UNCLASSIFIED//
ROUTINE
R 051800Z JAN 16
FM SECNAV WASHINGTON DC
TO ALNAV
INFO SECNAV WASHINGTON DC
CNO WASHINGTON DC
CMC WASHINGTON DC
BT
UNCLAS
ALNAV 001/16
MSGID/GENADMIN/SECNAV WASHINGTON DC/-/JAN//
SUBJ/UNAUTHORIZED DISCLOSURES OF CLASSIFIED INFORMATION OR CONTROLLED UNCLASSIFIED INFORMATION ON DEPARTMENT OF THE NAVY INFORMATION SYSTEMS//
REF/A/DOC/DOD/14 AUG 2014//
REF/B/DOC/DOD/24 FEB 2012//
REF/C/MSG/SECNAV/DON/192014Z AUG 2010//
REF/D/MSG/SECNAV/DON/222106Z FEB 2011//
REF/E/DOC/SECNAV/JUN 2006//
REF/F/MSG/NAVY/071526Z MAY 2008//
REF/G/DOC/SECNAV/17 MAY 2012//
REF/H/DOC/NAVY/7 JUN 2010//
REF/I/DOC/NAVY/9 SEP 2013//
REF/J/DOC/DOD/24 FEB 2012//
REF/K/MSG/DONCIO/291652Z FEB 2008//
REF/L/MSG/NAVY/032052Z NOV 2008//
REF/M/SECNAV/28 DEC 2005//
REF/N/MSG/SECNAV/DON/042232Z OCT 2007//
REF/O/MSG/SECNAV/DON/181905Z DEC 2008//
REF/P/DOC/CNSS/01 FEB 2008//
REF/Q/DOC/SECNAV/JUN 2006//
REF A IS DEPSECDEF MEMO, UNAUTHORIZED DISCLOSURES (UD) OF CLASSIFIED INFORMATION OR CONTROLLED UNCLASSIFIED INFORMATION (CUI) ON DOD INFORMATION SYSTEMS.
REF B IS DODM 5200.01-VOLUME 3, DEPARTMENT OF DEFENSE (DOD) INFORMATION SECURITY PROGRAM: PROTECTION OF CLASSIFIED INFORMATION.
REF C IS ALNAV 055/10, SAFEGUARDING CLASSIFIED NATIONAL SECURITY INFORMATION.
REF D IS ALNAV 014/11, SAFEGUARDING CLASSIFIED NATIONAL SECURITY INFORMATION REPORT OF FINDINGS AND RECOMMENDATIONS.
REF E IS SECNAV M-5510.36, DEPARTMENT OF THE NAVY (DON) INFORMATION SECURITY PROGRAM MANUAL.
REF F IS BANIF 020-08, SECURITY INCIDENT REPORTING PROCEDURES.
REF G IS SECNAVINST S5460.3G, MANAGEMENT, ADMINISTRATION, SUPPORT, AND OVERSIGHT OF SENSITIVE ACTIVITIES, SPECIAL ACCESS PROGRAMS AND OTHER COMPARTMENTED ACTIVITIES WITHIN THE DEPARTMENT OF THE NAVY.
REF H IS OPNAVINST N9210.3, SAFEGUARDING OF NAVAL NUCLEAR PROPULSION INFORMATION (NNPI).
REF I IS NAVSEA 08 LTR SER 08B/13-00231, POLICY FOR PROCESSING AND HANDLING UNAUTHORIZED DISCLOSURES OF UNCLASSIFIED NAVAL NUCLEAR PROPULSION.
REF J IS DODM 5200.01-VOLUME 4, DOD INFORMATION SECURITY PROGRAM: CONTROLLED UNCLASSIFIED INFORMATION.
REF K IS GENADMIN MSG, LOSS OF PERSONALLY IDENTIFIABLE INFORMATION (PII) REPORTING PROCESS.
REF L IS NTD 11-08, ELECTRONIC SPILLAGE REQUIREMENTS.
REF M IS SECNAVINST 5211.5E, DON PRIVACY PROGRAM.
REF N IS ALNAV 070/07, DON PERSONALLY IDENTIFIABLE INFORMATION (PII) ANNUAL TRAINING POLICY.
REF O IS GENADMIN, DON PII TRAINING REQUIREMENT.
REF P IS COMMITTEE FOR NATIONAL SECURITY SYSTEMS INSTRUCTION NO. 1001.
REF Q IS DEPARTMENT OF THE NAVY PERSONNEL SECURITY PROGRAM MANUAL.
POC/BRIDGET DELGROSSO/CIV/DUSN(P)SECURITY/LOC: WASHINGTON DC/TEL: (703) 601-0608/EMAIL: BRIDGET.DELGROSSO@NAVY.MIL//
POC/JOHN BUNKALL/CIV/DONCIO/LOC: WASHINGTON DC/TEL: (703) 695-2933/EMAIL: JOHN.BUNKALL@NAVY.MIL//
RMKS/1. This is a coordinated Deputy Under Secretary of the Navy (Policy) (DUSN(P)) Security and Department of the Navy (DON) Chief Information Officer (CIO) message that outlines the DON-specific implementation and reporting requirements of REF A. Nothing in this ALNAV shall be interpreted to delay or preclude immediate reporting of instances of UD or other compromise of CUI to the Naval Criminal Investigative Service when there is a deliberate or suspected intent to commit espionage or harm national security.
