Notes on AFH-1, 1 Nov 21, Chapter 17, Security


1 February 2024. A new version of the Study Guide for Testing to Staff Sergeant was posted on the WAPS website. The new study guide is based on the 1 Nov 2021 version of the Air Force Handbook again and the content of the new study guide is the same as the existing 23E5 Study Guide. However, the ADTC for the new 2024 E-5 study guide changed five sections (4B, 8B, 13C, 14D, and 14F) from testable to not testable and one section, 18A, from not testable to testable. Chapter 17 was not affected by these changes.

The testable sections (17B, 17C, 17D, and 17E) in the new 24E5 study guide were compared to the 23E5 study guide and there are no changes. No updates to this chapter are necessary.





1 October 2023. A new version of the Study Guide for promotion to E-6 was posted on the Air Force's official website. The new study guide is based on the current version of the Air Force Handbook dated 1 Nov 2021 and the content of the study guide hasn't changed. However, the ADTC for the new study guide changed four sections (4E, 13B, 14A, and 14D) from being required for study to not being testable, and one section (19A), previously marked as not required for study, is now testable. This website's individual chapter pages and practice tests have been updated to reflect these changes.

The content of the new 24E6 Study Guide Chapter 17 was compared to the current 23E6 Study Guide's Chapter 17 and there were no differences. This chapter 17 content is valid and may be studied for both the 23E6 and 24E6 promotion cycles.





20 November 2022. The Air Force posted a new version of the E-6 study guide, dated 1 Nov 2022, on their website. It replaces the E-6 study guide dated 1 November 2021 for promotion test cycle 23E6 (15 Feb - 15 Apr 2023). A preliminary review of the new study guide revealed no major changes; the new guide appears only to correct the minor differences between the 2021 E-5 and E-6 study guides as previously noted below.



Differences between 2021 and 2022 E-6 Study Guides


Section 17B - Operations Security

2021 E6 Study Guide

17.1. Air Force Operations Security Program

The purpose of operations security is to reduce the vulnerability of Air Force missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security uses a cycle to identify, analyze, and control critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. Air Force personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting combat operations. Air Force units utilize a profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers and signature managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security signature managers also recommend modifying the day-to-day activities at an installation or organization to create variations in the status quo. Operations security involves attentiveness to:

- Identify those actions that can be observed by adversary intelligence systems.

- Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.

- Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Operational Effectiveness. Operations security involves a series of analyses to examine the planning, preparation, execution, and post-execution phases of any operation or activity across the entire spectrum of military action and in any operational environment. Operations security analysis provides decision-makers with a means of weighing the risk to their operations. Decision-makers must determine the amount of risk they are willing to accept in particular operational circumstances in the same way as operational risk management allows commanders to assess risk in mission planning. Operational effectiveness is enhanced when commanders and other decision-makers apply operations security from the earliest stages of planning.

Operations Security Principles. Operations security principles must be integrated into operational, support, exercise, acquisition planning, and day-to-day activities to ensure a seamless transition to contingency operations. The operations security cycle consists of the following distinct actions:

- Identify critical information.

- Analyze threats.

- Analyze vulnerabilities.

- Assess risk.

- Apply appropriate operations security countermeasures.

2022 E6 Study Guide

17.7. USAF Operations Security Program

The purpose of operations security is to reduce the vulnerability of USAF missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security uses a cycle to identify, analyze, and control critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. USAF personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting combat operations. USAF units utilize a profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers and signature managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security signature managers also recommend modifying the day-to-day activities at an installation or organization to create variations in the status quo. Operations security involves attentiveness to:

- Identify those actions that can be observed by adversary intelligence systems.

- Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.

- Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Operational Effectiveness. Operations security involves a series of analyses to examine the planning, preparation, execution, and post-execution phases of any operation or activity across the entire spectrum of military action and in any operational environment. Operations security analysis provides decision-makers with a means of weighing the risk to their operations. Decision-makers must determine the amount of risk they are willing to accept in particular operational circumstances in the same way as operational risk management allows commanders to assess risk in mission planning. Operational effectiveness is enhanced when commanders and other decision-makers apply operations security from the earliest stages of planning.

Operations Security Principles. Operations security principles must be integrated into operational, support, exercise, acquisition planning, and day-to-day activities to ensure a seamless transition to contingency operations. The operations security cycle consists of the following distinct actions:

- Identify critical information.

- Analyze threats.

- Analyze vulnerabilities.

- Assess risk.

- Apply appropriate operations security countermeasures.

2021 E6 Study Guide

17.2. Operations Security Indicators

Operations security indicators are friendly, detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information. The five basic characteristics of operations security indicators that make them potentially valuable to an adversary are briefly described here.

Signatures. A signature is a characteristic of an indicator that is identifiable or stands out. Signature management is the active defense or exploitation of operational profiles at a given military installation. Defense of operational profiles is accomplished by implementing measures to deny adversary collection of critical information.

Associations. An association is the relationship of an indicator to other information or activities.

Profiles. Each functional activity generates its own set of more-or-less unique signatures and associations. The sum of these signatures and associations is the activity's profile. A profiling process is used to map the local operating environment and capture process points that present key signatures and profiles with critical information value.

Contrasts. A contrast is any difference observed between an activity's standard profile and most recent or current actions.

Exposure. Exposure refers to when and for how long an indicator is observed. The longer an indicator is observed, the better chance an adversary can form associations and update the profile of operational activities.

2022 E6 Study Guide

17.8. Operations Security Indicators

Operations security indicators are friendly, detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information. The five basic characteristics of operations security indicators that make them potentially valuable to an adversary are briefly described here.

Signatures. A signature is a characteristic of an indicator that is identifiable or stands out. Signature management is the active defense or exploitation of operational profiles at a given military installation. Defense of operational profiles is accomplished by implementing measures to deny adversary collection of critical information.

Associations. An association is the relationship of an indicator to other information or activities.

Profiles. Each functional activity generates its own set of more-or-less unique signatures and associations. The sum of these signatures and associations is the activity's profile. A profiling process is used to map the local operating environment and capture process points that present key signatures and profiles with critical information value.

Contrasts. A contrast is any difference observed between an activity's standard profile and most recent or current actions.

Exposure. Exposure refers to when and for how long an indicator is observed. The longer an indicator is observed, the better chance an adversary can form associations and update the profile of operational activities.


Section 17C - Information Protection

2021 E6 Study Guide

17.3. Information Protection Procedures

Information protection is a subset of the Air Force security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and controlled unclassified information that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2022 E6 Study Guide

17.9. Information Protection Procedures

Information protection is a subset of the USAF security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and Controlled Unclassified Information (CUI) that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2021 E6 Study Guide

17.4. Information Security

All personnel in the Air Force are responsible for protecting classified information and controlled unclassified information under their custody and control. DoD Manual 5200.01, Department of Defense Information Security Program, and AFI 16-1404, Air Force Information Security Program, provide the guidance for managing classified information and controlled unclassified information.

Classified Information. Classified information is designated accordingly to protect national security. There are three levels of classification: Top Secret, Secret, and Confidential. Each individual is responsible for providing the proper safeguards for classified information, reporting security incidents, and understanding the sanctions for noncompliance.

Top Secret. Top Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

Secret. Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

Confidential. Confidential shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

2022 E6 Study Guide

17.10. Information Security

All personnel in the USAF are responsible for protecting classified information and CUI under their custody and control. DoDM5200.01V1_AFMAN16-1404V1, Information Security Program: Overview, Classification, and Declassification, 10 January 2021, provide the guidance for managing classified information and CUI.

Classified Information. Classified information is designated accordingly to protect national security. There are three levels of classification: Top Secret, Secret, and Confidential. Each individual is responsible for providing the proper safeguards for classified information, reporting security incidents, and understanding the sanctions for noncompliance.

Top Secret. Top Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

Secret. Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

Confidential. Confidential shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

2021 E6 Study Guide

17.5. Controlled Unclassified Information

Controlled unclassified information is information that requires access and distribution controls and protective measures, and may be referred to accordingly as: for official use only, law enforcement sensitive, Department of Defense unclassified controlled nuclear information, and limited distribution. Requirements, controls, and protective measures developed for these materials are found in DoDI 5200.48 Controlled Unclassified Information (CUI).

For Official Use Only Information. For official use only (FOUO) information is the most commonly used controlled unclassified information category. The classification is used as a dissemination control applied by the Department of Defense to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest as identified in the Freedom of Information Act. No person may have access to information designated as FOUO unless they have a valid need for access in connection with the accomplishment of a lawful and authorized government purpose. FOUO information shall be indicated by markings that identify the originating office. FOR OFFICIAL USE ONLY or UNCLASSIFIED//FOR OFFICIAL USE ONLY will be marked at the bottom of the outside of the front cover (if there is one), the title page, the first page, all applicable internal pages (to include specific sections and paragraphs), and the outside of the back cover (if there is one).

During work hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel, such as not leaving FOUO status information unattended where unauthorized personnel are present. After working hours, store the information in unlocked containers, desks, or cabinets if the building is provided security by government or government-contract personnel. If building security is not provided or deemed inadequate, store the information in locked desks, file cabinets, bookcases, or locked rooms.

Original Classification. Original classification is the initial decision by an original classification authority that an item of information could reasonably be expected to cause identifiable or describable damage to the national security subjected to unauthorized disclosure and requires protection in the interest of national security. Only officials designated in writing may make original classification decisions.

Derivative Classification. Air Force policy is to identify, classify, downgrade, declassify, mark, protect, and destroy classified information consistent with national policy. Controlled unclassified information will also be protected per national policy. Within the Department of Defense all cleared personnel are authorized to derivatively classify information, if: 1) they have received initial training before making derivative classification decisions, and 2) they have received refresher training at least once every two years. Derivative classification is the incorporating, paraphrasing, restating, or generating classified information in a new form or document. Derivative classifiers must use authorized types of sources for making decisions. One of the most important responsibilities of the derivative classifier is to observe and respect the classification determinations made by an original classification authority.

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoD Manual 5200.01, Vol 2, Department of Defense Information Security Program: Marking of Classified Information. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoD Manual 5200.01, Volume 2, DoD Information Security Program: Marking of Classified Information, for additional information and marking illustrations.

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed SF 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret, SF 704, Secret, and SF 705, Confidential.

End-of-Day Security Checks. Use SF 701, Activity Security Checklist, to record the end of the day security checks. This form is required for any area where classified information is used or stored. Ensure all vaults, secure rooms, and containers used for storing classified material are checked. Classified information systems should specifically be stored in a general services administration approved safe or in buildings or areas cleared for open storage of classified.

2022 E6 Study Guide

17.11. CUI

CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Requirements, controls, and protective measures developed for these materials are found in DoDI 5200.48_AFI 16-1403, Controlled Unclassified Information, 5 Oct, 2021.















Original Classification. Original classification is the initial decision by an original classification authority that an item of information could reasonably be expected to cause identifiable or describable damage to the national security subjected to unauthorized disclosure and requires protection in the interest of national security. Only officials designated in writing may make original classification decisions.

Derivative Classification. USAF policy is to identify, classify, downgrade, declassify, mark, and protect classified information and records, and to destroy classified records containing classified information, consistent with national policy. CUI will also be protected per national policy. Within the Department of Defense all cleared personnel are authorized to derivatively classify information, if: 1) they have received initial training before making derivative classification decisions, and 2) they have received refresher training every year. Derivative classification is the incorporating, paraphrasing, restating, or generating classified information in a new form or document. Derivative classifiers must use authorized types of sources for making decisions. One of the most important responsibilities of the derivative classifier is to observe and respect the classification determinations made by an original classification authority.

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoDM5200.01V2_AFMAN16-1404V2, Information Security Program: Marking of Classified Information, 6 January 2021. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoDM5200.01V2_AFMAN16-1404V2, for additional information and marking illustrations.

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed Standard Form (SF) 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret (Cover Sheet), SF 704, Secret (Cover Sheet), and SF 705, Confidential (Cover Sheet).

End-of-Day Security Checks. Use SF 701, Activity Security Checklist, to record the end of the day security checks. This form is required for any area where classified information is used or stored. Ensure all vaults, secure rooms, and containers used for storing classified material are checked. Classified information systems should specifically be stored in a general services administration approved safe or in buildings or areas cleared for open storage of classified.

Removed the following questions due to the paragraphs about FOUO being removed:


4. Unclassified information that requires access and distribution controls and protective measures is collectively referred to as Controlled Unclassified Information. The most commonly used category of Controlled Unclassified Information is: (17.5.)

A. Confidential
B. LIMITED DISTRIBUTION
*C. For Official Use Only
D. Law Enforcement Sensitive


5. For Official Use Only is a dissemination control applied to unclassified information when disclosure to the public of that particular record would reasonably be expected to cause: (17.5.)

A. damage to national security
B. serious damage to national security
C. exceptionally grave damage to national security
*D. a foreseeable harm to an interest as identified in the Freedom of Information Act


6. A person may not have access to information designated as For Official Use Only unless they: (17.5.)

A. have a security clearance
B. have been "read into" the program
C. have signed a nondisclosure agreement
*D. have a valid need for access for a lawful and authorized Government purpose


7. During work hours, reasonable steps shall be taken to protect content designated as For Official Use Only (FOUO) from access by unauthorized personnel. After working hours, material designated as FOUO should be stored: (17.5.)

A. in a safe approved for classified storage
B. in the base COMSEC vault if the building is not continuously occupied
C. in unlocked containers, desks, or cabinets if there is no building security
*D. in unlocked containers, desks, or cabinets if building security is provided by Government or Government-contract personnel

2021 E6 Study Guide

17.6. Security Incidents Involving Classified Information

Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoD Manual 5200.01 Volume 3, DoD Information Security Program: Protection of Classified Information. The general security incident characteristics are briefly described here.


Infraction. An infraction is a security incident involving failure to comply with requirements which cannot reasonably be expected to, and does not, result in the loss, suspected compromise, or compromise of classified information. An infraction may be unintentional or inadvertent, and does not constitute a security violation; however, if left uncorrected, could lead to a security violation or compromise. Infractions require an inquiry to facilitate immediate corrective action.

Violation. Violations are security incidents that indicate knowing, willful negligence for security regulations, and result in, or could be expected to result in, the loss or compromise of classified information. Security violations require an inquiry or investigation.

Compromise. A compromise is a security incident (violation) in which there is an unauthorized disclosure of classified information. This could include the disclosure of information to a person(s) who does not have a valid clearance, authorized access, or a need to know.

Loss. A loss occurs when classified information cannot be physically located or accounted for. This could include classified information/equipment being discovered as missing during an audit and cannot be immediately located.

Data Spills. Classified data spills occur when classified data is introduced either onto an unclassified information system, to an information system with a lower level of classification, or to a system not accredited to process data of that restrictive category.

Information in the Public Media. If classified information appears in the media or public internet sites, or if approached by a media representative, personnel shall not confirm or verify the information. Immediately report the matter to a supervisor, security manager, or commander, but do not discuss with anyone without an appropriate security clearance and a need to know.

2022 E6 Study Guide

17.12. Security Incidents Involving Classified Information

Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoDM5200.01V3_AFMAN16-1404V3, DoD Information Security Program: Protection of Classified Information, 22 December 2020. The general security incident characteristics are briefly described here.

Infraction. An infraction is a security incident involving failure to comply with requirements (i.e., the provisions of References (d) and (f), this Manual or other applicable security policy) which cannot reasonably be expected to, and does not, result in the loss, of classified records, or in the suspected or actual compromise of classified information. An infraction may be unintentional or inadvertent. While it does not constitute a security violation, if left uncorrected, can lead to security violations or compromises. It requires an inquiry to facilitate immediate corrective action but does not require an in-depth investigation.

