C10.1.3.1. Preliminary Inquiry. When an actual or
potential compromise of classified information occurs, the head of the
activity or activity security manager having security cognizance shall
promptly initiate an inquiry into the incident to determine the following.
If information obtained as a result of the preliminary inquiry is sufficient
to provide answers to these questions, then
such information shall be sufficient to resolve the incident to include
institution of administrative sanctions under section C1.5.,
of this Regulation:
C10.1.3.1.1. When, where, and how did the incident occur?
What persons, situations, or conditions caused or contributed to the
C10.1.3.1.2. Was classified information was compromised?
C10.1.3.1.3. If a compromise occurred, what specific
classified information and/or material was involved?
C10.1.3.1.4. If classified information is alleged to have
been lost, what steps were taken to locate the material?
C10.1.3.1.5. In cases of compromise of classified
information to the public media, the inquiry should determine:
C10.1.3.1.5.1. In what specific medial article or program
did the classified information appear?
C10.1.3.1.5.2. To what extent was the compromised
C10.1.3.1.5.3. Was the information properly
C10.1.3.1.5.4. Was the information officially
C10.1.3.1.6. If there was no compromise, was there a failure
to comply with established security practices and procedures that could
lead to compromise if left uncorrected and/or, is there a weakness or
vulnerability in established security practices and procedures that could
result in a compromise if left uncorrected? What corrective action is
C10.1.3.2. Investigation. If the circumstances of an
incident are as such that a more detailed investigations is necessary, then
an individual will be appointed to conduct that investigation. This
individual must have an appropriate security clearance, have the ability to
conduct an effective investigation, and must NOT be someone likely to have
been involved, directly or indirectly, in the incident. Except in unusual
circumstances, the activity security manager should not be appointed to
conduct the investigation. In cases of compromise of classified information
to the public media, the investigation should expand upon subparagraph
C10.1.3.1.5., above, to include: