Security Protocol
Version 2.0
1 September 2014
The details of the relevant licence conditions are available on the Creative
Commons website as is the full legal code for the CC BY 3.0 AU licence (Creative
Commons Licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an
Honour website.
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-General's Department
35 National Cct
BARTON ACT 2600
Call: 02 6141 6666
Email: copyright@ag.gov.au
Document details
Security classification
Unclassified
Publicly available
Under review
Authority
Attorney-General
Author
Document status
Table of contents
Scope
Introduction
Agency heads
Line managers
Agency personnel
Need-to-know principle
Policy exceptions
Functional equivalents
Employment screening
Additional information
Performance management
Conflict of interest
Incident investigation
Persons employed under the Members of Parliament (Staff) Act 1984 (MoPS Act)
Foreign Nationals with non-Australian Government security clearances
Eligibility waivers
Non-Australian citizens
Uncheckable backgrounds
Provisional access
Assessing Suitability
Mitigation
Vetting decisions
Statutory declaration
Periodic Revalidations
Adverse findings
Sharing of information
Contact reporting under the Australian Government Contact Reporting Scheme
Reporting security incidents to vetting agencies and other appropriate agencies
Clearance maintenance for personnel on secondment or temporary assignment
Clearance sponsorship of contractors that are no longer actively engaged by an agency
Separation of contractors
Amendments
No.
Date
Location
Amendment
1
2
3
4
1. Scope
Introduction
1. The core policies of the Protective Security Policy Framework (PSPF) provide the
mandatory requirements for protective security in Australian Government
agencies. The Australian Government Personnel Security Protocol provides
more detailed advice for agencies to meet their mandatory personnel security
requirements.
2.
3.
4.
This Protocol forms part of the third level of the Australian Government's
personnel security policy hierarchy, as shown in Figure 1. This protocol and its
supporting guidelines will inform agency-specific personnel security policy and
procedures.
6.
7.
The Personnel Security Protocol derives its authority from the PSPF Directive
on the security of Government business, Governance arrangements, and the
Personnel security core policy and mandatory requirements. It should be read
in conjunction with:
9.
11. Additional terms used in this Protocol can be found in the PSPF Glossary of
Terms.
Agency heads
13. Responsibility for development, implementation and maintenance of personnel
security management ultimately rests with the agency head.
14. Agency heads set:
employment standards
Line managers
15. Line managers play a key role in personnel security. They are more likely than
agency security staff to have a detailed and accurate knowledge of their
employees and the duties of a position in their work area.
16. Line managers are responsible for:
Agency personnel
17. All agency personnel are responsible for:
being aware of the importance of their role in, and responsibility for,
ensuring the maintenance of good personnel security practices throughout
the agency
Need-to-know principle
18. Agencies are to limit access to, and dissemination of, Australian Government
resources to those personnel who need the resources to do their work.
19. Agencies are to limit access to, and dissemination of, Australian Government
security classified resources to those who hold the appropriate level of
clearance.
20. Agencies are to provide information on the need-to-know principle to all
personnel as part of their security awareness training.
Policy exceptions
21. Exceptional circumstances or emergencies may arise that prevent agencies
from applying relevant controls identified in the PSPF. These may be either of
an ongoing or of an emergency nature.
22. Policy exceptions can be made for an "are to" or "is to" statement. By making
a policy exception, an agency head is acknowledging that the agency:
is aware of and willing to accept the risk posed to their agency, and
23. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access
requirements. For further information see Foreign Nationals with non-Australian
Government security clearances.
24. Agencies are to document their policy exceptions, including the risk
assessment, in accordance with their agency specific policies and procedures.
25. Where appropriate, policy exceptions and risk assessments may cover policy
decisions relating to types of activity, rather than individual instances.
Functional equivalents
26. Where agencies use alternative personnel security measures that provide the
same or better functionality than specified controls, a policy exception is not
required.
27. Before agreeing to the use of alternative protective security measures an
agency head, or delegate, should seek expert advice to confirm that the
technical performance requirements of the proposed measures meet or exceed
those of the specified control.