Violation. Violations are security incidents that indicate knowing, willful, and negligent for security regulations, and result in, or could be expected to result in the loss of classified records or the compromise of classified information. Security violations require an inquiry and/or investigation.

Compromise. A compromise is a security incident (more specifically, a violation) in which there is an unauthorized disclosure of classified information (i.e., disclosure to a person(s) who does not have a valid clearance, authorized access, or a need to know).

Loss. A loss occurs when records containing classified information cannot be physically located or accounted for. This could include classified records/equipment that is discovered missing during an audit and cannot be immediately located.

Data Spills. Classified data spills occur when classified data is introduced either onto an unclassified information system or to an information system with a lower level of classification, or to a system not accredited to process data of that restrictive category. Although it is possible that no unauthorized disclosure occurred, classified data spills are considered and handled as a possible compromise of classified information involving information systems, networks, and computer equipment until the inquiry determines whether an unauthorized disclosure did or did not occur.

Information in the Public Media. If classified information appears in the public media, including on public Internet sites, or if approached by a representative of the media, DoD personnel shall be careful not to make any statement or comment that confirms the accuracy of or verifies the information requiring protection. Report the matter as instructed by the appropriate DoD Component guidance, but do not discuss it with anyone who does not, in the case of classified information, have an appropriate security clearance and need to know.

2021 E6 Study Guide

17.7. Industrial Security

Air Force policy is to identify, in classified contracts, specific information and sensitive resources that must be protected against compromise or loss while entrusted to industry. Security policies, requirements, and procedures are applicable to Air Force personnel and on-base Department of Defense contractors performing services under the terms of a properly executed contract and associated security agreement or similar document, as determined by the installation commander.

2022 E6 Study Guide

17.13. Industrial Security

USAF policy is to identify, in classified contracts, specific information and sensitive resources that must be protected against compromise or loss while entrusted to industry. Security policies, requirements, and procedures are applicable to USAF personnel and on-base Department of Defense contractors performing services under the terms of a properly executed contract and associated security agreement or similar document, as determined by the installation commander.

2021 E6 Study Guide

17.8. Personnel Security

The Personnel Security Program entails policies and procedures that ensure military, civilian, and contractor personnel who access classified information or occupy a sensitive position are consistent with interests of national security. For most personnel, this involves procedures for obtaining proper security clearances required for performing official duties. It involves the investigation process, adjudication (approval) for eligibility, and the continuous evaluation for maintaining eligibility. Commanders and supervisors must continually observe and evaluate their subordinates with respect to these criteria and immediately report any unfavorable conduct or conditions that might bear on the subordinates' trustworthiness and eligibility to occupy a sensitive position or have eligibility to classified information.

Adjudicative Guidelines. The Department of Defense Central Adjudication Facility is the designated authority to grant, deny, and revoke security clearance eligibility using the Department of Defense 13 adjudicative guidelines, while applying the whole person concept and mitigating factors. Individuals are granted due process and may appeal if the security clearance eligibility is denied or revoked. For additional details, refer to the DoDM 5200.02_AFMAN 16-1405, Air Force Personnel Security Program. The 13 Adjudicative Guidelines include:

Allegiance to the United States

Foreign Influence

Foreign Preference

Sexual Behavior

Personal Conduct

Financial Considerations

Alcohol Consumption

Drug Involvement

Psychological Conditions

Criminal Conduct

Handling Protected Information

Outside Activities

Use of Information Technology

2022 E6 Study Guide

17.14. Personnel Security

The Personnel Security Program entails policies and procedures that ensure military, civilian, and contractor personnel who access classified information or occupy a sensitive position are consistent with interests of national security. For most personnel, this involves procedures for obtaining proper security clearances required for performing official duties. It involves the investigation process, adjudication (approval) for eligibility, and the continuous evaluation for maintaining eligibility. Commanders and supervisors must continually observe and evaluate their subordinates with respect to these criteria and immediately report any unfavorable conduct or conditions that might bear on the subordinates' trustworthiness and eligibility to occupy a sensitive position or have eligibility to classified information.

Adjudicative Guidelines. The Department of Defense Central Adjudication Facility is the designated authority to grant, deny, and revoke security clearance eligibility using the Department of Defense 13 adjudicative guidelines, while applying the whole person concept and mitigating factors. Individuals are granted due process and may appeal if the security clearance eligibility is denied or revoked. For additional details, refer to the DoDM 5200.02_AFMAN 16-1405, Air Force Personnel Security Program, 31 July 2018. The 13 Adjudicative Guidelines include:

Allegiance to the United States

Foreign Influence

Foreign Preference

Sexual Behavior

Personal Conduct

Financial Considerations

Alcohol Consumption

Drug Involvement

Psychological Conditions

Criminal Conduct

Handling Protected Information

Outside Activities

Use of Information Technology


Section 17D - Information Access, Cyber Security, and Mobility

2021 E6 Study Guide

17.9. The Privacy Act

The Privacy Act of 1974 (as amended) establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal information about individuals that is maintained in a system of records by federal agencies. The Privacy Act provides individuals with a means by which to seek access to and amend their records, and sets forth agency record-keeping requirements.

Disclosure of Information. Privacy Act rights are personal to the individual who is the subject of the record and cannot be asserted derivatively by others. The Privacy Act prohibits the disclosure of information from a system of records without the written consent of the subject individual. Individuals have the right to request access or amendment to their records in a system. The parent of any minor, or the legal guardian of an incompetent, may act on behalf of that individual.

Collection of Information. The Privacy Act limits the collection of information to what the law or executive orders authorize. System of records notices must be published in the federal register allowing the public a 30-day comment period. Such collection must not conflict with the rights guaranteed by the First Amendment to the U.S. Constitution. A Privacy Act statement must be given when individuals are asked to provide personal information about themselves for collection in a system of records.

System of Records Maintenance. Privacy Act system of records is a group of any records under the control of any agency from which information is retrieved by the individual's name, number, or unique identifier.

Note: Department of Defense personnel may disclose records to other offices in the Department of Defense when there is "an official need to know" and to other federal government agencies or individuals when a discloser of record is a "routine use" published in the system of records notices or as authorized by a Privacy Act exception. In addition, information may be released for a disclosed specified purpose with the subject's consent. The office of primary responsibility of the data should keep an account of all information they've released.

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332, Air Force Privacy and Civil Liberties Program.

2022 E6 Study Guide

17.15. The Privacy Act

The Privacy Act of 1974 (as amended) establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal information about individuals that is maintained in a system of records by federal agencies. The Privacy Act provides individuals with a means by which to seek access to and amend their records, and sets forth agency record-keeping requirements.

Disclosure of Information. Privacy Act rights are personal to the individual who is the subject of the record and cannot be asserted derivatively by others. The Privacy Act prohibits the disclosure of information from a system of records without the written consent of the subject individual. Individuals have the right to request access or amendment to their records in a system. The parent of any minor, or the legal guardian of an incompetent, may act on behalf of that individual.

Collection of Information. The Privacy Act limits the collection of information to what the law or executive orders authorize. System of records notices must be published in the federal register allowing the public a 30-day comment period. Such collection must not conflict with the rights guaranteed by the First Amendment to the U.S. Constitution. A Privacy Act statement must be given when individuals are asked to provide personal information about themselves for collection in a system of records.

System of Records Maintenance. Privacy Act system of records is a group of any records under the control of any agency from which information is retrieved by the individual's name, number, or unique identifier.

Note: Department of Defense personnel may disclose records to other offices in the Department of Defense when there is "an official need to know" and to other federal government agencies or individuals when a discloser of record is a "routine use" published in the system of records notices or as authorized by a Privacy Act exception. In addition, information may be released for a disclosed specified purpose with the subject's consent. The office of primary responsibility of the data should keep an account of all information they've released.

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332.

2021 E6 Study Guide

17.10. Freedom of Information Act

The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.

Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R/AFMAN 33-302, Freedom of Information Act Program, for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2022 E6 Study Guide

17.16. Freedom of Information Act

The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.

Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R_AFMAN 33-302 for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2021 E6 Study Guide

17.11. Cybersecurity

Cybersecurity is defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications systems, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Cybersecurity disciplines include: Air Force Risk Management Framework, IT controls/countermeasures, communications security, TEMPEST (formerly known as emissions security), AF Assessment and Authorization (formerly known as Certification and Accreditation Program), and Cybersecurity Workforce Improvement Program. AFI 17-130, Cybersecurity Program Management, describes risk management and cybersecurity as representations of dynamic, multi-disciplinary sets of challenges. Processes and practices must continuously evolve and improve to match the ever-changing threat environment.

Cybersecurity Program Risk Management Strategy. The Air Force's Cybersecurity Program's risk management strategy must ensure that the confidentiality, integrity, and availability of all information owned or held in trust by the Air Force is protected. The program strategy must also be integrated into all key mission and business processes. To ensure operational agility, cybersecurity capabilities will be balanced to include safety, reliability, interoperability, and ease of use, while maximizing performance, as well as promoting transparency and interoperability with Air Force mission partners. All Air Force personnel are required to complete Information Assurance Awareness training prior to system access and annually thereafter.

Five Functions of the Air Force Cybersecurity Program. The Air Force Cybersecurity Program encompasses the five functions briefly described here.

- Identify. Develop and maintain the organizational understanding required to manage cybersecurity risk.

- Protect. Implement controls to ensure the delivery of mission critical infrastructure services.

- Detect. Possess the ability to detect cybersecurity events when they occur.

- Respond. Possess the ability to take action regarding detected cybersecurity events.

- Recover. Possess the ability to remain operationally resilient and to restore capabilities or services that were impaired due to cybersecurity events.

2022 E6 Study Guide

17.17. Cybersecurity

Cybersecurity is defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Cybersecurity disciplines include: Air Force Risk Management Framework, IT controls/countermeasures, communications security, TEMPEST (formerly known as emissions security), AF Assessment and Authorization (formerly known as Certification and Accreditation Program), and Cybersecurity Workforce Improvement Program. AFI 17-130, Cybersecurity Program Management, 13 February 2020, describes risk management and cybersecurity as representations of dynamic, multi-disciplinary sets of challenges. Processes and practices must continuously evolve and improve to match the ever-changing threat environment.

Cybersecurity Program Risk Management Strategy. The USAF's Cybersecurity Program's risk management strategy must ensure that the confidentiality, integrity, and availability of all information owned or held in trust by the USAF is protected. The program strategy must also be integrated into all key mission and business processes. To ensure operational agility, cybersecurity capabilities will be balanced to include safety, reliability, interoperability, and ease of use, while maximizing performance, as well as promoting transparency and interoperability with USAF mission partners. All USAF personnel are required to complete Information Assurance Awareness training prior to system access and annually thereafter.

Five Functions of the USAF Cybersecurity Program. The USAF Cybersecurity Program encompasses the five functions briefly described here.

- Identify. Develop and maintain the organizational understanding required to manage cybersecurity risk.

- Protect. Implement controls to ensure the delivery of mission critical infrastructure services.

- Detect. Possess the ability to detect cybersecurity events when they occur.

- Respond. Possess the ability to take action regarding detected cybersecurity events.

- Recover. Possess the ability to remain operationally resilient and to restore capabilities or services that were impaired due to cybersecurity events.

2021 E6 Study Guide

17.12. Computer Security

Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.

Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the Air Force or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, Operations Security, and must be consistent with the requirements of DoD 5500.07-R, Joint Ethics Regulation.

2022 E6 Study Guide

17.18. Computer Security

Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.

Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the USAF or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, and must be compliant with the requirements of DoD 5500.07-R.

2021 E6 Study Guide

17.13. Information Systems

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable FIPS 140-2, Security Requirements for Cryptographic Modules.

Countermeasures. A countermeasure is any action, device, procedure, or technique that meets or opposes (counters) a threat, vulnerability, or attack by eliminating, preventing, or minimizing damage, or by discovering and reporting the event so corrective action can be taken.

Threats. Every Air Force information system has vulnerabilities and is susceptible to exploitation. Threats to information systems include, but are not limited to, any circumstance or event with the potential to adversely impact any operation or function through an information system via unauthorized access, destruction, disclosure, modification of information, or denial of service. There are three steps involved in protecting information systems from viruses and other forms of malicious logic. These steps include a combination of human and technological countermeasures to ensure the protection is maintained throughout the lifecycle of the information system.

- Infection. Infection is the invasion of information system applications, processes, or services by a virus or malware code causing the information system to malfunction.

- Detection. Detection is a signature or behavior-based antivirus system that signals when an anomaly caused by a virus or malware occurs.

- Reaction. When notified of a virus or malware detection, react by immediately notifying your information system security officer and following local procedures.

2022 E6 Study Guide

17.19. Information Systems

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable Federal Information Processing Standard (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, 25 May 2001.

Countermeasures. A countermeasure is any action, device, procedure, or technique that meets or opposes (counters) a threat, vulnerability, or attack by eliminating, preventing, or minimizing damage, or by discovering and reporting the event so corrective action can be taken.

Threats. Every USAF information system has vulnerabilities and is susceptible to exploitation. Threats to information systems include, but are not limited to, any circumstance or event with the potential to adversely impact any operation or function through an information system via unauthorized access, destruction, disclosure, modification of information, or denial of service. There are three steps involved in protecting information systems from viruses and other forms of malicious logic. These steps include a combination of human and technological countermeasures to ensure the protection is maintained throughout the lifecycle of the information system.

Infection. Infection is the invasion of information system applications, processes, or services by a virus or malware code causing the information system to malfunction.

Detection. Detection is a signature or behavior-based antivirus system that signals when an anomaly caused by a virus or malware occurs.

Reaction. When notified of a virus or malware detection, react by immediately notifying your information system security officer and following local procedures.

2021 E6 Study Guide

17.14. Mobile Computing Devices

Mobile computing devices are information systems, such as portable electronic devices, laptops, smartphones, and other handheld devices that can store data locally and access Air Force managed networks through mobile access capabilities. All wireless systems (including associated peripheral devices, operating systems, applications, network connection methods, and services) must be approved prior to processing Department of Defense information. The information systems security officer will maintain documented approval authority and inventory information on all approved devices. All mobile computing devices not assigned or in use must be secured to prevent tampering or theft. Users of mobile devices will sign a detailed user agreement outlining the responsibilities and restrictions for use.

2022 E6 Study Guide

17.20. Mobile Computing Devices

Mobile computing devices are information systems, such as portable electronic devices, laptops, smartphones, and other handheld devices that can store data locally and access USAF managed networks through mobile access capabilities. All wireless systems (including associated peripheral devices, operating systems, applications, network connection methods, and services) must be approved prior to processing Department of Defense information. The information systems security officer will maintain documented approval authority and inventory information on all approved devices. All mobile computing devices not assigned or in use must be secured to prevent tampering or theft. Users of mobile devices will sign a detailed user agreement outlining the responsibilities and restrictions for use.

2021 E6 Study Guide

17.15. Public Computing Facilities or Services

Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident according to the current Air Force guidance on computer security.

2022 E6 Study Guide

17.21. Public Computing Facilities or Services

Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident.

2021 E6 Study Guide

17.16. Communications Security

Communications security refers to measures and controls taken to deny unauthorized persons information derived from information systems of the U.S. Government related to national security and to ensure the authenticity of such information systems. Communications security protection results from applying security measures to communications and information systems generating, handling, storing, processing, or using classified or sensitive information, the loss of which could adversely affect national security interests. Communications security also entails applying physical security measures to communications security information or materials.

Cryptosecurity. Cryptosecurity is a component of communications security resulting from the provision and proper use of technically sound cryptosystems.

Transmission Security. Transmission security is a component of communications security resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptoanalysis. Examples of transmission security measures include using secured communications systems, registered mail, secure telephone and facsimile equipment, manual cryptosystems, call signs, or authentication to transmit classified information.

