NHB 1620.3C NASA Security Handbook
NASA NHB 1620.3C, (PART 4)
HANDBOOK Effective Date February 1, 1993
_________________________________________________________________
Responsible Office: JL
Subject: NASA Security Handbook (PART 4 of 5)
PREFACE
APPENDIX A: GLOSSARY OF SECURITY TERMS
Access. The ability and opportunity to gain knowledge of
classified information.
Access Control. The means, through a variety of procedures and
equipment, to regulate and monitor the movement of personnel
and/or vehicle traffic through points of entry and exit.
Access Control System. A system of electromechanical and
electronic devices that monitor and permit or deny entry and exit
of a protected area by personnel or vehicles.
Acoustic Security. Those security measures designed and used to
deny audio access to information.
Aeronautical and Space Activities. (l) Research into, and the
solution of, problems of flight within and outside the Earth's
atmosphere; (2) the development, construction, testing, and
operation for research purposes of aeronautical and space
vehicles, and (3) such other activities as may be required for
the exploration of space.
Administrative/Service Area. Those areas within an accredited
facility where storage, exposure, discussion, and/or processing
of classified or sensitive material is not allowed.
Agency. Any department or agency of the Government.
Alien. Any person who is not a citizen or national of the United
States.
Anti-Terrorism. Defensive measures used to reduce the
vulnerability of individuals or property to terrorism.
Arrest Authority. Authority to execute arrests and searches
without warrants granted to designated NASA employees and
contractors by the National Aeronautics and Space Act of 1958, as
amended.
Audible Scrambler. A method of modifying communications equipment
to encode or decode transmitted signals. Provides a limited
degree of security in sensitive operations, but does not meet
encryption standards required for transmission of classified
information.
Authorized Person. A person who is appropriately cleared, has a
valid need-to-know, and has been granted access to an area.
Background Investigation. The means or procedures, such as
selective investigations, records checks, personal interviews,
and supervisory controls, designed to provide reasonable
assurance that persons being considered for or granted access to
classified information are loyal and trustworthy.
Back-up Power. A secondary source of power (usually batteries or
generators) to provide continued system operation when primary
(AC) power is interrupted.
Controlled Cryptographic Item (CCI). Secure telecommunications
or information handling equipment or associated cryptographic
component or ancillary device that is unclassified when unkeyed
(or keyed with unclassified key), but controlled.
Classification Category. The specific degree of security
classification that has been assigned to classified information
to indicate the extent of protection required in the national
interest.
Certified Tempest Technical Authority (CTTA). Designated official
responsible for performing TEMPEST countermeasure cost and
security analyses prior to the implementation of TEMPEST
countermeasures.
Classification Guide. The guidance issued or approved by an
original Top Secret classification authority that identifies the
information or material to be protected from unauthorized
disclosure and specifies the level and duration of classification
assigned or assignable to such information or material.
Classified Material. Any physical object on which is recorded or
in which is embodied classified information that may be discerned
by the study, analysis, observation, or other use of the object
itself.
Closed Area. An area in which security measures are applied
primarily to safeguard classified information and material, entry
to the area being equivalent to access to such classified
information and material.
Closed Circuit Television (CCTV). A television system where
video signals are transmitted from one area to another via
coaxial or fiber optic cables.
Closed Storage Area. An area, cleared for classified operations,
in which all classified material must be stored in a GSA-approved
security container when the area is unoccupied.
Cognizant Security Authority (CSA). Agency, office, or person
responsible for establishing security requirements.
COMINT. Information derived from the study of intercepted
electromagnetic communications.
Communications Security. The protection resulting from the
application of cryptosecurity, transmission security, and
emission security measures to telecommunications and from the
application of physical security measures to COMSEC information.
These measures are taken to deny unauthorized persons information
of value that might be derived from the possession and study of
such telecommunications, or to ensure the authenticity of such
telecommunications.
Compromise. A breach of security due to an unauthorized person's
gaining knowledge of classified information.
Compromising Emanations. Unintentional emissions that could
disclose information being transmitted, received, or handled by
any information-processing equipment. (See TEMPEST)
COMSEC. Communications Security.
COMSEC Accounting. Procedures that document the control of
COMSEC material from its origin through destruction or other
final disposition.
COMSEC Custodian. Individual designated responsible for the
receipt, transfer, accountability, safeguarding, and destruction
of COMSEC material assigned to a COMSEC account.
COMSEC Insecurity. Any occurrence that jeopardizes the security
of COMSEC material or the secure electrical transmission of
classified or sensitive government information.
COMSEC Material. Aids and hardware that are designed to secure
telecommunications.
Contractor. Any entity that is party to a contract with the
United States.
Concertina Wire. Rolled barbwire, usually in .914m/three-foot
diameter rolls that are pulled apart and expanded to make a
physical protective barrier. A military version is called
General Purpose Barbed Tape Obstacle. Also called razor wire or
wire obstacle.
Counterespionage. Aspect of counterintelligence designed to
detect, destroy, neutralize, exploit, or prevent espionage
activities through identification, penetration, manipulation,
deception, and repression of individuals, groups, or
organizations conducting or suspected of conducting espionage
activities.
Countermeasures Advisory Panel (CAP). An interagency panel that
recommends National TEMPEST policy for approval by the National
Telecommunications and Information Systems Security Committee
(NTISSC).
Cryptographic Information. All information and material,
including documents, devices, equipment and apparatus, essential
to the encryption, decryption, or authentication of
telecommunications. Whenever cryptographic information is
classified, the material is marked "CRYPTO" and the specific
security classification is indicated.
Cryptosystem. Associated items of COMSEC material used as a unit
to provide a single means of encryption or decryption.
Custodian. Any authorized person who possesses and is
responsible for safeguarding classified information or material.
Dead Bar. A solid bar attached to both a door and its frame on
the inner side to prevent opening from the outside.
Dead Bolt. A lock bolt with no spring action. Activated by a
key or turn knob and cannot be moved by end pressure.
Decibel. A unit of sound measurement.
Dedicated Phone Lines. Leased or propriety telephone lines used
solely for transmission of a particular signal.
DES Data Encryption Standard. An unclassified algorithm
implanted in electronic hardware or firmware devices used for the
cryptographic protection of unclassified but sensitive
information.
DOD Representative. An officer or employee of the Department of
Defense, or any department or agency thereof, or a member of the
Armed Forces, or a contractor or subcontractor of any DOD
department, agency, or Armed Forces, or an officer or employee of
any such contractor or subcontractor.
Door Switch. An electromechanical device attached to doors used
to detect door openings and generate an alarm.
Duress Alarm. A mechanical or electronic device that enables
personnel to alert a response force to obtain immediate
assistance without arousing suspicion.
Electrical Metallic Tubing (EMT). Steel tubing used to protect
electrical and electronic signal cables.
Electric Strike. A feature that locks or unlocks a door or
turnstile automatically or manually.
Electromagnetic Interference (EMI). A component of energy
generated by radar, high-voltage lines, radios, etc., that can
cause interference or damage to unprotected electronic equipment.
ELINT: Information derived from noncommunications
electromagnetic radiations (such as those emitted by radar).
Emission Security: The component of communications security that
results from all measures taken to deny unauthorized persons
information of value that might be derived from intercept and
analysis of compromising emanations from crypto and
telecommunications equipment. Frequently referred to as TEMPEST.
Expanded Steel. Also called Expanded Metal Mesh. A lacework
patterned material produced from sheet steel by making regular
uniform cuts and then pulling it apart with uniform pressure.
Fence Apron. Barbed wire section placed atop barrier fences,
usually placed at a 45-degree angle.
Fence Sensor System. A system mounted on a fence or installed as
part of a fence that detects an intruders' attempts to climb
over, penetrate, or crawl under the fence.
Foreign National. Any person who is not a U.S. citizen or not a
national of or an immigrant to the United States.
Guard. A properly trained and equipped individual whose duties
include the protection of assets.
ITAR. International Traffic in Arms Regulation.
Intelligence Community. The aggregate of the following executive
branch organizations and agencies involved in intelligence
activities: the Central Intelligence Agency; the National
Security Agency; the Defense Intelligence Agency; offices within
the Department of Defense for the collection of specialized
national foreign intelligence through reconnaissance programs;
the Bureau of Intelligence and Research of the Department of
State; intelligence elements of the military services; the
Federal Bureau of Investigation; the Department of the Treasury;
the Department of Energy; and staff elements of the Office of the
Director of Central Intelligence.
Intrusion Detection System (IDS). A security alarm system
consisting of one or more various types of components used to
detect unauthorized access into a protected area.
Level of IDS Protection. Number of sensor types used in an IDS
system to protect an area. (Door switches and motion detectors
in use in one area constitute two levels of protection.)
Limited Area. An area in which security measures are applied
for the safeguarding of classified information and material, or
unclassified property warranting special protection, and in which
uncontrolled movement of visitors or other unauthorized persons
would permit access to such classified information and material
or property, but within which such access may be prevented by
appropriate visitor escort or other internal restrictions and
controls.
NRP. NASA Resource Protection.
National Security Decision Directive (NSDD). A document that
promulgates Presidential decisions implementing national policy
and objectives in all areas involving national security. All
decision directives are individually identified by number and
signed by the President.
National Telecommunications and Information Systems Security
Committee (NTISSC). An interagency committee responsible for
approving national security policies for safeguarding systems
that process or communicate sensitive information.
Open Storage Area: A properly accredited vault or area in which
classified material may be processed, discussed, or stored
without the use of security containers.
Operations Security (OPSEC). A systematic and analytical process
by which the U.S. Government and its supporting contractors can
deny to potential adversaries information about capabilities and
intentions by identifying, controlling, and protecting evidence
of planning and execution of sensitive activities and operations.
Perimeter. A wall, fence, natural terrain, water, etc., that
provides a barrier or indicates the outer limits of an area.
Personnel Turnstile. A device consisting of fixed and rotating
bars that permits or prevents entry or exit in a protected area.
Protected Distribution System (PDS). A wireline or fiber optic
system that includes adequate acoustic, electrical,
electromagnetic and physical safeguards to permit its use for the
unencrypted transmission of classified information.
Radio Frequency Interference (RFI). A signal in the radio
frequency range that may prevent proper operation or destroy
unprotected electronic circuits.
Reader (Card). An electronic device used to decode data
contained on cards or keys to identify the holder as an
authorized or unauthorized entrant into a protected area.
Red/Black Concept. The separation of electrical and electronic
circuits, components, equipment, and systems, that handle
classified plain language information in electric signal form
(Red) from those that handle encrypted or unclassified
information (Black).
Restricted Area. An area in which security measures are applied
to safeguard or control property, or to protect operations and
functions that are vital or essential to the accomplishment of
the mission assigned to a NASA Installation or component
Installation.
Security Dispatcher. A person assigned to the duties of
dispatching response forces and/or patrols, usually in response
to alarms, calls for assistance, or other emergencies requiring
security personnel at the scene.
Security Survey. A comprehensive formal evaluation of a
facility, area, or activity by security specialists to determine
its physical or technical strengths and weaknesses and to propose
recommendations for improvement.
Sensitive Requiring special protection from disclosure to avoid
compromise or threat to the security of the sponsor.
Solid Wall. A wall that is constructed without hollow portions
in it.
Sound Groups. Voice transmission attenuation groups established
to satisfy acoustical security requirements.
Sound Transmission Class (STC): The ratings used in
architectural considerations of sound transmission loss such as
those involving walls, ceilings, and/or floors.
STS: Space Transportation System.
Special Access Program (SAP). Any program established and
approved under EO 12356 that imposes need-to-know or access
controls beyond those normally required for access to
Confidential, Secret, or Top Secret information.
Surreptitious Entry. The unauthorized entry into an area or
security container in a manner in which evidence of such entry is
not readily discernible.
TELINT. Information derived from the intercept and analysis of
communications between pieces of equipment. An example of TELINT
would be information obtained from the intercept of electronic
communications between a spacecraft and its ground-based guidance
system.
TEMPEST. An unclassified short name referring to investigations
and studies of compromising emanations. It is sometimes used
synonymously for the term "compromising emanations."
TEMPEST Test. A laboratory or on-site (field) test to determine
the nature and amplitude of conducted or radiated signals
containing compromising information. A test normally includes
detection and measurement of these signals and analyses to
determine the correlation between received signals and
potentially compromising transmitted signals.
Technical Surveillance Countermeasures (TSCM) Surveys and
Inspections: A thorough physical, electronic, and visual
examination to detect technical surveillance devices, technical
security hazards, and attempts at clandestine penetration of an
area for hostile technical collection of classified and sensitive
information.
Terrorism. The unlawful use of force or violence against persons
or property to intimidate or coerce a government, a civilian
population, or any segment thereof, in furtherance of political
or social objectives.
Type I COMSEC Product. A classified or CCI COMSEC product
endorsed for securing classified or sensitive government
information when appropriately keyed. NOTE: Refers only to
products and not to information, key, services, or controls.
Type I products contain a classified NSA algorithm. They are
available to U.S. Government users and their contractors and are
subject to export restrictions in accordance with ITAR.
Type II COMSEC Product. An unclassified device or equipment
endorsed for protecting sensitive government or government-
derived information. NOTE: Refers only to products and not to
information, key, services, or controls. Type II may not be used
for classified information. Type II products contain a classified
NSA algorithm, which distinguishes them from products containing
an unclassified DES algorithm. They are available to U.S.
Government users and their contractors and U.S.- sponsored
entities, but are subject to export restrictions in accordance
with ITAR.
Vault. An area used for storing, handling, discussing, and/or
processing classified information that is constructed to afford
maximum protection against unauthorized entry.
Visual Security. Those security measures designed and used to
deny unauthorized visual access to classified or sensitive
materials and activity.
Waiver. The approved continuance of a condition that varies from
a requirement and creates a vulnerability.
APPENDIX B: PERSONNEL AND INFORMATION SECURITY DEFINITIONS
For the purpose of this Handbook, the following definitions
will apply:
1. Access. The ability and opportunity to gain knowledge of
classified information; that is, an individual may obtain
access to classified information merely by being near a
place where the information is discussed or being within
a place where it is kept if the security measures in
force do not prevent the individual from gaining
knowledge of the information.
2. Aeronautical and Space Activities. (a) Research into,
and the solution of, problems of flight within and
outside the Earth's atmosphere; (b) the development,
construction, testing, and operation for research
purposes of aeronautical and space vehicles; and (c) such
other activities as may be required for the exploration
of space.
3. Agency. Any department or agency of the Government.
4. Alien. Any person who is not a citizen or national of
the United States (see "Immigrant Alien").
5. Authorized Person. A person who has been:
a. Cleared to at least the degree of security
classification of the information involved and has a
need-to-know the information in connection with that
person's official duties.
b. Authorized to enter a Security Area.
6. BDI - Background Investigation Update.
7. BGI - Background Investigation Upgrade.
8. Certifying Official. A NASA official authorized to
certify a NASA representative for access to Restricted
Data in the possession of (a) personnel of the Nuclear
Regulatory Commission (NRC) and its contractors; (b)
personnel of the Department of Energy (DOE) and its
contractors; and (c) NRC- or DOE-cleared personnel of
other Federal departments and agencies (except NASA and
the Department of Defense (DOD)) and their contractors.
9. Classification. The initial or original determination
that information requires protection against unauthorized
disclosure in the interest of national security, and a
designation of the level of classification. This
contrasts with the physical act of marking material
containing classified information to which a
classification category already has been assigned, e.g.,
information covered by a security classification guide or
material copied or reproduced from material previously
marked with an assigned classification (see "Marking").
10. Classification Authority. The authority delegated to an
official of NASA to originally classify information or
material that is determined by that official to require
protection against unauthorized disclosure in the
interest of national security. It further means the
authority to extend the duration of the original
classification, subject to the limits prescribed in this
Handbook, only so long as the basis for the original
classification continues to exist.
11. Classification Category. The specific degree of security
classification (Top Secret, Secret, or Confidential) that
has been assigned to classified information to indicate
the extent of protection required in the national
interest.
12. Classified Contract. Any contract, purchase order,
award, or grant that requires, or will require, access to
any classified information by the contractor, grantee,
supplier, or their employees in the performance of the
contract. A contract may be classified even though the
contractual document or the end item to be produced is
unclassified.
13. Classification Guide. The guidance issued or approved by
an original Top Secret classification authority that
identifies the information or material to be protected
from unauthorized disclosure and specifies the level and
duration of classification assigned or assignable to such
information or material. Appendix E, "NASA Information
Security Program," is the basic classification guide for
NASA.
14. Classified Information.
a. Information or material, herein collectively termed
information that is owned by, produced for or by, or
under the control of the U.S. Government, that has
been determined pursuant to "The Order" or prior
Executive Orders to require protection against
unauthorized disclosure, and that is so designated.
b. Other information to which an appropriate authority
of a foreign government or international pact
organization has assigned a security classification
to indicate the extent of protection required, and
which the United States is obligated to protect
pursuant to an agreement with that government or
organization.
15. Classifier. An individual who makes a classification
determination and applies a security classification to
information or material. A classifier may be an original
classification authority or a person who derivatively
applies a security classification based on a properly
classified source or a security classification guide.
16. Classified Material. Any physical object on which is
recorded or in which is embodied classified information
that may be discerned by the study, analysis,
observation, or other use of the object itself.
17. Closed Area. An area wherein security measures are
applied primarily for the purpose of safeguarding
classified information and material, entry to the area
being equivalent to access to such classified information
and material.
18. Cognizant Security Office. The Defense Investigative
Service (DIS) Industrial Security region which is
primarily responsible for exercising control over
industrial security matters at a contractor facility.
19. Communications Security (COMSEC). The protection
resulting from a measure taken to deny unauthorized
access to information related to national security that
might be derived from telecommunications, or measures
taken to ensure the authenticity of such
telecommunications.
20. Compromise. A breach of security owing to an
unauthorized person's gaining knowledge of classified
information.
21. Confidential Information. Information that could be
reasonably expected to cause damage to the national
security if disclosed to unauthorized persons.
22. Contractor. Any industrial, educational, commercial, or
other entity that is a party to a contract with the
United States and has received a facility clearance from
a Government department or agency.
23. Cryptographic Information. All information and material,
including documents, devices, equipment and apparatus,
essential to the encryption, decryption, or
authentication of telecommunications. Whenever
cryptographic information is classified, the material is
marked "CRYPTO" and the specific security classification
category also is indicated.
24. Custodian. Any authorized person who has possession of,
and is responsible for, safeguarding classified
information or material (see "Authorized Person" and
"Safeguarding").
25. Declassification Event. An event that would eliminate
the need for continued classification.
26. Declassify. Action taken by an appropriate authority to
cancel completely the security classification of an item
of classified information.
27. Derivative Classification. A determination that
information is in substance the same as information
currently classified, and a designation of the level of
classification.
28. Designated Agency Official. Refers to the official with
authority to deny, suspend, or remove an employee's
security clearance (except under 5 U.S.C. 7532). At NASA
Field Installation, this official is the Director; at
NASA Headquarters, this official is the Associate
Administrator for Management Systems and Facilities.
29. Document. Any recorded information regardless of its
physical form or characteristics, including, without
limitation, written or printed matter, data processing
cards and tapes, maps, charts, paintings, drawings,
engravings, sketches, working notes and papers,
reproductions of such things by any means or process, and
sound, voice, magnetic, or electronic recordings in any
form.
30. DoD Representative. An officer or employee of the
Department of Defense, or any department or agency
thereof, or a member of the Armed Forces, or a contractor
or subcontractor of any DOD department, agency, or Armed
Forces, or an officer or employee of any such contractor
or subcontractor (see "NASA Representative").
31. Downgrade. Action taken by an appropriate authority to
lower the classification category of an item of
classified information.
32. Employee. Any individual, including an expert,
consultant, or adviser, serving on a permanent or
temporary appointment, on a full-time, part-time, or
intermittent basis, and regardless of whether the
individual is compensated for services rendered.
33. Facility Security Clearance. From a security viewpoint,
an administrative determination that a facility is
eligible for access to classified information up to and
including a designated category.
34. Foreign Government Information. Information that has
been provided to the United States in confidence by or
produced by the United States pursuant to a written joint
arrangement requiring confidentiality with a foreign
government or international or regional organization of
governments.
35. Foreign National. Any person who is not a citizen or not
a national of or an immigrant to the United States (see
"Immigrant Alien").
36. Foreign Representative. A citizen or national of the
United States or an immigrant alien who is acting as a
representative official, or employee of a foreign
government, firm, corporation, or person.
37. Formerly Restricted Data. Information that has been
removed from the Restricted Data category based on a
formal determination by appropriate authority that the
information relates primarily to the military utilization
of atomic weapons, and that the information can be
protected adequately as classified information under the
provisions of "The Order." Such information may not be
transmitted or otherwise made available to any foreign
nation or international pact organization while it
remains classified information except under the
provisions of the Atomic Energy Act of 1954, as amended.
38. Immigrant Alien. Any person who is lawfully admitted
into the United States under an immigration visa for
permanent residence.
39. Information. Knowledge that can be communicated by any
means.
40. Information Security. The result of any system of
administration policies and procedures for identifying,
controlling, and protecting from unauthorized disclosure,
information of which protection is authorized by
Executive order or statute.
41. International Pact Organization. A regional defense
organization (e.g., NATO).
42. LDI - Limited Background Investigation Update.
43. LGI - Limited Background Investigation Upgrade.
44. Limited Area. An area wherein security measures are
applied primarily for the safeguarding of classified
information and material or unclassified property
warranting special protection and in which the
uncontrolled movement of visitors would permit access to
such classified information and material or property, but
within which area such access may be prevented by
appropriate visitor escort and other internal
restrictions and controls.
45. Marking. The physical act of stamping or otherwise
indicating on a document or other material (a) the
specific category of security classification assigned to
the information contained therein; and (b) other
pertinent notations (e.g., "Restricted Data--Atomic
Energy Act of 1954," "Unclassified when classified
enclosures are detached," and "CRYPTO").
46. Material. Any product or substance on, or in, which
information is embodied.
47. MDI - Minimum Background Investigation Update.
48. NASA Employee or Personnel.
a. Any permanent or temporary employee of NASA;
b. Any person serving without a contract as an advisor,
consultant, or expert to NASA; or
c. Any employee or member of another Federal department
or agency who is detailed to NASA or assigned to a
program or activity jointly sponsored by NASA.
49. NASA Representative. Any officer, employee, member of an
advisory committee, contractor, subcontractor, or officer
or employee or a contractor or subcontractor of NASA (see
"DOD Representative").
50. National Agency Check (NAC). A review of the files of
the Federal Bureau of Investigation (including
fingerprint files), Office of Defense Central Index of
Investigations, the Office of Personnel Management, or
other Government agencies, as appropriate. The files of
the Immigration and Naturalization Service and the
Central Intelligence Agency will be reviewed when the
individual is an alien or a naturalized citizen of the
United States.
51. National Security. The protection of the nation from
foreign aggression or espionage, including development of
defense plans or policies, intelligence or
counterintelligence activities, and related activities
concerning the preservation of the military strength of
the United States.
52. National of the United States. A citizen of the
United States, or a person who, although not a
citizen of the United States, owes permanent
allegiance to the United States.
53. Need-to-Know. A determination, by persons having
responsibility for classified information or matter, that
a proposed recipient's access to such classified
information or matter is necessary in the performance of
that person's official, contractual, or licensee duties
of employment under the cognizance of NASA.
54. Non-NASA Personnel. Any person (other than a NASA
employee) who is within the boundaries of a NASA
Installation or component and is outside the physical
limits of a cleared contractor facility (holding a
facility clearance under the DOD Industrial Security
Program) that is situated within the Installation or
component.
55. Original Classification. An initial determination that
information requires, in the interest of national
security, a specific degree of protection against
unauthorized disclosure, together with a designation
signifying that such a determination has been made.
56. Program Office Security Official (PSO). The PSO serves
as the first point of contact externally, and as the
focal point internally, on program security matters
within the responsibility of the program office Associate
Administrator. Primary responsibility for program
security rests with the program office Associate
Administrator.
57. Regrade. A determination that classified information
requires a different degree of protection against
unauthorized disclosure than currently provided, together
with a change of classification designation that reflects
such different degrees of protection.
58. Restricted Area. An area wherein security measures are
applied primarily for the safeguarding or administrative
control of property or to protect operations and
functions that are vital or essential to the
accomplishment of the mission assigned to a NASA
Installation or component Installation.
59. Restricted Data. All data concerning design,
manufacture, or utilization of atomic weapons, the
production of special nuclear material, or the use of
special nuclear material in the production of energy, but
will not include data declassified or removed from the
Restricted Data category pursuant to Section 142 of the
Atomic Energy Act of 1954.