28. For further information see Governance arrangements - Audit, reviews and
reporting.
intelligence agencies
33. Agencies are to include a contractual requirement for service providers and
contracting companies to seek written consent to share information with the
agency from all the service provider's or contracting company's personnel who
may access the agency's resources. The agency may then, on behalf of the
Commonwealth, share this information with other agencies for the purposes of
assessing suitability to access Australian Government resources. See Annex C
of the Personnel security guidelines - Agency responsibilities for a template
informed consent form.
employment screening;
separation activities.
Employment checks
Identity proofing
Eligibility
Qualification checks
Referee checks
Education
Employment screening
Stage
Initial security
clearances
Suitability assessments by
vetting agencies
Countering
manipulation
Security culture
Using incentives to
encourage the reporting of
security issues
Access controls
Protective
monitoring
Investigations
Ongoing
employment
suitability checks
Change of circumstances
Agency specific screening
Security clearance
maintenance
Periodic revalidations
Change of circumstances
Contact reporting
Separation activities
Post-employment personnel
security obligations under
Crimes Act/ Criminal Code
and other legislation
Withdrawal of
access
Security clearance
actions
37. An agency's protection against threats is only as good as the weakest element
of its protective security (governance, information security, physical security
and personnel security).
38. Adopting a comprehensive, risk-based approach to personnel security is
important in the protection of an agency's resources because:
sabotage, or
41. For further advice see Managing the Insider Threat to your Business.
42. Based on their personnel security risk review, agencies are to determine what
checks are required for employment screening, ongoing suitability to access
agency resources and for separation from the agency. These may include
agency specific employment screening checks or security clearances. For
example, the Australian Federal Police have a program of random drug and
alcohol testing.
43. For further advice on undertaking a personnel security risk review, see the
United Kingdom Centre for the Protection of National Infrastructure publication
Personnel Security Risk Assessment: A guide.
4. Employment screening
Mandatory Requirement
PERSEC 1: Agencies must ensure that their personnel who access Australian
Government resources (people, information and assets):
1 For agencies enabled by the Public Service Act 1999, eligibility refers to the requirements
for engagement of APS employees listed in section 22 of the Public Service Act 1999.
Agencies not enabled by the Public Service Act 1999 should refer to the requirements of
engagement of personnel contained within their own enabling legislation.
2 To be suitable, personnel need to demonstrate qualifications and/or experience required
of the position including satisfaction of any agency specific requirements. Agency specific
requirements may include demonstration and compliance with relevant codes of conduct
(e.g. APS Code of Conduct), behaviours and/or values.
50. Further details on assessing employment screening checks are in the Personnel
security guidelines - Agency personnel security responsibilities.
51. Agencies should, based on their risk assessment, undertake periodic
reassessments of suitability for employment.
Additional information
62. Additional information on employment screening is available from:
personal safety and security measures in agency facilities and in the field
self-managing risk
contact reporting
incident reporting
66. For further advice see the Protective security governance guidelines - Security
awareness training.
Performance management
67. Agencies should include personnel security compliance as part of their
personnel performance management.
Conflict of interest
68. Public confidence in the integrity of personnel is vital to the proper operation of
government. Confidence may be jeopardised if the community perceives a
Incident investigation
70. Agencies are to investigate reports of a security incident in accordance with
their agency specific policies and procedures.
71. Agencies are to consult with the AFP, jurisdictional police, ASIO and/or ASD
where the security incident may have criminal or National Security
implications.
72. For further details on undertaking an investigation see Protective security
governance guidelines - Reporting incidents and conducting security
investigations and the Australian Government Investigation Standards. These
guidelines also provide advice on referring matters to the appropriate law
enforcement agencies, ASIO and the Australian Signals Directorate, depending
on the nature of the incident.
75. Agencies should determine the period between original screening and any
subsequent re-screening. The period will depend on the agency's risk profile
and any specific risks associated with the position.
76. Agencies should record the outcomes of their monitoring and evaluations on
the same file as any employment screening results.
80. Vetting agencies are to cancel the clearance process for any failure to
cooperate in the clearance process. Agencies are to remove any access to
Australian Government security classified resources from clearance subjects, if
advised by the vetting agency that the clearance has been revoked or the
process cancelled.
81. Agencies are to apply this control to all personnel, irrespective of their position
or duties.
82. Agencies are not to use temporary access provisions to provide access to
Australian Government security classified resources to personnel that are not
actively cooperating with the vetting process.