Physical Security. Physical security is communications security resulting from the use of all physical measures necessary to safeguard communications security material from access by unauthorized persons. Physical security measures include the application of control procedures and physical barriers. Physical security also ensures continued integrity, prevents access by unauthorized persons, and controls the spread of communications security techniques and technology when not in the best interest of the United States and our allies. Common physical security measures include verifying the need to know and clearance of personnel granted access, following proper storage and handling procedures, accurately accounting for all materials, transporting materials using authorized means, and immediately reporting the loss or possible compromise of materials.

2022 E6 Study Guide

17.22. Communications Security

Communications security refers to measures and controls taken to deny unauthorized persons information derived from information systems of the U.S. Government related to national security and to ensure the authenticity of such information systems. Communications security protection results from applying security measures to communications and information systems generating, handling, storing, processing, or using classified or sensitive information, the loss of which could adversely affect national security interests. Communications security also entails applying physical security measures to communications security information or materials.

Cryptosecurity. Cryptosecurity is a component of communications security resulting from the provision and proper use of technically sound cryptosystems.

Transmission Security. Transmission security is a component of communications security resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptoanalysis. Examples of transmission security measures include using secured communications systems, registered mail, secure telephone and facsimile equipment, manual cryptosystems, call signs, or authentication to transmit classified information.

Physical Security. Physical security is communications security resulting from the use of all physical measures necessary to safeguard communications security material from access by unauthorized persons. Physical security measures include the application of control procedures and physical barriers. Physical security also ensures continued integrity, prevents access by unauthorized persons, and controls the spread of communications security techniques and technology when not in the best interest of the United States and our allies. Common physical security measures include verifying the need to know and clearance of personnel granted access, following proper storage and handling procedures, accurately accounting for all materials, transporting materials using authorized means, and immediately reporting the loss or possible compromise of materials.

2021 E6 Study Guide

17.17. TEMPEST

TEMPEST, formerly known as emissions security, is protection resulting from all measures taken to deny unauthorized persons information of value that may be derived from the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems. The objective of TEMPEST is to deny access to classified, and in some instances unclassified, information that contains compromising emanations within an inspectable space. The inspectable space is considered the area in which it would be difficult for an adversary with specialized equipment to attempt to intercept compromising emanations without being detected. TEMPEST countermeasures, such as classified and unclassified equipment separation, shielding, and grounding, are implemented to reduce the risk of compromising emanations.

2022 E6 Study Guide

17.23. TEMPEST

TEMPEST, formerly known as emissions security, is protection resulting from all measures taken to deny unauthorized persons information of value that may be derived from the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems. The objective of TEMPEST is to deny access to classified, and in some instances unclassified, information that contains compromising emanations within an inspectable space. The inspectable space is considered the area in which it would be difficult for an adversary with specialized equipment to attempt to intercept compromising emanations without being detected. TEMPEST countermeasures, such as classified and unclassified equipment separation, shielding, and grounding, are implemented to reduce the risk of compromising emanations.


Section 17E - Antiterrorism

2021 E6 Study Guide

17.18. Antiterrorism Efforts

The Air Force seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all Air Force members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.

Headquarters Air Force. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection, processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.

The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead Air Force agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the Air Force single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

Commanders. Commanders at all levels who understand the threat can assess their ability to prevent, survive, and prepare to respond to an attack. A terrorism threat assessment requires the identification of a full range of known or estimated terrorist threat capabilities (including the use or threat of use of chemical, biological, radiological, nuclear, or high-yield explosives and weapons of mass destruction). In addition to tasking appropriate agencies to collect information, commanders at all levels should encourage personnel under their command to report information on individuals, events, or situations that could pose a threat to the security of Department of Defense personnel, families, facilities, and resources.

Antiterrorism Training. At least annually, commanders conduct comprehensive field and staff training to exercise antiterrorism plans, to include antiterrorism physical security measures, continuity of operations, critical asset risk management, and emergency management plans. Antiterrorism training should include terrorism scenarios specific to the location and be based on current enemy tactics, techniques, procedures, and lessons learned. Additionally, the current baseline through force protection condition 'Charlie' measures shall be exercised annually at installations and self-supported separate facilities.

Random Antiterrorism Measures Program

Installation commanders shall develop and implement a random antiterrorism measures program that will include all units on the installation. The intent of the program is to provide random, multiple security measures that consistently change the look of an installation's antiterrorism program.

Random antiterrorism measures introduce uncertainty to an installation's overall force protection program to defeat surveillance attempts and to make random antiterrorism measures difficult for a terrorist to accurately predict our actions. The program shall be included in antiterrorism plans and tie directly with all force protection conditions, including force protection condition 'normal', to ensure continuity and standardization, should threats require Air Force-wide implementation. Random antiterrorism measures times for implementation, location, and duration shall be regularly changed to avoid predictability. Random antiterrorism measures execution shall be broad based and involve all units and personnel.

2022 E6 Study Guide

17.24. Antiterrorism Efforts

The USAF seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all USAF members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.

HAF. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection, processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.

The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead USAF agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the USAF single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

Commanders. Commanders at all levels who understand the threat can assess their ability to prevent, survive, and prepare to respond to an attack. A terrorism threat assessment requires the identification of a full range of known or estimated terrorist threat capabilities (including the use or threat of use of chemical, biological, radiological, nuclear, or high-yield explosives and weapons of mass destruction). In addition to tasking appropriate agencies to collect information, commanders at all levels should encourage personnel under their command to report information on individuals, events, or situations that could pose a threat to the security of Department of Defense personnel, families, facilities, and resources.

Antiterrorism Training. At least annually, commanders conduct comprehensive field and staff training to exercise antiterrorism plans, to include antiterrorism physical security measures, continuity of operations, critical asset risk management, and emergency management plans. Antiterrorism training should include terrorism scenarios specific to the location and be based on current enemy tactics, techniques, procedures, and lessons learned. Additionally, the current baseline through force protection condition 'Charlie' measures shall be exercised annually at installations and self-supported separate facilities.

Random Antiterrorism Measures Program

Installation commanders shall develop and implement a random antiterrorism measures program that will include all units on the installation. The intent of the program is to provide random, multiple security measures that consistently change the look of an installation's antiterrorism program.

Random antiterrorism measures introduce uncertainty to an installation's overall force protection program to defeat surveillance attempts and to make random antiterrorism measures difficult for a terrorist to accurately predict our actions. The program shall be included in antiterrorism plans and tie directly with all force protection conditions, including force protection condition 'normal', to ensure continuity and standardization, should threats require USAF-wide implementation. Times for implementation, location, and duration of random antiterrorism measures shall be regularly changed to avoid predictability. Execution of random antiterrorism measures shall be broad based and involve all units and personnel.

2021 E6 Study Guide

17.19. Ground Transportation Security

Criminal and terrorist acts against individuals usually occur outside the home and after the victim's habits have been established. Your most predictable habit is the route you travel on a regular basis. Always check for fingerprints, smudges, or tampering of the interior and exterior of your vehicle, including the tires and trunk. If you detect something out of the ordinary, do not touch anything. Immediately contact the local authorities. When overseas, travel with a companion. Select a plain car and avoid using government vehicles, when possible. Do not openly display military equipment or decals with military affiliations. Keep doors locked at all times. Do not let someone you do not know direct you to a specific taxi. Ensure taxis are licensed and have safety equipment (seat belts at a minimum). Ensure that the face of the taxi driver and the picture on the license are the same.

2022 E6 Study Guide

17.25. Ground Transportation Security

Criminal and terrorist acts against individuals usually occur outside the home and after the victim's habits have been established. Your most predictable habit is the route you travel on a regular basis. Always check for fingerprints, smudges, or tampering of the interior and exterior of your vehicle, including the tires and trunk. If you detect something out of the ordinary, do not touch anything. Immediately contact the local authorities. When overseas, travel with a companion. Select a plain car and avoid using government vehicles, when possible. Do not openly display military equipment or decals with military affiliations. Keep doors locked at all times. Do not let someone you do not know direct you to a specific taxi. Ensure taxis are licensed and have safety equipment (seat belts at a minimum). Ensure that the face of the taxi driver and the picture on the license are the same.

2021 E6 Study Guide

17.20. Commercial Air Transportation Security Overseas

Before traveling overseas, consult the Foreign Clearance Guide to ensure you meet all requirements for travel to a particular country. Get the required 'area of responsibility' threat briefing from your security officer, antiterrorism officers, or the appropriate counterintelligence or security organization within three months prior to traveling overseas. Use office symbols on travel documents if the word description denotes a sensitive position. Use military contracted flag carriers. Avoid traveling through high-risk areas. Do not use rank or military address on tickets. Do not discuss military affiliation. Have proper identification to show airline and immigration officials. Do not carry classified documents unless absolutely mission essential. Dress conservatively. Wear clothing that covers military or United States-affiliated tattoos. Carry plain civilian luggage. Do not wear or carry distinct military items.

2022 E6 Study Guide

17.26. Commercial Air Transportation Security Overseas

Before traveling overseas, consult the Foreign Clearance Guide to ensure you meet all requirements for travel to a particular country. Get the required 'area of responsibility' threat briefing from your security officer, antiterrorism officers, or the appropriate counterintelligence or security organization within three months prior to traveling overseas. Use office symbols on travel documents if the word description denotes a sensitive position. Use military contracted flag carriers. Avoid traveling through high-risk areas. Do not use rank or military address on tickets. Do not discuss military affiliation. Have proper identification to show airline and immigration officials. Do not carry classified documents unless absolutely mission essential. Dress conservatively. Wear clothing that covers military or United States-affiliated tattoos. Carry plain civilian luggage. Do not wear or carry distinct military items.

2021 E6 Study Guide

17.21. Suspicious Packages or Mail

Look for an unusual or unknown place of origin; no return address; excessive amount of postage; abnormal size or shape; protruding strings; aluminum foil; wires; misspelled words; differing return address and postmark; handwritten labels; unusual odor; unusual or unbalanced weight; springiness in the top or bottom; inflexibility; crease marks; discoloration or oily stains; incorrect titles or title with no name; excessive security material; ticking, beeping, or other sounds; or special instruction markings, such as "personal, rush, do not delay, or confidential" on any packages or mail received. Be vigilant for evidence of powder or other contaminants. Never cut tape, strings, or other wrappings on a suspect package. If the package has been moved, place the package in a plastic bag to prevent any leakage of contents. If handling mail suspected of containing chemical or biological contaminants, wash hands thoroughly with soap and water. Report suspicious mail immediately and make a list of personnel who were in the room when the suspicious envelope or package was identified.

2022 E6 Study Guide

17.27. Suspicious Packages or Mail

Look for an unusual or unknown place of origin; no return address; excessive amount of postage; abnormal size or shape; protruding strings; aluminum foil; wires; misspelled words; differing return address and postmark; handwritten labels; unusual odor; unusual or unbalanced weight; springiness in the top or bottom; inflexibility; crease marks; discoloration or oily stains; incorrect titles or title with no name; excessive security material; ticking, beeping, or other sounds; or special instruction markings, such as "personal, rush, do not delay, or confidential" on any packages or mail received. Be vigilant for evidence of powder or other contaminants. Never cut tape, strings, or other wrappings on a suspect package. If the package has been moved, place the package in a plastic bag to prevent any leakage of contents. If handling mail suspected of containing chemical or biological contaminants, wash hands thoroughly with soap and water. Report suspicious mail immediately and make a list of personnel who were in the room when the suspicious envelope or package was identified.

2021 E6 Study Guide

17.22. General Antiterrorism Personal Protection

Individual vigilance is integral to the antiterrorism program, whether stateside or overseas. Several actions are provided here to help ensure individual protection.

- Dress and behave in a way that does not draw attention.

- Be inconspicuous and avoid publicity.

- Travel in small groups.

- Avoid spontaneous gatherings or demonstrations.

- Be unpredictable.

- Vary daily routines to/from home and work.

- Be alert for anything suspicious or out of place.

- Avoid giving unnecessary personal details to anyone unless their identity can be verified.

- Be alert to strangers who are on government property for no apparent reason.

- Refuse to meet with strangers outside your workplace.

- Always advise associates or family members of your destination and anticipated time of arrival.

- Report unsolicited contacts to authorities.

- Do not open doors to strangers.

- Memorize key telephone numbers and dialing instructions.

- Be cautious about giving information regarding family travel or security measures.

- When overseas, learn and practice a few key phrases in the local language.

2022 E6 Study Guide

17.28. General Antiterrorism Personal Protection

Individual vigilance is integral to the antiterrorism program, whether stateside or overseas. Several actions are provided here to help ensure individual protection.

- Dress and behave in a way that does not draw attention.

- Be inconspicuous and avoid publicity.

- Travel in small groups.

- Avoid spontaneous gatherings or demonstrations.

- Be unpredictable.

- Vary daily routines to/from home and work.

- Be alert for anything suspicious or out of place.

- Avoid giving unnecessary personal details to anyone unless their identity can be verified.

- Be alert to strangers who are on government property for no apparent reason.

- Refuse to meet with strangers outside your workplace.

- Always advise associates or family members of your destination and anticipated time of arrival.

- Report unsolicited contacts to authorities.

- Do not open doors to strangers.

- Memorize key telephone numbers and dialing instructions.

- Be cautious about giving information regarding family travel or security measures.

- When overseas, learn and practice a few key phrases in the local language.

2021 E6 Study Guide

17.23. Home and Family Security

Spouses and children should always practice basic precautions for personal security. Familiarize family members with the local terrorist threat and regularly review protective measures and techniques. Ensure family members know what to do in any type of emergency. Several actions are provided here to help ensure home and family security.

- Restrict the possession of house keys.

- Lock all entrances at night, including the garage.

- Keep the house locked, even if you are home.

- Destroy all envelopes or other items that show your name, rank, or other personal information.

- Remove names and rank from mailboxes.

- Watch for unfamiliar vehicles cruising or parked frequently in the area, particularly if one or more occupants remain in the vehicle for extended periods.

- Post or preprogram emergency telephone numbers for immediate access. Report all threatening phone calls to security officials and the telephone company, making note of any background noise, accent, nationality, or location.

2022 E6 Study Guide

17.29. Home and Family Security

Spouses and children should always practice basic precautions for personal security. Familiarize family members with the local terrorist threat and regularly review protective measures and techniques. Ensure family members know what to do in any type of emergency. Several actions are provided here to help ensure home and family security.

- Restrict the possession of house keys.

- Lock all entrances at night, including the garage.

- Keep the house locked, even if you are home.

- Destroy all envelopes or other items that show your name, rank, or other personal information.

- Remove names and rank from mailboxes.

- Watch for unfamiliar vehicles cruising or parked frequently in the area, particularly if one or more occupants remain in the vehicle for extended periods.

- Post or preprogram emergency telephone numbers for immediate access. Report all threatening phone calls to security officials and the telephone company, making note of any background noise, accent, nationality, or location.

2021 E6 Study Guide

17.24. Human Intelligence and Counterintelligence

Human intelligence is a category of intelligence derived from information collected and provided by human sources and collectors, and where the human being is the primary collection instrument. Counterintelligence is information gathered and activities conducted to protect against such threats. A few primary human intelligence collection efforts are briefly described here.

Interrogation. Interrogation is the systematic effort to procure information to answer specific collection requirements by direct and indirect questioning techniques of a person who is in the custody of the forces conducting the questioning. Proper questioning of enemy combatants, enemy prisoners of war, or other detainees by trained and certified Department of Defense interrogators may result in information provided either willingly or unwittingly.

Source Operations. Designated and fully trained military human intelligence collection personnel may develop information through the elicitation of sources, to include: "walk-in" sources who, without solicitation, make the first contact with human intelligence personnel; developed sources who are met over a period of time and provide information based on operational requirements; unwitting persons with access to sensitive information.