2. Background. UD of classified information or CUI pose a significant threat to our nation’s security and to DON operations and missions. It is imperative our Sailors, Marines, civilians, and contract personnel safeguard classified information and CUI as stated in REF A.
3. Scope and applicability. This ALNAV applies to all DON Sailors, Marines, civilians, foreign nationals, and contract personnel authorized access to DON networks and information systems.
4. Purpose and definitions.
This ALNAV reiterates and strengthens responsibilities, identifies training and reporting requirements, and assigns actions to be taken by Commanding Officers (CO), supervisors, security staff (e.g., Command Security Manager (CSM), Special Security Officer (SSO), Information System Security Manager (ISSM)), privacy officials, and users on DON networks and information systems in the event of an electronic spillage (ES) or UD of classified information and CUI, including unclassified Naval Nuclear Propulsion Information (U-NNPI).
a. CO is used throughout this message as a generic term to identify a position of authority at any DON organization, base, station, unit, laboratory, installation, facility, center, activity, detachment, squadron, ship, battalion, regiment, etc.
b. An ES is defined in para 4.a of REF A, referred to as data spill in that reference. Examples of an ES of classified information: Secret information processed on and/or transmitted via NIPRNET; TS/SCI information processed on and/or transmitted via SIPRNET. Examples of an ES of CUI: For Official Use Only (FOUO) information posted to a publicly accessible website; FOUO-Law Enforcement Sensitive (FOUO-LES) information forwarded to a personal email address.
c. A UD is defined in REF B as a communication or physical transfer of classified information or CUI to an unauthorized recipient. Many spillages result in UD of classified information or CUI.
d. Para 7 of REF A refers to classification by compilation, which means information individually unclassified or classified at a lower level, but when aggregated or compiled in a single document, may become classified or classified at a higher level, if the aggregation reveals an additional association or relationship that meets the standards for classified information under an executive order.
5. Discussion.
Despite previous correspondence and various safeguards, DON network users continue to cause ES, degrading operational readiness and underscoring a lack of information security discipline. This poses a risk to national security, can lead to a loss of confidence in the Department's ability to safeguard information, and creates the potential for further widespread UD of that information.
6. Action. Effective immediately, ensure compliance with the requirements in REF A and the following DON-specific implementing requirements. Service, program, or command-specific policy shall be updated to reflect the UD and ES classified information reporting requirements.
a. To aggressively monitor ES and UD of classified information, and IAW REFs A, C and D, DON/Administrative Assistant (DON/AA), Chief of Naval Operations (CNO), and Commandant of the Marine Corps (CMC) shall implement the following:
(1) DON/AA (less NCIS, NAVIG and ONR), CNO, and CMC (or designated representative) shall submit a quarterly (vice monthly) report to DUSN(P) Security supporting DUSN(P) as the senior agency official for security, and the DON CIO as the DON senior Chief Information Officer for cybersecurity and senior official for privacy. NCIS, NAVIG, and ONR shall submit reports direct to DUSN(P) Security and DON CIO. Reports are due to DUSN(P) Security and DON CIO NLT 30 working days after the end of each quarter of the fiscal year.
(2) Reports shall include the following information: The number of classified UD(s), including a UD(s) resulting from an ES, originating within area of responsibility (AOR) under DON/AA, CNO, and CMC; preliminary inquiries (PI) completed and reported; classification level involved for each UD and/or ES originated within AOR; action taken by commands to prevent reoccurrence; the ES and/or UD category (i.e., willful, negligent discharge of classified information (NDCI), or inadvertent) as defined in para 10.A, REF A; and the type of administrative, judicial, contractual, or other disciplinary/corrective actions recommended and/or taken, if applicable.
(3) DON/AA, CNO, and CMC shall issue and/or update guidance to subordinate commands to meet the reporting requirement.
b. ES and UD reporting requirements follow:
(1) Classified collateral information: Chapter 12, REF E refers for PI reporting requirements, along with modifications identified below:
(a) COs shall comply with the PI completion timeline in REF B, which shall not exceed 10 working days vice the 72 hour requirement in Chapter 12, REF E.
(b) Comply with the PI report format in Chapter 12, REF E, with the following changes: Add to para 3 or I of the PI (as applicable depending on the PI format used), an additional sub-paragraph that identifies the category (i.e., willful, NDCI, or inadvertent) of ES and UD as defined in para 10.A, REF A; and at a minimum designate and mark the PI as FOUO.