85. An agency head may require that all agency staff in a particular category be
cleared to a specified level. Factors that may influence this decision include:
88. Agencies should assess whether the checks undertaken for a security
clearance provide the required level of assurance or whether agency-specific
checks will better meet their needs.
89. Agencies are to maintain a register of positions that require a clearance.
Before advertising a position, agencies are to identify:
90. Agencies should periodically reassess the security clearance requirement for
positions, at least each time the position becomes vacant and before it is
advertised.
ii.
iii.
iv.
SECRET
CONFIDENTIAL
PROTECTED
UNCLASSIFIED with a
DISSEMINATION LIMITING MARKER
UNCLASSIFIED
Positive vetting
Baseline
Employment screening
1
Compartmented Information
Certain
Sensitive and
TOP SECRET
Notes:
1. Access to Sensitive and Compartmented Information is detailed in the Sensitive
Material Security Management Protocol (SMSMP) which is only available to those with
a need to know.
2. In certain limited circumstances Compartmented information is available at the NV2
level. For further information see the SMSMP.
93. For further information on access to caveats and codewords, refer to the
Australian Government Information Core Policy and supporting Protocol and
guidelines; and the SMSMP.
97. The lead agency for a contract is to sponsor all contractor clearances where a
single contract covers a number of agencies, e.g. as the result of a panel
arrangement.
98. The lead agency is to ensure that they have arrangements (policies and
procedures) in place to ensure the ongoing suitability of contractors in
accordance with this protocol. For further information see Section 8.8
clearance maintenance for contractors.
99. Lead agencies are to ensure that ongoing suitability assessments of
contractors are included in the contract.
100. If an interested party becomes aware of a contractor's change in
circumstances, the interested party is to inform the vetting agency. The
vetting agency is to inform all other interested parties. For further information
on sharing see Section 1.6 - Sharing Personal Information.
Judges of The High Court of Australia, The Supreme Court, Family Court of
Australia, The Federal Circuit Court of Australia and Magistrates
103. Other appointed office holders may have enabling legislation which gives the
same privileges as the people identified in the preceding paragraph, e.g.
Members of the Administrative Appeals Tribunal and Members of the Social
Security Appeals Tribunal.
104. Personnel of the office holders in paragraphs 100 and 101 are not exempt from
the requirements for a security clearance and are to be security cleared to the
appropriate level if they require ongoing access to security classified
information.
105. An Australian office holder's exemption from the requirements of the PSPF is
limited to the requirement for a security clearance. Agencies responsible for
managing protective security for Australian office holders are to ensure that
classified material in their possession is appropriately safeguarded at all times
in accordance with the PSPF.
gain agreement from the clearance applicant to meet the conditions of the
waiver, and
114. Only Australian citizens with a checkable background are eligible for an
Australian Government security clearance, unless these eligibility requirements
have been waived by the sponsoring agency head. Agency heads need to be
aware that granting an eligibility waiver does not guarantee that a clearance
will be granted by the vetting agency.
115. Sponsoring agencies are to confirm all clearance subjects are eligible, by
confirming citizenship and checkable background requirements, prior to
requesting a security clearance.
Eligibility waivers
116. An agency head may, under certain conditions, waive the citizenship or
checkable background requirements for a person to be eligible for a security
clearance.
117. An agency head's decision to waive an eligibility requirement is to be based on
a thorough analysis of the risks to the Australian Government and the possible
impact on the National Interest. For further information see Personnel security
guidelines - Agency personnel security responsibilities.
118. Agency heads need to be aware of the inherent risks posed by a malicious
trusted insider when granting eligibility waivers. Any decision to grant a waiver
needs to be assessed against and linked to the agency's risks. Agency heads
need to be aware that by granting a waiver, they are taking on a risk that may
be detrimental to the Australian Government. If the documents supporting the
waiver do not fully detail the risks to the National Interest, mitigations and any
residual risks, the vetting agency may reject the request for security clearance.
119. The vetting agency is to record, or place, the waiver on the clearance subject's
Personal Security File.
120. An eligibility waiver is role-specific, non-transferable, finite and subject to
review. In other words, the waiver is to apply only while the clearance holder
remains in the position for which the clearance was granted.
121. The waiver is not to follow the clearance holder to any other position without
review. An eligibility waiver is not open-ended and is to be subject to regular
review to confirm that there is a continuing requirement for the waiver.
122. Agencies are to reassess eligibility waivers yearly.
Non-Australian citizens
123. An agency is to only grant an eligibility (citizenship) waiver where:
it has been identified that there is no Australian citizen who could fill the
position, and
Uncheckable backgrounds
127. A checkable background is established when a vetting agency has validated
information provided by a clearance subject with respect to their background
from independent and reliable sources.
128. A clearance subject has an uncheckable background when the vetting agency
cannot complete the minimum checks and inquiries for the relevant checking
period, or the checks and inquiries, where able to be made, do not provide
adequate assurance about the clearance subject's life or background. In these
circumstances, the vetting agency may decline the request for a clearance.
129. Any clearance subject that has spent greater than 12 months (cumulative) out
of Australia within the requisite background checking period is to be
considered to have an uncheckable background (if their periods of time out of
Australia cannot be verified from independent and reliable sources). If the
clearance subject's periods of time out of Australia cannot be verified from
independent and reliable sources, the subject is to be assessed by the vetting
agency as ineligible to be considered for an Australian Government security
clearance.
130. Vetting agencies are to consider the security risk to the Australian
Government as the primary factor when assessing whether a person is
considered to have a checkable background, and therefore whether they are
eligible to be considered for an Australian Government security clearance.
131. For an individual to be eligible for an Australian Government security
clearance, background checks should generally be able to be undertaken in
Australia. It is expected that individuals sponsored by agencies for an
Australian Government security clearance will have strong, established ties to
Australia.
133. Sponsoring agencies are to ensure a person subject to a waiver follows any
conditions placed on the clearance. Sponsoring agencies are to advise vetting
agencies of any non-compliance with conditions of the waiver.
134. The vetting agency is to cease a clearance where the clearance subject does
not adhere to the conditions of the waiver.
135. The sponsoring agency is to reassess the waiver and advise the vetting
agency if the clearance subject changes duties.
TOP SECRET classified resources unless the person requiring access holds
a Negative Vetting Level 1 clearance.
151. Temporary access to TOP SECRET resources (where the person does not hold a
Negative Vetting Level 1 clearance), or caveat, compartmented or codeword
material may only be given after a policy exception is approved by the agency
head. Agencies should seek agreement from the information owners and
compartment controllers, prior to granting temporary access to TOP SECRET
resources.
152. Sponsoring agencies are to advise the vetting agency of any temporary
access approved. The vetting agency is to record the access on the clearance
subject's PSF and/or security records database.
ii.
Provisional access
Period of access
Classified Resources
allowed
TS
SCI
TS1
S2, C2
TS
SCI
TS 1
S2, C2
Requirements:
N/A
Employment screening
157. Agencies are to only approve short term access to TOP SECRET classified
resources in exceptional circumstances where:
Provisional access
158. Sponsoring agencies may approve provisional access for up to SECRET security
classified resources where there is a sound business case to support access
during the clearance process.
159. Agencies are to only approve provisional access to TOP SECRET classified
resources in exceptional circumstances where:
160. Before granting provisional access, sponsoring agencies are to confirm with
the vetting agency that:
161. Agencies may approve provisional access until the clearance process is
complete. Agencies may change the type of temporary access from short term
to provisional once the vetting agency has confirmed it has received the
completed pack and advises there are no concerns.
164. MOPS staff are not to be given temporary access to sensitive compartmented,
codeword or caveat information.
165. A Minister's Portfolio Department should approve short term access for new
MOPS Act staff for the Department's Minister until their security clearances are
granted unless advised to withdraw the access due to concerns including
non-compliance with the clearance process.
166. The vetting agency is to notify the Portfolio Department and the Department
of Finance of any concerns or non-compliance with the security clearance
process.
167. The Department of Finance is to advise Portfolio Departments of any
Ministerial staff whose clearance process has been cancelled for
non-compliance with the security clearance process.
168. The Portfolio Department is to withdraw any temporary access to security
classified information for MOPS staff whose clearance process has been
cancelled. For more information see Section 6.1 - Cooperation in the clearance
process.
Assessing Suitability
174. Vetting agencies are to:
take into account the result of all checks and inquiries as the basis for
determining suitability
175. Vetting agencies should consider any information they become aware of that
is relevant to suitability, even if the matters fall outside of the minimum
checking period.