Debriefing. Debriefing is the process of questioning cooperating human sources to satisfy intelligence requirements, consistent with applicable law. The source usually is not in custody and is usually willing to cooperate. Debriefing may be conducted at all echelons and in all operational environments. Through debriefing, face-to-face meetings, conversations, and elicitation, information may be obtained from a variety of human sources.

Document and Media Exploitation. Captured documents and media, when properly processed and exploited, may provide valuable information, such as adversary plans and intentions, force locations, equipment capabilities, and logistical status. The category of "captured documents and media" includes all media capable of storing fixed information, as well as computer storage material. This operation is not a primary human intelligence function, but may be conducted by any intelligence personnel with appropriate language support.

Human Intelligence Threat Areas. A few primary threat areas are briefly described here.

Espionage. The act of obtaining, delivering, transmitting, communicating, or receiving information about national defense with intent or reason to believe the information may be used to the injury of the United States or to the advantage of any foreign nation.

Subversion. An act or acts inciting military or civilian personnel of the Department of Defense to violate laws, disobey lawful orders or regulations, or disrupt military activities with the willful intent, thereby to interfere with or impair the loyalty, morale, or discipline of the U.S. Armed Forces.

Sabotage. An act or acts with intent to injure, interfere with, or obstruct the national defense of a country by willfully injuring or destroying, or attempting to injure or destroy, any national defense or war material, premises, or utilities, as well as human and natural resources.

Terrorism. The calculated use of unlawful violence or threat of unlawful violence to inculcate fear intended to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

2022 E6 Study Guide

17.30. Human Intelligence and Counterintelligence

Human intelligence is a category of intelligence derived from information collected and provided by human sources and collectors, and where the human being is the primary collection instrument. Counterintelligence is information gathered and activities conducted to protect against such threats. A few primary human intelligence collection efforts are briefly described here.

Interrogation. Interrogation is the systematic effort to procure information to answer specific collection requirements by direct and indirect questioning techniques of a person who is in the custody of the forces conducting the questioning. Proper questioning of enemy combatants, enemy prisoners of war, or other detainees by trained and certified Department of Defense interrogators may result in information provided either willingly or unwittingly.

Source Operations. Designated and fully trained military human intelligence collection personnel may develop information through the elicitation of sources, to include: "walk-in" sources who, without solicitation, make the first contact with human intelligence personnel; developed sources who are met over a period of time and provide information based on operational requirements; unwitting persons with access to sensitive information.

Debriefing. Debriefing is the process of questioning cooperating human sources to satisfy intelligence requirements, consistent with applicable law. The source usually is not in custody and is usually willing to cooperate. Debriefing may be conducted at all echelons and in all operational environments. Through debriefing, face-to-face meetings, conversations, and elicitation, information may be obtained from a variety of human sources.

Document and Media Exploitation. Captured documents and media, when properly processed and exploited, may provide valuable information, such as adversary plans and intentions, force locations, equipment capabilities, and logistical status. The category of "captured documents and media" includes all media capable of storing fixed information, as well as computer storage material. This operation is not a primary human intelligence function, but may be conducted by any intelligence personnel with appropriate language support.

Human Intelligence Threat Areas. A few primary threat areas are briefly described here.

Espionage. The act of obtaining, delivering, transmitting, communicating, or receiving information about national defense with intent or reason to believe the information may be used to the injury of the United States or to the advantage of any foreign nation.

Subversion. An act or acts inciting military or civilian personnel of the Department of Defense to violate laws, disobey lawful orders or regulations, or disrupt military activities with the willful intent, thereby to interfere with or impair the loyalty, morale, or discipline of the U.S. Armed Forces.

Sabotage. An act or acts with intent to injure, interfere with, or obstruct the national defense of a country by willfully injuring or destroying, or attempting to injure or destroy, any national defense or war material, premises, or utilities, as well as human and natural resources.

Terrorism. The calculated use of unlawful violence or threat of unlawful violence to inculcate fear intended to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

2021 E6 Study Guide

17.25. Incident Reporting

AFI 71-101, Volume 4, Counterintelligence, requires individuals who have reportable contacts or acquire reportable information, to immediately (within 30 days of the contact) report the contact or information either verbally or in writing to AFOSI. The AFOSI initiates and conducts all counterintelligence investigations, operations, collections, and other related activities for the Air Force. When appropriate, or when overseas, AFOSI coordinates these activities with the Central Intelligence Agency and the Federal Bureau of Investigation. The AFOSI is also the installation-level training agency for counterintelligence awareness briefings, and is the sole Air Force repository for the collection and retention of reportable information.

Contact is defined as any exchange of information directed to an individual, including solicited or unsolicited telephone calls, e-mail, radio contact, and face-to-face meetings. Examples include: contact with a foreign diplomatic establishment; a request by anyone for illegal or unauthorized access to classified or unclassified controlled information; personal contact with any individual who suggests that a foreign intelligence or any terrorist organization may have targeted him or her or others for possible intelligence exploitation; or receipt of information indicating military members, civilian employees, or Department of Defense contractors have contemplated, attempted, or effected the deliberate compromise or unauthorized release of classified or unclassified controlled information.

AFI, 10-245, The Eagle Eyes program is a DAF Antiterrorism initiative that enlists the eyes and ears of all AF military, civilians, contractors, and dependents. The Eagle Eyes program is a reporting mechanism for the base community on how to report suspicious behavior or possible terrorist activity. Each installation shall outline procedures in the installation AT plan on how to receive and log suspicious activity reports and suspicious incident reports and to pass those reports expeditiously to their servicing Air Force Office of Special Investigations

2022 E6 Study Guide

17.31. Incident Reporting

AFI 71-101, Volume 4, Counterintelligence, 2 July 2019, requires individuals who have reportable contacts or acquire reportable information, to immediately (within 30 days of the contact) report the contact or information either verbally or in writing to AFOSI. The AFOSI initiates and conducts all counterintelligence investigations, operations, collections, and other related activities for the USAF. When appropriate, or when overseas, AFOSI coordinates these activities with the Central Intelligence Agency and the Federal Bureau of Investigation. The AFOSI is also the installation-level training agency for counterintelligence awareness briefings, and is the sole USAF repository for the collection and retention of reportable information.

Contact is defined as any exchange of information directed to an individual, including solicited or unsolicited telephone calls, e-mail, radio contact, and face-to-face meetings. Examples include: contact with a foreign diplomatic establishment; a request by anyone for illegal or unauthorized access to classified or unclassified controlled information; personal contact with any individual who suggests that a foreign intelligence or any terrorist organization may have targeted him or her or others for possible intelligence exploitation; or receipt of information indicating military members, civilian employees, or Department of Defense contractors have contemplated, attempted, or effected the deliberate compromise or unauthorized release of classified or unclassified controlled information.

AFI 10-245, Antiterrorism (AT), 25 June 2015, The Eagle Eyes program is a USAF Antiterrorism initiative that enlists the eyes and ears of all AF military, civilians, contractors, and dependents. The Eagle Eyes program is a reporting mechanism for the base community on how to report suspicious behavior or possible terrorist activity. Each installation shall outline procedures in the installation AT plan on how to receive and log suspicious activity reports and suspicious incident reports and to pass those reports expeditiously to their servicing Air Force Office of Special Investigations

2021 E6 Study Guide

17.26. Protection of the President and Others

As stated in AFI 71-101, Volume 2, Protective Service Matters, as a result of a formal agreement between the Department of Defense and U.S. Secret Service, individuals affiliated with the U.S. Armed Forces have a special obligation to report information regarding the safety and protection of the U.S. President or anyone else anyone under the protection of the U.S. Secret Service. This includes the Vice President, the President- and Vice President-elect, and visiting heads of foreign states or foreign governments. In most cases, former Presidents and their spouses are also afforded lifetime protection of the U.S. Secret Service.

2022 E6 Study Guide

17.32. Protection of the President and Others

As stated in AFI 71-101, Volume 2, Protective Service Matters, 21 May 2019, as a result of a formal agreement between the Department of Defense and U.S. Secret Service, individuals affiliated with the U.S. Armed Forces have a special obligation to report information regarding the safety and protection of the U.S. President or anyone else under the protection of the U.S. Secret Service. This includes the Vice President, the President- and Vice President-elect, and visiting heads of foreign states or foreign governments. In most cases, former Presidents and their spouses are also afforded lifetime protection of the U.S. Secret Service.











9 Feb 2022. The 2021 Air Force Handbook is not available yet. The E-5 and E-6 Study Guides were released and posted to the official Air Force website (https://www.studyguides.af.mil/) on 1 Feb 2022. This website was updated using the content from the E-6 Study Guide under the assumption that because both study guides were excerpts taken from the Air Force Handbook, they would be the same. However, there are differences between the two study guides as noted below. Questions related to these differences have been removed or edited, as necessary, to ensure accuracy.


The phrase "Air Force" was replaced globally by "USAF" in the E-5 Study Guide.

Paragraph 17.25. Eagle Eyes Program, is new content. The rest of this chapter is the same as the last (2019) edition's Chapter 18, Security.

In Section C, Information Protection, the information about FOUO was removed in the E-5 Study Guide but remains in the E-6 Study Guide.

The numbering of every paragraph in this chapter of the E-5 Study Guide differs from that in the E-6 Study Guide. The questions in this chapter have been updated with both paragraph references (E-5 and E-6) for clarity.


2021 E5 Study Guide

17.7. USAF Operations Security Program
The purpose of operations security is to reduce the vulnerability of USAF missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security uses a cycle to identify, analyze, and control critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. USAF personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting combat operations. USAF units utilize a profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers and signature managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security signature managers also recommend modifying the day-to-day activities at an installation or organization to create variations in the status quo. Operations security involves attentiveness to:

2021 E6 Study Guide

17.1. Air Force Operations Security Program
The purpose of operations security is to reduce the vulnerability of Air Force missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security uses a cycle to identify, analyze, and control critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. Air Force personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting combat operations. Air Force units utilize a profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers and signature managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security signature managers also recommend modifying the day-to-day activities at an installation or organization to create variations in the status quo. Operations security involves attentiveness to:

2021 E5 Study Guide

17.9. Information Protection Procedures
Information protection is a subset of the USAF security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and CUI that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2021 E6 Study Guide

17.3. Information Protection Procedures
Information protection is a subset of the Air Force security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and controlled unclassified information that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2021 E5 Study Guide

17.10. Information Security
All personnel in the USAF are responsible for protecting classified information and CUI under their custody and control. DoDM5200.01V1_AFMAN16-1404V1, Information Security Program: Overview, Classification, and Declassification, 10 January 2021, provide the guidance for managing classified information and CUI.

2021 E6 Study Guide

17.4. Information Security
All personnel in the Air Force are responsible for protecting classified information and controlled unclassified information under their custody and control. DoD Manual 5200.01, Department of Defense Information Security Program, and AFI 16-1404, Air Force Information Security Program, provide the guidance for managing classified information and controlled unclassified information.

2021 E5 Study Guide

17.11. CUI
CUI is information that requires access and distribution controls and protective measures, and may be referred to accordingly as: for official use only, law enforcement sensitive, Department of Defense unclassified controlled nuclear information, and limited distribution. Requirements, controls, and protective measures developed for these materials are found in DoDI 5200.48, Controlled Unclassified Information, 6 March, 2020.

2021 E6 Study Guide

17.5. Controlled Unclassified Information
Controlled unclassified information is information that requires access and distribution controls and protective measures, and may be referred to accordingly as: for official use only, law enforcement sensitive, Department of Defense unclassified controlled nuclear information, and limited distribution. Requirements, controls, and protective measures developed for these materials are found in DoDI 5200.48 Controlled Unclassified Information (CUI)
For Official Use Only Information. For official use only (FOUO) information is the most commonly used controlled unclassified information category. The classification is used as a dissemination control applied by the Department of Defense to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest as identified in the Freedom of Information Act. No person may have access to information designated as FOUO unless they have a valid need for access in connection with the accomplishment of a lawful and authorized government purpose. FOUO information shall be indicated by markings that identify the originating office. FOR OFFICIAL USE ONLY or UNCLASSIFIED//FOR OFFICIAL USE ONLY will be marked at the bottom of the outside of the front cover (if there is one), the title page, the first page, all applicable internal pages (to include specific sections and paragraphs), and the outside of the back cover (if there is one).
During work hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel, such as not leaving FOUO status information unattended where unauthorized personnel are present. After working hours, store the information in unlocked containers, desks, or cabinets if the building is provided security by government or government-contract personnel. If building security is not provided or deemed inadequate, store the information in locked desks, file cabinets, bookcases, or locked rooms.


Removed from E-5 quiz for Section 17C, paragraph 17.5.:

4. Unclassified information that requires access and distribution controls and protective measures is collectively referred to as Controlled Unclassified Information. The most commonly used category of Controlled Unclassified Information is: (17.5.)

A. Confidential
B. LIMITED DISTRIBUTION
*C. For Official Use Only
D. Law Enforcement Sensitive

5. For Official Use Only is a dissemination control applied to unclassified information when disclosure to the public of that particular record would reasonably be expected to cause: (17.5.)

A. damage to national security
B. serious damage to national security
C. exceptionally grave damage to national security
*D. a foreseeable harm to an interest as identified in the Freedom of Information Act

6. A person may not have access to information designated as For Official Use Only unless they: (17.5.)

A. have a security clearance
B. have been "read into" the program
C. have signed a nondisclosure agreement
*D. have a valid need for access for a lawful and authorized Government purpose

7. During work hours, reasonable steps shall be taken to protect content designated as For Official Use Only (FOUO) from access by unauthorized personnel. After working hours, material designated as FOUO should be stored: (17.5.)

A. in a safe approved for classified storage
B. in the base COMSEC vault if the building is not continuously occupied
C. in unlocked containers, desks, or cabinets if there is no building security
*D. in unlocked containers, desks, or cabinets if building security is provided by Government or Government-contract personnel



2021 E5 Study Guide (17.11.)

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoDM5200.01V2_AFMAN16-1404V2, Information Security Program: Marking of Classified Information, 6 January 2021. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

2021 E6 Study Guide (17.5.)

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoD Manual 5200.01, Vol 2, Department of Defense Information Security Program: Marking of Classified Information. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

2021 E5 Study Guide (17.11.)

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoDM5200.01V2_AFMAN16-1404V2, for additional information and marking illustrations.

2021 E6 Study Guide (17.5.)

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoD Manual 5200.01, Volume 2, DoD Information Security Program: Marking of Classified Information, for additional information and marking illustrations.

2021 E5 Study Guide (17.11.)

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed Standard Form (SF) 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret (Cover Sheet), SF 704, Secret (Cover Sheet), and SF 705, Confidential (Cover Sheet).

2021 E6 Study Guide (17.5.)

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed SF 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret, SF 704, Secret, and SF 705, Confidential.

2021 E5 Study Guide

17.12. Security Incidents Involving Classified Information
Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoDM5200.01V3_AFMAN16-1404V3, DoD Information Security Program: Protection of Classified Information, 22 December 2020. The general security incident characteristics are briefly described here.

2021 E6 Study Guide

17.6. Security Incidents Involving Classified Information
Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoD Manual 5200.01 Volume 3, DoD Information Security Program: Protection of Classified Information. The general security incident characteristics are briefly described here.

2021 E5 Study Guide (17.15.)

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332.

2021 E6 Study Guide (17.9.)

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332, Air Force Privacy and Civil Liberties Program.

