Security Incident Procedure

Security Incident Procedure

This procedure establishes a graduated disciplinary response to security violations in accordance with U.S. Department of Defense regulations and the University's security agreement with the Department of Defense.
Effective Date:
Responsible Party:
None Assigned
Administrative Category:
Applies To:
Faculty, Staff, Students
Material Original Source:

University of Alabama at Birmingham 

Security Incident Procedure 

June 22, 2010


This document establishes a Security Incident Procedure which includes a graduated scale of disciplinary actions.  Its purpose is to enhance the protection of classified information, materials, equipment, or areas by identifying, evaluating, and assigning responsibility for breaches of security associated with the aforementioned items.  A graduated scale of disciplinary actions is required under section 1-304 of the National Industrial Security Program Operating Manual (NISPOM), DOD 5220.22-M, February 28, 2006, Chapter 1 (, to which The University of Alabama at Birmingham agreed to abide by signing a security agreement, Form DD-441, with the U.S. Department of Defense (DOD).

The following procedure applies to all personnel who possess a U.S. Government security clearance under University of Alabama at Birmingham sponsorship (also known as Key Management Personnel).


The significance of a security incident does not depend upon whether information was actually compromised.  It depends upon the intentions and attitudes of the individual who committed the violation.  Ability and willingness to follow the rules for protection of classified information is a prerequisite for maintaining a security clearance.  Although accidental and infrequent infractions or minor violations are to be expected, deliberate or repeated failure to follow the rules is definitely not.  It may be a symptom of underlying attitudes, emotional, or personality problems that are a serious security concern.


The following behaviors are of particular concern and may affect your security clearance: 

  • A pattern of routine security violations due to inattention, carelessness, or a cynical attitude toward security discipline.

  • Taking classified information home, ostensibly to work on it at home, or carrying it while in a travel status without proper authorization.  

  • Prying into projects or activities for which the person does not have (or no longer has) a need to know.  This includes requests for classified publications from reference libraries without a valid need to know, or any attempt to gain unauthorized access to computer systems, information, or databases. 

  • Intoxication while carrying classified materials or that causes one to speak inappropriately about classified matters or to unauthorized persons. 

  • Deliberate revelation of classified information to unauthorized persons to impress them with one's self-importance. 

  • Copying classified information in a manner designed to obscure classification markings.  This may indicate intent to misuse classified information. 

  • Making unauthorized or excessive copies of classified material.  Going to another office to copy classified material when copier equipment is available in one’s own work area is a potential indicator of unauthorized copies being made. 

  • Failing to report requests for classified information from unauthorized individuals.


A.  Security incident – A failure to safeguard classified documents, materials, or items per applicable regulations. For UAB, this is the National Industrial Security Program Operating Manual DOD 5220.2-M and University Compliance Office/Facility Security Office (UCO/FSO) policies. 

B.  Security infraction – A security incident that, in the judgment of the UCO/FSO, does not result in actual or possible compromise of the information.  For example, at the end of the workday, an employee fails to record the closing of a security container or vault door on the SF-702 log sheet.  Infractions are more administrative in nature, but are required to be documented to deter patterns of neglect or disregard for security procedure. 


C.  Security violation – A security incident that, in the judgment of UCO/FSO, could result in the actual or possible compromise of the information.  For example, not securing a security container or vault door at the end of the workday or when there are no cleared personnel present. 

D.  One year moving window – The period of time in which the aggregate of valid (as adjudicated by the UCO/FSO) security incidents will be counted.  The period will start on the date of the most recent incident and extends backwards for a period of 12 months. 

E.  Collateral security clearance - A security clearance with no special access authorizations, e.g. SCI or SAP.  Top Secret, Secret, and Confidential are collateral security clearances. 

Security Inspections 

The FSO, or her/his designee, is responsible for conducting security inspections of those facilities or areas that are utilized to store, process, or work with classified information, materials or equipment.  Inspections will be conducted on a routine basis; however, they can also be conducted on an unannounced basis depending upon the situation.  A facility or area that is prone to security violations may be inspected on a more frequent basis.  

Reporting & Adjuducation of Security Incidents 

All security incidents will be reported to UCO/FSO.  Employees must inform the FSO orally or in writing of any improper security practice that comes to the employee’s attention in order that remedial action may be taken.  Reporting of security incidents is based upon an honor system.  All of us must take the responsibility upon ourselves to ensure that all classified items are secured properly and afforded all the protection required and when a security incident occurs initiate self-reporting. 

Failure to report a security violation is itself a security violation and may be a very serious concern.  Upon the discovery or report of a security incident, the UCO/FSO will open a file on the incident, start an investigation, and initiate the UCO/FSO Record of Incident form


The UCO/FSO, or her/his designee, will conduct an investigation of the reported security incident that will include, but not be limited to, personal interviews of person or persons involved, site visitation where the security incident occurred and the gathering of any additional information that pertains to the security incident investigation.  All information will become part of the security incident file that will be kept in the UCO/FSO facility.  The individual suspected of the incident will also be able to make a statement that is a part of the Record of Incident form.  