176. The vetting agency is to deny a security clearance where there are any reasonable
doubts about the clearance subject's suitability that cannot be resolved.
Reasonable doubt exists when concerns regarding the suitability of a clearance
subject remain after all minimum and any supplementary checks are
completed.
Mitigation
178. Where the background assessment, including supplementary checks, identifies
a personal vulnerability, the vetting agency is to determine if there are any
mitigating factors. Mitigating factors are detailed in section 5 of the Personnel
security guidelines - Vetting practices.
Vetting decisions
182. Vetting agencies are to base all vetting on an assessment of the whole person.
See the Adjudicative Guidelines.
183. The vetting agency is to advise the clearance subject and sponsoring agency
in writing of the decision to grant including any risk mitigations, deny, deem
ineligible or cancel a security clearance and any conditions imposed.
1.
Psychological assessment
2.
Negative Vetting 2
Negative Vetting 1
Security interview
Security interview
3.
4.
5.
Financial statement
6.
Financial statement
Suitability screening
questionnaire
7.
Baseline Vetting
Qualification verification
Suitability screening
questionnaire
ASIO assessment
Qualification verification
Suitability screening
questionnaire
ASIO assessment
2
ASIO assessment
Qualification verification
Statutory Declaration
Statutory Declaration
Statutory Declaration
Statutory Declaration
Identity verification
Identity verification
Identity verification
Identity verification
Notes:
1. Suitability is assessed against the criteria contained in the Annex J of the Personnel security guidelines - Vetting practices.
2. Qualifications checks should be part of an agency employment screening process where qualifications are claimed and/or mandatory.
3. Financial statement provides a detailed summary of a clearance subject's assets, income, liabilities and expenditure. See section 4.6.2 of the Personnel security guidelines - Vetting practices.
4. Referees are to collectively cover the whole checking period. Professional checks are to cover at least the preceding 3 months. Additional referees may be required.
5. The application of spent convictions legislation will vary dependent on the jurisdiction in which the offence occurred.
6. Identity checked in accordance with the Australian Identity Proofing Guidelines (level 3 for baseline and NV1 and level 4 for NV2 and PV). In addition to documentation to confirm residential addresses, employment, supporting documentation is also required to confirm citizenship status, and if relevant overseas travel. See Personnel security guidelines - Vetting practices.
7. For further details see the Sensitive Material Security Management Protocol.
8. Financial history check - provides an overview of a clearance subject's financial history. See section 4.6.2 of the Personnel security guidelines - Vetting practices for further details on financial history checks.
185. Table 4 shows the hierarchy of checks and processes that reflects the level of
assurance required for each level of security clearance.
Statutory declaration
186. Clearance subjects are to sign a Statutory Declaration made under the
Statutory Declarations Act 1959 (Cth) that confirms:
they have not altered the original documents or the copies provided to the
vetting agency, and
reviews for cause for all clearances where concerns about a clearance
holder's suitability to hold a clearance are identified. For further
information see Section 10.6.2 - Reviews for cause.
191. The vetting agency is to advise the clearance subject's sponsoring agency of
any review/investigation being undertaken by the vetting agency, to allow the
sponsoring agency to assess whether to deny access pending the outcome of
the review.
Periodic Revalidations
192. Vetting agencies are to periodically initiate revalidations of all Baseline,
Negative and Positive Vetting security clearances.
193. The requirements for the revalidation of security clearances are listed in Table
5. The table shows the hierarchy of checks and processes that reflect the level
of assurance required for each level of security clearance. Vetting agencies are
to undertake additional checks to resolve concerns on a case-by-case basis.
Negative vetting level 1
Negative vetting level 2
Positive vetting
To be undertaken by vetting agencies at least every 15 years.
To be undertaken by vetting agencies at least every 10 years.
To be undertaken by vetting agencies at least every 5 years.
To be undertaken by vetting agencies at least every 5 years.
Updated personal particulars covering period since previous vetting
Updated personal particulars covering period since previous vetting
Updated personal particulars covering period since previous vetting
Updated personal particulars covering period since previous vetting
Financial history check
Financial history check
Financial history check
Financial history check
1 professional referee check
1 professional referee check
2 referee checks (including 1 professional and 1 un-nominated)
3 Referee checks (including 1 professional and 1 un-nominated)
ASIO check
ASIO check
ASIO check
Financial statement
Financial statement
Financial statement and supporting documents
Interview
Interview
194.