2021 E5 Study Guide

17.16. Freedom of Information Act
The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.
Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R_AFMAN 33-302 for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2021 E6 Study Guide

17.10. Freedom of Information Act
The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.
Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R/AFMAN 33-302, Freedom of Information Act Program, for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2021 E5 Study Guide

17.18. Computer Security
Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.
Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the USAF or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, and must be consistent with the requirements of DoD 5500.07-R.

2021 E6 Study Guide

17.12. Computer Security
Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.
Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the Air Force or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, Operations Security, and must be consistent with the requirements of DoD 5500.07-R, Joint Ethics Regulation.

2021 E5 Study Guide

17.19. Information Systems
An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable Federal Information Processing Standard (FIPS) Publication 140-2, Security Requirements for Cryptographic Modules, 25 May 2001.

2021 E6 Study Guide

17.13. Information Systems
An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable FIPS 140-2, Security Requirements for Cryptographic Modules.

2021 E5 Study Guide

17.21. Public Computing Facilities or Services
Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident.

2021 E6 Study Guide

17.15. Public Computing Facilities or Services
Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident according to the current Air Force guidance on computer security.

2021 E5 Study Guide

17.24. Antiterrorism Efforts
The USAF seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all USAF members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.
HAF. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.
The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead USAF agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the USAF single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

2021 E6 Study Guide

17.18. Antiterrorism Efforts
The Air Force seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all Air Force members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.
Headquarters Air Force. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.
The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead Air Force agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the Air Force single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

2021 E5 Study Guide (17.31.)

AFI 10-245, Antiterrorism (AT), 25 June 2015, The Eagle Eyes program is a USAF Antiterrorism initiative that enlists the eyes and ears of all AF military, civilians, contractors, and dependents. The Eagle Eyes program is a reporting mechanism for the base community on how to report suspicious behavior or possible terrorist activity. Each installation shall outline procedures in the installation AT plan on how to receive and log suspicious activity reports and suspicious incident reports and to pass those reports expeditiously to their servicing Air Force Office of Special Investigations

2021 E6 Study Guide (17.25.)

AFI, 10-245, The Eagle Eyes program is a DAF Antiterrorism initiative that enlists the eyes and ears of all AF military, civilians, contractors, and dependents. The Eagle Eyes program is a reporting mechanism for the base community on how to report suspicious behavior or possible terrorist activity. Each installation shall outline procedures in the installation AT plan on how to receive and log suspicious activity reports and suspicious incident reports and to pass those reports expeditiously to their servicing Air Force Office of Special Investigations

The correct title for AFI 10-245 is "Antiterrorism (AT)". Changed the relevant question in the quiz for Section E from "AFI, 10-245, The Eagle Eyes program" to "AFI 10-245, Antiterrorism (AT)".






Changes Since 2019 Air Force Handbook

This chapter (Chapter 17, Security) is taken from the 2019 edition of the Air Force Handbook's chapter 18, Security.

Section 17B, Operations Security.

Paragraph 17.1., Air Force Operations Security Program: Minor editing

Paragraph 17.2., Operations Security Indicators: No changes

2021 E6 Study Guide

17.1. Air Force Operations Security Program

The purpose of operations security is to reduce the vulnerability of Air Force missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security uses a cycle to identify, analyze, and control critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. Air Force personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting combat operations. Air Force units utilize a profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers and signature managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security signature managers also recommend modifying the day-to-day activities at an installation or organization to create variations in the status quo. Operations security involves attentiveness to:

- Identify those actions that can be observed by adversary intelligence systems.

- Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.

- Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Operational Effectiveness. Operations security involves a series of analyses to examine the planning, preparation, execution, and post-execution phases of any operation or activity across the entire spectrum of military action and in any operational environment. Operations security analysis provides decision-makers with a means of weighing the risk to their operations. Decision-makers must determine the amount of risk they are willing to accept in particular operational circumstances in the same way as operational risk management allows commanders to assess risk in mission planning. Operational effectiveness is enhanced when commanders and other decision-makers apply operations security from the earliest stages of planning.

Operations Security Principles. Operations security principles must be integrated into operational, support, exercise, acquisition planning, and day-to-day activities to ensure a seamless transition to contingency operations. The operations security cycle consists of the following distinct actions:

- Identify critical information.

- Analyze threats.

- Analyze vulnerabilities.

- Assess risk.

- Apply appropriate operations security countermeasures.

2019 Air Force Handbook

18.7. Operations Security Program

The purpose of operations security is to reduce the vulnerability of Air Force missions by eliminating or reducing successful adversary collection and exploitation of critical information. Operations security is a process of identifying, analyzing, and controlling critical information that applies to all activities used to prepare, sustain, or employ forces during all phases of operations. Air Force personnel can be under observation at their peacetime bases and locations, in training or exercises, while moving, or when deployed and conducting actual operations. Air Force units utilize the base profiling process to identify vulnerabilities and indicators of their day-to-day activities. With this understanding, operations security program managers use the signature management methodology to apply measures or countermeasures to hide, control, or simulate indicators. Operations security involves attentiveness to:

- Identify those actions that can be observed by adversary intelligence systems.

- Determine what specific indications could be collected, analyzed, and interpreted to derive critical information in time to be useful to adversaries.

- Select and execute measures that eliminate or reduce to an acceptable level the vulnerabilities of friendly actions to adversary exploitation.

Operational Effectiveness. Operations security involves a series of analyses to examine the planning, preparation, execution, and post-execution phases of any operation or activity across the entire spectrum of military action and in any operational environment. Operations security analysis provides decision-makers with a means of weighing the risk to their operations. Decision-makers must determine the amount of risk they are willing to accept in particular operational circumstances in the same way as operational risk management allows commanders to assess risk in mission planning. Operational effectiveness is enhanced when commanders and other decision-makers apply operations security from the earliest stages of planning.

Operations Security Principles. Operations security principles must be integrated into operational, support, exercise, acquisition planning, and day-to-day activities to ensure a seamless transition to contingency operations. The operations security process consists of the following five distinct steps:

- Identify critical information.

- Analyze threats.

- Analyze vulnerabilities.

- Assess risk.

- Apply appropriate operations security countermeasures.

2021 E6 Study Guide

17.2. Operations Security Indicators

Operations security indicators are friendly, detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information. The five basic characteristics of operations security indicators that make them potentially valuable to an adversary are briefly described here.

Signatures. A signature is a characteristic of an indicator that is identifiable or stands out. Signature management is the active defense or exploitation of operational profiles at a given military installation. Defense of operational profiles is accomplished by implementing measures to deny adversary collection of critical information.

Associations. An association is the relationship of an indicator to other information or activities.

Profiles. Each functional activity generates its own set of more-or-less unique signatures and associations. The sum of these signatures and associations is the activity's profile. A profiling process is used to map the local operating environment and capture process points that present key signatures and profiles with critical information value.

Contrasts. A contrast is any difference observed between an activity's standard profile and most recent or current actions.

Exposure. Exposure refers to when and for how long an indicator is observed. The longer an indicator is observed, the better chance an adversary can form associations and update the profile of operational activities.

2019 Air Force Handbook

18.8. Operations Security Indicators

Operations security indicators are friendly, detectable actions and open-source information that can be interpreted or pieced together by an adversary to derive critical information. The five basic characteristics of operations security indicators that make them potentially valuable to an adversary are briefly described here.

Signatures. A signature is a characteristic of an indicator that is identifiable or stands out. Signature management is the active defense or exploitation of operational profiles at a given military installation. Defense of operational profiles is accomplished by implementing measures to deny adversary collection of critical information.

Associations. An association is the relationship of an indicator to other information or activities.

Profiles. Each functional activity generates its own set of more-or-less unique signatures and associations. The sum of these signatures and associations is the activity's profile. A profiling process is used to map the local operating environment and capture process points that present key signatures and profiles with critical information value.

Contrasts. A contrast is any difference observed between an activity's standard profile and most recent or current actions.

Exposure. Exposure refers to when and for how long an indicator is observed. The longer an indicator is observed, the better chance an adversary can form associations and update the profile of operational activities.




Section 17C, Information Protection

Paragraph 17.3. Information Protection Procedures: No Changes

Paragraph 17.4. Information Security: No changes

Paragraph 17.5. Controlled Unclassified Information: the reference cited in the first paragraph changed (see below)

Paragraph 17.6. Security Incidents Involving Classified Information: No changes

Paragraph 17.7. Industrial Security: No changes

Paragraph 17.8. Personnel Security: No changes

2021 E6 Study Guide

17.3. Information Protection Procedures

Information protection is a subset of the Air Force security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and controlled unclassified information that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2019 Air Force Handbook

18.9. Information Protection Procedures

Information protection is a subset of the Air Force security enterprise and consists of the core security disciplines (personnel, industrial, and information security) used to determine military, civilian, and contractor personnel eligibility to access classified information, ensure the protection of classified information released or disclosed to industry in connection with classified contracts, and protect classified information and controlled unclassified information that, if subject to unauthorized disclosure, could reasonably be expected to cause damage to national security.

2021 E6 Study Guide

17.4. Information Security

All personnel in the Air Force are responsible for protecting classified information and controlled unclassified information under their custody and control. DoD Manual 5200.01, Department of Defense Information Security Program, and AFI 16-1404, Air Force Information Security Program, provide the guidance for managing classified information and controlled unclassified information.

Classified Information. Classified information is designated accordingly to protect national security. There are three levels of classification: Top Secret, Secret, and Confidential. Each individual is responsible for providing the proper safeguards for classified information, reporting security incidents, and understanding the sanctions for noncompliance.

Top Secret. Top Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

Secret. Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

Confidential. Confidential shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

2019 Air Force Handbook

18.10. Information Security

All personnel in the Air Force are responsible for protecting classified information and controlled unclassified information under their custody and control. DoD Manual 5200.01, Department of Defense Information Security Program, and AFI 16-1404, Air Force Information Security Program, provide the guidance for managing classified information and controlled unclassified information.

Classified Information. Classified information is designated accordingly to protect national security. There are three levels of classification: Top Secret, Secret, and Confidential. Each individual is responsible for providing the proper safeguards for classified information, reporting security incidents, and understanding the sanctions for noncompliance.

Top Secret. Top Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security that the original classification authority is able to identify or describe.

Secret. Secret shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause serious damage to the national security that the original classification authority is able to identify or describe.

Confidential. Confidential shall be applied to information that the unauthorized disclosure of which reasonably could be expected to cause damage to the national security that the original classification authority is able to identify or describe.

2021 E6 Study Guide

17.5. Controlled Unclassified Information

Controlled unclassified information is information that requires access and distribution controls and protective measures, and may be referred to accordingly as: for official use only, law enforcement sensitive, Department of Defense unclassified controlled nuclear information, and limited distribution. Requirements, controls, and protective measures developed for these materials are found in DoDI 5200.48, Controlled Unclassified Information (CUI).

For Official Use Only Information. For official use only (FOUO) information is the most commonly used controlled unclassified information category. The classification is used as a dissemination control applied by the Department of Defense to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest as identified in the Freedom of Information Act. No person may have access to information designated as FOUO unless they have a valid need for access in connection with the accomplishment of a lawful and authorized government purpose. FOUO information shall be indicated by markings that identify the originating office. FOR OFFICIAL USE ONLY or UNCLASSIFIED//FOR OFFICIAL USE ONLY will be marked at the bottom of the outside of the front cover (if there is one), the title page, the first page, all applicable internal pages (to include specific sections and paragraphs), and the outside of the back cover (if there is one).

During work hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel, such as not leaving FOUO status information unattended where unauthorized personnel are present. After working hours, store the information in unlocked containers, desks, or cabinets if the building is provided security by government or government-contract personnel. If building security is not provided or deemed inadequate, store the information in locked desks, file cabinets, bookcases, or locked rooms.

Original Classification. Original classification is the initial decision by an original classification authority that an item of information could reasonably be expected to cause identifiable or describable damage to the national security subjected to unauthorized disclosure and requires protection in the interest of national security. Only officials designated in writing may make original classification decisions.

Derivative Classification. Air Force policy is to identify, classify, downgrade, declassify, mark, protect, and destroy classified information consistent with national policy. Controlled unclassified information will also be protected per national policy. Within the Department of Defense all cleared personnel are authorized to derivatively classify information, if: 1) they have received initial training before making derivative classification decisions, and 2) they have received refresher training at least once every two years. Derivative classification is the incorporating, paraphrasing, restating, or generating classified information in a new form or document. Derivative classifiers must use authorized types of sources for making decisions. One of the most important responsibilities of the derivative classifier is to observe and respect the classification determinations made by an original classification authority.

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoD Manual 5200.01, Vol 2, Department of Defense Information Security Program: Marking of Classified Information. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoD Manual 5200.01, Volume 2, DoD Information Security Program: Marking of Classified Information, for additional information and marking illustrations.

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed SF 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret, SF 704, Secret, and SF 705, Confidential.

End-of-Day Security Checks. Use SF 701, Activity Security Checklist, to record the end of the day security checks. This form is required for any area where classified information is used or stored. Ensure all vaults, secure rooms, and containers used for storing classified material are checked. Classified information systems should specifically be stored in a general services administration approved safe or in buildings or areas cleared for open storage of classified.

2019 Air Force Handbook

18.11. Controlled Unclassified Information

Controlled unclassified information is information that requires access and distribution controls and protective measures, and may be referred to accordingly as: for official use only, law enforcement sensitive, Department of Defense unclassified controlled nuclear information, and limited distribution. Requirements, controls, and protective measures developed for these materials are found in DoD Manual 5200.01 Volume 4, Department of Defense Information Security Program: Controlled Unclassified Information.

For Official Use Only Information. For official use only (FOUO) information is the most commonly used controlled unclassified information category. The classification is used as a dissemination control applied by the Department of Defense to unclassified information when disclosure to the public of that particular record, or portion thereof, would reasonably be expected to cause a foreseeable harm to an interest as identified in the Freedom of Information Act. No person may have access to information designated as FOUO unless they have a valid need for access in connection with the accomplishment of a lawful and authorized government purpose. FOUO information shall be indicated by markings that identify the originating office. FOR OFFICIAL USE ONLY or UNCLASSIFIED//FOR OFFICIAL USE ONLY will be marked at the bottom of the outside of the front cover (if there is one), the title page, the first page, all applicable internal pages (to include specific sections and paragraphs), and the outside of the back cover (if there is one).

During work hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel, such as not leaving FOUO status information unattended where unauthorized personnel are present. After working hours, store the information in unlocked containers, desks, or cabinets if the building is provided security by government or government-contract personnel. If building security is not provided or deemed inadequate, store the information in locked desks, file cabinets, bookcases, or locked rooms.

Original Classification. Original classification is the initial decision by an original classification authority that an item of information could reasonably be expected to cause identifiable or describable damage to the national security subjected to unauthorized disclosure and requires protection in the interest of national security. Only officials designated in writing may make original classification decisions.

Derivative Classification. Air Force policy is to identify, classify, downgrade, declassify, mark, protect, and destroy classified information consistent with national policy. Controlled unclassified information will also be protected per national policy. Within the Department of Defense all cleared personnel are authorized to derivatively classify information, if: 1) they have received initial training before making derivative classification decisions, and 2) they have received refresher training at least once every two years. Derivative classification is the incorporating, paraphrasing, restating, or generating classified information in a new form or document. Derivative classifiers must use authorized types of sources for making decisions. One of the most important responsibilities of the derivative classifier is to observe and respect the classification determinations made by an original classification authority.

Marking Classified Information. All classified information shall be clearly identified by marking, designation, or electronic labelling in accordance with DoD Manual 5200.01, Vol 2, Department of Defense Information Security Program: Marking of Classified Information. Marking classified information serves to: alert holders to the presence of classified information; identify the information needing protection; indicate the level of classification assigned to the information; provide guidance on downgrading (if any) and declassification; give information on the sources of and reasons for classification; notify holders of special access, control, or safeguarding requirements; and promote information sharing, facilitate judicious use of resources, and simplify management through implementation of uniform and standardized processes.