60. Safeguarding.
a. All measures taken to minimize the possibility of
compromise of classified information including
accountability, control, and storage of classified
material; and
b. All measures taken to protect unclassified property
warranting special protection.
61. Secret Information. Only information that could
reasonably be expected to cause serious damage to the
national security if disclosed to unauthorized persons.
62. Security Area. A physically defined area established for
the protection or security of facilities, property, or
classified information and material in the possession or
custody of NASA or a NASA contractor located at a NASA
Installation or component Installation, entry to which is
subject to security measures, procedures, or controls.
63. Security Officer. The Installation Security Officer of a
NASA Field Installation or the Chief, NASA Security
Office.
64. Security Storage Equipment. Any security filing cabinet,
safe, safe-type filing cabinet, modified steel filing
cabinet, vault, vault-type room, or other storage
container or equipment specifically approved by the
Security Officer for the storage of classified material.
65. Security Violation (Infraction). A failure to comply
with or observe security regulations or procedures
established to safeguard classified information but has
not resulted in the loss or compromise of the information
involved (see Compromise).
66. SDI - Single Scope Background Investigation update.
67. SGI - Single Scope Background Investigation upgrade.
68. Short Title. A brief, unclassified identifying
combination of words, letters or numbers assigned to a
specific classified document or item of material for the
purpose of brevity and security.
69. Special Access Program. Any program imposing
need-to-know or access controls beyond those normally
provided for access to Confidential, Secret, or Top
Secret information. Such a program includes, but is not
limited to, special clearance, adjudication, or
investigative requirements, special designation of
officials authorized to determine need-to-know, or
special lists of persons determined to have a
need-to-know.
70. Top Secret Information. Only that information that
could reasonably be expected to cause exceptionally grave
damage to the national security if disclosed to
unauthorized persons.
71. Unauthorized Person.
a. Any person not authorized to have access to specific
classified information in accordance with the access
provisions of this Handbook; or
b. Any person who enters a Security Area without proper
authorization.
72. United States and Its Territories. The 50 States; the
District of Columbia; the Commonwealth of Puerto Rico;
the Territories of Guam, American Samoa, and the Virgin
Islands; the Trust Territory of the Pacific Islands; the
Canal Zone; and the Possessions, Midway, and Wake
Islands.
73. Upgrade. A determination made in the interests of
national security that certain classified information
requires a higher degree of protection against
unauthorized disclosure than currently provided, together
with a change in the classification designation to
reflect the higher degree.
74. Visit.
a. Classified Visit. A visit involving the authorized
disclosure of classified information.
b. Unclassified Visit. A visit that does not involve
the disclosure of classified information.
75. Visitor.
a. Any person who is admitted to a NASA Field
Installation other than a NASA employee of that
Installation; and
b. A NASA employee visiting another agency or
contractor.
76. Work Document. Any note, draft, preliminary copy of a
page of a document, or a form used to collect data for
inclusion in a document, which is prepared prior to
incorporation into a master or final copy.
APPENDIX C: PERSONNEL SECURITY ADJUDICATION POLICY
GENERAL
The following adjudication policy has been developed to assist
NASA adjudicators in making determinations about an
individual's eligibility for employment or retention in
sensitive duties or eligibility for access to classified
information. Refer also to Appendix V and W.
While reasonable consistency in reaching adjudicative
determinations is desirable, the nature and complexities of
human behavior preclude the development of a single set of
guidelines or policies that is equally applicable in every
personnel security case. Accordingly, the following
adjudication policy is not intended to be interpreted as
inflexible rules of procedure. The following policy requires
that each adjudicator has successfully passed the Department
of Defense (DOD) Personnel Security Adjudication course as
well as attended the suitability and security adjudication
course provided by the Office of Personnel Management. The
adjudicator's sound judgment, mature thinking, and careful
analysis of each case must be weighed on its own merits,
taking into consideration all relevant circumstances, and
prior experience in similar cases as well as the guidelines
contained in the adjudication policy, which have been compiled
from common experience in personnel security determinations.
Each adjudication is to be an overall common sense
determination based upon consideration and assessment of all
available information, both favorable and unfavorable, with
particular emphasis being placed on the seriousness, recency,
frequency, and motivation for the individual's conduct; the
extent to which conduct was negligent, willful, voluntary, or
undertaken with knowledge of the circumstances or consequences
involved; and, to the extent that it can be estimated, the
probability that conduct will or will not continue in the
future. The listed "Disqualifying Factors" and "Mitigating
Factors" in this set of Adjudication Policies reflect the
consideration of those factors of seriousness, recency,
frequency, motivation, etc., to common situations and types of
behavior encountered in personnel security adjudications, and
should be followed whenever an individual case can be measured
against this policy guidance. Common sense may occasionally
necessitate deviations from this policy guidance, but such
deviations should not be made frequently and must be carefully
explained and documented.
The "Disqualifying Factors" provided herein establish some of
the types of serious conduct under the criteria that can
justify a determination to deny or revoke an individual's
eligibility for access to classified information, or
appointment to, or retention in sensitive duties. The
"Mitigating Factors" establish some of the types of
circumstances that may mitigate the conduct listed under the
"Disqualifying Factors." Any determination must include a
consideration of both the conduct listed under "Disqualifying
Factors" and any circumstances listed under the appropriate or
corresponding "Mitigating Factors."
In all adjudications, the protection of the national security
shall be the paramount determinant. In the last analysis, a
final decision in each case must be arrived at by applying the
standard that the issuance of the clearance or assignment to
the sensitive position is "clearly consistent with the
interests of national security."
LOYALTY
Basis: Commission of any act of sabotage, espionage, treason,
terrorism, anarchy, sedition, or attempts thereat or
preparation therefor, or conspiring with or aiding or abetting
another to commit or attempt to commit any such act.
Establishing or continuing a sympathetic association with a
saboteur, spy, traitor, seditionist, anarchist, terrorist,
revolutionist, or with an espionage or other secret agent or
similar representative of a foreign nation whose interests may
be inimical to the interests of the United States, or with any
person who advocates the use of force or violence to overthrow
the Government of the United States or to alter the form of
Government of the United States by unconstitutional means.
Advocacy or use of force or violence to overthrow the
Government of the United States or to alter the form of
Government of the United States by unconstitutional means.
Knowing membership with the specific intent of furthering the
aims of, or adherence to and active participation in any
foreign or domestic organization, association, movement, group
or combination of persons (hereafter referred to as
organizations) that unlawfully advocates or practices the
commission of acts of force or violence to prevent others from
exercising their rights under the Constitution or laws of the
United States or of any State or which seeks to overthrow the
Government of the United States or any State or subdivision
thereof by unlawful means.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Furnishing a representative of a foreign government
information or data that could damage the national
security of the United States.
2. Membership in an organization that has been characterized
by the Department of Justice as one that meets the
criteria in the above cited "Basis."
3. Knowing participation in acts that involve force or
violence or threats of force or violence to prevent
others from exercising their rights under the
Constitution or to overthrow or alter the form of
government of the United States or of any State.
4. Monetary contributions, service, or other support of the
organization defined in "Basis," above, with the intent
of furthering the unlawful objectives of the
organization.
5. Participation, support, aid, comfort or sympathetic
association with persons, groups, organizations involved
in terrorist activities, threats, or acts.
6. Evidence of continuing sympathy with the unlawful aims
and objectives of such an organization, as defined in the
"Basis" above.
7. Holding a position of major doctrinal or managerial
influence in an organization as defined in the "Basis"
above.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Lack of knowledge or understanding of other unlawful aims
of the organization.
2. Affiliation or activity occurred during adolescent/young
adult years (17-25), more than 5 years has passed since
affiliation was severed, and affiliation was due to
immaturity.
3. Affiliation for less than a year out of curiosity or
academic interest.
4. Sympathy or support limited to the lawful objectives of
the organization.
FOREIGN PREFERENCE
Basis: Performing or attempting to perform one's duties,
acceptance and active maintenance of dual citizenship or other
acts conducted in a manner that serve or could be expected to
serve the interests of another government in preference to the
interests of the United States.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. The active maintenance of dual citizenship by one or more
of the following:
a. Possession of a passport issued by a foreign nation
and use of this passport to obtain legal entry into
any sovereign state in preference to use of a U.S.
passport.
b. Military service in the armed forces of a foreign
nation or the willingness to comply with an
obligation to so serve, or the willingness to bear
arms at any time in the future on behalf of the
foreign state.
c. Exercise or acceptance of rights, privileges or
benefits offered by the foreign state to its
citizens (e.g., voting in a foreign election;
receipt of honors or titles; financial compensation
due to employment/retirement, educational or medical
or other social welfare benefits), in preference to
those of the United States.
d. Travel to or residence in the foreign state for the
purpose of fulfilling citizenship requirements or
obligations.
e. Maintenance of dual citizenship to protect financial
interests, to include property ownership, or
employment or inheritance rights in the foreign
state.
f. Registration for military service or registration
with a foreign office, embassy or consulate to
obtain benefits.
2. Employment as an agent or other official representative
of a foreign government, or seeking or holding political
office in a foreign state.
3. Use of a U.S. Government position of trust or
responsibility to influence decisions to serve the
interests of another government in preference to those of
the United States.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Claim of dual citizenship is with a foreign country whose
interests are not inimical to those of the United States
and is based solely on applicant's or applicant's
parent(s) birth; the applicant has not actively
maintained citizenship in the past 10 years and indicates
he/she will not in the future act so as to pursue this
claim.
2. Military service while a U.S. citizen was in the armed
forces of a state whose interests are not inimical to
those of the United States and such service was
officially sanctioned by United States authorities.
3. Employment is as a consultant only and services provided
is of the type sanctioned by the United States
government.
SECURITY RESPONSIBILITY SAFEGUARDS
Basis: Disregard of public law, statutes, Executive orders or
regulations, including violation of security regulations or
practices, or unauthorized disclosure to any person of
classified information, or of other information, disclosure of
which is prohibited by statute, Executive order or regulation.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Deliberate or reckless disregard of security regulations,
public law, statutes or Executive orders that could have
resulted in the loss or compromise of classified
information.
2. Deliberate or reckless violations of security
regulations, including, but not limited to, taking
classified information home or carrying classified data
while in a travel status without proper authorization,
intentionally copying classified documents to obscure
classification markings, disseminating classified
information to cleared personnel who have no need to
know, or disclosing classified information, or other
information, disclosure of which is prohibited by
statute, Executive order or regulation, to persons who
are not cleared or authorized to receive it.
3. Pattern of negligent conduct in handling or storing
classified documents.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Violation of security procedures was directly caused or
significantly contributed to by an improper or inadequate
security briefing, provided the individual reasonably
relied on such briefing in good faith.
2. Individual is personally responsible for a large volume
of classified information, and the nature of the
violation was merely administrative.
3. Security violation was merely an isolated incident not
involving deliberate or reckless violation of security
policies, practices or procedures.
CRIMINAL CONDUCT
Basis: Criminal or dishonest conduct
When it is determined that an applicant for a security
clearance, or a person holding a clearance, has engaged in
conduct that would constitute a felony under the laws of the
United States, the clearance of such person shall be denied or
revoked unless it is determined that there are compelling
reasons to grant or continue such clearance. Compelling
reasons can only be shown by clear and convincing evidence of
the following:
1. The felonious conduct (l) did not involve an
exceptionally grave offense; (2) was an isolated
episode; and (3) the individual has demonstrated
trustworthiness and respect for the law over an
extended period since the offense occurred; or
2. The felonious conduct (1) did not involve an
exceptionally grave offense; (2) was an isolated
episode; (3) was due to the immaturity of the
individual at the time it occurred; and (4) the
individual has demonstrated maturity,
trustworthiness, and respect for the law since that
time; or
3. In cases where the individual has committed
felonious conduct but was not convicted of a felony,
there are extenuating circumstances that mitigate
the seriousness of the conduct such that it does not
reflect a lack of trustworthiness or respect for the
law.
The above criteria supersede all criteria previously used to
adjudicate criminal conduct involving commission of felonies
under the Laws of the United States. Involvement in criminal
activities that does not constitute a felony under the laws of
the United States shall be evaluated in accordance with the
criteria set forth below. (For purposes of this paragraph,
the term "felony" means any crime punishable by imprisonment
for more than a year. The term "exceptionally grave offense"
includes crimes against the Federal Government, its
instrumentalities, officers, employees or agents; or involves
dishonesty, fraud, bribery or false statement; or involves
breach of trust or fiduciary duty; or involves serious threat
to life or public safety.)
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Criminal conduct that involves the following:
a. Commission of a state felony;
b. Force, coercion, or intimidation;
c. Firearms, explosives, or other weapons;
d. Dishonesty or false statements, e.g., fraud, theft,
embezzlement, falsification of documents or
statements;
e. Obstruction or corruption of government functions;
f. Deprivation of civil rights; or
g. Violence against persons.
2. Criminal conduct punishable by confinement for one year
or more.
3. An established pattern of criminal conduct, whether or
not the individual was convicted.
4. Failure to complete a rehabilitation program resulting
from disposition of a criminal proceeding or violation of
probation, even if the violation did not result in formal
revocation of probation. Rehabilitation should not be
considered a success or failure while the individual is
still on parole/probation.
5. Criminal conduct that is so recent in time as to preclude
a determination that recurrence is unlikely.
6. Close and continuing association with persons known to
the individual to be involved in criminal activities.
7. Criminal conduct indicative of a serious mental
aberration, lack of remorse, or insufficient probability
of rehabilitative success (e.g., spouse or child abuse).
8. Disposition:
a. Conviction.
b. Disposition on a legal issue not going to the merits
of the crime.
c. Arrest or indictment pending trial when there is
evidence that the individual engaged in the criminal
conduct for which arrested or indicted.
9. Arrest record. In evaluating an arrest record,
information that indicates that the individual was
acquitted, that the charges were dropped or the subject
of a "stet" or "nolle prosequi," that the record was
expunged, or that the cause was dismissed due to error
not going to the merits, does not negate the security
significance of the underlying conduct. Personnel
security determinations are to be made on the basis of
all available information concerning a person's conduct
and actions rather than the legal outcome of a criminal
proceeding.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Immaturity attributable to the age of the individual at
the time of the offense;
2. Extenuating circumstances surrounding the offense;
3. Circumstances indicating that the actual offense was less
serious than the offense charged;
4. Isolated nature of the conduct;
5. Conduct occurring only in the distant past (such as more
than 5 years ago) in the absence of subsequent criminal
conduct; or
6. Transitory conditions directly or significantly
contributing to the conduct (such as divorce action,
death in family, severe provocation) in the absence of
subsequent criminal conduct.
MENTAL OR EMOTIONAL DISORDERS
Basis: Any behavior or illness, including any mental
condition, which, in the opinion of competent medical
authority, may cause a defect in judgment or reliability with
due regard to the transient or continuing effect of the
illness and the medical findings in such case.
Disqualifying Factors
The behavior or condition falls in one or more of the
following categories:
1. Diagnosis by competent medical authority (board certified
psychiatrist or clinical psychologist) that the
individual has an illness or mental condition that may
result in a significant defect in judgment or
reliability.
2. Conduct or personality traits that are bizarre or reflect
abnormal behavior or instability even though there has
been no history of mental illness or treatment, but that
nevertheless, in the opinion of competent medical
authority, may cause a defect in judgment or reliability.
3. A diagnosis by competent medical authority that the
individual suffers from mental or intellectual
incompetence or mental retardation to a degree
significant enough to establish or suggest that the
individual could not recognize, understand or comprehend
the necessity of security regulations, or procedures, or
that judgment or reliability is significantly impaired,
or that the individual could be influenced or swayed to
act contrary to the national security.
4. Diagnosis by competent medical authority that an illness
or condition that had affected judgment or reliability
may recur even though the individual currently manifests
no symptoms, or that symptoms are currently reduced or in
remission.
5. Failure to take prescribed medication or participate in
treatment (including follow-up treatment or aftercare),
or otherwise failing to follow medical advice relating to
treatment of the illness or mental condition.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Diagnosis by competent medical authority that an
individual's previous mental or emotional illness or
condition that did cause significant defect in judgment
or reliability is cured and has no probability of
recurrence, or that there is such a minimal probability
of recurrence as to reasonably estimate there will be
none.
2. The contributing factors or circumstances that caused the
bizarre conduct or traits, abnormal behavior, or defect
in judgment and reliability have been eliminated or
rectified; there is a corresponding alleviation of the
individual's condition and the contributing factors or
circumstances are not expected to recur.
3. Evidence of the individual's continued reliable use of
prescribed medication for a period of at least 2 years,
without recurrence and testimony by competent medical
authority that continued maintenance of prescribed
medication is medically practical and likely to preclude
recurrence of the illness or condition affecting judgment
or reliability.
4. There has been no evidence of a psychotic condition, a
serious or disabling neurotic disorder, or a serious
character or personality disorder for the past 10 years.
FOREIGN CONNECTIONS/VULNERABILITY TO BLACKMAIL OR COERCION
Basis: Vulnerability to coercion, influence, or pressure
that may cause conduct contrary to the national interest.
This may be (l) the presence of immediate family members or
other persons to whom the applicant is bonded by affection or
obligation in a nation (or areas under its domination) whose
interests may be inimical to the United States, or (2) any
other circumstances that could cause the applicant to be
vulnerable.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Indications that the individual now is being blackmailed,
pressured or coerced by any individual, group,
association, organization or government.
2. Indications that a vulnerable individual actually has
been targeted and/or approached for possible blackmail,
coercion or pressure by any individual, group,
association, organization, or government.
3. Indications that the individual has acted to increase the
vulnerability for future possible blackmail, coercion or
pressure by any individual, group, association,
organization or governments, especially by or in a
country designated hostile to the United States (see
Appendix F). Indicators include, but are not limited to
the following:
a. Failure to report to security officials any
evidence, indication or suspicion that mail to
relatives has been opened, unusually delayed or
tampered with in any way, or that telephone calls
have been monitored.
b. An increase in curiosity or official or
quasi-official inquiries about the individual to
relatives in the country where they reside
occasioned by the receipt of mail, packages,
telephone calls or visits from the individual.
c. Contact with, or visits by, officials to the
individual while visiting relatives in another
country, to learn more about the individual, or the
individual's employment or residence, etc.
d. Unreported attempts to obtain classified or other
sensitive information or data by representatives of
a foreign country.
4. Conduct or actions by the individual while visiting in a
country hostile to the United States that increase the
individual's vulnerability to be targeted for possible
blackmail, coercion, or pressure. These include, but are
not limited to the following:
a. Violation of any laws of the foreign country where
relatives reside during visits or through mailing
letters or packages (e.g., smuggling, currency
exchange violations, unauthorized mailings,
violations of postal regulations of the country, or
any criminal conduct, including traffic violations)
that may call the attention of officials to the
individual.
b. Frequent and regular visits, correspondence, or
telephone contact with relatives in the country
where they reside, increasing the likelihood of
official notice.
c. Failure to report to security officials those
inquiries by friends or relatives for more than a
normal level of curiosity concerning the
individual's employment, sensitive duties, military
service, or access to classified information.
d. Repeated telephone or written requests to the
foreign government officials for official favors,
permits, visas, travel permission, or similar
requests that increase the likelihood of official
notice.
e. Reckless conduct, open or public misbehavior or
commission of acts contrary to local customs or
laws, or that violate the mores of the foreign
country and increase the likelihood of official
notice.
f. Falsification of documents, lying to officials,
harassing or taunting officials or otherwise acting
to cause an increase in the likelihood of official
notice or to increase the individual's vulnerability
because personal freedom could be jeopardized.
g. Commission of any illicit sexual act, drug purchase
or use, drunkenness or similar conduct that
increases the likelihood of official notice, or that
increases the individual's vulnerability because
personal freedom could be jeopardized.
5. Conduct or actions by the individual that increase the
individual's vulnerability to possible coercion,
blackmail or pressure, regardless of the country in which
it occurred, including, but not limited to the following:
a. Concealment or attempts to conceal from an employer
prior unfavorable employment history, criminal
conduct, mental or emotional disorders or treatment,
drug or alcohol use, sexual preference, or sexual
misconduct described under that section below, or
fraudulent credentials or qualifications for
employment.
b. Concealment or attempts to conceal from immediate
family members, or close associates, supervisors or
coworkers, criminal conduct, mental or emotional
disorders or treatment, drug or alcohol abuse,
sexual preference, or sexual misconduct described
under that section below.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Receives no financial assistance from and provides no
financial assistance to persons or organizations in the
designated country.
2. Has been in the United States for at least 5 years since
becoming a U.S. citizen without significant contact with
persons or organizations from the designated country
(each year of active service in the United States
military may be counted).
3. Has close ties of affection to immediate family members
in the United States.
4. Has adapted to the lifestyle in the United States,
established substantive financial or other associations
with U.S. enterprises or community activities.
5. Prefers the way of life and form of the U.S. Government
over the other country.
6. Is willing to defend the United States against all
threats, including the designated country in question.
7. Has not divulged the degree of association with the U.S.
Government or access to classified information to
individuals in the designated country in question.
8. Has not been contacted or approached by anyone or any
organization from a designated country to provide
information or favors, or to otherwise act for a person
or organization in the designated country in question.
9. Has promptly reported to proper authorities all attempted
contacts, requests or threats from persons or
organizations from the designated country.
10. The individual is aware of the possible vulnerability to
attempts of blackmail or coercion and has taken positive
steps to reduce or eliminate such vulnerability.
FINANCIAL MATTERS
Basis: Excessive indebtedness, recurring financial
difficulties, or unexplained affluence.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. History of bad debts, garnishments, liens, repossessions,
unfavorable judgments, delinquent or uncollectible
accounts or debts written off by creditors as
uncollectible losses with little or no apparent or
voluntary effort by the individual to pay amounts owed.
2. Bankruptcy:
a. Due to financial irresponsibility, or
b. With continuing financial irresponsibility
thereafter.
3. Indebtedness aggravated or caused by gambling, alcohol,
drug abuse, or other factors indicating poor judgment or
financial irresponsibility.
4. A history or pattern of living beyond the person's
financial means or ability to pay, a lifestyle reflecting
irresponsible expenditures that exceed income or assets,
or a history or pattern of writing checks on closed
accounts or not covered by sufficient funds.
5. Indication of deceit or deception in obtaining credit or
bank accounts, misappropriation of funds, income tax
evasion, embezzlement, fraud, or attempts to evade lawful
creditors.
6. Indifference to or disregard of financial obligations or
indebtedness or intention not to meet or satisfy lawful
financial obligations or when present expenses exceed net
income.
7. Unexplained affluence or income derived from illegal
gambling, drug trafficking or other criminal or nefarious
means.
8. Significant unexplained increase in an individual's net
worth.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Schedule program or systematic efforts demonstrated over
a period of time (generally 1 year) to satisfy creditors,
to acknowledge debts and arrange for reduced payments,
entry into debt-consolidation program or seeking the
advice and assistance of financial counselors or court
supervised payment program.
2. Change to a more responsible lifestyle, reduction of
credit card accounts, and favorable change in financial
habits over a period of time (generally 1 year).
3. Stable employment record and favorable financial
references.
4. Unforeseen circumstances beyond the individual's control
(e.g., a major or catastrophic illness or surgery,
accidental loss of property or assets not covered by
insurance, decrease or cutoff of income, indebtedness
resulting from court judgments not due to the
individual's financial mismanagement), provided the
individual demonstrates efforts to respond to the
indebtedness in a reasonable and responsible fashion.
5. Indebtedness due to failure of legitimate business
efforts or business-related bankruptcy without evidence
of fault or financial irresponsibility on the part of the
individual, irresponsible mismanagement of an
individual's fund by another who had fiduciary control or
access to them without the individual's knowledge, or
loss of assets as a victim of fraud or deceit, provided
the individual demonstrates efforts to respond to the
indebtedness in a reasonable and responsible fashion.
6. Any significant increase in net worth was due to
legitimate business interests, inheritance or similar
legal explanation.
ALCOHOL ABUSE
Basis: Habitual or episodic use of intoxicants to excess.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Habitual or episodic consumption of alcohol to the point
of impairment or intoxication.
2. Alcohol-related incidents such as traffic violations,
fighting, child or spouse abuse, non-traffic violation or
other criminal incidents related to alcohol use.
3. Deterioration of the individual's health or physical or
mental condition owing to alcohol use or abuse.
4. Drinking on the job, reporting for work in an intoxicated
or "hungover" condition, tardiness or absences caused by
or related to alcohol abuse, and impairment or
intoxication occurring during, and immediately following,
luncheon breaks.
5. Refusal or failure to accept counseling or professional
help for alcohol abuse or alcoholism.
6. Refusal or failure to follow medical advice relating to
alcohol abuse treatment or to abstain from alcohol use
despite medical or professional advice.
