Guideline K (Handling Protected Information) of the Adjudicative Guidelines for Determining Eligibility for Access to Classified Information encompasses the handling of classified information, as well as sensitive but unclassified, embargoed technology, company proprietary, and privacy information. Of the approximately 1200 initial case decisions posted at the Defense Office of Hearings and Appeals (DOHA) website for the period January to November 2010, 14 cases involved Guideline K issues. Over 64% of these initial case decisions resulted in security clearance denials or revocations. One case that initially resulted in the granting of a clearance was later reversed on appeal. All of these cases also cited Guideline E: Personal Conduct and/or Guideline M: Use of Information Technology Systems as potentially disqualifying issues. These addition issues were usually directly related to the Guideline K conduct, because the conduct displayed questionable judgment and unreliable behavior and/or because the conduct involved computers.
The Adjudicative Guidelines states, “Deliberate or negligent failure to comply with rules and regulations for protecting classified or other sensitive information raises doubt about an individual’s trustworthiness, judgment, reliability, or willingness and ability to safeguard such information, and is a serious security concern.” Guideline K lists 9 specific examples of potentially disqualifying conduct, some of which duplicate disqualifying conduct under Guideline E and Guideline M. These 9 examples can be reduced to 2 general types of behaviors:
1. Intentional violation of security rules.Sponsored
Become a Certified Ethical Hacker
2. Repeated negligence, carelessness, or inattention in following security rules.
Cases involving either of these 2 types of behaviors often result in a clearance denial or revocation. Clearances are usually granted or continued in cases involving a single recent unintentional violation or where only a few unintentional violations occurred more than 3 years earlier and the applicant responded favorably to remedial training. DOHA Administrative Judges (AJs) appear to impose a stricter standard when applying the most common mitigating condition of “passage of time without recurrence” to Guideline K cases.
Applying a stricter standard for mitigating security violations is judicious. With most security clearance issues (i.e. alcohol, drugs, finances, criminal conduct, etc) adjudicators try to evaluate the possibility of future recurrence of the problem, because the problem might in turn lead to deliberate or negligent compromise of classified information. Whereas, any recurrence of a security violation could by itself result in the unauthorized disclosure of classified information. In a somewhat extreme application of this stricter standard an applicant’s clearance was revoked by DOHA in 2010 because of numerous unintentional security violations spanning several years, where the last violation occurred 12 years ago.1
Another consideration for applying a stricter standard to these cases is that certain types of security violations are potential counterintelligence indicators that an individual might be disclosing protected information to unauthorized personnel. These behaviors include:
• Unauthorized removal of protected information from the office.
• Unauthorized introduction of cameras or recording devices into areas storing protected material.
• Retention of protected information obtained at a previous employment without the authorization or the knowledge of that employer.
• Unauthorized copying of protected information.
• Concealing or removing protective markings when copying protected information.
• Efforts to view or obtain protected information clearly beyond one’s need-to-know.
In early December 2010 numerous news sources reported that the White House Office of Management and Budget sent a memo to federal agencies forbidding unauthorized federal government employees and contractors from accessing classified documents publicly available on WikiLeaks and other websites. Other news stories reported that university students were advised not to viewed classified information at WikiLeaks, because it could result in the denial of a security clearance in the future.
There has been some indignation regarding these warnings, but “The fact that classified information has been made public does not mean that it is automatically declassified.2 To access classified information a person must have the proper clearance and need-to-know. Guideline K specifically makes “inappropriate efforts to obtain or view classified or other protected information outside one’s need to know” a potentially disqualifying condition. However, because of the unusual circumstances involved, it’s questionable whether viewing classified information on WikiLeaks or any other public website will actually result in a security clearance denial or revocation, particularly for people who were not subject to government security regulations at the time. The most likely response will be an admonishment regarding future violations.
A literal interpretation of Guideline K suggests that it only applies to violation of security rules directly related to accessing, handling, and storing protected information. However, adjudicators use a broader interpretation of Guideline K that includes violation of rules regarding the duty to self-report potentially disqualifying conditions and comply with other security requirements. An Admininstrative Judge’s (AJ) decision to revoke a clearance in DOHA Case No. 06-26489 is particularly instructive. This decision was later affirmed on appeal.
“Applicant’s failure to comply with rules and regulations for protecting classified and other sensitive information occurred in April 2005, and is not therefore recent. However, at his hearing, Applicant maintained that he was confused by the reporting requirement and, therefore, his failure to follow the instructions given to him should be excused. Applicant’s continuing refusal to acknowledge his responsibility to comply with a reporting requirement was intentional and has not been mitigated by the passage of time. He knew that he should report the [foreign] relationship and deliberately chose not to do so. He failed to demonstrate a positive attitude toward the discharge of his security responsibilities.”
Under DoD Regulation 5200.2-R (Personnel Security Program) cleared personnel must report all potentially disqualifying information listed under Guidelines A through M of the Adjudicative Guidelines, plus:
• Change in name, marital status, and citizenship.
• Change in job assignment that eliminates the need for access to classified information.
• Any situation related to actual, probable, or possible espionage, sabotage, or subversive activities directed at the United States.
• Any known or suspected security violation or vulnerability.
• Efforts by any person, regardless of nationality, to obtain illegal or unauthorized access to classified information.
Supervisors and coworkers have an equal obligation to advise appropriate security officials when they become aware of information with potentially serious security significance regarding someone with access to classified information.
Individuals with Sensitive Compartmented Information or other Special Access Program authorizations have additional reporting requirements, such as impending unofficial foreign travel and any close and/or continuing contact with a foreign national where ties of kinship, affection, influence, or obligation exist, even if the contact does not create a heightened risk of foreign exploitation.
Like all security issues, security violations can be mitigated, if they are unlikely to recur because they happened long ago or under unusual circumstances. Security violations can also be mitigated, if the applicant received improper or inadequate training and subsequently obtained the needed training.
If you commit a security violation or fail to comply with some other security requirement, report the matter to your security officer immediately and request remedial or additional training. The Defense Security Service Academy offers a variety of security education courses for federal employees and contractors. Complete the training in a timely manner, obtain documentation that the training was completed, and insure that a copy of the documentation is placed in your security file.
1 This DOHA case (No. 04-12742) appears ripe for appeal. Because of the apparently faulty logic applied by the DOHA AJ, the case if appealed will probably be reversed or at least remanded for a new hearing. The AJ held that although the applicant had passive access to classified information at briefings and meetings during the past 12 years (without any security violations), she did not actively handle classified information, and therefore the applicant has not had an opportunity to demonstrate that the lax or sloppy security habits of the past will not recur. Using this logic, anyone whose clearance is revoked due to a security violation will never receive a clearance in the future, because they will not have an opportunity to demonstrate responsible handling of classified information without a clearance.
2 Paragraph 4-106, National Industrial Security Program Operating Manual, DoD 5220.22-M, February 28, 2006.
William H. Henderson is a retired security investigator, author of Security Clearance Manual, and regular contributor to ClearanceJobsBlog.com and ClearanceJobs.com. Copyright © 2011 Last Post Publishing. All rights reserved.