Specific Markings on Documents. Every classified document must be marked to show the highest classification of information contained within the document. The marking must be conspicuous enough to alert anyone handling the document that the document is classified. Every document will contain the overall classification of the document, banner lines, portion markings indicating the classification level of specific classified information within the document, the classification authority block, date of origin, and downgrading instructions, if any, and declassification instructions. The three most common markings on a classified document are the banner lines, portion markings, and the classification authority block. Refer to DoD Manual 5200.01, Volume 2, DoD Information Security Program: Marking of Classified Information, for additional information and marking illustrations.

Safeguarding Classified Information. Everyone who works with classified information is personally responsible for taking proper precautions to ensure unauthorized persons do not gain access to classified information. Before granting access to classified information, the person must have: (1) security clearance eligibility, (2) a signed SF 312, Classified Information Non-Disclosure Agreement, and (3) a need-to-know. The individual with authorized possession, knowledge, or control of the information must determine whether the person receiving the information has been granted the appropriate security clearance access by proper authority. An authorized person shall keep classified material removed from storage under constant surveillance. The authorized person must place coversheets on classified documents not in secure storage to prevent unauthorized persons from viewing the information. The following forms will be used to cover classified information outside of storage: SF 703, Top Secret, SF 704, Secret, and SF 705, Confidential.

End-of-Day Security Checks. Use SF 701, Activity Security Checklist, to record the end of the day security checks. This form is required for any area where classified information is used or stored. Ensure all vaults, secure rooms, and containers used for storing classified material are checked. Classified information systems should specifically be stored in a general services administration approved safe or in buildings or areas cleared for open storage of classified.

2021 E6 Study Guide

17.6. Security Incidents Involving Classified Information

Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoD Manual 5200.01 Volume 3, DoD Information Security Program: Protection of Classified Information. The general security incident characteristics are briefly described here.

Infraction. An infraction is a security incident involving failure to comply with requirements which cannot reasonably be expected to, and does not, result in the loss, suspected compromise, or compromise of classified information. An infraction may be unintentional or inadvertent, and does not constitute a security violation; however, if left uncorrected, could lead to a security violation or compromise. Infractions require an inquiry to facilitate immediate corrective action.

Violation. Violations are security incidents that indicate knowing, willful negligence for security regulations, and result in, or could be expected to result in, the loss or compromise of classified information. Security violations require an inquiry or investigation.

Compromise. A compromise is a security incident (violation) in which there is an unauthorized disclosure of classified information. This could include the disclosure of information to a person(s) who does not have a valid clearance, authorized access, or a need to know.

Loss. A loss occurs when classified information cannot be physically located or accounted for. This could include classified information/equipment being discovered as missing during an audit and cannot be immediately located.

Data Spills. Classified data spills occur when classified data is introduced either onto an unclassified information system, to an information system with a lower level of classification, or to a system not accredited to process data of that restrictive category.

Information in the Public Media. If classified information appears in the media or public internet sites, or if approached by a media representative, personnel shall not confirm or verify the information. Immediately report the matter to a supervisor, security manager, or commander, but do not discuss with anyone without an appropriate security clearance and a need to know.

2019 Air Force Handbook

18.12. Security Incidents Involving Classified Information

Anyone finding classified material out of proper control must take custody of and safeguard the material and immediately notify their commander, supervisor, or security manager. The terms associated with security incidents are formally defined in DoD Manual 5200.01 Volume 3, DoD Information Security Program: Protection of Classified Information. The general security incident characteristics are briefly described here.

Infraction. An infraction is a security incident involving failure to comply with requirements which cannot reasonably be expected to, and does not, result in the loss, suspected compromise, or compromise of classified information. An infraction may be unintentional or inadvertent, and does not constitute a security violation; however, if left uncorrected, could lead to a security violation or compromise. Infractions require an inquiry to facilitate immediate corrective action.

Violation. Violations are security incidents that indicate knowing, willful negligence for security regulations, and result in, or could be expected to result in, the loss or compromise of classified information. Security violations require an inquiry or investigation.

Compromise. A compromise is a security incident (violation) in which there is an unauthorized disclosure of classified information. This could include the disclosure of information to a person(s) who does not have a valid clearance, authorized access, or a need to know.

Loss. A loss occurs when classified information cannot be physically located or accounted for. This could include classified information/equipment being discovered as missing during an audit and cannot be immediately located.

Data Spills. Classified data spills occur when classified data is introduced either onto an unclassified information system, to an information system with a lower level of classification, or to a system not accredited to process data of that restrictive category.

Information in the Public Media. If classified information appears in the media or public internet sites, or if approached by a media representative, personnel shall not confirm or verify the information. Immediately report the matter to a supervisor, security manager, or commander, but do not discuss with anyone without an appropriate security clearance and a need to know.

2021 E6 Study Guide

17.7. Industrial Security

Air Force policy is to identify, in classified contracts, specific information and sensitive resources that must be protected against compromise or loss while entrusted to industry. Security policies, requirements, and procedures are applicable to Air Force personnel and on-base Department of Defense contractors performing services under the terms of a properly executed contract and associated security agreement or similar document, as determined by the installation commander.

2019 Air Force Handbook

18.13. Industrial Security

Air Force policy is to identify, in classified contracts, specific information and sensitive resources that must be protected against compromise or loss while entrusted to industry. Security policies, requirements, and procedures are applicable to Air Force personnel and on-base Department of Defense contractors performing services under the terms of a properly executed contract and associated security agreement or similar document, as determined by the installation commander.

2021 E6 Study Guide

17.8. Personnel Security

The Personnel Security Program entails policies and procedures that ensure military, civilian, and contractor personnel who access classified information or occupy a sensitive position are consistent with interests of national security. For most personnel, this involves procedures for obtaining proper security clearances required for performing official duties. It involves the investigation process, adjudication (approval) for eligibility, and the continuous evaluation for maintaining eligibility. Commanders and supervisors must continually observe and evaluate their subordinates with respect to these criteria and immediately report any unfavorable conduct or conditions that might bear on the subordinates' trustworthiness and eligibility to occupy a sensitive position or have eligibility to classified information.

Adjudicative Guidelines. The Department of Defense Central Adjudication Facility is the designated authority to grant, deny, and revoke security clearance eligibility using the Department of Defense 13 adjudicative guidelines, while applying the whole person concept and mitigating factors. Individuals are granted due process and may appeal if the security clearance eligibility is denied or revoked. For additional details, refer to the DoDM 5200.02_AFMAN 16-1405, Air Force Personnel Security Program. The 13 Adjudicative Guidelines include:

- Allegiance to the United States
- Foreign Influence
- Foreign Preference
- Sexual Behavior
- Personal Conduct
- Financial Considerations
- Alcohol Consumption
- Drug Involvement
- Psychological Conditions
- Criminal Conduct
- Handling Protected Information
- Outside Activities
- Use of Information Technology

2019 Air Force Handbook

18.14. Personnel Security

The Personnel Security Program entails policies and procedures that ensure military, civilian, and contractor personnel who access classified information or occupy a sensitive position are consistent with interests of national security. For most personnel, this involves procedures for obtaining proper security clearances required for performing official duties. It involves the investigation process, adjudication (approval) for eligibility, and the continuous evaluation for maintaining eligibility. Commanders and supervisors must continually observe and evaluate their subordinates with respect to these criteria and immediately report any unfavorable conduct or conditions that might bear on the subordinates' trustworthiness and eligibility to occupy a sensitive position or have eligibility to classified information.

Adjudicative Guidelines. The Department of Defense Central Adjudication Facility is the designated authority to grant, deny, and revoke security clearance eligibility using the Department of Defense 13 adjudicative guidelines, while applying the whole person concept and mitigating factors. Individuals are granted due process and may appeal if the security clearance eligibility is denied or revoked. For additional details, refer to the DoDM 5200.02_AFMAN 16-1405, Air Force Personnel Security Program. The 13 Adjudicative Guidelines include:

- Allegiance to the United States
- Foreign Influence
- Foreign Preference
- Sexual Behavior
- Personal Conduct
- Financial Considerations
- Alcohol Consumption
- Drug Involvement
- Psychological Conditions
- Criminal Conduct
- Handling Protected Information
- Outside Activities
- Use of Information Technology




Section 17D, Information Access, Cyber Security and Mobility

Paragraph 17.9. The Privacy Act: No changes

Paragraph 17.10. Freedom of Information Act: No changes

Paragraph 17.11. Cybersecurity: No changes

Paragraph 17.12. Computer Security: No changes

Paragraph 17.13. Information Systems: No changes

Paragraph 17.14. Mobile Computing Devices: No changes

Paragraph 17.15. Public Computing Facilities or Services: No changes

Paragraph 17.16. Communications Security: No changes

Paragraph 17.17. TEMPEST: No changes

2021 E6 Study Guide

17.9. The Privacy Act

The Privacy Act of 1974 (as amended) establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal information about individuals that is maintained in a system of records by federal agencies. The Privacy Act provides individuals with a means by which to seek access to and amend their records, and sets forth agency record-keeping requirements.

Disclosure of Information. Privacy Act rights are personal to the individual who is the subject of the record and cannot be asserted derivatively by others. The Privacy Act prohibits the disclosure of information from a system of records without the written consent of the subject individual. Individuals have the right to request access or amendment to their records in a system. The parent of any minor, or the legal guardian of an incompetent, may act on behalf of that individual.

Collection of Information. The Privacy Act limits the collection of information to what the law or executive orders authorize. System of records notices must be published in the federal register allowing the public a 30-day comment period. Such collection must not conflict with the rights guaranteed by the First Amendment to the U.S. Constitution. A Privacy Act statement must be given when individuals are asked to provide personal information about themselves for collection in a system of records.

System of Records Maintenance. Privacy Act system of records is a group of any records under the control of any agency from which information is retrieved by the individual's name, number, or unique identifier.

Note: Department of Defense personnel may disclose records to other offices in the Department of Defense when there is "an official need to know" and to other federal government agencies or individuals when a discloser of record is a "routine use" published in the system of records notices or as authorized by a Privacy Act exception. In addition, information may be released for a disclosed specified purpose with the subject's consent. The office of primary responsibility of the data should keep an account of all information they've released.

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332, Air Force Privacy and Civil Liberties Program.

2019 Air Force Handbook

18.15. The Privacy Act

The Privacy Act of 1974 (as amended) establishes a code of fair information practices that govern the collection, maintenance, use, and dissemination of personal information about individuals that is maintained in a system of records by federal agencies. The Privacy Act provides individuals with a means by which to seek access to and amend their records, and sets forth agency record-keeping requirements.

Disclosure of Information. Privacy Act rights are personal to the individual who is the subject of the record and cannot be asserted derivatively by others. The Privacy Act prohibits the disclosure of information from a system of records without the written consent of the subject individual. Individuals have the right to request access or amendment to their records in a system. The parent of any minor, or the legal guardian of an incompetent, may act on behalf of that individual.

Collection of Information. The Privacy Act limits the collection of information to what the law or executive orders authorize. System of records notices must be published in the federal register allowing the public a 30-day comment period. Such collection must not conflict with the rights guaranteed by the First Amendment to the U.S. Constitution. A Privacy Act statement must be given when individuals are asked to provide personal information about themselves for collection in a system of records.

System of Records Maintenance. Privacy Act system of records is a group of any records under the control of any agency from which information is retrieved by the individual's name, number, or unique identifier.

Note: Department of Defense personnel may disclose records to other offices in the Department of Defense when there is "an official need to know" and to other federal government agencies or individuals when a discloser of record is a "routine use" published in the system of records notices or as authorized by a Privacy Act exception. In addition, information may be released for a disclosed specified purpose with the subject's consent. The office of primary responsibility of the data should keep an account of all information they've released.

Personally Identifiable Information. Personally identifiable information in a system of records must be safeguarded to ensure "an official need to know" access of the records and to avoid actions that could result in harm, embarrassment, or unfairness to the individual. The Office of Management and Budget defines a personally identifiable information breach as, "A loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic." For further information, definitions, exemptions, exceptions, or responsibilities and procedures for safeguarding and reporting of personally identifiable information breaches, refer to AFI 33-332, Air Force Privacy and Civil Liberties Program.

2021 E6 Study Guide

17.10. Freedom of Information Act

The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.

Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R/AFMAN 33-302, Freedom of Information Act Program, for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2019 Air Force Handbook

18.16. Freedom of Information Act

The Freedom of Information Act provides access to federal agency records (or parts of these records) except those protected from release by specific exemptions. Freedom of Information Act requests are written requests that cite or imply the Freedom of Information Act. The law establishes rigid time limits for replying to requesters and permits assessing fees in certain instances. The Freedom of Information Act imposes mandatory time limits of 20 workdays to either deny the request or release the requested records. The law permits an additional 10-workday extension in the event that specific unusual circumstances exist.

Note: Denials require notification of appeal rights. Requesters can file an appeal or litigate. Refer to DoDM 5400.07-R/AFMAN 33-302, Freedom of Information Act Program, for specific policy and procedures on the Freedom of Information Act and for guidance on disclosing records to the public.

2021 E6 Study Guide

17.11. Cybersecurity

Cybersecurity is defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications systems, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Cybersecurity disciplines include: Air Force Risk Management Framework, IT controls/countermeasures, communications security, TEMPEST (formerly known as emissions security), AF Assessment and Authorization (formerly known as Certification and Accreditation Program), and Cybersecurity Workforce Improvement Program. AFI 17-130, Cybersecurity Program Management, describes risk management and cybersecurity as representations of dynamic, multi-disciplinary sets of challenges. Processes and practices must continuously evolve and improve to match the ever-changing threat environment.

Cybersecurity Program Risk Management Strategy. The Air Force's Cybersecurity Program's risk management strategy must ensure that the confidentiality, integrity, and availability of all information owned or held in trust by the Air Force is protected. The program strategy must also be integrated into all key mission and business processes. To ensure operational agility, cybersecurity capabilities will be balanced to include safety, reliability, interoperability, and ease of use, while maximizing performance, as well as promoting transparency and interoperability with Air Force mission partners. All Air Force personnel are required to complete Information Assurance Awareness training prior to system access and annually thereafter.

Five Functions of the Air Force Cybersecurity Program. The Air Force Cybersecurity Program encompasses the five functions briefly described here.

- Identify. Develop and maintain the organizational understanding required to manage cybersecurity risk.

- Protect. Implement controls to ensure the delivery of mission critical infrastructure services.

- Detect. Possess the ability to detect cybersecurity events when they occur.

- Respond. Possess the ability to take action regarding detected cybersecurity events.

- Recover. Possess the ability to remain operationally resilient and to restore capabilities or services that were impaired due to cybersecurity events.

2019 Air Force Handbook

18.17. Cybersecurity

Cybersecurity is defined as the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications systems, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation. Cybersecurity disciplines include: Air Force Risk Management Framework, IT controls/countermeasures, communications security, TEMPEST (formerly known as emissions security), AF Assessment and Authorization (formerly known as Certification and Accreditation Program), and Cybersecurity Workforce Improvement Program. AFI 17-130, Cybersecurity Program Management, describes risk management and cybersecurity as representations of dynamic, multi-disciplinary sets of challenges. Processes and practices must continuously evolve and improve to match the ever-changing threat environment.

Cybersecurity Program Risk Management Strategy. The Air Force's Cybersecurity Program's risk management strategy must ensure that the confidentiality, integrity, and availability of all information owned or held in trust by the Air Force is protected. The program strategy must also be integrated into all key mission and business processes. To ensure operational agility, cybersecurity capabilities will be balanced to include safety, reliability, interoperability, and ease of use, while maximizing performance, as well as promoting transparency and interoperability with Air Force mission partners. All Air Force personnel are required to complete Information Assurance Awareness training prior to system access and annually thereafter.