7. Refusal or failure to significantly decrease consumption
of alcohol or to change lifestyle and habits that
contributed to past alcohol-related difficulties.
8. Indications of financial or other irresponsibility or
unreliability caused by alcohol abuse, or discussing
sensitive or classified information while drinking.
9. Failure to cooperate in or successfully complete a
prescribed regimen of an alcohol abuse rehabilitation
program.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Successfully completed an alcohol awareness program
following two or less alcohol-related incidents and has
significantly reduced alcohol consumption, and made
positive changes in lifestyle and improvement in job
reliability.
2. Successfully completed an alcohol rehabilitation program
after three or more alcohol-related incidents, has
significantly reduced or eliminated alcohol consumption
in accordance with medical or professional advice,
regularly attended Alcoholics Anonymous or similar
support organization for approximately 1 year after
rehabilitation, and abstained from the use of alcohol for
that period of time.
3. Whenever one of the situations listed below occurs, the
individual must have successfully completed an alcohol
rehabilitation or detoxification program and totally
abstained from alcohol for a period of approximately 2
years:
a. The individual has had one previously failed
rehabilitation program and subsequent alcohol abuse
or alcohol-related incidents.
b. The individual has been diagnosed by competent
medical or health authority as an alcoholic,
alcoholic dependent, or chronic abuser of alcohol.
4. Whenever the individual has had repeated unsuccessful
rehabilitation efforts and has continued drinking or has
been involved in additional alcohol-related incidents
then the individual must have successfully completed an
alcohol rehabilitation or detoxification program, totally
abstained from alcohol for a period of at least 3 years
and maintained regular and frequent participation in
meetings of Alcoholics Anonymous or similar
organizations.
5. If an individual's alcohol abuse surfaced solely as a
result of self- referral to an alcohol abuse program and
there have been no precipitating factors such as alcohol-
related arrests or incidents, action will not normally be
taken to suspend or revoke security clearance solely on
the self-referral for treatment.
DRUG ABUSE
Basis: Illegal or improper use, possession, transfer, sale or
addiction to any controlled or psychoactive substance,
including narcotics, such as cannabis, or any other dangerous
drug.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Abuse of cannabis only, not in combination with any other
substance.
a. Experimental abuse, defined as an average of once
every 2 months or less, but no more than six times
within the past 2 years.
b. Occasional abuse, defined as an average of not more
than once a month within the past 3 years.
c. Frequent abuse, defined as an average of not more
than once a week within the past 5 years.
d. Regular, compulsive, or habitual abuse, including
physical and/or psychological dependency defined as
an average of more than once a week within the past
15 years.
2. Abuse of any narcotic, psychoactive substance or
dangerous drug (including prescription drugs) either
alone or in combination with another or cannabis, as
follows:
a. Experimental abuse, defined as an average of once
every 2 months or less, but no more than 6 times
within the past 3 years.
b. Occasional abuse, defined as an average of not more
than once a month within the past 5 years.
c. Frequent abuse, defined as an average of not more
than once a week within the past 10 years.
d. Regular, compulsive, or habitual abuse, including
physical and/or psychological dependency defined as
an average of more than once a week within the past
15 years.
3. Involvement to any degree in the unauthorized
trafficking, cultivating, processing, manufacturing,
selling, or distributing of any narcotic, dangerous drug,
or cannabis, or assisting those involved in such acts
whether or not the individual was arrested for such
activity. (Note: There is no corresponding Mitigating
Factor for this Disqualifying Factor.)
4. Involvement with narcotics, dangerous drugs or cannabis
under the following conditions whether or not the
individual engages in personal use:
a. Possession.
b. Possession of a substantial amount, more than could
reasonably be expected for personal use.
c. Possession of drug paraphernalia for cultivating,
manufacturing or distributing (e.g., possession of
gram scales, smoking devices, needles for injecting
intravenously, empty capsules or other drug
production chemical paraphernalia).
d. Possession of personal drug paraphernalia (e.g.,
needles for injecting, smoking devices and
equipment, etc.).
5. Information that the individual intends to continue to
use (regardless of frequency) any narcotic, dangerous
drug or cannabis. (NOTE: There is no corresponding
Mitigating Factor for this Disqualifying Factor because
it is NASA policy that, as a general rule, if any
individual expresses or implies any intent to continue
use of any narcotic, dangerous drug, or other controlled
substance, including marijuana and hashish, without a
prescription, in any amount and regardless of frequency,
it is to be considered contrary to the national interest
and the interests of national security to grant or allow
retention of a security clearance for access to
classified information for that individual.)
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Abuse of cannabis only, as follows: (Use this to assess
Disqualifying Factor 1.)
a. Experimental abuse, which occurred more than 2 years
ago and the individual has demonstrated an intent
not to use cannabis or any other narcotic,
psychoactive substance, or dangerous drug in the
future.
b. Occasional abuse of cannabis, which occurred more
than 3 years ago, and the individual has
demonstrated an intent not to use cannabis or any
other narcotic, dangerous drug, or psychoactive
substance in the future.
c. Frequent abuse of cannabis occurred more than 5
years ago, and the individual has demonstrated an
intent not to use cannabis or any other narcotic,
dangerous drug, or psychoactive substance in the
future.
d. Regular compulsive, habitual use or physical or
psychological dependency on cannabis occurred more
than 15 years ago. The individual has demonstrated
an intent not to use cannabis or any other narcotic,
dangerous drug, or psychoactive substance in the
future and has demonstrated a stable lifestyle, with
no indication of physical or psychological
dependence.
2. For abuse other than cannabis alone. Use is considered
cumulative and each separate substance must not be
considered separately. (Use this to assess Disqualifying
Factor 2.)
a. Experimental abuse occurred more 3 years ago, the
individual has demonstrated an intent not to use any
drugs or cannabis in the future and has successfully
completed a drug rehabilitation program.
b. Occasional abuse occurred more than 5 years ago, the
individual has demonstrated an intent not to use any
drugs or cannabis in the future, has a stable
lifestyle and satisfactory employment record, and
has successfully completed a drug rehabilitation
program.
c. Frequent abuse occurred more than 10 years ago, the
individual has demonstrated an intent not to use any
drugs or cannabis in the future, has a stable
lifestyle, including satisfactory employment record
with no further indication of drug abuse, and has
successfully completed a drug rehabilitation
program.
d. Compulsive abuse occurred more than 15 years ago,
the individual has demonstrated an intent not to use
any drugs or cannabis in the future, has a stable
lifestyle, including satisfactory employment record
with no further indication of drug abuse, and has
successfully completed a drug rehabilitation
program.
3. Use this only to assess conduct under Disqualifying
Factor 4 in the corresponding subparagraphs.
a. No possession of drugs or other criminal activity in
the past 2 years.
b. The individual has not possessed drugs in the past 3
years, has had no other criminal activity in the
past 3 years and has demonstrated an intent not to
be involved in such activity in the future.
c. The individual has not possessed drug paraphernalia
used to process, manufacture or distribute for the
past 5 years, has had no other criminal activity in
the past 5 years and has demonstrated an intent not
to be involved in such activity in
the future.
d. The individual has not possessed drug paraphernalia
for personal use in the past 2 years, has had no
other criminal activity in the past 2 years and has
demonstrated an intent not to be involved in such
activity in the future.
4. For the purpose of this Handbook, Narcotic, Dangerous
Drug and Cannabis are defined as follows:
a. Narcotic. Opium and opium derivatives or synthetic
substitutes.
b. Dangerous Drug. Any of the non-narcotic drugs that
are habit forming or have a potential for abuse
because of their stimulant, depressant, or
hallucinogenic effect.
c. Cannabis. The intoxicating products of the hemp
plant, Cannabis Sativa, including but not limited to
marijuana, hashish, and hashish oil.
FALSIFICATION
Basis: Any knowing and willful falsification, cover-up,
concealment, misrepresentation, or omission of a material fact
from any written or oral statement, document, form, or other
representation or device used by NASA or any other Federal
agency.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Deliberate omission, concealment, falsification or
misrepresentation of relevant and material facts
including, but not limited to, information concerning
arrests, drug abuse or treatment, alcohol abuse or
treatment, treatment for mental or emotional disorders,
bankruptcy, military service information, organizational
affiliations, financial problems, employment, foreign
travel, or foreign connections from any Personnel
Security Questionnaire, Personal History Statement or
similar form used by any Federal agency to conduct
investigations, determine employment qualifications,
award benefits or status, determine security clearance or
access eligibility, or award fiduciary responsibilities.
2. Deliberately providing false or misleading information
concerning any of the relevant and material matters
listed above to an investigator, employer, supervisor,
security official or other official representative in
connection with application for security clearance or
access to classified information or assignment to
sensitive duties.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. The information was not relevant or material to reaching
a security clearance or access determination.
2. The falsification was an isolated incident in the distant
past (more than 5 years) and the individual subsequently
had accurately provided correct information voluntarily
during reapplication for clearance or access, and there
is no evidence of any other falsification
misrepresentation or dishonest conduct by the individual.
3. The behavior was not willful.
4. The falsification was done unknowingly or without the
individual's knowledge.
5. The individual made prompt, good-faith efforts to correct
the falsification before being confronted with the facts
of falsification.
6. Omission of material fact was caused by or significantly
contributed to by improper or inadequate advice of
authorized personnel, provided the individual reasonably
relied on such improper or inadequate advice in good
faith, and when the requirement subsequently was made
known to the individual, the previously omitted
information was promptly and fully provided.
REFUSAL TO ANSWER
Basis: Failing or refusing to answer or to authorize others
to answer questions or provide information required by a
Congressional committee, court or agency in the course of an
official inquiry whenever such answers or information concern
relevant and material matters pertinent to an evaluation of
the individual's trustworthiness, reliability, and judgment.
Disqualifying Factors
The behavior falls in one or more of the following categories:
1. Failure or refusal to provide full, frank and truthful
answers or to authorize others to do so, in connection
with any application for security clearance or access, to
include required nondisclosure and security termination
agreements.
2. Failure or refusal to provide appropriate investigative
forms, including release forms, for use by investigators
in obtaining information from medical institutions,
agencies or personal physicians, therapists,
psychologists, psychiatrists, counselors, rehabilitation
treatment, agencies or personnel; from police or criminal
agencies, probation agencies or officers, financial
institutions, employers, Federal or State agencies,
professional associations, or any other organizations as
required as part of an investigation for security
clearance, access, appointment, or assignment to
sensitive duties.
3. Failure or refusal to authorize others to provide
relevant and material information necessary to reach a
security clearance determination.
4. Failure or refusal to answer questions or provide
information required by a Congressional committee, court,
or agency when such answers or information concern
relevant and material matters pertinent to evaluating the
individual's trustworthiness, reliability and judgment.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. The individual was unable to provide the information
despite good faith and reasonable efforts to do so.
2. The individual was unaware of the necessity to provide
the information requested or of the possible consequences
of such refusal or failure to provide the information
and, upon being made aware of this requirement, fully,
frankly, and truthfully provided the requested
information.
3. The individual sought and relied in good faith on
information and advice from legal counsel or other
officials that the individual was not required to provide
the information requested and, upon being made aware of
the requirement, fully, frankly, and truthfully provided
the requested information.
SEXUAL MISCONDUCT
Basis: Acts of sexual misconduct or perversion indicative of
moral turpitude, poor judgment, or lack of regard for the laws
of society.
Disqualifying Factors
1. Behavior falls in one or more of the following
categories;
a. Acts performed or committed in open or public
places;
b. Acts performed with a minor or with animals;
c. Acts involving inducement, coercion, force,
violence, or intimidation of another person;
d. Prostitution, pandering, or the commission of sexual
acts for money or other remuneration or reward;
e. Sexual harassment;
f. Self-mutilation, self-punishment, or degradation;
g. Conduct that involves spouse swapping or group sex
orgies;
h. Adultery that is recent, frequent, and likely to
continue and has an adverse effect on good order or
discipline within the workplace (e.g.,
officer/enlisted, supervisor/subordinate,
instructor/student);
i. Conduct determined to be criminal in the locale in
which it occurred;
j. Deviant or perverted sexual behavior that may
indicate a mental or personality disorder (e.g.,
transsexualism, transvestism, exhibitionism, incest,
child molestation, voyeurism, bestiality, or
sodomy).
2. The conduct has been recent.
3. The conduct increases the individual's vulnerability to
blackmail, coercion, or pressure.
4. Evidence that the applicant has intention or is likely to
repeat the conduct in question.
Mitigating Factors
The following circumstances may mitigate disqualifying
information:
1. Sexual misconduct occurred on an isolated basis during or
preceding adolescence with no evidence of subsequent
conduct of a similar nature, and clear indication that
the individual has no intention of participating in such
conduct in the future.
2. Sexual misconduct was isolated, occurred more than 3
years ago, and there is clear indication that the
individual has no intention of participating in such
conduct in the future.
3. The individual was a minor or was the victim of force or
violence by another.
4. The individual has successfully completed professional
therapy, has been rehabilitated, and diagnosed by
competent medical authority that misconduct is not likely
to recur.
5. Demonstration that the individual's sexual misconduct can
no longer form the basis for vulnerability to blackmail,
coercion, or pressure.
APPENDIX D: PERSONNEL SECURITY CASE PROCESSING PROCEDURES
1. PROCESSING OF NASA NATIONAL AGENCY CHECKS (NAC) FOR
UNESCORTED ACCESS BY NONCIVIL SERVANTS
There are four types of individuals who may require
unescorted access to NASA Installations. The following
procedures will identify each type and explain
appropriate NASA NAC processing.
a. Foreign National Residing Outside of the United
States
(1) Submit inquiry to FBI Name Check electronically,
by utilizing the Name Check Request System
(NCRS). (Search of FBI subversive records.) A
fee will be charged.
(2) Submit 2 NASA Name Check Request Forms (NF-531)
to the CIA. (Search of CIA security and
subversive records.)
(3) Submit 1 NF-531 to the Department of State.
(Search of Department of State security
records.)
(4) Submit a Visa Letter to the Department of State.
(Search of visa eligibility records.)*
b. Foreign National Residing in the United States
(1) Submit inquiry to FBI Name Check by utilizing
the NCRS.
(2) Submit Fingerprint Card (FD-258) via mail to the
FBI Identification Division (FBI Ident).
(Search of FBI criminal records.) FBI Ident
will only accept FB-258's for processing. Do
not submit NF-531's. A fee will be charged.
(3) Submit OFI Form 79 - Notice of Personnel
Investigation (OFI-79) to OPM - FIPC (Search of
OPM investigative records).
(4) Submit 2 NF-531 to the CIA.
(5) Submit 1 NF-531 to the Department of State.
(6) Submit 1 NF-531 to the Defense Investigative
Service (DIS) - Defense Central Index of
Investigations (DCII) (Search of DIS/DCII
investigative records).
(7) Submit inquiry to the Immigration and
Naturalization Service (INS) electronically by
utilizing on-line terminal access software
(Search of INS naturalization and alien
registration records). A fee will be charged.
* Do not submit visa letters to the Department of
State on foreign nationals residing in the U.S.
c. U.S. citizen residing in the U.S.
(1) Submit inquiry to FBI Name Check by utilizing
the NCRS. A fee will be charged.
(2) Submit FD-258 to FBI Ident. A fee will be
charged.
(3) Submit OFI-79 to OPM-FIPC.
(4) Submit 1 NF-531 to DIS/DCII.
d. U.S. citizen residing outside of the U.S.
(1) Submit inquiry to FBI Name Check by utilizing
the NCRS. A fee will be charged.
(2) Submit FD-258 to FBI Ident. A fee will be
charged.
(3) Submit OFI-79 to OPM-FIPC.
(4) Submit 2 NF-531's to CIA.
(5) Submit 1 NF-531 to the Department of State.
(6) Submit 1 NF-531 to DIS/DCII.
Credit searches may be utilized when there is a
clear indication that an employee/applicant's
position includes fiduciary responsibilities; or
when issues develop during the course of a personnel
security investigation involving financial
irresponsibility. Credit searches will be initiated
by utilizing on-line terminal access supplied by the
Credit Bureau Incorporated (CBI).
2. UNIFORM PERSONNEL SECURITY FILE SYSTEM
The following NASA Forms will be designated as the first
two or three pages of all civil servant personnel
security file folders in the order presented below.
a. NASA Form 397 - Investigation Review Sheet
(1) Date and type of clearance granted, if any.
(2) Date and type of investigation(s) completed.
(3) Any pertinent information relating to personnel
security actions, such as administrative
withdrawals, clearance revalidations, or
security adjudications.
b. NASA Form 346 - Notification of Completion of
Investigation Under EO 10450 and/or Certificate of
Clearance
(1) Full name of employee.
(2) Date and place of birth of employee.
(3) Position title of employee.
(4) Position sensitivity level designation of
employee.
(5) NASA Installation.
(6) Date and type of investigation(s) completed.
(7) Name of agency that conducted the investigation.
(8) Date and type of clearance granted, if any.
(9) Typed name and signature of security
representative who processed the NASA Form 346.
c. NASA Form 1630 - Request for Access to Classified
National Security Information. NASA Form 1630 will
be utilized for civil servant personnel security
file folders that indicate a requirement for access
to classified national security information.*
(1) Name and address of requesting official.
(2) Employee's full name and social security number.
(3) Date of application.
(4) Position title of employee.
(5) Employee's mail code.
(6) Type of clearance applied for.
(7) Bona fide justification for access to classified
national security information.
(8) Name, title, signature, and date of applicants
first and second level supervisors.
(9) Date and initials of approving security
office representative.
(a) Generating a new 1630.
(b) Recertifying the original 1630 with
initials and dates from supervisors and
certifying officials.
(c) Utilizing a recertification roster.
* NASA Form 1630's will be recertified on an
annual basis for access review/security
clearance revalidation.
3. PERSONNEL SECURITY FILE REVIEW
All personnel security files that are released for review
to authorized Federal officials will contain a NASA Form
1536 (Privacy Act Disclosure Authorization and Accounting
Record). NASA Form 1536 will be utilized to adequately
document information identifying the nature of the
record, purpose of disclosure, agency, and requestor.
4. AUTHORITY FOR RELEASE OF INFORMATION
NASA Form 1635, Authority for Release of Information,
will be utilized when release authorization is required
in order for NASA investigators to obtain certain
appropriate investigatory material.
APPENDIX E: NASA INFORMATION SECURITY PROGRAM
14 CFR Part 1203
Information Security Program
PART 1203 - INFORMATION SECURITY PROGRAM
Subpart A - Scope
Sec.
1203.100 Legal basis.
1203.101 Other applicable NASA regulations.
Subpart B - NASA Information Security Program
1203.200 Background and discussion.
1203.201 Information security objectives.
1203.202 Responsibilities.
1203.203 Degree of protection.
Subpart C - Classification Principles and Considerations
1203.300 General.
1203.301 Identification of information requiring protection.
1203.302 Combination, interrelation or compilation.
1203.303 Dissemination considerations.
1203.304 Internal effect.
1203.305 Restricted Data.
Subpart D - Guides for Original Classification
Sec.
1203.400 Specific classifying guidance.
1203.401 Effect of open publication.
1203.402 Classifying material other than documentation.
1203.403 State-of-the-art and intelligence.
1203.404 Handling of unprocessed data.
1203.405 Proprietary information.
1203.406 Additional classification factors.
1203.407 Duration of classification.
1203.408 Assistance by Installation security classification
officers.
1203.409 Exceptional cases.
1203.410 Limitations.
1203.411 Restrictions.
1203.412 Classification guides.
Subpart E - Derivative Classification
1203.500 Use of derivative classification.
1203.501 Applying derivative classification markings.
Subpart F - Declassification and Downgrading
Sec.
1203.600 Policy.
1203.601 Responsibilities.
1203.602 Authorization.
1203.603 Systematic review for declassification.
1203.604 Mandatory review for declassification.
Subpart G - Foreign Government Information
1203.700 Identification.
1203.701 Classification.
1203.702 Duration of classification.
1203.703 Declassification.
AUTHORITY: 42 U.S.C. 2457 et seq. and E.O. 12356.
Subpart A - Scope.
Section 1203.100 Legal basis.
a. Executive Order 12356 (hereinafter referred to
as "the Order"). The responsibilities and
authority of the Administrator of NASA with
respect to the original classification of
official information or material requiring
protection against unauthorized disclosure in
the interest of national defense or foreign
relations of the United States (hereafter
collectively termed "national security"), and
the standards for such classification are
established by the "the Order" (47 FR 14874) and
the Information Security Oversight Office
Directive No. 1, June 25, 1982;
b. EO 10865. Executive Order 10865 (24 FR 1583)
requires the Administrator to prescribe by
regulation such specific requirements,
restrictions, and other safeguards as the
Administrator may consider necessary to protect:
(l) Releases of classified information to or
within United States industry that relate
to contracts with NASA; and
(2) Other releases of classified information to
industry that NASA has responsibility for
safeguarding.
c. The National Aeronautics and Space Act.
(l) Section 304(a) of the National Aeronautics
and Space Act of 1958, as amended (42
U.S.C. 2451 et seq.), states the following
in part: "The Administrator shall
establish such security requirements,
restrictions, and safeguards as he deems
necessary in the interest of the national
security."
(2) Section 303 of the Act states the
following: "Information obtained or
developed by the Administrator in the
performance of his functions under this Act
shall be made available for public
inspection, except (i) information
authorized or required by Federal Statute
to be withheld; and (ii) information
classified to protect the national
security: Provided that nothing in this
Act shall authorize the withholding of
information by the Administrator for the
duly authorized committees of the
Congress."
Section 1203.101 Other applicable NASA regulations.
a. Subpart I of this Part, (14 CFR) "NASA Security
Management Working Group."
b. NMI 1600.2, "NASA Security Program."
Subpart B-NASA Information Security Program
Section 1203.200 Background and discussion.
a. In establishing a civilian space program, the
Congress required NASA to "provide for the
widest practicable and appropriate dissemination
of information concerning its activities and the
results thereof," and for the withholding from
public inspection of that information that is
classified to protect the national security.
b. In recognition of the essential requirement for
an informed public concerning the activities of
its Government, as well as the need to protect
certain national security information from
unauthorized disclosure, "the Order" was
promulgated. It designates to the National
Aeronautics and Space Administration certain
responsibility for matters pertaining to
national security and confers on the
Administrator of NASA, or such responsible
officers or employees as the Administrator may
designate, the authority for original
classification of official information or
material that requires protection in the
interest of national security. It also provides
for the following:
(l) Basic classification, downgrading, and
declassification guidelines;
(2) The issuance of directives prescribing the
procedures to be followed in safeguarding
classified information or material;
(3) A monitoring system to ensure the
effectiveness of the Order;
(4) Appropriate administrative sanctions
against officers and employees of the
United States Government who are found to
be in violation of the Order or
implementing directive; and
(5) Classification limitations and restrictions
as discussed in Section 1203.410 and
Section 1203.411.
c. "The Order" requires the timely identification
and protection of that NASA information the
disclosure of which would be contrary to the
best interest of national security.
Accordingly, the determination in each case must
be based on a judgment on whether disclosure of
information could reasonably be expected to
result in damage to the national security.
Section 1203.201 Information security objectives.
The following are objectives of the NASA Information
Security Program:
a. Ensure that information is classified only when
a sound basis exists for such classification and
only for such period as is necessary.
b. Prevent both the unwarranted classification and
the overclassification of NASA information.
c. Ensure the greatest practicable uniformity
within NASA in the classification of
information.
d. Ensure effective coordination and reasonable
uniformity with other Government departments and
agencies, particularly in areas where there is
an interchange of information, techniques or
hardware.
e. Provide a timely and effective means for
downgrading or declassifying information when
the circumstances necessitating the original
classification change or no longer exist.
Section 1203.202 Responsibilities.
a. The Chairperson, NASA Security Management
Working Group (Subpart I of this Part), is
responsible for:
(1) Directing the NASA Information Security
Program in accordance with NASA policies
and objectives and applicable laws and
regulations.
(2) Ensuring effective compliance with and
implementation of "the Order" and the
Information Security Oversight Office
Directive No. 1 relating to security
classification matters.
(3) Reviewing, in consultation with the NASA
Security Management Working Group
questions, suggestions, appeals and
compliance concerning the NASA Information
Security Program and making determinations
concerning them.
(4) Coordinating NASA security classification
matters with Program Office Security
Officials, NASA Installations, the
Department of Defense (DOD), the Department
of Energy (DOE) and other Government
agencies as appropriate.
(5) Reviewing Security Classification Guides
for NASA programs and projects.
(6) Developing, maintaining and recommending to
the Administrator guidelines for the
systematic review covering 30-year-old
classified information under NASA's
jurisdiction.
(7) Reviewing and coordinating with appropriate
offices all appeals of denials of requests
for records under Sections 552 and 552a of
Title 5, United States Code (Freedom of
Information and Privacy Acts) when the
denials are based on the records' continued
classification.