195.
196.
197.
Psychological assessment
203. Vetting agencies are to undertake any checks required to resolve the
concern(s) that led to the initiation of the review for cause. This may include:
204. Vetting agencies are to advise both the clearance subject and the sponsoring
agency including interested parties (for contractors) of the review for cause
outcome.
Adverse findings
205. Decisions and actions taken during a security clearance could be subject to
judicial review. Vetting agencies will need to demonstrate that they have met
the requirements of procedural fairness. For further information see section 6.2
of the Personnel security guidelines - Vetting practices.
206. Where a decision is made to deny a clearance, the vetting agency is to inform
the clearance subject of the procedures for seeking a review of the decision.
207. The vetting agency is to also advise the sponsoring agency of the decision to
deny the clearance.
208. Vetting agencies are to report any denial of NV and PV security clearances,
including any exclusion periods, to ASIO.
213. Vetting agencies are to resolve any grievances raised by the clearance subject
regarding:
the manner in which the vetting agency conducted the clearance, or the
decision made.
214. Vetting agencies are to advise the clearance subject of these procedures as
part of the clearance process.
APS employees may seek review through the Australian Public Service
Commissioner or the Commonwealth Ombudsman, and
218. Any person may seek review through the Federal Court.
219. The delegate for the purposes of the review should be independent from the
original decision maker.
220. The Public Service Regulations 1999 (Cth) provides guidance on review
processes for APS employees.
221. The vetting agency and the clearance subject seeking the review are to cooperate fully with the review process.
classified resources. For further information see Personnel security guidelines - Vetting practices.
Recognition of clearances
225. Vetting agencies are to recognise the security clearances granted by another
vetting agency, unless:
the vetting agency has concerns that the incoming clearance subject is no
longer suitable to access Australian Government security classified
resources at that clearance level.
is not being maintained by the clearance holder for a period greater than
six months due to long term absence from their role, and
228. Security clearances without sponsorship, but still within the revalidation period,
are considered inactive, i.e. the clearance is not in use but has not been
cancelled as a result of a review for cause.
229. Upon notification of change of sponsorship for a clearance within the
revalidation period, the vetting agency is to identify the security clearances as
active, only once the vetting agency has assessed any changes of
circumstances.
230. Vetting agencies are to identify security clearances as active upon notification
of sponsorship by a new agency, where the clearance is within the revalidation
period subject to the vetting agency's assessment of any changes of
circumstances. For further information see the Personnel security guidelines - Vetting practices.
233. See the Personnel security guidelines - Vetting practices for details of
qualifications, competencies and training requirements for vetting staff.
notify the vetting agency of other issues of security concern relating to the
ongoing suitability of clearance holders, including security incidents and
any concerns relating to integrity
238. These responsibilities are in addition to the controls identified for all personnel
contained in Section 5 - Ongoing suitability for employment.
241. Agencies may also need to coordinate additional training/ briefings for
personnel with access to Sensitive Compartmented Information with the
compartment owners.
are to report any results including any non-compliance with the additional
requirements, to the vetting agency.
244. Where compliance with additional requirements is not met by the clearance
subject, the vetting agency is to undertake a review for cause into the
clearance subject's ongoing suitability. The resultant action by the vetting
agency may be the variation or withdrawal of a security clearance.
246. Agencies are to report any security concerns they have as to the ongoing
suitability of their clearance subjects to their vetting agency.
247. The annual health check does not replace an agency's ongoing responsibility
for their performance management including code of conduct investigations.
For further information on the annual health check see section 14.1 of the
Personnel security guidelines - Agency personnel security responsibilities.
Sharing of information
248. Agencies are to provide vetting agencies with any information about the
suitability of a person to hold a security clearance. This includes but is not
limited to:
249. Agencies should not use the clearance review process to deal with personnel
management problems (e.g. underperformance). However, if it is likely that
such concerns could affect a person's suitability to hold a clearance, line
managers should notify their agency security section who in turn may notify
the vetting agency.
250. Vetting agencies are to advise sponsoring agencies of any suitability concerns
raised about clearance subjects and any pending or active reviews for cause. In
such cases, and based on a risk assessment, the sponsoring agency is to
determine whether to limit or suspend the clearance subject's access to
security classified resources.