Five Functions of the Air Force Cybersecurity Program. The Air Force Cybersecurity Program encompasses the five functions briefly described here.

- Identify. Develop and maintain the organizational understanding required to manage cybersecurity risk.

- Protect. Implement controls to ensure the delivery of mission critical infrastructure services.

- Detect. Possess the ability to detect cybersecurity events when they occur.

- Respond. Possess the ability to take action regarding detected cybersecurity events.

- Recover. Possess the ability to remain operationally resilient and to restore capabilities or services that were impaired due to cybersecurity events.

2021 E6 Study Guide

17.12. Computer Security

Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.

Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the Air Force or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, Operations Security, and must be consistent with the requirements of DoD 5500.07-R, Joint Ethics Regulation.

2019 Air Force Handbook

18.18. Computer Security

Computer security consists of measures and controls that ensure confidentiality, integrity, and availability of information systems assets including: hardware, software, firmware, and information being processed, stored, and communicated.

Limited Authorized Personal Use. Government-provided hardware and software are for official use and limited authorized personal use only. Limited personal use must be of reasonable duration and frequency that has been approved by the supervisor and does not adversely affect performance of official duties, overburden systems, or reflect adversely on the Air Force or the Department of Defense. Internet-based capabilities include collaborative tools, such as simple notification service, social media, user-generated content, e-mail, instant messaging, and online discussion forums. When accessing internet-based capabilities using federal government resources in an authorized personal or unofficial capacity, individuals shall comply with operations security guidance in AFI 10-701, Operations Security, and must be consistent with the requirements of DoD 5500.07-R, Joint Ethics Regulation.

2021 E6 Study Guide

17.13. Information Systems

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable FIPS 140-2, Security Requirements for Cryptographic Modules.

Countermeasures. A countermeasure is any action, device, procedure, or technique that meets or opposes (counters) a threat, vulnerability, or attack by eliminating, preventing, or minimizing damage, or by discovering and reporting the event so corrective action can be taken.

Threats. Every Air Force information system has vulnerabilities and is susceptible to exploitation. Threats to information systems include, but are not limited to, any circumstance or event with the potential to adversely impact any operation or function through an information system via unauthorized access, destruction, disclosure, modification of information, or denial of service. There are three steps involved in protecting information systems from viruses and other forms of malicious logic. These steps include a combination of human and technological countermeasures to ensure the protection is maintained throughout the lifecycle of the information system.

- Infection. Infection is the invasion of information system applications, processes, or services by a virus or malware code causing the information system to malfunction.

- Detection. Detection is a signature or behavior-based antivirus system that signals when an anomaly caused by a virus or malware occurs.

- Reaction. When notified of a virus or malware detection, react by immediately notifying your information system security officer and following local procedures.

2019 Air Force Handbook

18.19. Information Systems

An information system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, such as industrial/process controls, telephone switching and private branch systems, and environmental controls. All authorized users must protect information systems against tampering, theft, and loss. Protection occurs by controlling physical access to facilities and data; ensuring user access to information system resources is based upon a favorable background investigation, security clearance, and need to know (for classified); and ensuring protection of applicable unclassified, sensitive, and classified information through encryption, according to the applicable FIPS 140-2, Security Requirements for Cryptographic Modules.

Countermeasures. A countermeasure is any action, device, procedure, or technique that meets or opposes (counters) a threat, vulnerability, or attack by eliminating, preventing, or minimizing damage, or by discovering and reporting the event so corrective action can be taken.

Threats. Every Air Force information system has vulnerabilities and is susceptible to exploitation. Threats to information systems include, but are not limited to, any circumstance or event with the potential to adversely impact any operation or function through an information system via unauthorized access, destruction, disclosure, modification of information, or denial of service. There are three steps involved in protecting information systems from viruses and other forms of malicious logic. These steps include a combination of human and technological countermeasures to ensure the protection is maintained throughout the lifecycle of the information system.

- Infection. Infection is the invasion of information system applications, processes, or services by a virus or malware code causing the information system to malfunction.

- Detection. Detection is a signature or behavior-based antivirus system that signals when an anomaly caused by a virus or malware occurs.

- Reaction. When notified of a virus or malware detection, react by immediately notifying your information system security officer and following local procedures.

2021 E6 Study Guide

17.14. Mobile Computing Devices

Mobile computing devices are information systems, such as portable electronic devices, laptops, smartphones, and other handheld devices that can store data locally and access Air Force managed networks through mobile access capabilities. All wireless systems (including associated peripheral devices, operating systems, applications, network connection methods, and services) must be approved prior to processing Department of Defense information. The information systems security officer will maintain documented approval authority and inventory information on all approved devices. All mobile computing devices not assigned or in use must be secured to prevent tampering or theft. Users of mobile devices will sign a detailed user agreement outlining the responsibilities and restrictions for use.

2019 Air Force Handbook

18.20. Mobile Computing Devices

Mobile computing devices are information systems, such as portable electronic devices, laptops, smartphones, and other handheld devices that can store data locally and access Air Force managed networks through mobile access capabilities. All wireless systems (including associated peripheral devices, operating systems, applications, network connection methods, and services) must be approved prior to processing Department of Defense information. The information systems security officer will maintain documented approval authority and inventory information on all approved devices. All mobile computing devices not assigned or in use must be secured to prevent tampering or theft. Users of mobile devices will sign a detailed user agreement outlining the responsibilities and restrictions for use.

2021 E6 Study Guide

17.15. Public Computing Facilities or Services

Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident according to the current Air Force guidance on computer security.

2019 Air Force Handbook

18.21. Public Computing Facilities or Services

Do not use public computing facilities or services, such as hotel business centers, to process government-owned unclassified, sensitive, or classified information. Public computing facilities or services include any information technology resources not under your private or U.S. Governmental control. Use of e-mail applications, messaging software, or web applications to access web-based government services constitutes a compromise of login credentials and must be reported as a security incident according to the current Air Force guidance on computer security.

2021 E6 Study Guide

17.16. Communications Security

Communications security refers to measures and controls taken to deny unauthorized persons information derived from information systems of the U.S. Government related to national security and to ensure the authenticity of such information systems. Communications security protection results from applying security measures to communications and information systems generating, handling, storing, processing, or using classified or sensitive information, the loss of which could adversely affect national security interests. Communications security also entails applying physical security measures to communications security information or materials.

Cryptosecurity. Cryptosecurity is a component of communications security resulting from the provision and proper use of technically sound cryptosystems.

Transmission Security. Transmission security is a component of communications security resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptoanalysis. Examples of transmission security measures include using secured communications systems, registered mail, secure telephone and facsimile equipment, manual cryptosystems, call signs, or authentication to transmit classified information.

Physical Security. Physical security is communications security resulting from the use of all physical measures necessary to safeguard communications security material from access by unauthorized persons. Physical security measures include the application of control procedures and physical barriers. Physical security also ensures continued integrity, prevents access by unauthorized persons, and controls the spread of communications security techniques and technology when not in the best interest of the United States and our allies. Common physical security measures include verifying the need to know and clearance of personnel granted access, following proper storage and handling procedures, accurately accounting for all materials, transporting materials using authorized means, and immediately reporting the loss or possible compromise of materials.

2019 Air Force Handbook

18.22. Communications Security

Communications security refers to measures and controls taken to deny unauthorized persons information derived from information systems of the U.S. Government related to national security and to ensure the authenticity of such information systems. Communications security protection results from applying security measures to communications and information systems generating, handling, storing, processing, or using classified or sensitive information, the loss of which could adversely affect national security interests. Communications security also entails applying physical security measures to communications security information or materials.

Cryptosecurity. Cryptosecurity is a component of communications security resulting from the provision and proper use of technically sound cryptosystems.

Transmission Security. Transmission security is a component of communications security resulting from the application of measures designed to protect transmissions from interception and exploitation by means other than cryptoanalysis. Examples of transmission security measures include using secured communications systems, registered mail, secure telephone and facsimile equipment, manual cryptosystems, call signs, or authentication to transmit classified information.

Physical Security. Physical security is communications security resulting from the use of all physical measures necessary to safeguard communications security material from access by unauthorized persons. Physical security measures include the application of control procedures and physical barriers. Physical security also ensures continued integrity, prevents access by unauthorized persons, and controls the spread of communications security techniques and technology when not in the best interest of the United States and our allies. Common physical security measures include verifying the need to know and clearance of personnel granted access, following proper storage and handling procedures, accurately accounting for all materials, transporting materials using authorized means, and immediately reporting the loss or possible compromise of materials.

2021 E6 Study Guide

17.17. TEMPEST

TEMPEST, formerly known as emissions security, is protection resulting from all measures taken to deny unauthorized persons information of value that may be derived from the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems. The objective of TEMPEST is to deny access to classified, and in some instances unclassified, information that contains compromising emanations within an inspectable space. The inspectable space is considered the area in which it would be difficult for an adversary with specialized equipment to attempt to intercept compromising emanations without being detected. TEMPEST countermeasures, such as classified and unclassified equipment separation, shielding, and grounding, are implemented to reduce the risk of compromising emanations.

2019 Air Force Handbook

18.23. TEMPEST

TEMPEST, formerly known as emissions security, is protection resulting from all measures taken to deny unauthorized persons information of value that may be derived from the interception and analysis of compromising emanations from cryptographic equipment, information systems, and telecommunications systems. The objective of TEMPEST is to deny access to classified, and in some instances unclassified, information that contains compromising emanations within an inspectable space. The inspectable space is considered the area in which it would be difficult for an adversary with specialized equipment to attempt to intercept compromising emanations without being detected. TEMPEST countermeasures, such as classified and unclassified equipment separation, shielding, and grounding, are implemented to reduce the risk of compromising emanations.




Section 17E, Antiterrorism

Paragraph 17.18. Antiterrorism Efforts: No changes

Paragraph 17.19. Ground Transportation Security: No changes

Paragraph 17.20. Commercial Air Transportation Security Overseas: No changes

Paragraph 17.21. Suspicious Packages or Mail: No changes

Paragraph 17.22. General Antiterrorism Personal Protection: No changes

Paragraph 17.23. Home and Family Security: No changes

Paragraph 17.24. Human Intelligence and Counterintelligence: No changes

Paragraph 17.25. Incident Reporting: Last paragraph is new content

Paragraph 17.26. Protection of the President and Others: No changes

2021 E6 Study Guide

17.18. Antiterrorism Efforts

The Air Force seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all Air Force members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.

Headquarters Air Force. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection, processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.

The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead Air Force agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the Air Force single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

Commanders. Commanders at all levels who understand the threat can assess their ability to prevent, survive, and prepare to respond to an attack. A terrorism threat assessment requires the identification of a full range of known or estimated terrorist threat capabilities (including the use or threat of use of chemical, biological, radiological, nuclear, or high-yield explosives and weapons of mass destruction). In addition to tasking appropriate agencies to collect information, commanders at all levels should encourage personnel under their command to report information on individuals, events, or situations that could pose a threat to the security of Department of Defense personnel, families, facilities, and resources.

Antiterrorism Training. At least annually, commanders conduct comprehensive field and staff training to exercise antiterrorism plans, to include antiterrorism physical security measures, continuity of operations, critical asset risk management, and emergency management plans. Antiterrorism training should include terrorism scenarios specific to the location and be based on current enemy tactics, techniques, procedures, and lessons learned. Additionally, the current baseline through force protection condition 'Charlie' measures shall be exercised annually at installations and self-supported separate facilities.

Random Antiterrorism Measures Program

Installation commanders shall develop and implement a random antiterrorism measures program that will include all units on the installation. The intent of the program is to provide random, multiple security measures that consistently change the look of an installation's antiterrorism program.

Random antiterrorism measures introduce uncertainty to an installation's overall force protection program to defeat surveillance attempts and to make it difficult for a terrorist to accurately predict our actions. The program shall be included in antiterrorism plans and tie directly with all force protection conditions, including force protection condition 'normal', to ensure continuity and standardization, should threats require Air Force-wide implementation. Random antiterrorism measures times for implementation, location, and duration shall be regularly changed to avoid predictability. Random antiterrorism measures execution shall be broad based and involve all units and personnel.

2019 Air Force Handbook

18.24. Antiterrorism Efforts

The Air Force seeks to deter or limit the effects of terrorist acts by giving guidance on collecting and disseminating timely threat information, providing training to all Air Force members, developing comprehensive plans to deter and counter terrorist incidents, allocating funds and personnel, and implementing antiterrorism measures.

Headquarters Air Force. At the strategic level, the Deputy Chief of Staff for Intelligence, Surveillance and Reconnaissance (Air Force/A2) and the Director for Intelligence, Surveillance, and Reconnaissance Strategy, Doctrine and Force Development (Air Force/A2D), are responsible for ensuring the timely collection, processing, analysis, production, and dissemination of foreign intelligence, current intelligence, and national-level intelligence information concerning terrorist activities, terrorist organizations, and force protection issues.

The Air Force Office of Special Investigations. Air Force Office of Special Investigations (AFOSI) is the lead Air Force agency for collection, investigation, analysis, and response for threats arising from terrorists, criminal activity, foreign intelligence, and security services. AFOSI is primarily focused on countering adversary intelligence collection activities against U.S. Armed Forces and will act as the Air Force single point of contact with federal, state, local, and foreign nation law enforcement, counterintelligence, and security agencies.

Commanders. Commanders at all levels who understand the threat can assess their ability to prevent, survive, and prepare to respond to an attack. A terrorism threat assessment requires the identification of a full range of known or estimated terrorist threat capabilities (including the use or threat of use of chemical, biological, radiological, nuclear, or high-yield explosives and weapons of mass destruction). In addition to tasking appropriate agencies to collect information, commanders at all levels should encourage personnel under their command to report information on individuals, events, or situations that could pose a threat to the security of Department of Defense personnel, families, facilities, and resources.

Antiterrorism Training. At least annually, commanders conduct comprehensive field and staff training to exercise antiterrorism plans, to include antiterrorism physical security measures, continuity of operations, critical asset risk management, and emergency management plans. Antiterrorism training should include terrorism scenarios specific to the location and be based on current enemy tactics, techniques, procedures, and lessons learned. Additionally, the current baseline through force protection condition 'Charlie' measures shall be exercised annually at installations and self-supported separate facilities.

Random Antiterrorism Measures Program

Installation commanders shall develop and implement a random antiterrorism measures program that will include all units on the installation. The intent of the program is to provide random, multiple security measures that consistently change the look of an installation's antiterrorism program.

Random antiterrorism measures introduce uncertainty to an installation's overall force protection program to defeat surveillance attempts and to make it difficult for a terrorist to accurately predict our actions. The program shall be included in antiterrorism plans and tie directly with all force protection conditions, including force protection condition 'normal', to ensure continuity and standardization, should threats require Air Force-wide implementation. Random antiterrorism measures times for implementation, location, and duration shall be regularly changed to avoid predictability. Random antiterrorism measures execution shall be broad based and involve all units and personnel.

2021 E6 Study Guide

17.19. Ground Transportation Security

Criminal and terrorist acts against individuals usually occur outside the home and after the victim's habits have been established. Your most predictable habit is the route you travel on a regular basis. Always check for fingerprints, smudges, or tampering of the interior and exterior of your vehicle, including the tires and trunk. If you detect something out of the ordinary, do not touch anything. Immediately contact the local authorities. When overseas, travel with a companion. Select a plain car and avoid using government vehicles, when possible. Do not openly display military equipment or decals with military affiliations. Keep doors locked at all times. Do not let someone you do not know direct you to a specific taxi. Ensure taxis are licensed and have safety equipment (seat belts at a minimum). Ensure that the face of the taxi driver and the picture on the license are the same.