(8) Recommending to the Administrator
appropriate administrative action to
correct abuse or violations of any
provision of the NASA Information Security
Program, including notifications by warning
letter, formal reprimand and to the extent
permitted by law, suspension without pay
and removal.
b. All NASA employees are responsible for bringing
to the attention of the Chairperson of the NASA
Security Management Working Group any
information security problems in need of
resolution, any areas of interest wherein
information security guidance is lacking, and
any other matters likely to impede achievement
of the objectives prescribed herein.
c. Each NASA official to whom the authority for
original classification is delegated shall be
accountable for the propriety of each
classification (see Subpart H) and is
responsible for:
(l) Ensuring that classification determinations
are consistent with the policy and
objectives prescribed above, and other
applicable guidelines.
(2) Bringing to the attention of the
Chairperson, NASA Security Management
Working Group, for resolution, any
disagreement with classification
determinations made by other NASA
officials.
(3) Ensuring that information and material that
no longer require the present level of
protection are promptly downgraded or
declassified in accordance with applicable
guidelines.
d. Other Officials-in-Charge of Headquarters
Offices are responsible for the following:
(1) Approving Security Classification Guides
for those programs they are responsible
for. These guides should be coordinated
with the NASA Security Office.
(2) Ensuring that classified information or
material prepared within their respective
offices is appropriately marked.
(3) Ensuring that material proposed for public
release is reviewed to eliminate classified
information.
e. Directors of Field Installations are responsible
for the following:
(1) Developing proposed Security Classification
Guides. Proposed guides must be forwarded
to their Program Office Security Official
for coordination and necessary approval.
(2) Ensuring that classified information or
material prepared in their respective
installations is marked appropriately.
(3) Ensuring that material proposed for public
release is reviewed to eliminate classified
information.
f. The Chief, NASA Security Office, NASA
Headquarters, who serves as the Chairperson of
the NASA Security Management Working Group, is
responsible for the NASA-wide coordination of
security classification matters.
g. The Chief, NASA Security Office, is responsible
for establishing procedures for the safeguarding
of classified information or material (e.g.,
accountability, control, access, storage,
transmission, and marking) and for ensuring that
such procedures are systematically reviewed; and
those that are duplicative or unnecessary are
eliminated.
Section 1203.203 Degree of Protection.
a. General. Upon determination that information or
material must be classified, the degree of
protection commensurate with the sensitivity of
the information must be determined. If there is
reasonable doubt about the need to classify
information, it shall be safeguarded as if it
were classified pending a determination by an
original classification authority, who shall
make this determination within 30 days. If
there is reasonable doubt about the appropriate
level of classification, it shall be safeguarded
at the higher level of classification pending a
determination by an original classification
authority, who shall make this determination
within 30 days.
b. Authorized Categories of Classification. The 3
categories of classification, as authorized and
defined in "the Order," are set out below. No
other restrictive markings are authorized to be
placed on NASA classified documents or materials
except as expressly provided by statute or by
NASA Directives.
(1) Top Secret. Top Secret is the designation
applied to information or material the
unauthorized disclosure of which could
reasonably be expected to cause
exceptionally grave damage to the national
security. Examples of exceptionally grave
damage include armed hostilities against
the United States or its allies; disruption
of foreign relations vitally affecting the
national security; the compromise of vital
national defense plans or complex
cryptologic and communications intelligence
systems; the revelation of sensitive
intelligence operations; and the disclosure
of scientific or technological developments
vital to national security.
(2) Secret. Secret is the designation applied
to information or material the unauthorized
disclosure of which could reasonably be
expected to cause serious damage to the
national security. Examples of serious
damage include disruption of foreign
relations significantly affecting the
national security; significant impairment
of a program or policy directly related to
the national security; revelation of
significant military plans or intelligence
operations; and compromise of significant
scientific or technological developments
relating to national security.
(3) Confidential. Confidential is the
designation applied to that information or
material for which the unauthorized
disclosure could reasonably be expected to
cause damage to the national security.
Subpart C - Classification Principles and Considerations
Section 1203.300 General.
In general, the types of NASA-generated information
and material requiring protection in the interest of
national security lie in the areas of applied
research, technology, or operations.
Section 1203.301 Identification of information requiring
protection.
Classifiers shall identify the level of
classification of each classified portion of a
document (including subject and titles), and those
portions that are not classified.
Section 1203.302 Combination, interrelation or compilation.
An interrelationship of individual items, classified
or unclassified, may result in a combined item
requiring a higher classification than that of any
of the individual items. Compilations of
unclassified information are considered unclassified
unless some additional significant factor is added
in the process of compilation. For example: (a)
the way unclassified information is compiled may be
classified; (b) the fact that the information is
complete for its intended purpose may be classified;
or (c) the fact the compilation represents an
official evaluation may be classified. In these
cases, the compilations would be classified.
Section 1203.303 Dissemination considerations.
The degree of intended dissemination, use of the
information and whether the end purpose to be served
renders effective security control impractical are
considerations during the classification process.
These factors do not necessarily preclude
classification, but must be considered in order not
to impose security controls that are impractical to
enforce.
Section 1203.304 Internal effect.
The effect of security protection on program
progress and cost and on other functional activities
of NASA should be considered. Impedances and added
costs inherent in a security classification must be
assessed in light of the detrimental effects on the
national security interests that would result from
failure to classify.
Section 1203.305 Restricted Data.
Restricted Data or Formerly Restricted Data is so
classified when originated, as required by the
Atomic Energy Act of 1954, as amended. Specific
guidance for the classification of Restricted Data
is provided in "Classification Guides" published by
the Department of Energy.
Subpart D - Guides for Original Classification
Section 1203.400 Specific classifying guidance.
Technological and operational information and
material, and in some exceptional cases scientific
information falling within any one or more of the
following categories, must be classified if its
unauthorized disclosure could reasonably be expected
to cause damage to the national security. In cases
where it is believed that a contrary course of
action would better serve the national interests,
the matter should be referred to the Chairperson,
NASA Security Management Working Group, for a
determination. The following list is not intended to
be exclusive. Original classifiers are responsible
for initially classifying other types of information
not included in the following list which, in their
judgment, requires protection under "the Order."
a. Information that provides the United States, in
comparison with other nations, with a
significant scientific, engineering, technical,
operational, intelligence, strategic, tactical,
or economic advantage related to national
security.
b. Information that, if disclosed, would
significantly diminish the technological lead of
the United States in any military system,
subsystem or component, and would result in
damage to such a system, subsystem, or component.
c. Scientific or technological information in an
area where an advanced military application that
would in itself be classified is foreseen during
exploratory development.
d. Information that, if known, would:
(1) Provide a foreign nation with an
insight into the defense application
or the war or defense plans or posture
of the United States;
(2) Allow a foreign nation to develop, improve,
or refine a similar item of defense
application.
(3) Provide a foreign nation with a base upon
which to develop effective countermeasures.
(4) Weaken or nullify the effectiveness of a
defense or military plan, operation,
project, weapon system, or activity vital
to the national security.
e. Information or material that is important to the
national security of the United States in
relation to other nations when there is sound
reason to believe that those nations are unaware
that the United States has or is capable of
obtaining the information or material, i.e.,
through intelligence activities, sources, or
methods.
f. Information that if disclosed could be exploited
in a manner prejudicial to the national security
posture of the United States by discrediting its
technological power, capability, or intentions.
g. Information revealing an unusually significant
scientific or technological "breakthrough" that
is probably unknown to or not within the
state-of-the-art capability of other nations.
If the "breakthrough" supplies the United States
with an important advantage of a technological
nature, classification also would be appropriate
if the potential application of the information,
although not specifically visualized, would
afford the United States a significant national
security advantage in terms of technological
lead time or an economic advantage relating to
national security.
h. Information of such a nature that an unfriendly
government in possession of it would be expected
to use it for purposes prejudicial to U.S.
national security and which, if classified,
could not be obtained by an unfriendly power
without a considerable expenditure of resources.
i. Information that, if disclosed to a foreign
government, would enhance its military research
and development programs to the detriment of
U.S. counterpart or competitive programs.
j. Operational information pertaining to the
command and control of space vehicles, the
possession of which would facilitate malicious
interference with any U.S. space mission that
might result in damage to the national security.
k. Information that, if disclosed, could jeopardize
the foreign relations or activities of the
United States; for example, the premature or
unauthorized release of information relating to
the subject matter of international
negotiations, foreign government information or
information regarding the placement or
withdrawal of NASA tracking stations on foreign
territory.
l. United States Government programs for
safeguarding nuclear materials or facilities.
m. Other categories of information that are related
to national security and that require protection
against unauthorized disclosure as may be
determined by the Administrator. The
Chairperson, NASA Security Management Working
Group, will promptly inform the Director,
Information Security Oversight Office, General
Services Administration (GSA) of such
determinations.
Section 1203.401 Effect of open publication.
Regardless of its source or form, public disclosure
of information currently classified or being
considered for classification does not preclude
initial or continued classification. However, such
disclosure requires an immediate reevaluation to
determine whether the information has been
compromised to the extent that downgrading or
declassification is indicated. Similar
consideration must be given to related items of
information in all programs, projects, or items
incorporating or pertaining to the compromised items
of information. In these cases, if a release were
made or authorized by an official Government source,
classification of clearly identified items may no
longer be warranted. Questions concerning the
propriety of continued classification should be
referred to the Chairperson, NASA Security
Management Working Group.
Section 1203.402 Classifying material other than
documentation.
Items of equipment or other physical objects may be
classified only where classified information may be
derived by visual observation of internal or
external appearance, structure, operation, test,
application, or use. The overall classification
assigned to equipment or objects shall be at least
as high as the highest classification of any of the
items of information that may be revealed by the
equipment or objects, but may be higher if the
classifying authority determines that the sum of
classified or unclassified information warrants such
higher classification. In every instance where
classification of an item of equipment or object is
determined to be warranted, such determination must
be based on a finding that there is at least one
aspect of the item or object that requires
protection. If mere knowledge of the existence of
the equipment or object would compromise or nullify
the reason or justification for its classification,
the fact of its existence should be classified.
Section 1203.403 State-of-the-art and intelligence.
A logical approach to classification requires
consideration of the extent to which the same or
similar information available from intelligence
sources is known or is available to others. It is
also important to consider whether it is known
publicly, either domestically or internationally,
that the United States has the information or even
is interested in the subject matter. The known
state-of-the-art in other nations is an additional
substantive factor requiring consideration.
Section 1203.404 Handling of unprocessed data.
It is the usual practice to withhold the release of
raw scientific data received from spacecraft until
it can be calibrated, correlated and interpreted
properly by the experimenter under the monitorship
of the cognizant NASA office. During this process,
the data are withheld through administrative
measures, and it is not necessary to resort to
security classification to prevent premature
release. However, if at any time during the
processing of raw data it becomes apparent that the
results require protection under the criteria set
forth in this Subpart D, it is the responsibility of
the cognizant NASA office to obtain the appropriate
security classification.
Section 1203.405 Proprietary information.
Proprietary information made available to NASA is
subject to examination for classification purposes
under the criteria set forth in this Subpart D.
Where the information is in the form of a proposal
and accepted by NASA for support, it should be
categorized in accordance with the criteria of
Section 1203.400. If NASA does not support the
proposal but believes that security classification
would be appropriate under the criteria of Section
1203.400 if it were under Government jurisdiction,
the contractor should be advised of the reasons why
safeguarding would be appropriate, unless security
considerations preclude release of the explanation
to the contractor. NASA should identify the
Government department, agency or activity whose
national security interests might be involved and
the contractor should be instructed to protect the
proposal as though classified, pending further
advisory classification opinion by the Government
activity whose interests are involved. If such a
Government activity cannot be identified, the
contractor should be advised that the proposal is
not under NASA jurisdiction for classification
purposes, and that the information should be sent,
under proper safeguards, to the Director,
Information Security Oversight Office, 750 17th
Street, N.W., Suite 530, Washington, DC 20006, for a
determination.
Section 1203.406 Additional classification factors.
In determining the appropriate classification
category, the following additional factors should be
considered:
a. Uniformity Within Government Activities. The
effect classification will have on technological
programs of other Government departments and
agencies should be considered. Classification
of official information must be reasonably
uniform within the Government.
b. Applicability of Classification Directives of
Other Government Agencies. It is necessary to
determine whether authoritative classification
guidance exists elsewhere for the information
under consideration, which would make it
necessary to assign a higher classification than
that indicated by the applicable NASA guidance.
Generally, the classification by NASA should not
be higher than that of equivalent information in
other departments or agencies of the Government.
Section 1203.407 Duration of classification.
a. Information shall be classified as long as
required by national security considerations.
When it can be determined, a specific date or
event for declassification shall be set by the
original classification authority at the time
the information is originally classified.
b. Information classified under predecessor orders
and marked for declassification review shall
remain classified until reviewed for
declassification under the provisions of the
"the Order."
Section 1203.408 Assistance by Installation security
classification officers.
Installation Chief of Security (ICS), as the
installation point-of-contact, will assist
installation personnel in:
a. Interpreting security classification guides and
classification assignments for the installation.
b. Answering questions and considering suggestions
concerning security classification matters.
c. Ensuring a continuing review of classified
information for the purpose of declassifying or
downgrading in accordance with Subpart E of this
part.
d. Reviewing and approving, as the representative
of the contracting officer, the DD Form 254,
Contract Security Classification Specification,
issued to contractors by the installation.
Section 1203.409 Exceptional cases.
a. In those cases where a person not authorized to
classify information originates or develops
information that is believed to require
classification, that person should safeguard the
material as though it were classified until it
has been evaluated and a decision made by an
appropriate classifying authority. For NASA
employees the classifying authority is normally
the Headquarters Program Office Security
Official. Persons other than NASA employees
should forward, under appropriate safeguards,
material in which NASA has primary interest to
the NASA Security Management Working Group, Code
JIS, Washington, DC 20546 for a classification
determination.
b. Information in which NASA does not have primary
interest shall be returned promptly, under
appropriate safeguards, to the sender in
accordance with Section 1203.405.
c. Material received from another agency for a NASA
security classification determination shall be
processed within 30 days. If a classification
cannot be determined during that period, the
material shall be sent, under appropriate
safeguards, to the Director, Information
Security Oversight Office, GSA, for a
determination.
Section 1203.410 Limitations.
a. Classification may not be used to conceal
violations of law, inefficiency of
administrative error; to prevent embarrassment
to a person, organization or agency; or to
restrain competition.
b. Basic scientific research information not
clearly related the national security may not be
classified.
c. A product of non-Government research and
development that does not incorporate or reveal
classified information to which the producer or
developer was given prior access may not be
classified under this Part 1203 until and unless
the Government acquires a proprietary interest
in the product. This Part 1203 does not affect
the provisions of the Patent Secrecy Act of 1952
(35 U.S.C. 181-188).
d. References to classified documents that do not
disclose classified information may not be
classified or used as a basis for
classification.
e. Classification may not be used to limit
dissemination of information that is not
classifiable under the provisions of this Part
1203 or to prevent or delay the public release
of such information.
f. Information may be classified or reclassified
after receipt of a request for it under the
Freedom of Information Act (5 U.S.C. 552) or the
Privacy Act of 1974 (5 U.S.C. 552a), or the
mandatory review provisions of "the Order" if
such classification meets the requirements of
"the Order" and is accomplished personally on a
document-by-document basis by an official with
original Top Secret classification authority.
g. The Administrator, the Chairperson, NASA
Security Management Working Group, or an
official with original Top Secret classification
authority may reclassify information previously
declassified and disclosed if it is determined
in writing that (1) The information requires
protection in the interest of national security;
and (2) the information may reasonably be
recovered. These reclassification actions shall
be reported promptly to the Director of the
Information Security Oversight Office, GSA.
Section 1203.411 Restrictions.
a. Except as provided by directives issued by the
President through the National Security Council,
classified information originating in one agency
may not be disseminated outside any other agency
to which it has been made available without the
consent of the originating agency. For purposes
of this section, the DoD shall be considered one
agency.
b. Classified information shall not be disseminated
outside the Executive Branch except under
conditions that ensure the information will be
given protection equivalent to that afforded
within the Executive Branch.
Section 1203.412 Classification guides.
a. General. A classification guide, based upon
classification determinations made by
appropriate program and classification
authorities, shall be issued for each classified
system, program, or project. Classification
guides shall:
(1) Identify the information elements to be
protected, using categorization and
subcategorization to the extent necessary
to ensure that the information involved can
be readily and uniformly identified.
(2) State which of the classification
designations (i.e., Top Secret, Secret, or
Confidential) apply to the identified
information elements.
(3) State the duration of each specified
classification in terms of a period of time
or future event. Whenever a specific time
or future event for declassification cannot
be predetermined, the following notation
will be used: DECLASSIFY ON: Originating
Agency's Determination Required or "OADR."
(4) Indicate specifically that the
designations, time limits, markings and
other requirements of "the Order" are to be
applied to information classification
pursuant to the guide.
(5) Be approved personally and in writing by an
official who is authorized to classify
information originally at the highest level
of classification prescribed in the guide.
The identity of the official will be shown
on the guide. Such approval constitutes an
original classification decision.
Normally, all guides will be approved by
the Chairperson, NASA Security Management
Working Group, whose office will maintain a
list of all classification guides in
current use.
c. Review of Classification Guides. Classification
guides shall be reviewed by the originator for
currency and accuracy not less than once every
two years. Changes shall be in strict
conformance with the provisions of this Part
1203 and shall be issued promptly. If no
changes are made, the originator shall so
annotate the record copy and show the date of
the review.
Subpart E - Derivative Classification
Section 1203.500 Use of derivative classification.
The application of derivative classification
markings is a responsibility of those who
incorporate, paraphrase, restate, or generate in new
form information that is already classified, and of
those who apply markings in accordance with
instructions from an authorized original classifier
or in accordance with an authorized classification
guide. If a person who applied derivative
classification markings believes that the
paraphrasing, restating, or summarizing of
classified information has changed the level of or
removed the basis for classification, that person
must consult for a determination with an appropriate
official of the originating agency or office of
origin who has the authority to upgrade, downgrade,
or declassify the information.
Section 1203.501 Applying derivative classification markings.
Persons who apply derivative classification markings
shall:
a. Observe and respect original classification
decisions;
b. Verify the information's current level of
classification so far as practicable before
applying the markings; and
c. Carry forward to newly created documents any
assigned authorized markings. The
declassification date or event that provides the
longest period of classification shall be used
for documents classified on the basis of
multiple sources.
Subpart F - Declassification and Downgrading
Section 1203.600 Policy.
Information shall be declassified or downgraded as
soon as national security considerations permit.
NASA reviews of classified information shall be
coordinated with other agencies that have a direct
interest in the subject matter. Information that
continues to meet the classification requirements
prescribed by Section 1203.400 despite the passage
of time will continue to be protected in accordance
with "the Order."
Section 1203.601 Responsibilities.
Officials authorized original classification
authority may declassify or downgrade information
that is subject to the final classification
jurisdiction of NASA and shall take such action in
accordance with the provisions of this Subpart F.
Section 1203.602 Authorization.
Information shall be declassified or downgraded by
the official who authorized the original
classification, if that official is still serving in
the same position, the originator's successor, a
supervisory official of either, or officials
delegated such authority in writing by the
Administrator or the Chairperson, NASA Security
Management Working Group.
Section 1203.603 Systematic review for declassification.
a. General. Except for foreign government
information as provided in Subpart G of this
Part, classified information constituting
permanently valuable records of the government
as defined by 44 U.S.C. 2103, and information in
the possession and control of the Administrator
of the General Services Administration pursuant
to 44 U.S.C. 2107 or 2107 note, shall be
reviewed for declassification as it becomes 30
years old.
(l) Systematic review for declassification of
classified cryptologic information will be
coordinated through the National Security
Agency.
(2) Systematic review for declassification of
classified information pertaining to
intelligence activities (including special
activities) or intelligence sources or
methods will be coordinated through the
Central Intelligence Agency.
(3) The Chairperson, NASA Security Management
Working Group, shall designate experienced
personnel to assist the Archivist of the
United States in the systematic review of
30-year-old U.S. originated information and
30-year-old foreign information. Such
personnel shall:
(i) Provide guidance and assistance to
National Archives and Records Service
employees in identifying and
separating documents and specific
categories of information within
documents that are deemed to require
continued classification; and
(ii) Develop reports of
information or document
categories so separated,
with recommendations
concerning continued
classification.
b. Systematic Review Guidelines. The Chairperson,
NASA Security Management Working Group, shall
develop, in coordination with NASA
organizational elements, guidelines for the
systematic review for declassification of
30-year-old classified information under NASA's
jurisdiction. (See Subpart G of this part,
Foreign Government Information.) The guidelines
shall state specific limited categories of
information which, because of their national
security sensitivity, should not be declassified
automatically but should be reviewed
item-by-item to determine whether continued
protection beyond 30 years is needed. These
guidelines are authorized for use by the
Archivist of the United States and, with the
approval of the Administrator, by an agency
having custody of the information covered by the
guidelines. All information, except foreign
government information, cryptologic information,
and information pertaining to intelligence
sources or methods, not identified in these
guidelines as requiring review and for which a
prior automatic declassification date has not
been established shall be declassified
automatically at the end of 30 years from the
date of original classification. These
guidelines shall be reviewed at least every 5
years and revised as necessary unless an earlier
review for revision is requested by the
Archivist of the United States. Copies of the
declassification guidelines promulgated by NASA
will be provided to the Information Security
Oversight Office, GSA.
c. Systematic Review Procedures. All classified
security records 30 years old or older, whether
held in storage areas under installation control
or in Federal Records Centers, will be surveyed
to identify those that require scheduling for
future disposition.
(1) All NASA information or material in the
custody of the National Archives and
Records Service that is permanently
valuable and more than 30 years old is to
be reviewed systematically for
declassification by the Archivist of the
United States with the assistance of the
personnel designated for the purpose
pursuant to paragraph (a)(3)(i) of this
section. The Archivist shall refer to NASA
that information or material that NASA has
indicated requires further review. In the
case of 30-year-old information or material
in the custody of NASA installations, such
review will be accomplished by the
custodians of the information or material.
The Installation having primary
jurisdiction over the information or
material received from the Archivist or in
its custody, shall proceed as follows:
(i) Classified information or material
over which NASA exercises exclusive or
final original classification
authority and that is to be
declassified in accordance with the
systematic review guidelines developed
under paragraph (b) of this section
shall be so marked.
(ii) Classified information or
material over which NASA
exercises exclusive or final
original classification authority
and that, in accordance with the
systematic review guidelines
developed under paragraph (b) of
this section, is to be kept
protected, shall be listed by
category by the responsible
custodian, and referred to the
Chairperson, NASA Security
Management Working Group. This
listing shall:
a. Identify the information or
material involved.
b. Recommend classification beyond
30 years to a specific event
scheduled to happen or a specific
period of time or, the
alternative, recommend:
DECLASSIFY ON: Originating
Agency's Determination Required
or "OADR."
(iii) The Administrator shall consider
and determine which category
shall be kept classified and the
dates or event for
declassification. Whenever a
specific time or future event for
declassification cannot be
predetermined, the following
notation will be applied:
DECLASSIFY ON: Originating
Agency's Determination Required
or "OADR." The Archivist of the
United States will be notified in
writing of this decision.
c. Declassification by the Director
of the Information Security
Oversight Office, GSA. If the
Director of the Information
Security Oversight Office, GSA,
determines that NASA information
is classified in violation of
"the Order," the Director may
require the information to be
declassified. Any such decision
by the Director may be appealed
through the NASA Security
Management Working Group to the
National Security Council. The
information shall remain
classified pending a prompt
decision on the appeal.
Section 1203.604 Mandatory review for declassification.
a. Information covered. All information classified
under "the Order" or predecessor orders, except
as provided at Section 1203.604(b) shall be
subject to a review for declassification by the
originating agency, if:
(1) The request is made by a United States
citizen or permanent resident alien, a
Federal agency, or a state or local
government; and
(2) The request describes the document or
material containing the information with
sufficient specificity to enable the agency
to locate it with a reasonable amount of
effort. After review, the information or
any reasonable segregable portion thereof
that no longer requires protection shall be
classified and released unless withholding
is otherwise warranted under applicable
law.
b. Presidential Papers.
(l) Information originated by a President,
the White House Staff, by committee,
commissions, or boards appointed by
the President, or others specifically
providing advice and counsel to a
President or acting on behalf of a
President is exempted from the
provisions of Section 1203.604(a).
(2) The Archivist of the United States shall
have the authority to review, downgrade,
and declassify information under the
control of the Administrator of the General
Services Administration or the Archivist
pursuant to Sections 2107, 2107 note, or
2203 of Title 44, United States Code.