(c) Initiation of a PI shall not be postponed to obtain a classification determination from the original classification authority (OCA) via other means when an incident occurs. The PI facilitates that decision when submitted to the OCA, per requirements in Section 9 Actions to be Taken by the OCA, Enclosure 6, REF B.
(2) Reporting requirements for special types of classified information, U-NNPI, and CUI are as follows, but the required documentation shall include the information in para 10.A, REF A.
(a) Sensitive Compartmented Information (SCI) (e.g., Intelligence information marked with SI, TK, or HCS handling caveats): REF F applies.
(b) Special Access Program (SAP): REF G applies.
(c) NNPI: REFs H and I apply for U-NNPI. REFs C and H, along with requirements in para 6.b.(1) above, apply for classified NNPI.
(d) CUI: Section 1.K, REF J applies, with exception of PII. A breach of PII shall be reported per REF K.
(3) Specific steps to be taken when an ES of classified information occurs are promulgated via the release of this ALNAV, cancel the requirements of REF L, and are posted on the DUSN(P) Security website at https://portal.secnav.navy.mil/orgs/dusnp/sitepages/home.aspx.
c. REFs B, H, J, M, N and O identify elements of training for inclusion in initial indoctrination and annual refresher training for classified information and CUI, along with training resources. Refer to para 6.g below for re-indoctrination briefing requirements.
d. The aggregation of data on our networks and information systems coupled with the drive towards information sharing could result in classification by compilation, resulting in an ES of classified information if processed on an information system not authorized for that security level: DON personnel shall refer to Security Classification Guides (SCG) issued by an OCA to determine if the information results in classification by compilation. If in doubt, contact the applicable OCA(s) for a classification by compilation determination, when the information is not identified in an SCG. A current list of DON OCAs can be found at http://www.secnav.navy.mil/dusnp/security/information/pages/classificationmanagement.aspx.
e. It is the responsibility of the CO to appoint a Preliminary Inquiry Officer (PIO) to initiate the PI vice the Head of the DoD Component as stated in para 8, REF A; the CO may delegate that authority to the CSM.
The appropriate command authority (i.e., CO or CSM) to appoint the PIO shall be included in command security policy: The requirements in Section 3.C, Enclosure 6, REF B apply, if the person reporting an incident believes the CO or CSM may have been involved in or responsible for the incident.
f. Procedures required for associated cleanup costs are included in the steps to be taken for an ES posted at the website in para 6.b.(3): CNO and CMC shall develop and issue policy identifying the risk management process and factors for the appropriate remediation options and procedures when an ES of classified information on DON networks occurs, per requirements in REF P.
g. The CO must consider the requirements of para 10, REF A for any incident related to the improper handling of classified information and CUI or improper use of information systems. At the discretion of the CO or supervisor, the following actions should be taken for willful violations of classified information or NDCI, and may also be applied to PII breaches and UD of U-NNPI. However, the CO or supervisor shall consult with the appropriate legal and personnel offices for guidance, prior to initiating the actions below or any other corrective actions to ensure they are developed IAW established disciplinary and adverse action procedures.
(1) First time offenders should have their network privileges temporarily disabled while ES remediation is underway, but for no less than five working days. Offenders should receive formal counseling and a copy of that action must be provided to the CSM, ISSM, privacy official, and the violator's supervisor, as applicable. If network privileges are suspended, the offender shall receive corrective training tailored to the incident. Additionally, COs must validate that the individual attended annual security training, including PII training if applicable to the incident.
(2) Second time offenders should lose network privileges for 30 days, along with the additional actions identified in para 6.g.(1) above.
(3) Third time offenders should lose account privileges indefinitely, along with additional actions identified in para 6.g.(1). Indefinite loss of account privileges may be appealed to the first flag officer in the chain of command via the CO. This action may impact continued suitability for employment.
(4) Depending on the severity of the event, the CO, in consultation with the CSM and ISSM, shall determine if access to classified information shall be suspended for cause per para 10-5, REF Q.
h. The CO or CSM shall make the following entries in the Joint Personnel Adjudication System (JPAS) and provide follow-on supporting documentation via the Case Adjudication Tracking System (CATS) as follows:
(1) Initial entry in JPAS - indicate a security incident involving classified information has occurred and a PI is pending.
(2) Follow-up entry in JPAS - indicate, at a minimum, the date the PI was completed and that a final classification determination by the OCA(s) is pending. This entry is made after the CO approves the PI results and recommendations made by the PIO and it has been distributed per the applicable policy requirements in para 6.b. above.
(3) Final entry in JPAS - indicate the OCA(s) classification determination at the time of the incident, type of security incident (i.e., infraction or violation), category of ES and/or UD (i.e., willful, NDCI, or inadvertent), all corrective actions taken to include access suspensions, disciplinary actions, and training. Separately, provide DoDCAF with a copy of the documentation that supports the JPAS entries via CATS or by appropriate secure channels, if classified.
7. Released by Ray Mabus, Secretary of the Navy.
BT
#0001
NNNN
UNCLASSIFIED//