-2 restrictions. This page target will immediately precede the first page of the document and will follow the last page of text preceding the "END - date filmed" target frame. For film produced by a Computer Output Microfilm (COM) recorder, the above mentioned security information will be recorded in human readable format when within equipment capability on a length of.film immediately preceding and following the document text. The boxes containing processed film in open reels and the film cartridges will be labeled with the appropriate security information. In addition, the labeling will include the dotu-..7 ment's long and short titles. Microfilms containing documents with individual titles and APEX numbers too numerous to be included on the label, may be identified by a generalized composite title and a new APEX number. ;, ; ; ! ! -'1 !i? Approved For Release 2004/05/12: CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 XIII. SECURITY VIOLATIONS/COYPaOMISYS *a. Responsibility to Report: Each person approved and briefed for APEX access is responsible for reporting any possible security violations or compromises of APEX information to his/ her APEX Security Officer. Such reporting must be done immediately to keep damage to an absolute minimum. Ars/investigation is to be conducted immediately if there is a probability that a compromise has occurred. The cognizant government agency ASO. is to be notified both of the incident and investigative results in timely fashion. b. Investigative Responsibiliti: Contractor and cognizant government Agency ASO's are jointly responsible for the investi- gation of all security violations and possible compromises of APEX materials within their jurisdiction. Investigations will attempt to develop full details of the violation or compromise, determine whether and how much information was exposed, what damage resulted, and offer conclusions as to whether culpability was apparent in allowing the violation or comproMise to occur. Penalties will be assessed as prescribed by the cognizant government Program Managers. These violations will be administerec- or\rni rtrf,Tri A 1* ? ,Elt Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 k.),..111k J i-??% Approved For Reteasy 2004/05/12 : CIA-RDP85T00788R000100060015-2 by the ASO andwunitii,e action tal:en will be recorded in contractor and cognizant goverhment agency security files. When it is determined that material has, in fact, been revealed improperly or accidentally to an unauthorized U.S. national, the contractor will immediately advise the cognizant Government ASO of the incident and will secure an agreement of secrecy on the inadvertent exposure. If the inadvertent exposure has been made to a non;-U.S. citizen, the contrLctor ASO will obtain guidance from the cognizan- Government agency ASO whether or not to seek an inadvertent disclosure statement. In all cases of inadvertent exposure a written report will be provided by the contractor ASO to the cognizant agency ASO. If personnel to whom inadvertent exposure has been made have been investigated to DCID 1/14 standards, have executed an inadvertent exposure oath and can reasonably be expected to honor their obligation to maintain APEX security, the cognizant Government ASO may make. a finding that no compromise has occurred. 'Cikrif r II"' Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 c. Corrective A.c t ion : In the COUTSC of investigating security violations and compromises, it may become clear that there are weaknesses in operating procedures in the affected components. It is the responsibility of each contractor ASG when identifying such basic flaws, to initiate corrective action. The corrective action recommended will be incorporated in the investigative report to the cognizant Government Agency ASO. kJ() k j tLiL..1I, t Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 .; h. ? - ? .-, ? .? ? , ? Approved For Release 2004/0511'2 .'iiek1RDP-8-5T00788R000100060015-2 XIV. SECURITY EDUCATION Security education is a continuing program which must be formally provided at the time of initial indoctrination, periodically while in approved status and at the time of termination of access. At all times both ASO's and all indoctrinated personnel must continually maintain and increase security awareness on the part of all approved individuals through day-to-day vigilance and reinforcement of basic security principles. a. Initial Indoctrination: Upon the granting of initial access, personnel are to be indoctrinated by an ASO. The indoctrination will, at a minimum, include the following: 1. The need for , purpose,and structur??.of the APEX Security Control System and the adverse effects on the national security that could result from unauthorized disclosure of APEX information. 2. An explanation of the sensitivity of APEX information and its relationship to other intelli- gence information processed by the United States Government. 3. The administrative, physical and other procedural security requirements of the APEX Security Control System. Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 ' ? Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 4. Individual classification management responsibilities of personnel in the APEX system to include classification/declassification, de- CoMpartmentation and sanitization guidelines and marking requirements. S. The criminal penalties for espionage and. unauthorized disclosure in the appropriate sections of Titles 18 (e.g., Sections 792-798) and 50, U.S. . Code, relative to APEX information. 6. The administrative sanctions for violation or disregard of APEX security procedures.. 7. A review of the techniques employed by foreign intelligence organizations in attempting to obtain national security information. 8. A review of individual security responsi- bilities to include, at a minimum, (a) the prohibition against disclosing any classified information over either non- secure telephones or in non-secure places, (b) the need and method to determine that prospective recipients are approved for access, truly need information to perform their official duties and can provide proper protection to the information in question) ? ? ? _ ? : IN I? 60 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 r? ; f..11 Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 (c) administrative reporting require- ments such as non-official foreign travel, contacts with foreign nationals, attempts by unauthorized persons to obtain APEX informa- tion, possible loss or compromise of APEX material, physical security deficiencies or probable personnel security concerns which would impact adversely on APEX security. b. Periodic Reindoctrination: At intervals of no less than-two years, all APEX.windoctrinated 'personnel are to receive a 'formal reindoctrination. This reindoctrination should cover all the points enumerated in paragraph a. In addition, as personnel grow in understanding of the APEX Security Control-- The System by being exposed to it/shouldAdevelop on a more sophisticated level appropriate to the specific types of APEX activity involved (e.g., vulnerability of operational activities to countermeasures, need to protect identity of human sources for purposes of their individual safety, etc.). Such reindoc- trinations should reinforce responsibilities of the individual and this opportunity should be used to encourage' suggestions for better security within the system. 40-N ?-?N :?? ? ! ? \ 5 ' ? : - Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 I ?? lt;t ? ' ?? **".? ? ; Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2 c. Termination of Access: When it has been determined that individuals no longer require access to any type of APEX information, they should be scheduled for a debriefing and provided with final instructions and guidelines on the protection of APEX. information and their personal responsi- bilities. At a minimum, this debriefing will include: ? 1, A reminder of the appropriate sections of Titles 18 and 50 of the U.S. Code, their pro- visions and criminal sanctions relative to espionage. and unauthorized disclosure. ? 2. The continuing obligation never to divulge,. publish or otherwise reveal to any unauthorized person any APEX information without ? express permission of the appropriate responsible' officials. 3. An acknowledgement of individual responsibility to report to appropriate U.S. Government officials any attempt by an un- authorized person to solicit APEX information.. 4. A declaration that the individual no. longer has any APEX materials in his/her possession. 5. A review of travel restrictions and reporting requirements, if required. At. the time of debriefing, the person terminating should again be encouraged to provide any comments pertinent to enhanced APEX security. 6(; r\ rs ? . .f i ? ? 1 t Approved For Release 2004/05/12 : CIA-RDP85T00788R000100060015-2