Review procedures developed by the
Archivist shall provide for consultation
with NASA in matters of primary subject
interest to NASA.
c. Submission of requests for review. Requests for
mandatory review of classified information shall
be submitted in accordance with the following:
(l) Requests originating within NASA shall, in
all cases, be submitted directly to the
NASA Installation that originated the
information.
(2) For most expeditious action, requests from
other Governmental agencies or from members
of the public should be submitted directly
to the NASA Installations that originated
the material, or, if the originating
component is not known, the requestor may
submit the request to:
(i) The Chairperson, NASA Security
Management Working Group; or the head
of the NASA organization most
concerned with the subject matter of
the material requested, or
(ii) The office designated to receive
requests for records under the
Freedom of Information Act
pursuant to Part 1206 of this
chapter.
d. Requirement for processing.
(1) Requests that are submitted under the
Freedom of Information Act shall be
processed in accordance with 14 CFR Part
1206.
(2) Other requests for declassification
review and release of information
shall be processed in accordance with
the provisions of this section,
subject to the following conditions:
(i) The request is in writing and
reasonably describes the
information sought with
sufficient particularity to
enable the installation to
identify it.
(ii) The requestor shall be asked to
correct a request that does not
comply with paragraph (d)(2)(i)
of this section, to provide
additional information, or to
narrow the scope of the request
and shall be notified that no
action will be taken until the
requestor complies.
(iii) If the request requires the
rendering of services for which
fees may not be charged under
Part 1206, but may be charged
under 31 U.S.C. 483a (1976), the
rates prescribed in Section
1206.700 shall be used, if
appropriate.
e. Processing of Requests. Requests that meet the
requirements of paragraph (d)(2) of this section
will be processed as follows:
(1) NASA Installation action upon the initial
request shall be completed within 60 days.
(2) Receipt of the request shall be
acknowledged promptly. The NASA
installation shall determine whether, under
the declassification provisions of this
Part 1203, the requested information may be
declassified and, if so, shall make sure
information available to the requestor,
unless withholding is otherwise warranted
under applicable law. If the information
may not be released in whole or in part,
the requestor shall be given a brief
statement of the reasons for denial, a
notice of the right to appeal the
determination to the Chairperson, NASA
Information Security Program Committee,
National Aeronautics and Space
Administration, Washington, DC 20546, and a
notice that such an appeal must be filed
within 60 days in order to be considered.
(3) All appeals of denials of requests for
declassification shall be acted upon and
determined finally within 30 days after
receipt and the requestor shall be advised
that the appeal determination is final. If
continued classification is required under
the provisions of this Part 1203, the
requestor shall be notified of the reasons
thereof.
(4) The declassification and release of foreign
government information that is subjected to
mandatory review under this section shall
be determined only in accordance with
Section 1203.703.
(5) When a NASA Installation receives any
request for declassification of information
in documents in its custody, which was
classified by another NASA Installation or
Government agency, it shall refer copies of
the request and the requested documents to
the originating Installation or agency for
processing, and may, after consultation
with the originating Installation or
agency, inform the requester of the
referral. In cases in which the
originating NASA Installation determines in
writing that a response under Section
1203.604(f) is indicated, such cases will
be forwarded promptly to the Chairperson,
NASA Information Security Program
Committee, for final resolution and
appropriate response.
f. Neutral Response. In response to a request for
information under the Freedom of Information
Act, the Privacy Act of 1974, or the mandatory
review provisions of "the Order," NASA shall
refuse to confirm or deny the existence or
nonexistence of requested information whenever
the fact of its existence or nonexistence is
itself classifiable under "the Order."
g. Declassification of Transferred Documents or
Material.
(1) Material Officially Transferred. In the
case of classified information or material
transferred by or pursuant to statute or
Executive Order to NASA in conjunction with
a transfer of functions (not merely for
storage purposes) for NASA's use and as
part of its official files or property, as
distinguished from transfers merely for
purposes of storage, NASA shall be deemed
to be the original classifying authority
over such material for purposes of
downgrading and declassification.
(2) Material Not Officially Transferred. When
any NASA Installation has in its possession
classified information or material
originated by an agency that has since
ceased to exist and that information has
not been officially transferred to another
department or agency, or when it is
impossible for the possessing NASA
Installation to identify the originating
agency, and a review of the material
indicates that it should be downgraded or
declassified, the possessing NASA
Installation shall be deemed to be the
originating agency for the purpose of
declassifying or downgrading such material.
If it appears probable that another agency
or another NASA organization may have a
substantial interest in whether the
classification of any particular
information should be maintained, the
possessing NASA Installation shall not
exercise the power conferred upon it by
this paragraph, until after consultation
with any other agency or NASA organization
having an interest in the subject matter.
(3) Transfer for Storage or Retirement.
(i) Insofar as practicable, classified
documents shall be reviewed to
determine whether they can be
downgraded or declassified prior to
being forwarded to records centers or
to the National Archives for storage.
Any downgrading or declassification
determination shall be indicated on
each document by appropriate markings.
(ii) Classified information
transferred to the General
Services Administration for
accession into the Archives of
the United States shall be
downgraded or declassified by the
Archivist of the United States in
accordance with "the Order," the
directives of the Information
Security Oversight Office, GSA,
and NASA guidelines.
h. Downgrading and Declassification Actions.
(1) Notification of changes in classification
or declassification. When classified
material has been marked with specific
dates or events for downgrading or
declassification, it is not necessary to
issue notices of such actions to any
holders. However, when such actions are
taken earlier than originally scheduled, or
the duration of classification is
shortened, the authority making such
changes shall, to the extent practicable,
ensure prompt notification to all
addressees to whom the information or
material was transmitted originally. The
notification shall specify the marking
action to be taken, the authority therefor,
and the effective date. Upon receipt of
notification, recipients shall make the
proper changes and notify persons to whom
they have transmitted the classified
information or material.
(2) Posted Notice. If prompt re-marking of
large quantities would be unduly
burdensome, the custodian may attach
declassification, downgrading, or upgrading
notices to the storage unit in lieu of the
re-marking action otherwise required. Each
notice shall indicate the change, the
authority for the action, the date of the
action, and the storage units to which it
applies. Items withdrawn from such storage
units shall be promptly re-marked. However,
when information subject to a posted
downgrading or declassification notice is
withdrawn from one storage unit solely for
transfer to another, or a storage unit
containing such information is transferred
from one place to another, the transfer may
be made without re-marking if the notice is
attached to or remains with each shipment.
f. Foreign Relations Series. In order to permit
the State Department editors of Foreign
Relations of the United States to meet their
mandated goal of publishing 20 years after the
event, NASA shall assist these editors by
facilitating access to appropriate classified
materials in its custody and by expediting
declassification review of items from its files
selected for publication.
Subpart G - Foreign Government Information
Section 1203.700 Identification.
In order to qualify as foreign government
information, information must fall into one of the
two following categories:
a. Information provided to the United States by a
foreign government or international organization
of governments, such as the North Atlantic
Treaty Organization (NATO), where the United
States has undertaken an obligation, expressed
or implied, to keep the information in
confidence. The information is considered to
have been provided in confidence if it is marked
in a manner indicating it is to be treated in
confidence or if the circumstances of the
delivery indicate that the information be kept
in confidence.
b. Information requiring confidentiality produced
by the United States pursuant to a written,
joint arrangement with a foreign government or
international organization of governments. A
written, joint arrangement may be evidenced by
an exchange of letters, a Memorandum of
Understanding, or other written record of the
joint arrangement.
Section 1203.701 Classification.
a. Foreign government information that is
classified by a foreign entity shall either
retain its original classification designation
or be marked with a United States classification
designation that will ensure a degree of
protection equivalent to that required by the
entity that furnished the information. Original
classification authority is not required for
this purpose.
b. Foreign government information that was not
classified by a foreign entity but was provided
to NASA with the expressed or implied obligation
that it be held in confidence must be
classified. "The Order" states that
unauthorized disclosure of foreign government
information, the identity of a confidential
foreign source, or intelligence sources or
methods is presumed to cause damage to the
national security. Therefore, such foreign
government information shall be classified at
least Confidential. However, at the time of
classification, judicious consideration shall be
given to the sensitivity of the subject matter
and the impact of its unauthorized disclosure
upon both the United States and the originating
foreign government or organization of
governments in order to determine the most
appropriate level of classification. Levels
above Confidential must be assigned by an
original classification authority.
Section 1203.702 Duration of classification.
Unless the guidelines for the systematic review of
30-year-old foreign government information developed
pursuant to Section 1203.603(b) prescribe dates or
events for declassification:
a. Foreign government information shall not be
assigned a date or event for declassification
unless such is specified or agreed to by the
foreign entity.
b. Foreign government information classified after
December 1, 1978, shall be annotated:
DECLASSIFY ON: Originating Agency's
Determination Required or "OADR."
Section 1203.703 Declassification
a. Information classified in accordance with
Section 1203.400 shall not be declassified
automatically as a result of any unofficial
publication or inadvertent or unauthorized
disclosure in the United States or abroad of
identical or similar information.
b. Following consultation with the Archivist of the
United States and, where appropriate, with the
foreign government or international organization
concerned and with the assistance of the
Department of State, NASA will issue guidelines
for the systematic review of 30-year-old foreign
government information that will apply to
foreign government information of primary
concern to NASA. These guidelines are authorized
for use by the Archivist of the United States
and, with the approval of NASA, by an agency
having custody of such information. The
Chairperson, NASA Information Security Program
Committee, will initiate administrative
functions necessary to effect review of these
guidelines at least once every 5 years and
submit recommendations to the Administrator
based on these reviews. If, after applying the
guidelines to 30-year-old foreign government
information, a determination is made by the
reviewer that classification is necessary, a
date for declassification or DECLASSIFY ON:
Originating Agency's Determination Required or
"OADR" shall be shown on the face of the
document.
c. Requests for mandatory review for
declassification of foreign government
information shall be processed and acted upon in
accordance with the provisions of Section
1203.603 except that foreign government
information will be declassified only in
accordance with the guidelines developed for
that purpose under Section 1203.702 and after
consultation with other Government agencies with
subject matter interest as necessary. In those
cases where these guidelines cannot be applied
to the foreign government information requested,
the foreign originator should be consulted
through appropriate channels prior to final
action regarding the request. However, when the
responsible NASA Installation knows the foreign
originator's view toward declassification or
continued classification of the types of
information requested, consultation with the
foreign originator is not necessary.
d. Requests for mandatory review for
declassification of foreign government
information that NASA has not received or
classified shall be referred to the Government
agency having a primary interest. The requestor
shall be advised of the referral.
APPENDIX F: INDUSTRIAL SECURITY REQUIREMENTS CHECKLIST
1. Security Requirements Checklist. The office responsible
for the technical supervision of a proposed classified
prime contract will draft a DD Form 254 or other written
notification and forward it to the Security
Classification Officer for approval. This action should
be taken sufficiently in advance to permit forwarding a
copy with each invitation for bid or request for proposal
or quotation. When appropriate, the action will be based
on, and consistent with, information contained in an
applicable security classification guide, DD Form 254, or
other document prepared either by NASA or by another
Government agency responsible for the particular program
or project involved. The resulting DD Form 254, and any
changes to it, will be signed by the Security
Classification Officer as a representative of the
contracting officer.
2. Preparation of a DD Form 254
a. Instructions for the preparation of DD Form 254 are
attached to the Form. In addition, the following is
applicable to NASA contracts:
(1) In item 12 of the DD Form 254, delete the words:
"To the Directorate For Freedom of Information
and Security Review, Office of the Assistant
Secretary of Defense (Public Affairs) for review
in accordance with the Industrial Security
Manual," and insert the words: "To the Office
of Public Affairs, National Aeronautics and
Space Administration, Washington, DC 20546, for
review."
(2) The above change and the information set
forth in subparagraphs b and c will be
incorporated into documents prepared in
lieu of DD Form 254.
b. In the case of prime contracts, the Public
Information Office of the NASA contracting
Installation will also be specified in Item 12 to
show that proposed publicity releases will be
submitted through that office to the Office of
Public Affairs, NASA, Washington, DC 20546.
c. In the case of subcontracts, the publicity office of
the prime contractor will be specified in addition
to the Public Information Office of the NASA
contracting Installation to show that proposed
publicity releases will be submitted through those
two offices to the Office of Public Affairs, NASA,
Washington, DC 20546.
3. Distribution for Contracts. The distribution of a DD
Form 254 or of other written notification pertaining to a
prime contract and subcontract will be as required by the
ISR. In addition, a copy of each DD Form 254 or other
written notification for prime contracts will be sent to
the Chief, NASA Security Office.
APPENDIX G: SECURITY AREA SIGN
R E S T R I C T E D A R E A
BY THE ORDER OF
NATIONAL AERONAUTICS AND SPACE ADMINISTRATION
Unauthorized persons who enter may be subject to prosecution
under 18 U.S.C. 799.
Procedures for Ordering Signs
Outdoor signs are metal, measuring approximately 40.64 cm/16
inches high and 50.8 cm/20 inches wide. Indoor signs are
cardboard measuring approximately 22.86 cm/9 inches high and
12 inches wide. Installations should order signs as needed
through their normal supply source on NASA Forms.
Restricted Area Sign (Outdoor), NASA Form 1506
Restricted Area Sign (Indoor), NASA Form 1506A
Limited Area Sign (Outdoor), NASA Form 1507
Limited Area Sign (Indoor), NASA Form 1507A
Closed Area Sign (Outdoor), NASA Form 1508
Closed Area Sign (Indoor), NASA Form 1508A
APPENDIX H: NRP SYSTEM SECURITY STANDARD, PURPOSE, AND
SCOPE
1. SCOPE
This Appendix prescribes the minimum security standard
for NASA's unique assets that are designated to be
protected under the NASA Resource Protection (NRP)
Program. The ultimate goal of the NRP system security
standard is to ensure that a baseline approach,
consistent with security priorities, is taken throughout
the Agency toward the protection of NASA's unique
designated national resources during their useful life
cycle. When dictated by the vulnerability of the asset
to be protected, and the threat to be protected against,
security disciplines such as physical security,
operations security (OPSEC), communications security
(COMSEC), information security, personnel security,
industrial security, etc., will be integrated into the
total NRP effort. All security measures will be applied
based on the standards outlined in this NASA Security
Handbook. Applying security disciplines in a coordinated
effort ensures that all vulnerabilities and threats are
properly addressed.
2. RESPONSIBILITY
a. Directors of Field Installations (Center Directors)
are designated as RAA's for their respective
Installations and will be the decisionmaker in
determining which Installation assets will be
granted waivers, if any, of the applicable security
standards.
b. NRP waivers will be forwarded to Headquarters for
review by the Program Office, the SMWG, and Code
JIS.
3. CONCEPT
a. The responsible NASA Installation, in conjunction
with the applicable Program Office and as approved
by the NASA Security Management Working Group
(SMWG), will implement the minimum standards
specified herein, and such other additional measures
deemed necessary, to minimize the vulnerability of
the asset to the threat. Waivers to this standard
will be forwarded from the Installation, through the
Program Office and the SMWG, to the Associate
Administrator for Management Systems and Facilities
for review.
b. Category A - Mission Critical Assets
(l) A positive entry control system will be
employed at all times while in the area and
will challenge anyone observed without a
valid badge.
(2) Personnel granted unescorted entry will have
been the subject of a favorably adjudicated
National Agency Check (NAC) as a minimum.
(3) Personnel granted unescorted entry will display
an appropriate area access security badge at all
times while in the area and will challenge
anyone observed without a valid badge.
(4) Personnel granted unescorted entry will receive
formal initial and annual follow-on security
education training.
(5) Escorted entry procedures will be in
accordance with the NASA Security Handbook.
(6) A Facility Security Manager will be
designated in writing for each Category A
resource.
(7) The Installation will maintain the
capability to respond to facility security
alarms with a minimum of two armed security
officers, within five minutes of the
security force being alerted.
(8) Appropriate security area signs, in
accordance with the NASA Security Handbook,
will be posted conspicuously at all
personnel and vehicle access points and at
intermittent locations along the perimeter
of the area.
(9) A formal physical security survey will be
conducted of each resource using the
criteria set forth in the NASA Security
Handbook. The survey results will be
approved by the Installation RAA and
incorporated into the Installation's NRP
Program.
c. Category B - Mission Essential Assets
(1) Personnel employed within the area will maintain
entry control by being observant for
unauthorized persons.
(2) Personnel granted unescorted entry will have
been the subject of a favorably adjudicated NAC
as a minimum.
(3) Personnel granted unescorted entry will display
an appropriate area access security badge at all
times while in the area and will challenge
anyone observed without a valid badge.
(4) Personnel granted unescorted entry will receive
formal initial and annual follow-on security
education training.
(5) Escorted entry procedures will be in accordance
with the NASA Security Operations Handbook.
(6) A Facility Security Manager will be designated
in writing for each Category B resource.
(7) The Installation will maintain the capability to
respond to facility security alarms with a
minimum of two armed security officers within
ten minutes of the security force being alerted.
(8) Appropriate security area signs, in accordance
with the NASA Security Handbook, will be
conspicuously posted at all personnel and
vehicle access points and at intermittent
locations along the perimeter of the area.
(9) A formal physical security survey will be
conducted of each resource using the criteria
set forth in the NASA Security Handbook. The
survey results will be approved by the
Installation RAA and incorporated into the
Installation's NRP Program.
APPENDIX I: PHYSICAL SECURITY SURVEY CHECKLIST
1. POLICY AND PROGRAM
a. Has Installation Director established a security
policy?
(1) Is the policy published?
(2) Is it part of all managers'/supervisors'
responsibility?
(3) Is an individual designated to establish and
supervise the security program?
b. Are Installation senior management officials
accessible to the Installation Chief of Security
(ICS)?
c. Is there a published Security Installation
Management Instruction?
d. Are disciplinary procedures for security violations
established?
(1) In writing?
(2) Specify offenses and penalties?
(3) Incidents recorded?
(4) Reviewed by senior management?
(5) Uniformly enforced?
2. ORGANIZATION
a. Is there a full-time security officer/official?
(1) If part-time, what percent of time is spent
on security?
(2) Describe the management chain from the ICS
to the Installation Director.
b. Number of full-time civil service security personnel
assigned? Contractors?
c. Number of personnel performing security duties each
shift?
(1) Do they perform nonsecurity duties
concurrently?
(2) Do security duties have first priority?
d. Have security personnel received special training?
Describe.
e. Are written reports made of security-related
incidents?
f. Are follow-up investigations conducted as warranted?
g. Have background investigations of security personnel
been conducted?
h. Security Force
(1) Number?
(2) Employed or contracted?
(3) If contracted service, was the ICS involved
throughout the contract process?
(4) Are there written guard post orders?
(5) Are weapons carried?
(i) Type and quantity?
(ii) Government furnished or contractor
furnished?
(iii) Are personnel trained and qualified in
accordance with Security Operations
Handbook, Chapter 33, Firearms, with
the weapon with which armed?
(6) What is frequency of tour of duty?
(7) Are tours varied concerning day and time?
(8) Do guards submit written reports for each shift?
(9) Describe any formal training received by guards.
(10) Are guards uniformly dressed/outfitted?
i. Does the ICS maintain contact with local law
enforcement agencies to keep abreast of criminal
activities and potential threats to the
Installation's resources?
3. CONTROL OF ENTRY AND MOVEMENT
a. Is positive identification required of all persons
entering the Installation? How?
b Are there periodic 100 percent checks of
identification? How often? By whom?
c. Are all visitors registered? Required to be
escorted?
d. How are employees distinguished from visitors?
e Is there control of employee movement between areas
within the Installation?
f. Are supervisors instructed to challenge strangers
found in their work areas?
4. BARRIERS
a. Is there a continuous barrier around the entire
Installation perimeter?
b. Is fencing constructed/erected consistent with the
standards in the Security Handbook, Appendix L?
c. Are sensors installed?
d. Are walls used as perimeter barriers? At least
2.438m/eight ft. high?
e. All doors equipped with alarm devices or under
surveillance?
f. Windows permanently closed? Protected by bars or
heavy screens? Alarmed? Can be used for entry or
exit?
5. LIGHTING
a. Is all of the perimeter lighted?
b. Strip of light on both sides of the perimeter
barrier?
c. Illumination sufficient to detect movement easily at
91.44m/100 yards?
d. Are lights checked daily prior to darkness?
e. Is extra lighting installed at entry points and
points of possible intrusion?
f. Are lighting repairs made promptly?
g. Is the power supply for the lighting protected
against tampering?
h. Are circuit drawings available to facilitate quick
repairs?
i. Are switches and controls protected? Weatherproofed
and tamper resistant? Accessible to security
personnel? Master switches centrally located?
j. Good illumination for guards on all routes inside
the perimeter?
k. Materials and equipment in receiving, shipping, and
storage areas adequately lighted?
l. Bodies of water on perimeter adequately lighted?
m. Is there an auxiliary power source for protective
lighting?
6. LOCKS AND KEYS
a. Is responsibility for control of locks and keys
assigned to a security supervisor?
b. Does the ICS control locks and keys to all
buildings? Gates? Sensitive areas?
c. Is there an established formula for issuing keys?
d. Are managers responsible for keys within their work
areas?
e. Are keys issued to non-employees?
f. Do recipients sign receipts for keys issued?
g. Are keys recovered from departing employees? If
not, what happens?
h. Are lock and key control procedures and regulations
in writing?
i. Are master keys not marked as such?
j. Are spare keys stored under double lock or in a
locked and fireproofed cabinet?
k. Is access to spare keys restricted? To whom?
l. Are locks changed immediately upon theft or loss of
keys?
m. Are locks on perimeter doors and gates changed
annually?
n. Are padlocks on interior facilities changed or
rotated annually?
o. Is the manufacturer's serial number on padlocks
obliterated and replaced by Installation code
numbers?
p. Are in-use padlocks locked to the hasp or staple
when the door or gate is open?
q. Are door locks installed so that bolt extends 1/2
inch into the jamb? Is the bolt covered by steel
cover plate between door and jamb to prevent
levering?
r. Are combination locks changed annually? When
knowledgeable persons leave or terminate? When
compromised? (NATO every 6 months - Imprest Fund
every 6 months)
s. Are combinations memorized or written down?
t. Are combinations disclosed on basis of operational
necessity only, and not convenience?
u. Are deadbolt locks installed in all doors that must
be unlocked from the outside?
v. Are all safes GSA approved for the storage of their
respective contents?
7. ALARMS
a. Are intrusion detection systems (IDS) installed for
the protection of the facility perimeter? High-
value storage areas? Other internal areas warranting
such?
b. What types of sensors are employed?
c. Are the sensors tested periodically? Monitored by a
central station?
d. Is closed circuit television (CCTV) used for access
control? Surveillance? Is it monitored
continuously?
e. Are fire alarms monitored as part of the security
program?
8. COMMUNICATIONS
a. Is there a separate communications system for
security and emergency use?
b. If radio is shared with others, can security
override?
c. Is there a means of immediately contacting guards on
patrol? How?
d. Are local community emergency services personnel
linked with the communications system?
e. Is there a means of alerting employees to an
emergency? Describe?
9. PERSONNEL SCREENING
Are all security personnel screened in accordance with
the standards contained in Chapter 9 of the Security
Handbook?
APPENDIX J: INTRUSION DETECTION SYSTEMS
1. GENERAL
a. Electronic Intrusion Detection Systems (IDS) can
contribute greatly to overall physical security and
should be considered for inclusion in the plan by
NASA security managers. The following list includes
some factors to be considered in evaluating the
possible use of electronic IDS:
(1) Threat;
(2) Location and response time capability of
security personnel;
(3) Value or sensitivity of the facility or material
and its criticality to the NASA mission;
(4) Area environment;
(5) Radio and electrical interference in the area;
(6) Operational hours of the Installation or
facility.
b. Many modern sensors, detectors, and systems are
available for security applications and can make a
useful contribution if properly selected and
installed. Following is a discussion of some
interior and exterior IDS's along with suggestions
for desired performance and installation:
(l) General Requirements.
(a) Equipment Enclosures. All enclosures
for equipment supplied should be
protected against tampering by being
equipped with tamper switches or
triggering mechanisms electrically
compatible with the alarm system, or
they should be fully filled with an
epoxy compound. Internal wiring of
equipment should be such that the
tamper switches and triggering
mechanisms are not bypassed even
though the detector itself is
operating in the access mode. All
controls that affect the sensitivity
of the units shall be located inside
the tamper-resistant enclosure.
(b) Environmental Requirements. All units
should be capable of operating in
temperatures ranging from -7.777-
C/18- F to 54- C/ 130- F. All units
should be capable of operating at the
highest percent level of relative
humidity expected in the area in which
it is used.