The security incident will be adjudicated by the FSO utilizing only the information that is obtained from the incident investigation and that is documented.  After the incident is adjudicated a final report will be written and forwarded along with all investigative documentation to the University Compliance Officer (UCO) for review.  After review and approval by the UCO the individual(s) involved will be informed in writing of the findings.  

All records associated with a security incident investigation will be kept in the office of the FSO.  All records are open to those personnel directly involved in the security incident; however, they cannot be removed or copied.


An appeal to the validity or categorization of a security incident can be made in writing to the UCO.  The appeal must be received by UCO within 7 days of receiving notification of the findings.  The appeal will be based upon existing information; no new information can be introduced or considered in the appeal process. 

Security Incident Examples 

The following is not a complete list of infractions or violations but is a sampling of what could occur.  The difference between an infraction and a violation can be very fine. 


  • Failure to log opening or closing of a security container or vault door.  

As stated previously, infractions are more administrative in nature.  You can be issued an infraction for leaving classified material out on your desk even if you are in a vaulted area that is approved for classified materials and there is a 24/7 monitored and approved alarm system which was operational and in use when the material was left out on the desk.  


  • Leaving a classified file or security container unlocked and unattended either during or outside normal working hours.
  • Keeping classified material in a desk or unauthorized cabinet, container, or area.
  • Leaving classified material unsecured or unattended on desks, tables, cabinets, or elsewhere in an unsecured area, either during or after normal working hours.
  • Losing classified material that has been entrusted to your care.
  • Reproducing or transmitting classified material without proper authorization.
  • Removing classified material from the work area in order to work on it at home.
  • Granting a visitor, contractor, employee, or any other person access to classified information without verifying both the individual's clearance level and need-to-know.
  • Discussing classified information over the telephone or other than a phone approved for classified discussion. 
  • Discussing classified information in lobbies, cafeterias, corridors, or any other public area where the discussion might be overheard.
  • Carrying safe combinations or computer passwords (identifiable as such) on one's person, writing them on calendar pads, keeping them in desk drawers, or otherwise failing to protect the security of a safe or computer.
  • Failure to mark classified documents properly.
  • Failure to follow appropriate procedures for the destruction of classified material.
  • Tampering with a security container or vault door.

    Disciplinary Actions 

1.  All personnel that have the responsibility to safeguard classified information/material from unauthorized access are subject to disciplinary actions (administrative and/or criminal).
2.  Potential or actual infractions or violations of classified information/material must be reported immediately to the Facility Security Office to ensure the integrity of the information/material and the university.  Failure to report or the misrepresentation of an infraction or violation is in itself a violation and may result in a disciplinary action.  It is the responsibility of all personnel to act responsibly and to correct irresponsible or unauthorized behavior to prevent the compromise of classified information/material and to ensure the safety and security of other personnel, property, and the University.
3.  The disciplinary action to be taken for a specific security infraction or violation will be decided upon by the UCO and the FSO meeting together to discuss the infraction or violation.  The disciplinary actions that may be taken are: 
  • Retraining
  • Verbal warning
  • Verbal reprimand
  • Written reprimand
  • Suspension of security clearance (see Notes 1 & 2 below)
  • Termination of security clearance (see Note 2 below)
  • Criminal actions 
This guide does not dictate the disciplinary action to be taken; rather, it establishes a range of options that can be taken to ensure the safety and security of personnel and property.  The action taken will be based upon the severity of each or subsequent infraction(s) or violation(s)  and may include none, any, or all of the actions listed.  Multiple infractions and/or violations within the one-year period raise doubts about an individual's trustworthiness and ability to safeguard classified information/material.
Security infractions or violations may also be addressed in accordance with UAB policy and procedure.
4.  All security incidents will become part of the individual's security record that is maintained by the FSO.


1.  Suspension of a security clearance can be for any length of time that is determined to be appropriate for the security incident and and will be determined by UCO and FSO.  Prior to the reinstatement of the security clearance, a meeting to discuss the individual's suitability for a security clearance will be held.  Attending will be the UCO, the FSO, the individual, and the individual's immediate supervisor.  This meeting is mandatory for reinstatement of the security clearance.
2.  Any clearance or termination will be noted in the Department of Defense Joint Personnel Access System database.  This is the database of record for the U.S. Government that tracks all industrial security clearances and actions.
3.  Per NISPOM (DOD 5220.22-M) section 1-304 entitled "Individual Culpability Reports", any security violation that deliberately disregards security requirements, involves gross negligence in the handling of classified material, or was not deliberate in nature but involves a pattern of negligence or carelessness will be reported to the Defense Security Service.  The deliberate disclosure of classified information/material will also be reported to the FBI for criminal investigation.

Record of Incident

 Security incidents are reported using the Joint Personnel Adjudication System (JPAS), within the Defense Security Services -- Offices of Chief Information Officer at


National Industrial Security Program Operating Manual DoD, 5220.22-M, February 28, 2006; Department of Defense Security Agreement, Form DD-441; classified Information Nondisclosure agreement, SF-312.


 The Empowered Official and the facility FSO are responsible for the review of this procedure as needed but no less frequently than every four years.