252. Agencies are to also require agency personnel to advise the agency of
changes in personal circumstances of other clearance holders if they have
concerns that may be relevant to a clearance holder's suitability.
253. The agency is to then advise the vetting agency of any notified reportable
changes in circumstances.
256. For further information see Personnel security guidelines - Agency personnel
security responsibilities.
258. Agencies are to consult with the Australian Federal Police (AFP) and/or the
Australian Security Intelligence Organisation (ASIO) in respect of investigations
that may have potentially serious issues.
259. Agencies are to also advise security incidents to:
Security violation - a deliberate action that leads, or could lead, to the compromise of official resources; or an
accidental failure that leads to the compromise of CONFIDENTIAL or above material.
260. Agencies are to withdraw all access to security classified resources for any
person responsible for a security violation as soon as reasonably practicable
after the violation is identified.
261. Agencies should make a risk-based decision on whether to remove or restrict
access for personnel directly responsible for security breaches or conduct that
indicates a disregard for security.
262. Agencies should reassess any clearance holder's access when an investigation
into a violation or breach is finalised.
263. Agencies are to notify the vetting agency when a breach of the code of
conduct or other disciplinary finding has been made against a clearance
holder, including any cases where a breach is established following the
clearance holder's departure from the agency.
264. Agencies are to include security incidents as part of their compliance reporting
requirements detailed in mandatory requirement GOV7.
Security breaches - an accidental or unintentional failure to observe the requirements for handling official
resources involving material classified up to and including PROTECTED.
the requirement for contract staff to protect the agency's information and
assets, and
276. The agency should require the contracting company to inform the agency if an
individual employed by the company is/has:
provisions for revoking physical and ICT access upon a contracted staff
member's exit from the company.
Prior to separation
281. Prior to a clearance holder's separation, an agency is to:
caveat information.
282. Agencies are to report any security concerns (non-compliance with the
separation procedures) about departing clearance holders to the vetting
agency and ASIO (Security as defined in the Australian Security Intelligence
Organisation Act 1979 (Cth)), particularly where the clearance holder departs
without having a security debrief.
283. The vetting agency is to place this information on the PSF where it will be
reviewed prior to consideration of any new vetting action.
284. If departing clearance holders do not cooperate with these procedures or are
otherwise assessed to pose a risk to security, the agency is to undertake a risk
assessment and implement mitigations.
On separation
285. On separation of a clearance holder, an agency is to advise the vetting
agency:
Separation of contractors
289. Sponsorship of a contractor clearance ceases when the contractor no longer
has a business relationship with the sponsoring agency.
290. An agency should include in their contracts an obligation on the contracting
company to advise the agency when the contractor's staff or sub-contractors
with sponsored clearances have ceased to work on the agency's contract.
291. Agencies are to advise the vetting agency when a sponsored contractor no
longer requires a security clearance to access the agency's security classified
resources.
292. Vetting agencies are to advise any other known agencies using the contractor
that the contractor's clearance is no longer sponsored by that agency, giving
interested parties the opportunity to assume sponsorship including the
responsibilities for clearance maintenance of the contractor.
the electorate officer is not required to access, and will not come into
contact with, security classified information or resources:
294. The Secretary, Attorney-General's Department will approve the request to vary
the requirement for a Negative Vetting Level 2 security clearance following a
recommendation by the Portfolio Department that confirms the electorate
officer will not access security classified information or resources above
PROTECTED or SECRET as appropriate (see above).
295. The following security clearance levels are to apply:
electorate officers for Ministers who are not members of the NSC,
and who access security classified information or resources at TOP
SECRET.
electorate officers for Ministers who are not members of the NSC,
and who access security classified information or resources at
CONFIDENTIAL and/or SECRET.
Baseline:
[name] is an electorate officer for [Minister's] and is not required to access, and
will not come into contact with, TOP SECRET security classified material. I request
a variation of the requirement for the above electorate officer to hold a Negative
Vetting Level 2 security clearance.
Name of Chief of Staff
Date
Signature
At or below PROTECTED
AT CONFIDENTIAL OR SECRET
Signature
Date
Approval of request
As the delegate for Secretary, Attorney-General's Department, I vary the requirement for the
above mentioned electorate officer to be security cleared to Negative Vetting Level 2, subject to
them undergoing:
Baseline
Signature