(c) Dependability. The sensitivity and
stability of all detectors should be
designed to withstand neutralization
or compromise.
(d) Electronic Components. To the extent
practical, all electronic components
should be state-of-the-art and be
solid state.
(e) Detectors/Sensors. All detectors and
sensors should initiate an alarm
signal under any of the following
conditions:
i. When sensing a stimulus or
condition for which it was
designed to react.
ii. If primary power fails.
iii. If the detector's circuitry is
opened, shorted, or grounded and
if such condition is capable of
compromising the device's normal
operation.
iv. If a tamper switch or triggering
mechanism is activated.
Note: To the extent feasible, the
device should be designed to initiate
an alarm if any part or component
fails or ages to the extent to render
the detector ineffective. Terminals
should be located within the detector
enclosure and should be readily
accessible to permit wiring for
required combinations of detector
units. All controls and terminals
which are not required for operation
of the detector should not be readily
accessible.
(2) Annunciator Switch-Access/Secure and
Reset. The annunciator panel should
have an access/secure switch and an
alarm reset switch. An alarm should
create a lock-on condition which
should require manual restoration, and
controls should be provided to reset
the system. When a detector circuit
is conditioned for authorized entry
into the protected area (access mode),
the annunciator should continue to
indicate alarms if circuit supervisory
limits are exceeded or if any tamper
switches are disturbed.
(3) Annunciator Connections to Components.
The annunciator should be provided
with terminals to connect the power
supply (normal and standby) to
detectors and/or sensors and to
interconnect with other annunciators.
(4) Annunciator Unit. Annunciator units should
be so designed that when connected with
their ancillaries into a detection circuit,
they provide the means to monitor the
condition and control the operation of the
detection circuit at a location removed
from the detector(s). Annunciator units
should be electrically compatible with the
detectors and circuit supervisory
equipment. When specified, individual
annunciator units should be furnished in
appropriate enclosures. To the extent
practical, equipment related to the
annunciator, such as the standby battery,
power supply, battery charging equipment,
audible alarm, and circuit supervisor
functions, should be contained in the same
enclosure.
(5) Line Supervision. The circuit
supervisors should provide security to
the communication link between the
detectors and/or sensors and the
annunciator.
2. INTERIOR INTRUSION DETECTION
a. Detectors. Detectors should be listed by
Underwriters Laboratory and should be one of the
following types:
(l) Balanced Magnetic Switch.
(2) Passive Infrared Detector.
(3) Vibration Detectors.
(4) Capacitance Detector.
(5) Ultrasonic Motion Detector.
(6) Microwave Motion Detector.
(7) Pressure Mat Detector.
(8) Closed Circuit Television Motion Detector.
(9) Conductive Foil.
(10) Breakwire.
b. Balanced Magnetic Switch. The switch mechanism
should be of the balanced magnetic type and should
initiate an alarm on increase, decrease, or
attempted substitution of an external magnetic
field. The switch and magnet should be enclosed in
separate housings of cast, composed of nonferrous
durable material, and provide reasonable protection
against moisture and dust. The mechanism should be
adjusted from .635 cm\ 1/4 inch to 2.54 cm\1 inch to
accommodate Installation variances. The switch
should be electrically protected so that a sudden
surge of voltage greater than required for normal
operations will create an alarm. The switch should
be designed so an alarm is initiated whenever the
switch housing is moved more than 2.54 cm\1 inch
from the magnet housing. When simulating a closed
position, the switch shall be rated for a minimum of
500,000 activations without malfunction.
c. Passive IR Detector. This detector should initiate
an alarm when a temperature differential occurs
within the field of view. The sensor should detect
a person, a minimum of 1.524 m/5 feet tall, 31.752
kg/70 pounds, walking at the rate of .3048 m/1 foot
per second or faster out to a range of at least 9
m/30 feet. The system should stabilize within 2
minutes after being turned on and should not be
capable of being defeated by the use of portable IR
absorbent or reflective material placed between the
sensor and a person moving in the protected area.
The system should not be susceptible to changes in
temperature due to an air conditioner being turned
on or off.
d. Vibration Detector. This detector should consist of
piezoelectric pickup devices or an equivalent device
connected through an amplifier/accumulator designed
to initiate an alarm signal in response to
structurally borne vibration caused by explosion, a
short series of blows, a longer series of lighter
blows, or similar phenomena. The
amplifier/accumulator should integrate the amplitude
of input stimuli with respect to time up to the
present alarm level. In addition, the
amplifier/accumulator should be so designed that
stimuli of insufficient magnitude to initiate an
alarm are bled off to the normal quiescent level at
a rate of decay from the level immediately before an
alarm to 10 to 15 percent of alarm level in not less
than 5, or more than 15, minutes.
e. Capacitance Detector. This detector should consist
of a control unit containing circuitry designed to
detect a change in the capacitive coupling which
exists between one or more antennas and ground.
Antennas should be energized to create an
electrostatic or electromagnetic field, so that if
the protected object is touched by a person wearing
a heavy glove or approached within 6 inches by a
conductive mass of the density and size of a human
(a minimum of 1.542m/5 feet tall, 31.752 kg/70
pounds) the capacitive coupling between antennas and
ground will be initiated. The detector should be
designed to disconnect antennas when the detector is
in the access mode and will create an alarm when the
detector is placed in the secure mode.
f. UltraSonic Motion Detector. This detector should
consist of one or more transmitter/receiver elements
and the necessary control circuitry. The detector
should sense disturbances in a field (minimum height
of 2.438 m/8 feet) of acoustic energy above a
frequency of 18 KHz. Movement of a human (a minimum
of 1.524 m/5 feet tall, 31.752 kg/70 pounds) within
the protected area for a distance of 1.524 m/5 feet
or less, at any velocity between 6.096 m/20 feet and
182.88 m/600 feet pm should cause the control unit
to initiate an alarm signal.
g. Microwave Motion Detector. This detector should
consist of transmitter/receiver elements and
necessary control circuitry to saturate the
protected area with electromagnetic energy.
Movement of a human (a minimum of 1.524 m/5 feet
tall, 31.752 kg/70 pounds within the protected area
for a distance of five feet or less at any velocity
between (3.04 m/10 feet) and (182.88 m/600 feet) pm
should cause the detector to initiate an alarm
signal. The microwave detectors should be designed
so that nuisance alarms due to electromagnetic
emission of other equipment such as fluorescent
lights or motors are prevented.
h. Pressure Mat Detector. This detector should be in
the form of a flat mat and should initiate an alarm
when a weight of 31.752 kg/70 pounds or more is
applied to any 3-inch square top surface of the mat.
Detectors should be resistant to water and dust and
the wiring circuitry should be capable of
supervision. The detector should be rated to
withstand not less than 500,000 activations without
failure.
i. CCTV Detector. This detector should detect the
presence of an intruder by electronically comparing
successive scenes for a difference in images. An
alarm should be initiated when the compared images
differ by more than 6.5 percent. The detector
should be capable of desensitizing portions of the
viewed areas where naturally moving objects occur.
Comparison of the video information within the
protected area should occur at not less than 1
sample per second. Failure of the camera should
produce an alarm independent of any detectable scene
difference occurring in the secure area. The CCTV
motion detector should be designed to operate with
cameras which automatically compensate for scene
illumination.
j. Conductive Foil. This material is intended for
application to glass and other surfaces to
detect intrusion, and installed and connected
into an electrically supervised detector
circuit. Breaking or grounding the foil should
cause an alarm to be initiated. Foil should not
exceed 1.2 metric in tensile strength and should
be capable of carrying a maximum electrical
current of 60 milliamperes at 60 volts with a
temperature rise of not more than one degree.
Adhesive and protective coating material
necessary for application should be provided
with the foil and should be of types resistant
to aging, moisture, and temperature change.
Foil for glass should not be more than 1.2
cm\1/2 inch wide. Foil for other purposes
should be not more than 2.54 cm\1 inch wide.
k. Breakwire. This wire is intended to be used in
fabricating screens and grids, open wiring, and
grooved stripping in various arrays and
configurations necessary to detect surreptitious and
forcible penetrations on movable openings, floors,
walls, ceilings, and skylights. When correctly
arranged, properly installed, and connected into an
electrically supervised detector circuit, cutting,
breaking or grounding the breakwire shall cause an
alarm to be initiated. Hard drawn breakwire used in
fabricating security screens should not exceed four
pounds tensile strength and be capable of carrying a
current of 60 milliamperes at 60 volts with a
temperature rise of not more than 1 degree Celsius.
Wire shall not be larger than 24 AWG.
3. EXTERIOR INTRUSION DETECTION
Detectors. Detectors should be one of the following
types:
a. Mechanical Fence Sensors. This system should
initiate an alarm upon movement of the fence. All
sensors in this system should house adjustable
sensitivity mechanical switches with normally open
or closed contacts as specified. The sensors should
be mounted on the fence posts at a maximum of 6
meters apart or on every fence post for high
security applications. If the sensors are mounted
on the fence fabric, they should be placed at a
maximum of 3.04 m/10 feet apart. This system should
use some count and time criteria in the signal
processor to differentiate between intrusions and
nuisance indications.
b. Electromechanical Fence Sensors. This system should
be capable of initiating an alarm when the sensor is
acted upon by accelerations generated in the fence
fabric during penetration. Transducers should be
placed on every fence post or on the fence fabric
itself between each pair of posts. Each transducer
shall be connected in series along the fence with a
common cable to form a single zone of protection.
The maximum single detection zone should not exceed
(91.4 m/300 feet). The cable should be routed in a
sealed conduit and the transducers should be
installed in electrical enclosures. If the cable is
installed underground, it should either be routed in
a conduit or be direct burial cable.
c. Strain Sensitive Cable. This system should be
capable of initiating an alarm when the duration of
a series of impulses is exceeded. (This is
determined by the sensitivity setting.) Movement of
the cable will produce an output voltage when the
cable is moved. Cables should be fastened directly
to the fence using wire ties so movement of the
fence fabric is coupled directly to the transducer
cable.
d. Taut Wire Sensor Fence. This system should initiate
an alarm upon deflection of a wire that is
incorporated into sensor switches, which cause
activation of the lever arm of the switch such that
contact closure results. The system's sensitivity
setting is the determining factor on alarm
initiation. All sensor switches should be mounted
rigidly onto a fence post located approximately
midspan on the fence section. The length of a
sensor wire and the entire sensor fence section
should not exceed 60 meters. If the sensor section
is less than 6 meters in length, a coil spring must
be installed on each end of each horizontal wire.
Total overall fence height should be approximately
2.7 meters high as follows:
(l) Eleven horizontal barbed wires attached one
over the other to the fence posts to a
height of approximately two meters;
(2) Three barbed wires on slant outriggers for
0.4 meters of vertical height;
(3) A smooth "anti-ladder" trip wire supported
by steel rods extending from the outriggers
for an additional 0.3 meters of vertical
height. This system should have a self-
adjusting property which compensates for
wire creepage due to transitions between
temperature extremes, and it should have no
more than a nominal 2 mm lateral movement
of the actuating lever arm of a sensor
switch. If the sensor fence is to be
attached to a chain-link fence, no bottom
or top rails shall be used.
(4) The path along the alignment of the sensor
fence should be clear of all vegetation to
3 feet on each side of the fence, and the
ground surface directly below the fence.
Spacing between the bottom taut wire and
the ground surface should be no greater
than 10 cm. The horizontal wire that is
threaded through the sensor switch channel
must be pretensioned to approximately 35 kg
as it is terminated to its anchor posts.
Each end of the wire should be wrapped
tightly and flat, twice around the
anchoring tab, and then around itself at
approximately a 90 degree angle for a
minimum of 4 complete wraps.
(5) At no longer than 6 month intervals, each
sensor switch should be unclamped from its
associated fence wire to permit the switch
lever arm to return to its neutral
position.
e. Magnetic Point Sensors. This system should be
capable of detecting an individual weighing more
than 31.752 k/70 pounds crossing the sensitive area
of the system at a minimum speed of 0.15 meters per
second, whether walking, crawling, or rolling. The
system design shall use techniques (e.g., electronic
signal processing) to eliminate nuisance alarms from
adverse environmental phenomena. The sensors should
be installed at a depth below the ground surface
stated by the manufacturer. The sensors should be
in two separate parallel lines at a distance of 1.5
to 2 meters apart. The sensors and electronic
circuitry buried in the ground should be made of
durable, moisture proof, rodent resistant material.
f. Ported Coaxial Cable Sensor. A continuous or pulsed
rf field must be disturbed and a change in the
received signal must be processed to initiate an
alarm in this system. Cables should be situated
away from running water, and areas which permit
standing water should be modified to facilitate
drainage. The system should have the capability of
detecting an individual weighing a minimum of 31.752
kg/70 pounds. Systems should have the capability to
indicate compensation for heavy rainfall, jamming
interference, and a failure during automatic self-
testing. The maximum zone length shall not exceed
100m and cables shall be buried no less than 9
inches below surface ground and spaced approximately
1.524 m/5 feet apart.
g. Magnetic Buried Line Sensors. This system should be
able to detect a 400-pole-centimeter (CGS units)
magnet moving at a rate of 0.15 meters per second
within a radius of 0.3 meters of a sensor cable.
The detection system should be equipped with
inhibitor coils to minimize nuisance alarms due to
electromagnetic interference. No more than six
sensing loops per inhibitor coil should be used in
order to prevent simultaneous desensitizing of the
entire system. The sensing loops of electrical
cable should be buried in the ground according to
the manufacturer's stated depth. Multiple units
(cable and amplifier) should be used to protect a
perimeter. All associated buried circuitry should
be buried within the protected zone and packaged in
hermetically sealed containers. The cable should be
laid in accordance with the manufacturer's
recommended geometrical configurations to reduce
nuisance alarms from external sources. When cable
is being installed in rocky soil, care shall be
taken to remove sharp rocks during backfilling over
the cable. Inhibitors should be buried in the
ground at least 6 meters from the cable inside the
protected perimeter. Continuous electromagnetic
interference obstructs the detection of an intruder
carrying metal over the buried cable by keeping the
inhibitor activated, thereby preventing the alarm
unit from responding to a change in flux caused by
the intruder. The device should therefore be used
only where the environment is relatively free of
severe man-made electromagnetic interference (e.g.,
overhead power cables, pole-mounted transformers,
and generators). The cable should never be
installed close to overhead power transmission
lines. Moreover, the cable should be placed at
least 3 meters from parallel running metal fences
and at least 20 meters from public roads to minimize
nuisance alarms.
h. Seismic Buried Line Sensors. A passive system that
includes piezoelectric, pressure, geophone sensors
or their equivalent. This system should be capable
of detecting an individual weighing more than 31.752
kg/70 pounds crossing the sensitive area of the
system at a minimum speed of 0.15 meters per second,
whether walking, crawling, or rolling. The system
design should employ techniques to eliminate
nuisance alarms from adverse environmental
phenomena. The sensors should be installed at the
depth below the ground surface stated by the
manufacturer. Detection zones shall extend
approximately 1 meter on each side of the buried
transducers.
i. Infrared Detector. This system should be a
multibeam modulated type consisting of a minimum of
three transmitters and 3 receivers per unit. An
infrared perimeter alarm system should be capable of
detecting an individual weighing a minimum of 31.752
kg/70 pounds passing between the transmitters and
receivers at a rate between 0.15 to 5 meters per
second, whether walking, running, jumping, crawling,
or rolling. Furthermore, the system should be able
to operate as above with a factor of 20 (13db)
insertion loss due to atmospheric attenuation (e.g.,
fog) at a maximum range of 100 meters.
(1) An infrared perimeter alarm system should be
installed so that, at any point, the lowest beam
is no higher than 21 cm above grade and the
highest beam at least 1.6 meters above ground.
Sufficient overlap of beams should exist so that
an individual cannot intrude between the beams
and remain undetected. The transmitters and
receivers should be mounted rigidly (e.g.,
installed on a rigid post or concrete pad) to
prevent nuisance alarms from vibrations. Each
transmitter and receiver post should be provided
with a pressure-sensitive cap to detect attempts
at scaling of or vaulting over the infrared beam
post. The maximum distance between the
transmitter and receiver should be selected to
permit proper operation during conditions of
severe atmospheric attenuation that are typical
for the site, generally a maximum distance of
100 meters. Total blocking of any individual
transmitter and its receiver module must result
in a system alarm. It is recommended that the
infrared perimeter alarm system be installed
inside the physical perimeter barrier with the
transmitter and receiver units positioned a
minimum of 3 meters from the barrier.
Installation of the infrared alarm system inside
and directly adjacent to the perimeter barrier
should be avoided since the barrier may provide
a solid base from which an intruder can jump
over the beams into the protected area.
j. Microwave Detectors
(l) This system should be capable of detecting
an intruder weighing a minimum of 31.752
kg/70 pounds passing between the
transmitter and receiver at a rate between
0.15 and 5 meters per second, whether
walking, running, jumping, crawling, or
rolling. The beam should be modulated, and
the receiver should be frequency selective
to decrease susceptibility to receiver
"capture."
(2) The transmitter and receiver should be
installed on an even terrain clear of
trees, tall grass, and bushes. Each unit
shall be mounted rigidly at a distance of
about 1 meter above the ground. Because of
variances in the antenna pattern of
different microwave systems, this height
may have to be varied slightly to obtain
proper ground coverage. The distance
between a transmitter and its receiver
should be in accordance with the
manufacturer's specifications and site-
specific requirements. Neither the
transmitter nor the receiver should be
mounted on a fence. To prevent passage
under the microwave beam in the shadow of
an obstruction, hills should be leveled,
ditches filled, and obstructions removed so
that the area between a transmitter and
receiver is clear of obstructions and free
of rises or depressions of a height or
depth greater than 15 cm. The clear areas
shall be sufficiently wide to preclude
generation of alarms by objects moving near
the microwave link (e.g., personnel walking
or vehicular traffic). Approximate
dimensions of the microwave pattern should
be provided by the manufacturer. If the
microwave link is installed inside and
roughly parallel to a perimeter fence or
wall, the transmitter and receiver should
be positioned so as to prevent someone from
avoiding detection by jumping over the
microwave beam into the protected area from
atop the fence or wall. Typically, a chain
link security fence with an overall height
of 2.4 meters will necessitate a minimum of
2 meters between the fence and the center
of the microwave beam. Provisions should
be made for adjusting the sensitivity to
intruder motion, area or distance range, or
both, to cover areas of various sizes and
configurations.
k. E-Field Detectors. This sensor should initiate an
alarm when an individual weighing a minimum of
31.752 kg/70 pounds is at least 0.5 meters from the
sensing wire, whether crawling or rolling under the
lower sensing wire, stepping and jumping between the
field and sensing wires, or jumping over the top
sensing wire of the system. The field and sensing
wire should be supervised to prevent the undetected
cutting or bypassing of the system through
electronic or clandestine means. The system design
should employ techniques to minimize alarms caused
by high winds, thunderstorm related electrical
phenomena, and small animals. The system should
stabilize within seconds after being turned on and
above a probability of detection greater than 0.90
with a confidence level of 95 percent.
l. Closed Circuit Television (CCTV) Motion Detector.
This detector should detect the presence of an
intruder by electronically comparing successive
scenes for differences in images. An alarm should
be initiated when the compared images differ by more
than 6.5 percent. The detector should be capable of
desensitizing portions of the viewed areas where
naturally moving objects occur. Comparison of the
video information within the protected area should
occur at not less than one sample per second and
indicate failure of the camera scene difference
occurring in the secure area. The CCTV motion
detector should be designed to operate with cameras
that automatically compensate for scene
illumination.
APPENDIX K: AUTOMATED ENTRY CONTROL SYSTEMS
The following components function as a system to restrict
access to a facility:
1. Central security control;
2. Security force stations;
3. Communication networks;
4. Portal systems;
5. Enrollment center;
6. Bypass systems; and
7. Identifying systems.
Added peripherals such as metal detectors and X-ray devices
help prevent the entry or exit of contraband. The actual
level of security a system provides depends on the
sophistication of the portals, the degree of tamper-proofing,
and the type of processor used.
1. CENTRAL SECURITY CONTROL
a. Central security control consists of data
electronic processors and emergency power
equipment. The processor may be a computer,
minicomputer, or microprocessor(s).
The microprocessor or "computer on a chip" may be
located at the portal, whereas the computers should
be at a hardened monitoring site. The cost of
using computers, even mini-computers, may be
prohibitive except on a large scale. The
microprocessor is a tiny computer that makes remote
sensors of large capacity possible. It can be
programmed easily, and is less vulnerable and more
economical than larger computers.
b. Software to control processors is of particular
value to the security industry. Programmable
Read Only Memory chips (PROM) can retain their
memory when power is removed. Simply by
changing the PROM's that contain the system's
program, a single set of basic hardware can be
optimized to perform a great variety of tasks.
Their use overcomes the difficulty and expense
of generating and updating the software required
by minicomputers.
c. Central Security Control Processor. Central
processors store reference files, which include
fingerprints, voice prints, and memorized
numbers, to verify authorized personnel at
terminal portals. Other functions performed by
the central processor depend on the system
design. At one extreme, only minimal capability
is designed into the portals; consequently, data
are transmitted to the central control and
passive decisions are made by the central
processor. At the other extreme, significant
capability is designed into the portal system
and passive decisions are made locally at the
portal. In all cases, portal system status and
alarm status signals are sent to the central
processor to be processed and then transferred
to the information display in the security
station. The central processor should also
perform functional and state-of-health tests,
and log transactions and alarms, to verify that
each portal is functioning properly.
d. Emergency Power Equipment. A power system's
greatest vulnerability to sabotage lies not
within a controlled area but along the
transmission lines between the power generation
station and the facility. Since these areas are
difficult to protect against sabotage, emergency
power will be provided.
2. SECURITY FORCE STATIONS
a. The information display system at a station
provides the security force with information
from the central processor. Since these
systems are usually self-operable, officers are
free to perform other functions. If the system
needs support, it will generate an audio signal.
b. Portal Status Assessment. Closed circuit television
(CCTV) provides visual coverage of an entire portal
area to help assess certain situations. In addition
to CCTV assessment, audio links with each portal in
the system allow the security force to communicate
with personnel using the portals.
3. COMMUNICATION NETWORKS
Tamper-proofing data transmission lines is an important
factor in the overall security of the entry control
system. The lines must be monitored to detect damage,
failure, or attack so that an appropriate response can be
made.
4. PORTAL SYSTEMS
a. General. Without officer assistance, a number
of portals can be used to control access to
automated systems. A portal may be simply a
keycard reader or, more elaborately, a separate
room or building with two interlocking doors.
One door acts as a barrier between the portal
interior and the controlled area, while the
other acts as a barrier between the portal
exterior and the noncontrolled area.
Based on the throughput rate (personnel per minute)
and maximum wait time, the number of portals
required at a given entrance can be established.
b. Scanners read cards, fingerprints, and hand
geometry then retrieve the employee's reference
file to compare the data to verify a person's
identify.
c. If portals rely on central control, a large number
of signal lines between the portals and central
control will be necessary, and servicing each portal
may be prohibitive. But if a portal has its primary
controller built in, supervision equipment is
minimized. This means that additional portals,
serviced by the same central control, can be
incorporated into the system with little effect on
overall system response time.
5. ENROLLMENT CENTER
a. The enrollment center formulates reference files
that must be transferred to the central security
control to be stored. In many systems, such as
keycard, the enrollment center is at the central
security control.
b. Access to enrollment centers and areas where
badges are fabricated and encoded should be
restricted. Scanners and badge information
need not be in the controlled area; however,
equipment for transferring that data to central
control should be located in the controlled
area.
6. BYPASS SYSTEM
a. Manual or portal bypasses are occasionally
necessary to process rejected personnel due to a
false alarm or to facilitate entry by
handicapped personnel.
b. Location. The location of a portal bypass
depends on entry-control strategy. If large
numbers of people are processed at an entry
point, the need for a portal bypass in the area
is justified. If few personnel are admitted at
several entry points, a centrally located portal
bypass is more cost-effective. For example, a
logical location for a perimeter portal bypass
might be at a vehicle access area where the
security force is normally present.
c. The type and the degree of modification that may
be required for physically handicapped personnel
is stated in Federal and state standards, which
specify dimensions, clearances, and design
criteria for stairways, walks, ramps, handrails,
doorways, and reach distances for controls. If
it is not feasible to handle handicapped
personnel routinely, the bypass portal, which
will allow the passage of a wheelchair, can be
used to provide personnel identification devices
located in accordance with appropriate
specifications.
7. IDENTIFYING SYSTEMS
a. There are three ways in which a person can be
identified by an automated system:
(l) By knowing an ID number or password;
(2) By carrying something such as a cardkey that
will activate a device at the access point; or
(3) By using a device that can measure static
characteristics such as height, weight, hand
print, or handwriting.
b. The keycard system is the most common. Coded
credential systems, also called key-card
systems, are commercially available as well.
The equipment outlined in subparagraph c below
is the result of compiling features and options
from a number of manufacturers. Interesting
features include the number of master-keying
levels possible, the number of times a card can
be recorded and used over, and the ability to
add hardware components or to change computer
programs.
c. Keycard System Options
(1) Central Controller. Digital computer with
modular component design, preprogrammed to run
the entire system. Complete with detection and
protection capability for power fluctuation.
(2) Recording Station. Records all events and
operator actions on rigid/flexible disk or
magnetic tape providing an audit trail.
(3) CRT Display. Large cathode-ray tube
provides high speed display of alarms and
other data, as well as providing the
operator readers interface via a keyboard.
Color and black and white tubes are
available.
(4) Video Equipment. A complete array of fixed
and scanning CCTV cameras are available for
visual checking of any location, sending
their images to the high-resolution
monitors at the controller console.
(5) Electronic Map Display. With up to 256 points
as to status of alarm and entry points, this
option provides immediate graphic indication of
building security and access activity in color.
Different colored lights, flashing and stable,
quickly identify problem areas.
(6) Alarm-Sensing Devices. Devices for sensing
smoke, fire, water level, intrusion, and
environmental (HVAC) changes can be installed as
part of the system. Alarm monitors constantly
check on the status of the sensing devices. Any
changes are relayed to the central controller,
which can either sound an alarm, switch on a
panel light, print out the warning, change map
display state, or automatically control a video
system.
(7) System Console. The minimum basic module is a
keyboard printer that can produce an original
and copies on standard printer paper. To enter
or obtain information, the operator types
commands in abbreviations and symbols.
Computer output is printed in English. Remote
operator terminals are also available.
d. Keycard Options. Keycard considerations include the
selection of card/badge sizes, which is usually a
compromise between a smaller, easily handled badge
and a larger badge with more room for a photograph,
colorcode indicators, and print. Most commercial,
coded credential systems use the standard credit
card size, 54 by 80 mm (2-1/8 by 3-3/8 inches).
This size, however, is too small or, at best,
marginally acceptable for a picture badge. A
slightly larger common badge size is 60 by 83 mm (2-
3/8 by 3-1/4 inches). Although the latter badge is
not much larger than the standard credit card, it
provides more area if designed vertically.
(1) Optical Coded Badge. The optical coded badge
contains a geometric array of spots printed on
an insert laminated into the badge.
Photodetectors in the badge reader detect the
relative optical transmission of the spots and,
hence, the code. The pattern of spots can be
concealed to resist tampering by making the
badge opaque to visible light but transparent to
infrared light. The spots are then printed with
ink which is opaque to infrared light. This
technique offers good tamper protection and
badges are reasonably difficult to counterfeit.
The badge can be made completely nonmagnetic and
nonmetallic so as not to interfere with metal
detectors.
(2) Electric Circuit Coded Badge. The electric
circuit coded badge is a plastic laminated badge
containing a printed circuit pattern that
selectively closes electrical circuits when
inserted into a badge reader. In this case, the
badge reader is simply a card edge connector for
a printed circuit board. The badge, however,
can be decoded with a simple electrical
continuity tester and counterfeit badges can,
therefore, be easily fabricated.
(3) Magnetic Coded Badge. Several magnetic coded
badge systems are presently in wide use. The
badge contains a sheet of flexible magnetic
material on which an array of spots have been
permanently magnetized. The code is determined
by the polarity of the magnetized spots. The
badge reader contains either magnetic sensors
that are interrogated electrically, or magnetic
reed switches that are mechanically actuated
when a magnetic spot with the proper polarity is
located adjacent to the reed. The magnetic
spots can be accidentally erased if the badge is
placed into a sufficiently strong magnetic
field. However, field experience has shown that
this is not a significant problem. The amount
of data that can be encoded on this type of
badge is limited to approximately 60 bits.
Since it is possible to build equipment to
recode or duplicate the pattern of magnetic
spots, fabrication of a false credential is
possible. It is more difficult, however, to
falsify this type of credential than to
fabricate an electric circuit coded badge.
(4) Magnetic Stripe Coded Badge. Magnetic stripe
encoding is widely used in commercial credit
card systems, and numerous vendors manufacture
equipment that is compatible with the ANSI
standard for this technique. With the magnetic
stripe coded badge, a stripe of magnetic
material along one edge of the badge is encoded
with the badge data. The data are then read as
the magnetic stripe is moved across a magnetic
read head. Data from the magnetic stripe can be
decoded or duplicate badges can be encoded using
parts from a common magnetic tape recorder. The
magnetic stripe is more sensitive to accidental
erasure than other magnetic techniques. Two
types of encoding are specified in the ANSI
standard for magnetic stripe encoding. One type
allows up to 40 numeric characters while the
other has up to 90 alphanumeric characters. The
use of alphanumeric coding allows the badge
holder's name to be included in addition to a
badge number. A disadvantage of the 90-
character data encoding, however, is that more
accurate reader spacing and alignment are
required.
(5) Passive Electronic Coded Badge. With the
passive electronic coded badge, electrically
tuned circuits are laminated into the badge and
the code is read by generating a sweptfrequency,
radiofrequency (rf) field and detecting the
frequencies at which significant energy is
absorbed. These frequencies correspond to the
resonant frequencies of the tuned circuits and
are decoded to give a unique badge number or
code. An important advantage of this technique
is that the badge does not need to be inserted
into a reader mechanism, but is simply placed
near the antenna that serves as the read
station. Badges can be decoded with common rf
test instruments and counterfeit badges could be
fabricated. The number of unique code
combinations is limited to a few thousand.
(6) Capacitance Coded Badge. With the capacitance
coded badge, an array of small conducting plates
is laminated in the badge. Selected plates are
connected together and the code is read from the
badge by an electronic reader that measures the
capacitance of the plates and distinguishes
which plates are isolated and which are
connected.
(7) Active Electronic Badge. The active electronic
badge system consists of a portable,
electrically coded badge and a stationary
interrogation unit. The interrogation unit
supplies power to the badge by magnetic
induction and receives and decodes the
identification number from the badge. When the
interrogation unit is placed at strategic
locations, such as corridors or doorways leading
to controlled areas, the system can
automatically monitor, identify, and log the
individual badge entering or leaving the rf
field without the employee taking any action
whatsoever.
(8) Nylon Badge/Key. This unit is not a badge
at all but a (5.08 cm/2") x (2.032 cm/.8")
x (.4064 cm/.16") key-blank shaped, glass-
filled nylon, magnetically coded metal key.
Like the key, the reader is about two-
thirds smaller. All keys look alike and
photographs are not possible.
e. Badge preparation. It is preferable that assembly
and lamination of the badge be performed at the
facility site. Intolerable delays, administrative
overhead, and reduced security may result if this
cannot be done. Coded badges must be enrolled in
the memory of the control processor after
fabrication. For simple systems, enrollment is
performed by means of a keyboard located on the
control console. Unless a backup copy of the
control processor memory is maintained, all badges
must be manually reenrolled after each power failure
or equipment malfunction. This could be a serious
problem for large Installations.
f. Durability. A badge should be able to withstand
daily use for a period of 5 years. Some
polyvinyl-chloride (PVC) plastic materials
deteriorate rapidly when exposed to sunlight.
Most common credit card materials exhibit these
problems. However, some PVC formulations are
available that eliminate most of these problems.
Polyester-based plastics are more durable, but
care must be taken in their selection to ensure
that reliable, permanent lamination of the badge
can be achieved.
(1) Some badges become brittle at temperatures below
10 degrees Celsius. As a result, for low-
temperature environments, Mylar badges (for a
suitable substitute) should be used.
(2) Although specifications must be checked for
each application, most credential readers
will operate from 0 to 70 degrees Celsius.
Humidity does not affect operation if the
temperature is above the dew point. If
credential readers are employed outside of
the entry-control portal, automatically
controlled heaters must be installed to
maintain the temperature above the dew
point.
g. Resistance to Decoding. Any type of coded badge can
be decoded and duplicated if sufficient money and
talent are devoted to the attempt. The following
list is Sandia Laboratory's (Reference l) ranking of
coding techniques from the easiest to the most
difficult to duplicate. (The badge/key has not been
evaluated).
(1) Electric circuit code;
(2) Magnetic stripe code;
(3) Magnetic code;
(4) Metallic stripe code;
(5) Capacitance code;
(6) Optical code;
(7) Passive electronic code; and
(8) Active electronic code.
(a) The first two coded badges are easily
duplicated, while the last six are
significantly more difficult to duplicate.
In general, it is not necessary to decode a
badge to duplicate it. The degree of
difficulty in decoding the badges listed
follows approximately the same rank order.
Often the code data are cryptographically
encoded or contain other internal checks.
Counterfeiting a new badge would then
require both decoding and understanding the
internal check algorithm; this type of
counterfeiting is much more difficult to
accomplish.
(b) Resistance to decoding and counterfeiting
is not as important if the badge is used in
conjunction with a separate personnel
identification system. In this type of
system, the badge number simply indexes a
file, the reference file, where personnel
identifier data are stored in a central
computer. Access is allowed only if the
personnel identifier algorithm is
satisfied. In this case, counterfeiting a
badge will not, in itself, guarantee
access.
h. The following card features are available:
(1) Most reader systems cards are compatible with
existing photo identification systems.
(2) Signature panels can be furnished.
(3) Cards are usually furnished by the factory
with sequential numbers. Should cards ever
need to be replaced or additional
quantities be required, this serial code
immediately identifies to the factory the
required code previously furnished. Each
facility has its own code. This feature
assures that only cards belonging to the
particular system with the correct
facility's code will operate the reader's
assigned "lock" section. Once the reader
has determined that the card is a proper
one for the system, it will open data
transmission lines to the controller,
causing the individual serial number of the
card to be transmitted for processing.
Credit cards, similar looking cards, or
even keycards with a different facility
code, will not function in the system's
readers.
(4) Up to four masterkey levels are available
in standard systems. The card itself is
encoded in the same manner as one would cut
masterkeys.
(5) Cards can be recycled. Reuse is limited to
14 holders in any system presently
available.
(6) Photo badge cards encourage employee
participation in the program. It is
possible for unauthorized persons to
"tailgate" their way through the electronic
system by walking in behind cardholders
before the door closes. Also, cards can be
lost or stolen and actually be in the hands
of an unauthorized person when they are
inserted into the readers. Since all
employees are required to wear their own
portrait ID cards, employees can maintain a
random system of spot checks within the
facility and thus discourage tailgating and
other unauthorized intrusion. Those not
wearing a badge can be questioned by their
peers or reported to security.
(7) In two systems available, the badge acts as
a mechanical lock key. The keycard (slot)
mechanical door lock can be used wherever a
standard key-operated door lock might be
installed. The card is virtually
impossible to duplicate and is capable of
millions of coding combinations. If the
card is lost or stolen, necessitating a
change in coding for added security, the
combination can be changed on site, without
the expense of a new lock and set of keys.
There is no need to remove the door lock to
make the change. The mechanical door lock
may be reprogrammed on the spot with the
use of a new "program board." Each card
lends itself to mastering or submastering
requirements. Three models are available:
(a) In the basic model, a rigid outside
knob can be unlocked only by the
insertion of the proper card. The
inside knob can open the door at any
time.
(b) In another type, a lever is located near
the inside knob. When the lever is not
engaged, the outside knob can open the door
at any time without using the card. When
the lever is engaged, the lock can only be
opened by the insertion of a properly coded
card. The inside knob then, can open the
door at any time.
(c) A third type contains a keyway on the
inside knob. When the push button is
engaged from the inside, card operation is
locked out, and access is only available by
an emergency key. When the push button is
released, access can be granted upon the
insertion of the proper card, or by the
emergency key. The inside knob can open
the door at all times, releasing the push
button (if engaged) each time it is
rotated.
i. The Reader
(1) Reader Uses
(a) Readers can be used to turn off or on
alarms, detectors, sensors, CCTV
systems, gates, etc.
(b) For safety, they can limit access and
usage of hazardous equipment to
trained or qualified operators.
(c) Control of fuel pumps, switches for
air conditioning/heating units,
floodlights, etc., is possible.
Trucking firms use the fuel pump
control to permit round-the-clock
operation.
(d) Tool storage cribs, food lockers and
freezers of food organic specimens,
and the like, can be protected.
(e) Elevator call buttons can be
controlled. Elevator readers are
available with or without keyboards.
(f) Card readers are being used by at
least one large trucking firm to
prevent hijacking of their vehicles.
The readers are mounted below the
dash. In addition to the unit, an
alarm system can be installed using
the existing circuitry of the reader
control box. If the vehicle is
tampered with when the driver is
absent, the alarm sends out a signal
to the driver on his pager, as well as
an audible signal on the truck itself.
(g) Copying machines can be controlled
from a nearby reader. If the
prospective user's status level
authorizes copier use at that time,
the machine is enabled. When copying
is completed, the employee removes his
card from the reader, which disables
the copier and simultaneously causes
his identifying number, along with the
number of copies made, to be entered
in the system activity log. The same
system can easily be adapted to
control any apparatus which can supply
a count pulse output.
(h) Computer terminal minutes of use can
be counted by requiring reader access.
(2) When considering replacement of a card
system, it should be remembered that some
card readers can be programmed to read the
codes on the magnetic stripes of cards that
were initially fabricated for other makes
of readers.
(3) The cardreaders described are the open slot
type (unlike the proximity sensors/readers
discussed elsewhere). This keyway type is
the most popular. It requires a plastic
card to be inserted fully into the opening
and withdrawn in the reverse direction.
Other firms offer a wipe-through, open-
ended channel. The manufacturers claim
there is less chance of bending the badges.
The proximity sensor type has one advantage
over both types. There is no opening to
stuff or jam with paper, flat tools, or
other objects.
(4) There are on-line and off-line reader
systems.
(a) An on-line system comprises card
readers which are directly connected
to the central controller. Each
reader performs a limited analysis of
the card (plus identification
keyboard-initiated number if used),
then communicates the derived
information to the central controller
for verification. Access is either
permitted or denied by the controller
sending a signal to the appropriate
reader. You can convert some card
readers to keyboard readers in some
on-line systems anytime without
additional wiring or computer
programming.
(b) "Off-line" means that each controlled
point of entry has its own self-
contained control, which operates
without reference to any central
control.
i. A number of units are available that
require no power other than that
required for the electric door strike,
and that use the card itself to
operate a microswitch.
ii. Units can contain battery backup for
emergency standby.
iii. The memory is permanent in case
of a power failure.
iv. Security is significantly increased
with an off-line system that uses both
a card and a PIN. Part of the card
encoding contains the identification
number in scrambled form and the unit
checks that this corresponds with the
entered code.
v. Off-line, stand-alone systems
generally offer programmable readers.
The card encoding and programming can
be arranged to provide a number of
access levels. Keys can be mastered
to actuate any door in an Installation
or submastered to actuate only
specific door locks.
vi. The entrance code can be changed in a
number of ways. In some models, a
program board is secured in the rear
of the reader housing. If the program
board is removed and not replaced, all
card holders will be excluded.
Because all cards are the same code,
it means that if any cards are lost or
a large number of employees are
terminated, one would have to change
the codeboard in each reader and issue
new cards to all existing qualified
personnel. Unless this is a situation
where changeovers occur on a scheduled
basis, this could be expensive.
However, if this does happen, the
dealer can return the cards and code
boards to the factory and they will be
recoded.
vii. Some readers can only be recoded
by replacing them. There is no
on-site programming featured.
Equipped with a keyboard the loss
of cards does not affect the
security of this unit. The
memorized "password" code that is
tapped into the keyboard can be
quickly changed by indicator
dials in the control box. This
means that the card
reader/keyboard unit can function
as a daily password device, with
a new code set into the control
daily, or whenever desired, and
the cost of reader replacement is
avoided. Some readers offer two
modes of operation. The card
reader may be switched from card
only mode of operation to card
plus digital code, known only by
the card owner. The card only
(or digital code only) choice
might be used for busy times or
heavy traffic areas.
viii. Another means of reprogramming
off-line readers that is quite
common is through the use of
miniature hand-held programmers.
After opening the front panel the
programmer is plugged in. Often
they are equipped with a four-
digit LED display showing the
number and its status. The
status is changed by just
pressing buttons. For some
makes, connected, multiple units
can be reprogrammed from a single
location. One may assign, deny,
reassign, or void any card or
group of cards, anytime. With an
inexpensive external timer, one
may allow certain cards to enter
during one period, and deny them
during another, or there may be
cards assigned to any time
period. Cards or internal
program boards do not have to be
changed. On some models a time
overlap operation is achieved by
inserting an interim program
board that enables both original
cards and new cards to be used
during a changeover period.
ix. The programmable reader can be
integrated with intercoms,
annunciators, phone directory entrance
systems and, as mentioned earlier,
closed circuit television equipment.
(5) Some systems have readers that can operate
independently as a card lock and/or as a
slave unit. The reader can either transmit
a code to a central controller or compare
this same number against an internal code
set at the lock itself. The codes are
easily set at the reader or from a remote
location. The flexibility of the system
will allow one cardkey to operate both "on-
line" and "off-line" equipment for any
length of time designated.
(6) Some readers act as a backup system to the
main controller. If communication with the
central computer is lost, the individual ID
code on the card can't be transmitted and
one will lose some central control
functions. But the access control system
can continue to work.
(7) Some of the more sophisticated optional
systems offer readers with features such
as:
(a) Audio signals that verify the proper
key stroke has been made;
(b) A four digit LED indicator that may be
used as a time clock or for other
digital messages;
(c) As many as six lighted message
indicator panels that clearly indicate
to the cardholder the results of the
read;
(d) Pleasant or unpleasant audible tones
to reinforce the message; and
(e) The reader, together with the
controller, can incorporate
sophisticated error recovery
procedures to protect against
communication line errors.
(8) The following features are common to many
units:
(a) Head life ratings of 250,000 pass-
through.
(b) On the keyboard models, one of the
digits can be designated a duress
alarm to send a silent alarm to the
monitor station. However, the door
will still unlock and there will be no
visual indication a alarm has been
transmitted. Besides the go/no go
signal, the reader can accept a number
of other commands from the controller
such as the "unlock" command, which
holds the door in the unlocked state
until a subsequent "lock" command is
received.
(c) An incorrect code alarm feature allows
a preset number of errors to be made
during code entry before producing a
loud local alarm. This prevents
access due to repeated random number
attempts.
(d) Tamper sensors trigger local and
monitoring console alarms if the
reader is physically attacked. The
reset can be at the reader or the
controller.
(e) The following sequence on keyboard
models is common. Before access is
permitted, three elements of
credential verification are required.
First, the facility code, unique to
each customer and invisibly programmed
onto each cardkey, is verified in the
reader. Next, if the facility code is
correct, the serial number invisibly
encoded on each card is electronically
read and cross referenced by the
secured control unit to establish the
unique 4-digit code necessary for the
cardholder to tap in at the keyboard.
Finally, the personal memorized code
is tapped in at the keyboard and, if
verified by the control unit as
correct for that cardholder, access is
granted. It is not unusual for the
sequence to be reversed in that the
first action may be keyboard operation
to establish access to the card memory
before card analysis can take place.
j. Reader Installation
(1) Card readers are manufactured in many
housing and mounting configurations to
satisfy any Installation requirement.
(a) The flush-mounted reader is the most
widely used of readers. This model
offers a simple mounting application
in various wall thicknesses using
extension bolts.
(b) There are surface mounted units also.
The surface mounted unit is most
suitable for installation on brick,
concrete, or other impregnable type
walls where there is only enough room
to bring the hookup wires to the
reader through conduit or a small hole
in the wall itself.
(c) Another type of housing available is
the pedestal mount. This housing
would be used to mount a reader at a
door entrance, parking lot entrance,
or any situation where the reader
housing cannot be affixed to a wall or
equipment surface.
(d) Another housing configuration is a
chain-link fence model.
(e) Special mounts are available for
rolling service doors. Readers can be
mounted right in a wood or metal door.
Door frame mounts are also available
for glass doors.
(2) Readers can be up to one and a half miles
from a microcomputer, using standard
twisted wire pairs, or up to three miles
using a multiplexer. For greater
distances, telephone lines driven by modems
can be used. When card readers are
separated from the system console by more
than 5000 feet, the cost of installing
cable signal attenuation and noise effects
makes it desirable or necessary to use data
modems for signal transmission.
(3) Unlike processing components, reader
systems do not require air conditioned
rooms. Operating temperatures range from
less than (-17.777- C/0- F) up to (44.888-
C/ 120- F) without a heater. Storage
temperatures of units can range from -25 to
160 degrees Fahrenheit. The card reader
must be able to be operated at all times
and in all weather conditions to provide
service. Not all readers have outside
weatherproofing kits.
(a) Cold weather packs include a heating
unit. It is a thermostatically
controlled resistance heating system
to keep those units with internal
moveable parts free to move at all
times.
(b) A weather seal or flap of ethylene
propylene is mounted between the
reader cartridge and the inside of the
face plate. This flap protects the
mechanism of the reader by keeping
dirt, dust, rain, and snow from
penetrating the reader housing. The
card must actually penetrate the seal
itself when it is inserted into the
card slot of the face plate. The
action of the flap being penetrated by
the card also serves to wipe off
anything on the card itself, keeping
it out of the reader.
(4) There are places where one should use an
electric deadbolt instead of an electric
strike, and places where you should not, to
unlock the door or gate. The strike is
much more suitable to situations where the
door controlled by a card reader is in
constant use. In many instances, however,
the deadbolt provides a much stronger
security locking system. The deadbolt,
operated by a card reader, is powered
instantly, but it does take a few seconds
for the bolt to retract from the strike
plate, allowing the door to open freely.
Because the electrically operated deadbolt
or strike is located at the door, it offers
you the opportunity to install alarm
sensing devices to signal when any attempt
of forced entry is made.
k. The Central Processor
(1) The real-time capabilities of a computer-
based security system enables it to process
alarms and keycard transactions as they
occur and, concurrently, perform a wide
range of other functions such as changing
an employee record, adding a new employee
to the file, or performing a search request
by using an associated CRT terminal in an
interactive mode.
(2) At the highest end of the security system's
spectrum, dual computer systems are
available, each with its own complete
memory. The tasks in the system are
divided between the two computers; this
maximizes the responsiveness of the system
for handling access requests and for
processing data to generate reports. In
addition to the basic data processing
tasks, the two computers monitor the
activity of each other. If a problem is
found in one computer, the other computer
assumes the entire processing load and
signals that service is needed. The system
never stops.
(3) Almost all of the recent ID technological
progress has been in computers or related
peripherals, and in the necessary
transmission links. The latter
developments are important since complete
system controllers/PU's need not be in the
same building it is controlling. Several
buildings with thousands of personnel and
hundreds of entrances can be linked to one
system. Local control of each can be
maintained as desired.
(4) Central control does not have to be at the
security master station. For instance, in
some systems alarms are recorded on
magnetic tape and transmitted to auxiliary
security stations for visual display on a
CRT or a printer.
(5) Central control consoles are delivered
preprogrammed to the user based on the needs of
the planning survey conducted jointly by company
representatives and facility representatives.
(6) As was mentioned earlier, in a fairly large
system the microprocessor might be
receiving data from hundreds of separate
events occurring simultaneously and
transmitting instructions and commands
after data collection and analysis. The
following will outline some of the
activities that are either standard or
optional, depending on a system's
sophistication. As with the reader and
card components, the information will
highlight some of the representative
features available in a number of systems
instead of describing a specific model or
models.
(a) General Features
i. The controller can scan each
channel of the system (alarms as
well as readers) independently at
a rate that allows every device
to be polled at least once per
second. When it picks up
activity at a reader, it passes
the card code from the active
reader, to the control unit.
ii. Systems, through electronic circuit
programming, can check themselves for
console or transmission lines
malfunctions.
iii. An individual door, a series of
doors, or all doors may be
automatically or manually shunted
from the system. A file in
memory lists all doors in a shunt
condition and presents the day(s)
and time period(s) the condition
exists.
iv. One can control the operating mode of
the access control system. One may
wish to establish an automatic time
program so that doors automatically
lock at prescribed times (after
hours). The security officer can
manually override the automatic system
to lock or unlock all doors or, in the
case of an emergency situation,
inactivate all readers and prevent
even those employees with valid cards
from entering.
v. Individual card holders can be entered
or deleted on line. There is no need
to place the system out of service.
They also can immediately assign new
security access status when an
employee is promoted or transferred
without reissuing a card.
vi. All changes or instructions to memory
can be made in English while remaining
on-line. Other languages are
available as well.
vii. Up to 16 readers may be connected
per modem for digital data
transmission over telephone
circuits to the central
controller.
viii. The decision to grant or deny
access can be made locally near
the object to which access is
desired, or centrally at one
location that controls many
objects. Each method has its
advantages and disadvantages.
a. Locally made decisions
require that a set of
hardware exist at each
access station to read an
access card and grant or
deny access accordingly and
accurately. Each set of
hardware must be well
protected, therefore,
against any compromise of
its function that makes
defeat of the system
possible. Also, the set of
reference data must be
updated within each local
unit as it becomes
necessary.
b. Centrally made decisions
require local hardware to
receive input data, transmit
and respond to a command, in
addition to central
equipment to decode the
card, identify the station,
reference the data, permit
or deny access, and transmit
commands back to the local
station. Central equipment
requires protected
communication lines between
the local and central
locations as well as
protection against shutdown
of the whole system. On the
other hand, it typically
allows more elaborate access
methods and more complete
record keeping. While
updating access reference
sets and more complete
record keeping are easier in
a centralized system, it may
be more difficult to protect
against equipment failure or
compromise than it would be
with local units.
c. Many of the problems can be
eliminated by combining the
two techniques so that the
local unit permits access,
and the central unit does
not veto it. The local
units may then be updated
easily, and the central
equipment may still produce
comprehensive movement and
status reports. Yet, if any
piece of equipment fails or
is sabotaged, security is
not completely compromised.
ix. Upon loss of power to the control
computer, all card readers can
automatically operate in an off-line
mode. As many as 128 time zones are
possible. A time zone is a completely
arbitrary set of time intervals. For
example, a single time zone may
include:
a. 9:00 am to 5:00 pm Monday
through Thursday
b. 9:00 am to 6:00 pm Friday
c. 8:30 pm to 12:00 pm Saturday
For high security areas, programming
can limit the areas to one access per
day or shift, hour, etc.
x. Batch processing. To save time
in programming, large numbers of
cards in consecutive groups (same
access level, time zone, etc.)
may be programmed in one
operation. Thousands of cards
may be programmed in seconds.
They may be voided out in an
equally short time. The cards
must be numbered sequentially.
If a block programmed card is
subsequently lost or stolen, the
serial number on the card that
replaces it will not be in the
same numerical order. For
example, if cards numbered 1
through 100, all with the same
access numbers, are programmed
into a system at one time and
card number 43 is lost, it might
be replaced by card number 208.
Along with other cards replaced
since the card group was first
programmed, it is out of
numerical order and each must be
programmed separately, one at a
time.
xi. If the message from the reader to the
central console is that the holder of
a card just inserted is not cleared
for access, an alarm is triggered at
the security control center. In
addition, the system produces a hard
copy readout-red letters on printed
tape-that tells the date, time, and
place of attempted entry. With this
information, staff can spot any
emerging pattern of repeated attempts.
They can then concentrate surveillance
at those points.
xii. To prevent the repeated use of
cards at selected reader
locations, an "antipassback"
feature can be programmed into
the controller memory. The
memory prevents the use of a card
more than once at the entrance
until it is again used at the
correct exit, where it is
returned to entry status.
(b) Optional Features
i. Most memory central options may
be added at any future time
simply by plugging modules into
an existing jack on the back of
the memory controller.
ii. An optional feature allows you to
issue cards with limited access to
your visitors. If the card is not
returned, it will be automatically
disabled at the end of the day.
iii. You can keep track of who is in
the facility with annunciators.
Each time someone uses a valid
card to enter, a light is
illuminated next to his or name
on a panel at the
control station.
iv. For paging purposes, the system memory
can be searched. The time and
location of last badging can be
obtained.
v. Personal accounting systems for "two-
man rule" implementation are available
as needed for special security areas.
A reader won't open a door until two
approved cards are
inserted.
vi. Access terminals can also be used for
security force latch tours. Computer
programs can be provided for both
random and compulsory tours.
vii. When queried by the employees
card code, the status level(s)
and latest activity of a
particular employee can be
learned. Information includes:
a. Employee name;
b. ID number;
c. Shift;
d. Card status (lost, stolen,
temporarily void, or
normal); and
e. Admittance level.
viii. The same types of information can
be learned of a particular door,
all of which are identified by
code. Examples are the holiday
status of the door (any openings
permitted and when) and length of
time a door will remain unlocked
when a reader is activated (e.g.,
3, 5, or 10 seconds).
ix. Information can be displayed on a CRT
or a paper printer or both, depending
on the equipment and the security
officer's instructions.
x. Various functions of the controller
are of a nature where immediate
attention of authorized personnel may
be required. For emergency situations
a controller program can establish a
fixed action routine for security
force officers monitoring the system.
Security personnel are provided with
complete information and instructions
related to each security transaction
as it occurs. This minimizes the
possibility of an improper response or
panic in an emergency situation.
Training security officers is faster
and easier. The actions to be
accomplished can be indicated on a
display (CRT), automatically activated
as soon as an alarm is triggered.
This display is brought to the
monitor's attention by a local alarm
sounding on the console. The display,
in its most sophisticated scheme, is a
graphic floor plan or area boundary
outline of walls, buildings, etc.,
with a distinct light indicator
pinpointing the exact location of the
alarm. Under this display is a text
of instructions. As examples, they
might include:
a. Send officer to "location."
b. Call fire department, "the
number."
c. Shut off data processing
master switch.
xi. Indication of an alarm condition
continues until the officer makes a
mandatory affirmative response. The
type of action taken and the time it
occurs is received by the processor
and stored in a data file in the
memory.
l. Reports Available. As mentioned above, many reports
can be prepared by the computer-based system. The
following is a list of the most common ones that can
become records. Management can select ranges and
criteria for each report tailored to the needs of
the facility.
(l) Comprehensive Transaction Log. This is a
record of all access transactions and
includes both granted and denied access
requests.
(2) Unauthorized Access Log. Only requests for
access that have been denied (failure to
key a correct memorized ID code or
insufficient authorization) are placed in
this file. Logging of authorized
transactions may be suppressed.
(3) Regulated Area Log. An area of a building
may be designated as a regulated area; the
computer maintains a special file for all
access activity in regulated areas.
(4) Regulated Person Log. A person may be
designated as a regulated person; the
computer maintains a special file for all
access activity or regulated persons.
(5) Daily Attendance Log. A list of all
employees (or all employees in a given
department or shift) who have reported for
work. Alternatively, a list of absentees
may be generated.
(6) Security Reports. The security officer can
be provided a printout of all persons
(cards) in the facility after a certain
hour. Managers may also want historical
records of security response to alarms to
include records of alarms they reset.
(7) Time Specific Logs. Events that occurred
during a specific period, such as card
transactions, alarms, operator actions, and
reasons for denial of entry.
(8) System Status Reports. Providing the
status and descriptions of alarm groups and
card readers.
(9) Job Time Log. This file contains
information on the amount of time spent on
various jobs when readers are used in
conjunction with machinery.
Note: In automated systems, reports can be
printed on the standard line printer,
transferred to microfiche for storage, or placed
on magnetic tape.
m. Proximity Badge Reader Systems
(1) There are three proximity frequency sensing
systems on the market used as personnel
access control systems. These are
badge/cardkey sensor, door-strike-door
activation systems that have eliminated the
conventional card slot readers. For the
sake of illustration, one popular system is
detailed.
(a) The command key is a passive
electronically coded vinyl badge in
standard credit card size. The badge
is coded to respond to three specific
RF frequencies providing a chance key,
master key and grandmaster key
capability for integration with other
systems in a building or complex.
(b) A flexible vinyl sensor with an
adhesive neoprene pad is supplied with
each system. There are four different
models. The standard unit supplied
can be placed up to 151.5m/500 feet
from the control unit. Others can be
mounted from 151.5m/500 to 303m/1000
feet from the control unit; two are
designated for glass mounting. The
sensors are 21.3m/8.4 x .32cm/1/8
inch, flat, circular disks mounted
adjacent to the door being controlled.
(c) A transformer plugs into a standard
115 VAC power outlet and provides 12
VAC power to the control unit. A
standby power unit replaces the
transformer and plugs into 115 VAC
outlet. It contains a 4-1/2 ampere-
hour battery with regulated charging
circuits sufficient for 3 hours of
operation with a hundred look
actuations.
(d) The control unit contains the
electronic circuitry, the authorized
key code, and power supplies to
provide unlocking power to the locking
hardware. The unit may be mounted in
any secure location within a
303m/thousand feet of the door being
controlled. A single coaxial cable
connects it to the sensor.
(e) Operation. By bringing the badge within
(12.7 to 17.8cm) (5 to 7 inches) of a
sensor located near the door, the system is
actuated within one-half second. This is
accomplished by the sensor "sensing" the
key code and sending it to the control
unit. There, the code is compared against
stored, valid codes. If the badge code is
authorized for that door at that time, a
signal is sent to unlock the door's
electrically actuated lock. If that badge
code is not authorized, the system will
prohibit access and will sound an alarm
when so required.
(f) All system activity messages may be
output to a printer and auxiliary
output data ports, in addition to
being displayed on the CRT. The
operator may select which types of
messages will be output to each port
(printer or CRT).
(g) System Features/Options
i. Proximity card reader access control
for up to 256 sensors.
ii. Memory for 5000 distinct key codes.
iii. 123 access levels.
iv. Eight time codes for access control by
time. Each time code has start times,
stop times, and any combination of
days of the week for which the time
code is valid. One time code is
assigned to each key code.
v. Card codes can be read from both
sides of a sensor. Many areas
may be controlled for both entry
and exit using a single sensor.
vi. Recall of over 10,000 system activity
messages recorded on disk.
vii. Over 30 computer commands for
such functions as entering data
into memory, operator overrides,
alarm acknowledgement, system
status reports, listing, disk
searches, debugging, and
maintenance.
viii. Three command levels provide
protection against unauthorized
entry into the system for
programming or operating.
Programming or operating of the
system, via the system's
terminal, requires an operator to
enter a command level by typing a
user defined password. Each
password is assigned to only one
command level.
ix. Selectable printout of system activity
and alarms.
x. Options to control both ingress
and egress with a single sensor.
xi. Individual card recognition and
voiding capabilities.
xii. Variable door unlock time. Four
seconds standard. Variable door
unlock time potentiometer, allows
timing to be set from 1 to 25
seconds.
xiii. Alarm and lockout time: five
seconds minimum.
(h) The frequency-sensing systems suffer
chiefly from drifts in the coded
frequencies caused by shock,
vibration, component aging, etc., and
especially from changes in
temperature. This drifting means that
to avoid overlapping and confusion,
only a limited number of frequencies
in a given band may be used for coding
purposes. A further hazard is the
possibility of picking the lock by
breaking the codes. The fact is that
"Key" frequencies and/or codes in most
existing systems can eventually be
determined, some more easily than
others.
e. Positive Personnel Identity Verification
Techniques. Systems that verify identity based
on some unique physical characteristic of the
individual.
(1) Fingerprint Systems. "What a person is"
presents a good case for identification. It is
for this reason that fingerprints are widely
accepted as positive identification. While
fingerprints can be forged, it is a difficult
process that often fails.
(a) One firm presently offers an automatic
fingerprint verification system. The
system consists of up to 16 finger-
scanning terminals placed at entry
points and a central control console
located in a controlled area. The
terminals have digital keyboards.
(b) System Operation. In the enrollment
sequence, the system optically scans
each of the eight fingers (thumbs are
not used) and selects two, primary and
alternate. The primary is then
scanned to build up a minutiae data
base and to determine which one of two
matcher algorithms will be used for
subsequent verification attempts for
this finger.
i. To request access to an area an
individual enters a preassigned
number on the keyboard at the
terminal and places the primary
finger on a scanning window.
ii. An area or the fingerprint is
optically scanned, and the
automatically extracted minutiae are
stored in the output buffer and
simultaneously made available to the
"matcher." (Prior to finger scanning,
the file minutiae are sent to the
terminal from the central computer as
initiated by the entry of the numeric
I.D. on the keyboard).
iii. After subject minutiae
extraction, the matcher is
automatically initiated. If the
subject is authorized access,
then a positive action such as
opening a door or unlocking a
computer terminal is taken.
iv. The system allows up to three scans on
the primary finger followed by up to
three scans on the alternate finger.
The user can verify on any one of
these six scans; a rejection occurs
only after all scans have failed.
(c) System Details. The scanning terminal
uses electromechanical motion of a
mirror to scan the reflected ridge and
valley images of the finger placed on
a prism located in the terminal
scanning window. The scanned image is
converted to digital data by
photoelectric devices. The data are
transmitted asynchronously to the
central control console. The
transmitted image consists of an 12 x
125 array of points representing about
a l-cm square near the center of the
finger.
i. The terminal is 45.72 cm/18" high
x 38.1 cm/15" wide x 38.1 cm/15"
deep and is wall mounted. Weight
is 18.144 kg/40 pounds. Optimum
environment is 4.440- C/40- F to
26.66- C/80- F in relative
humidity of 10 to 95 percent.
ii. According to the manufacturer, the
scan time is one second. Processing
time-minutiae extraction, and file
minutiae matched against subject
minutiae-is less than 2.5 seconds
after the end of the scan.
iii. The central security control
console is comprised of terminal
controllers, a preprocessor, a
control processor, storage disks,
and a control panel. The control
processor continually
communicates with the terminal
controllers, requesting the
status of terminals and checking
whether any service is required.
If service is requested by a
terminal (such as an entry
request), the control processor
acknowledges the request by
accepting the ID number and
loading fingerprint data for that
number from a data storage file.
The control processor then
directs the terminal controller
to initiate a finger scan at the
requesting terminal. If the
finger is properly placed in the
terminal scan window, the
terminal scans the finger and
transmits the image array
asynchronously to the central
control preprocessor. The
preprocessor divides the image
into 100 smaller arrays and
determines if these smaller
arrays contain minutiae (ridge
endings or ridge forking). The
preprocessor determines the
minutiae locations and
characteristics in the scanned
image and transmits this data to
the central processor. The
central processor correlates the
data from the preprocessor with
the data stored from previous
enrollment scans. From this
correlation, the central
processor determines a score of
the scan and makes a "verified"
or "not verified" decision, which
is transmitted to the scanning
terminal and displayed to the
person requesting entry. The
central control station performs
a number of tasks, including
tests of tampering with the
system, tests for suspicious
activity (such as a number of
attempts to key in an unassigned
number), and daily logging of
entries at each terminal.
(d) In addition to the usual peripherals,
such as the CRT/keyboard, printer, and
minicomputer, the following system
options are also available:
i. In option l, the company supplies
the terminals meant to be
interfaced with the customer's
computer. Additionally, the
company supplies a descriptive
interface package that instructs
the user in the necessary
software programming of the
computer to effectuate operation.
ii. In option 2, the company supplies
a turnkey system, including the
terminals and its dedicated
central computer. Different
models have varying file
capacities; one series easily
encompasses 100,000 individuals.
iii. In option 3, the Installation
supplies a multiplexed turnkey
system where the local terminals
are in relatively close proximity
to the secure physical area or
secure data access points, but
the central computer is remotely
located in the Installation
service area. The computer and
its auxiliary printers, CRT entry
terminals, etc., are multiplexed
for multi-remote terminal
operation. Similarly, the
indicated phone lines and
terminating modem at the facility
are multiplexed for multiremote
terminal networks. The terminals
are line concentrated to a
dedicated network modem which
transmits and receives signals to
and from the central computer via
the dedicated line.
Multinetworks from a given local
geographical area can time share
their data flow across a given
phone line. For this system
configuration, the customer pays
a monthly charge for his part of
the fixed modem/line charges and
a transaction rate fee.
iv. In option 4, the company may
operate in any of the prior
designated modes with the
additional inclusion of an
internal PROM-supported minutiae
file of key individuals who can
still gain access to and from the
central facility even under
catastrophic interruption of
communication.
v. In option 5, company terminals
are configured as described in
either option 1 or 2, and
possibly coupled with 4, but
option 5 uses the computers in
the company service bureau as the
backup central facility to avoid
frustrating problems concerned
with enforced downtime on the
primary central computer.
(e) Error Rates. In three independent groups
of government-sponsored field tests over
periods of 47 days, three months, and four
months, the lowest error rates follow:
i. Type I: 9, 2.18 and 2.32
percent.
ii. Type II: 58, 6.54 and 6.60
percent.
Note: Verification rates were twice that
claimed by the manufacturer.
(2) Hand Geometry System. Proof that hand
geometry is a measurable unique
characteristic of individuals has been
established. Two versions of hand geometry
systems are available on the market:
computer and multiplexer console
controlled.
(a) Components and Operation
1. Portal. The portal, called a
transmitting identifier, is a
33.02 cm/3"(W) x 53.34 cm/21"(D) x
49.53 cm/19 1/2"(H) console (hand
scanner) weighing 20.412 kg 45 pounds.
It is placed on a desk or shelf 30 to
33 inches above the floor. Operating
temperature is 10- C/50- F to 37.777-
C/100- F. It can either operate on-
line or in the stand-alone mode.
a. The scanner plate of the
console has a hand outline
template with a steel peg
guide for proper placement
of the fingers, a palm
capacitive switch to sense
hand presence, a card reader
slot in the non-computer
system, status indication
lights, and a lamp. This
hand decoding terminal has
photodetecting devices in
the slots beneath each
finger which scan the hand,
the area between the index
and middle fingers, and the
area between the ring and
little fingers. These
scanners are used to
determine the length of each
finger.
b. When an individual wishes to
use the card noncomputer-
based system, he enters his
reference file number
through the reader. The
central controller retrieves
the necessary reference file
data from separate memory
(add-on storage) or out of
its own capacity. A scan of
the hand is made and these
data are transmitted to the
controller, which makes a
finger length comparison. A
decision on verification is
then transmitted back to the
scanning terminal.
c. In computer-based
applications, the system
randomly selects either hand
or demands both without
warning.
d. The controller informs the
individual, by extra lights
located on the hand scanner,
what hand is to be scanned.
There are then programmable
variations available as to
what will happen if one hand
is rejected; for example,
the system alarms trigger or
access is granted if the
other hand is accepted.
e. There is an adjustable door
lock timer. The limits are
from .5 to 15 seconds.
f. As with other portal
activation equipment in
automatic systems, a signal
can activate an electric
door strike, allow a time
clock to punch, or permit
access to a computer, etc.
ii. Encoder and Enrollment. The
encoder, used in a non-computer
card system, plugs into any
portal console within its system
and enables magnetic stripe cards
to be encoded. It is 33.02
cm/13"(W) x 122.58 cm/l9(D) x
77.419 cm/12"(H) and weighs 9.979
kg/22 pounds. Operating
temperature is the same as for
the portal. The encoder for each
customer is unique. A card made
on one customer's system cannot
be used in another customer's
system.
a. A blank card is inserted
into the portal reader slot.
The user places one hand on
the template and the encoder
computes the hand geometry
readings and encodes those
readings on the card, along
with any area access and/or
employee number data. The
latter data are entered
through encoder hand
controls. The action is
repeated for the other hand.
Enrollment time is less than
2 minutes.
b. Up to twelve area access
zones and up to an eight
digit employee
identification number is
possible.
c. Automatic duplication of the
cards is possible. This is
done primarily to have a
backup master file card to
change the employee's status
level without him or her
physically reporting in.
d. In a computer-based system,
encoding is accomplished
with the CPU, not an
encoder.
iii. Card Reader. A separate card
reader is available where
security provided by the hand
identification procedure is not
required. The unit is
programmable for cards only for
that activity or one limited area
within the facility.
a. The unit is equipped with a
door lock timer from 0.5 to
15 seconds.
b. On-line or stand-alone modes are
switch selectable.
c. Surface-mounting is standard
with flush mounting
available.
d. Dimensions: 25.4 cm/l0"(H)
x 20.32 cm/8"(W) x 11.43
cm/4 1/2"(D).
e. Since the portal and reader
accept the same card, any
combination of the devices
may be intermixed in a
system.
iv. Central Console. The console in
a noncomputer system is a type of
multiplexer. The basic central
console contains memory for 1,000
employees and can be used with up
to 15 stations. The unit is
completely automatic except for
requiring an operator for listing
and deleting employee numbers in
the memory. There is automatic
battery backup for memory in case
of a power failure. Automatic
polling of the stations takes
place continuously. With add-on
memory, up to 10,000 employees'
validation data for up to 63
stations can be provided.
v. Optional Features
a. A printer that provides the
employee number, time, date,
station and access
indication or reason for no
access.
b. An alarm point station
monitor that gives audible,
visual and permanent printed
record of alarm conditions.
c. Memory expansion in 1,000
employee increments.
(3) Federal Test Results. A number of field
evaluation tests have been conducted by the
Armed Forces, and through contract, by
nonmilitary U.S. agencies. Two multiphase test
summaries follow:
(a) Type I Error (%) Type II Error (%)
9.0 0.0
6.4 0.0
4.4 0.0
3.7 0.0
3.4 4.5
3.0 4.5
2.7 5.5
(b) Type I Error (%) Type II Error (%)
3.0 3.0
0.62 3.68
0.89 2.97
APPENDIX L: FENCE STANDARDS
It is sometimes necessary to establish external perimeter
barriers around facilities or areas to create physical and
psychological deterrents to accidental entry; to delay
intruders; make detection and apprehension by security forces
more likely; to increase the effectiveness of security forces;
and to direct the flow of vehicle and pedestrian traffic. A
fence is the barrier most often used to accomplish those goals
and to define property lines. Dual fencing can be used for
those highly sensitive areas such as Category A, NASA Resource
Protection (NRP) facilities where it is essential to slow down
or deter a potential intruder. If the cognizant security
official at a NASA facility decides that fencing is required,
the following minimum standards should be met.
1. CHAIN LINK FENCING
Chain link fencing is the type of structural barrier most
commonly used and recommended for security purposes and
should be used to enclose areas where fencing is
required. The following standards apply:
a. Fabric. The standard fence fabric will be nine-
gauge (3.8 mm) zinc or aluminum-coated steel
wire chain link with mesh openings not larger
than 2 inches (50 mm) per side and a twisted and
barbed selvage at the top and bottom.
b. Fabric Ties. Only nine-gauge (3.8 mm) steel
ties should be used. If the ties are coated or
plated, the coating or plating will be
electronically compatible with the fence fabric
to inhibit corrosion.
c. Height. The standard height of a security fence
should be eight feet (2.4 meters). This includes a
fabric height of seven feet (2.1 meters), plus a top
guard. Building connections may need to be higher.
d. Posts, Supports, and Hardware. All posts,
supports and hardware for security fencing
should meet the requirements of Federal
Specification RR-F-191/3B. All fastening and
hinge hardware should be secured in place by
peening or welding, to allow proper operation of
components, while preventing disassembly of the
fencing or removal of gates. All posts and
structural supports will be located on the inner
side of the fence. Posts will be positively
secured into the soil to prevent shifting,
sagging, or collapse. A top rail assists
climbers and should not be specified in a
security application unless appearance is of the
utmost importance.
e. Reinforcement. Taut reinforcing wires should be
installed and interwoven or affixed with fabric
ties along the top and bottom of the fence for
stabilization of fence fabric.
f. Ground Clearance. The bottom of the fence
fabric must be within two inches (50 mm) of firm
soil or buried sufficiently (concrete footings
or gravel may be used) in soft soil to
compensate for shifting soil.
g. Culverts and Openings. Culverts under or
through a fence should be of ten inch (254 mm)
pipe, or of clusters of such pipe, or
equivalent. Openings under or through a fence
should be secured with material equal or greater
in strength than the fence.
h. Top Guards. A top guard should be installed on
all perimeter fences and may be added on
interior enclosures for additional protection.
The top guard should consist of three strands of
steel barbed wire stretched taut at a 45 degree
slant, and fastened to supporter posts. The top
strand should be 12 inches (.3 meters) above and
parallel to the fence line and the remaining two
strands should be spaced evenly between the top
of the fence and the top strand of barbed wire.
Top guard supporting arms should be permanently
affixed to the top of fence posts.
i. Fence Placement. No fence should be located so
that the features of the land (topography) or
structures (utility tunnels, light and telephone
poles, fire escapes, ladders, etc.) defeat its
purpose by allowing passage over, around or
under the fence.
j. Barriers. Buildings, structures, waterfronts,
and other barriers used instead of (or as part
of) a fence line must provide equivalent
protection to the fencing used in that area.
k. Clear Zones. Normally a clear zone of 3.048m/10
feet on both sides of the fence is provided.
The clear zone should be free of obstruction to
allow observation by a security force member.
2. ALTERNATIVE FENCING
Where a boundary passes through an isolated area (forest,
jungle, or swamp) that is unpatrolled and where vehicular
passage is impossible, the boundaries may be defined with
a three or four strand barbed wire fence approximately 4
feet (1.2 meters) high.