2019 Air Force Handbook

18.25. Ground Transportation Security

Criminal and terrorist acts against individuals usually occur outside the home and after the victim's habits have been established. Your most predictable habit is the route you travel on a regular basis. Always check for fingerprints, smudges, or tampering of the interior and exterior of your vehicle, including the tires and trunk. If you detect something out of the ordinary, do not touch anything. Immediately contact the local authorities. When overseas, travel with a companion. Select a plain car and avoid using government vehicles, when possible. Do not openly display military equipment or decals with military affiliations. Keep doors locked at all times. Do not let someone you do not know direct you to a specific taxi. Ensure taxis are licensed and have safety equipment (seat belts at a minimum). Ensure that the face of the taxi driver and the picture on the license are the same.

2021 E6 Study Guide

17.20. Commercial Air Transportation Security Overseas

Before traveling overseas, consult the Foreign Clearance Guide to ensure you meet all requirements for travel to a particular country. Get the required 'area of responsibility' threat briefing from your security officer, antiterrorism officers, or the appropriate counterintelligence or security organization within three months prior to traveling overseas. Use office symbols on travel documents if the word description denotes a sensitive position. Use military contracted flag carriers. Avoid traveling through high-risk areas. Do not use rank or military address on tickets. Do not discuss military affiliation. Have proper identification to show airline and immigration officials. Do not carry classified documents unless absolutely mission essential. Dress conservatively. Wear clothing that covers military or United States-affiliated tattoos. Carry plain civilian luggage. Do not wear or carry distinct military items.

2019 Air Force Handbook

18.26. Commercial Air Transportation Security Overseas

Before traveling overseas, consult the Foreign Clearance Guide to ensure you meet all requirements for travel to a particular country. Get the required 'area of responsibility' threat briefing from your security officer, antiterrorism officers, or the appropriate counterintelligence or security organization within three months prior to traveling overseas. Use office symbols on travel documents if the word description denotes a sensitive position. Use military contracted flag carriers. Avoid traveling through high-risk areas. Do not use rank or military address on tickets. Do not discuss military affiliation. Have proper identification to show airline and immigration officials. Do not carry classified documents unless absolutely mission essential. Dress conservatively. Wear clothing that covers military or United States-affiliated tattoos. Carry plain civilian luggage. Do not wear or carry distinct military items.

2021 E6 Study Guide

17.21. Suspicious Packages or Mail

Look for an unusual or unknown place of origin; no return address; excessive amount of postage; abnormal size or shape; protruding strings; aluminum foil; wires; misspelled words; differing return address and postmark; handwritten labels; unusual odor; unusual or unbalanced weight; springiness in the top or bottom; inflexibility; crease marks; discoloration or oily stains; incorrect titles or title with no name; excessive security material; ticking, beeping, or other sounds; or special instruction markings, such as "personal, rush, do not delay, or confidential" on any packages or mail received. Be vigilant for evidence of powder or other contaminants. Never cut tape, strings, or other wrappings on a suspect package. If the package has been moved, place the package in a plastic bag to prevent any leakage of contents. If handling mail suspected of containing chemical or biological contaminants, wash hands thoroughly with soap and water. Report suspicious mail immediately and make a list of personnel who were in the room when the suspicious envelope or package was identified.

2019 Air Force Handbook

18.27. Suspicious Packages or Mail

Look for an unusual or unknown place of origin; no return address; excessive amount of postage; abnormal size or shape; protruding strings; aluminum foil; wires; misspelled words; differing return address and postmark; handwritten labels; unusual odor; unusual or unbalanced weight; springiness in the top or bottom; inflexibility; crease marks; discoloration or oily stains; incorrect titles or title with no name; excessive security material; ticking, beeping, or other sounds; or special instruction markings, such as "personal, rush, do not delay, or confidential" on any packages or mail received. Be vigilant for evidence of powder or other contaminants. Never cut tape, strings, or other wrappings on a suspect package. If the package has been moved, place the package in a plastic bag to prevent any leakage of contents. If handling mail suspected of containing chemical or biological contaminants, wash hands thoroughly with soap and water. Report suspicious mail immediately and make a list of personnel who were in the room when the suspicious envelope or package was identified.

2021 E6 Study Guide

17.22. General Antiterrorism Personal Protection

Individual vigilance is integral to the antiterrorism program, whether stateside or overseas. Several actions are provided here to help ensure individual protection.

- Dress and behave in a way that does not draw attention.
- Be inconspicuous and avoid publicity.
- Travel in small groups.
- Avoid spontaneous gatherings or demonstrations.
- Be unpredictable.
- Vary daily routines to/from home and work.
- Be alert for anything suspicious or out of place.
- Avoid giving unnecessary personal details to anyone unless their identity can be verified.
- Be alert to strangers who are on government property for no apparent reason.
- Refuse to meet with strangers outside your workplace.
- Always advise associates or family members of your destination and anticipated time of arrival.
- Report unsolicited contacts to authorities.
- Do not open doors to strangers.
- Memorize key telephone numbers and dialing instructions.
- Be cautious about giving information regarding family travel or security measures.
- When overseas, learn and practice a few key phrases in the local language.

2019 Air Force Handbook

18.28. General Antiterrorism Personal Protection

Individual vigilance is integral to the antiterrorism program, whether stateside or overseas. Several actions are provided here to help ensure individual protection.

- Dress and behave in a way that does not draw attention.
- Be inconspicuous and avoid publicity.
- Travel in small groups.
- Avoid spontaneous gatherings or demonstrations.
- Be unpredictable.
- Vary daily routines to/from home and work.
- Be alert for anything suspicious or out of place.
- Avoid giving unnecessary personal details to anyone unless their identity can be verified.
- Be alert to strangers who are on government property for no apparent reason.
- Refuse to meet with strangers outside your workplace.
- Always advise associates or family members of your destination and anticipated time of arrival.
- Report unsolicited contacts to authorities.
- Do not open doors to strangers.
- Memorize key telephone numbers and dialing instructions.
- Be cautious about giving information regarding family travel or security measures.
- When overseas, learn and practice a few key phrases in the local language.

2021 E6 Study Guide

17.23. Home and Family Security

Spouses and children should always practice basic precautions for personal security. Familiarize family members with the local terrorist threat and regularly review protective measures and techniques. Ensure family members know what to do in any type of emergency. Several actions are provided here to help ensure home and family security.

- Restrict the possession of house keys.
- Lock all entrances at night, including the garage.
- Keep the house locked, even if you are home.
- Destroy all envelopes or other items that show your name, rank, or other personal information.
- Remove names and rank from mailboxes.
- Watch for unfamiliar vehicles cruising or parked frequently in the area, particularly if one or more occupants remain in the vehicle for extended periods.
- Post or preprogram emergency telephone numbers for immediate access. Report all threatening phone calls to security officials and the telephone company, making note of any background noise, accent, nationality, or location.

2019 Air Force Handbook

18.29. Home and Family Security

Spouses and children should always practice basic precautions for personal security. Familiarize family members with the local terrorist threat and regularly review protective measures and techniques. Ensure family members know what to do in any type of emergency. Several actions are provided here to help ensure home and family security.

- Restrict the possession of house keys.
- Lock all entrances at night, including the garage.
- Keep the house locked, even if you are home.
- Destroy all envelopes or other items that show your name, rank, or other personal information.
- Remove names and rank from mailboxes.
- Watch for unfamiliar vehicles cruising or parked frequently in the area, particularly if one or more occupants remain in the vehicle for extended periods.
- Post or preprogram emergency telephone numbers for immediate access. Report all threatening phone calls to security officials and the telephone company, making note of any background noise, accent, nationality, or location.

2021 E6 Study Guide

17.24. Human Intelligence and Counterintelligence

Human intelligence is a category of intelligence derived from information collected and provided by human sources and collectors, and where the human being is the primary collection instrument. Counterintelligence is information gathered and activities conducted to protect against such threats. A few primary human intelligence collection efforts are briefly described here.

Interrogation. Interrogation is the systematic effort to procure information to answer specific collection requirements by direct and indirect questioning techniques of a person who is in the custody of the forces conducting the questioning. Proper questioning of enemy combatants, enemy prisoners of war, or other detainees by trained and certified Department of Defense interrogators may result in information provided either willingly or unwittingly.

Source Operations. Designated and fully trained military human intelligence collection personnel may develop information through the elicitation of sources, to include: "walk-in" sources who, without solicitation, make the first contact with human intelligence personnel; developed sources who are met over a period of time and provide information based on operational requirements; unwitting persons with access to sensitive information.

Debriefing. Debriefing is the process of questioning cooperating human sources to satisfy intelligence requirements, consistent with applicable law. The source usually is not in custody and is usually willing to cooperate. Debriefing may be conducted at all echelons and in all operational environments. Through debriefing, face-to-face meetings, conversations, and elicitation, information may be obtained from a variety of human sources.

Document and Media Exploitation. Captured documents and media, when properly processed and exploited, may provide valuable information, such as adversary plans and intentions, force locations, equipment capabilities, and logistical status. The category of "captured documents and media" includes all media capable of storing fixed information, as well as computer storage material. This operation is not a primary human intelligence function, but may be conducted by any intelligence personnel with appropriate language support.

Human Intelligence Threat Areas. A few primary threat areas are briefly described here.

Espionage. The act of obtaining, delivering, transmitting, communicating, or receiving information about national defense with intent or reason to believe the information may be used to the injury of the United States or to the advantage of any foreign nation.

Subversion. An act or acts inciting military or civilian personnel of the Department of Defense to violate laws, disobey lawful orders or regulations, or disrupt military activities with the willful intent, thereby to interfere with or impair the loyalty, morale, or discipline of the U.S. Armed Forces.

Sabotage. An act or acts with intent to injure, interfere with, or obstruct the national defense of a country by willfully injuring or destroying, or attempting to injure or destroy, any national defense or war material, premises, or utilities, as well as human and natural resources.

Terrorism. The calculated use of unlawful violence or threat of unlawful violence to inculcate fear intended to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

2019 Air Force Handbook

18.30. Human Intelligence and Counterintelligence

Human intelligence is a category of intelligence derived from information collected and provided by human sources and collectors, and where the human being is the primary collection instrument. Counterintelligence is information gathered and activities conducted to protect against such threats. A few primary human intelligence collection efforts are briefly described here.

Interrogation. Interrogation is the systematic effort to procure information to answer specific collection requirements by direct and indirect questioning techniques of a person who is in the custody of the forces conducting the questioning. Proper questioning of enemy combatants, enemy prisoners of war, or other detainees by trained and certified Department of Defense interrogators may result in information provided either willingly or unwittingly.

Source Operations. Designated and fully trained military human intelligence collection personnel may develop information through the elicitation of sources, to include: "walk-in" sources who, without solicitation, make the first contact with human intelligence personnel; developed sources who are met over a period of time and provide information based on operational requirements; unwitting persons with access to sensitive information.

Debriefing. Debriefing is the process of questioning cooperating human sources to satisfy intelligence requirements, consistent with applicable law. The source usually is not in custody and is usually willing to cooperate. Debriefing may be conducted at all echelons and in all operational environments. Through debriefing, face-to-face meetings, conversations, and elicitation, information may be obtained from a variety of human sources.

Document and Media Exploitation. Captured documents and media, when properly processed and exploited, may provide valuable information, such as adversary plans and intentions, force locations, equipment capabilities, and logistical status. The category of "captured documents and media" includes all media capable of storing fixed information, as well as computer storage material. This operation is not a primary human intelligence function, but may be conducted by any intelligence personnel with appropriate language support.

Human Intelligence Threat Areas. A few primary threat areas are briefly described here.

Espionage. The act of obtaining, delivering, transmitting, communicating, or receiving information about national defense with intent or reason to believe the information may be used to the injury of the United States or to the advantage of any foreign nation.

Subversion. An act or acts inciting military or civilian personnel of the Department of Defense to violate laws, disobey lawful orders or regulations, or disrupt military activities with the willful intent, thereby to interfere with or impair the loyalty, morale, or discipline of the U.S. Armed Forces.

Sabotage. An act or acts with intent to injure, interfere with, or obstruct the national defense of a country by willfully injuring or destroying, or attempting to injure or destroy, any national defense or war material, premises, or utilities, as well as human and natural resources.

Terrorism. The calculated use of unlawful violence or threat of unlawful violence to inculcate fear intended to coerce or intimidate governments or societies in the pursuit of goals that are generally political, religious, or ideological.

2021 E6 Study Guide

17.25. Incident Reporting

AFI 71-101, Volume 4, Counterintelligence, requires individuals who have reportable contacts or acquire reportable information, to immediately (within 30 days of the contact) report the contact or information either verbally or in writing to AFOSI. The AFOSI initiates and conducts all counterintelligence investigations, operations, collections, and other related activities for the Air Force. When appropriate, or when overseas, AFOSI coordinates these activities with the Central Intelligence Agency and the Federal Bureau of Investigation. The AFOSI is also the installation-level training agency for counterintelligence awareness briefings, and is the sole Air Force repository for the collection and retention of reportable information.

Contact is defined as any exchange of information directed to an individual, including solicited or unsolicited telephone calls, e-mail, radio contact, and face-to-face meetings. Examples include: contact with a foreign diplomatic establishment; a request by anyone for illegal or unauthorized access to classified or unclassified controlled information; personal contact with any individual who suggests that a foreign intelligence or any terrorist organization may have targeted him or her or others for possible intelligence exploitation; or receipt of information indicating military members, civilian employees, or Department of Defense contractors have contemplated, attempted, or effected the deliberate compromise or unauthorized release of classified or unclassified controlled information.

Per AFI 10-245, the Eagle Eyes program is a DAF Antiterrorism initiative that enlists the eyes and ears of all AF military, civilians, contractors, and dependents. The Eagle Eyes program is a reporting mechanism for the base community on how to report suspicious behavior or possible terrorist activity. Each installation shall outline procedures in the installation AT plan on how to receive and log suspicious activity reports and suspicious incident reports and to pass those reports expeditiously to their servicing Air Force Office of Special Investigations.

2019 Air Force Handbook

18.31. Incident Reporting

AFI 71-101, Volume 4, Counterintelligence, requires individuals who have reportable contacts or acquire reportable information, to immediately (within 30 days of the contact) report the contact or information either verbally or in writing to AFOSI. The AFOSI initiates and conducts all counterintelligence investigations, operations, collections, and other related activities for the Air Force. When appropriate, or when overseas, AFOSI coordinates these activities with the Central Intelligence Agency and the Federal Bureau of Investigation. The AFOSI is also the installation-level training agency for counterintelligence awareness briefings, and is the sole Air Force repository for the collection and retention of reportable information.

Contact is defined as any exchange of information directed to an individual, including solicited or unsolicited telephone calls, e-mail, radio contact, and face-to-face meetings. Examples include: contact with a foreign diplomatic establishment; a request by anyone for illegal or unauthorized access to classified or unclassified controlled information; personal contact with any individual who suggests that a foreign intelligence or any terrorist organization may have targeted him or her or others for possible intelligence exploitation; or receipt of information indicating military members, civilian employees, or Department of Defense contractors have contemplated, attempted, or effected the deliberate compromise or unauthorized release of classified or unclassified controlled information.

2021 E6 Study Guide

17.26. Protection of the President and Others

As stated in AFI 71-101, Volume 2, Protective Service Matters, as a result of a formal agreement between the Department of Defense and U.S. Secret Service, individuals affiliated with the U.S. Armed Forces have a special obligation to report information regarding the safety and protection of the U.S. President or anyone else under the protection of the U.S. Secret Service. This includes the Vice President, the President- and Vice President-elect, and visiting heads of foreign states or foreign governments. In most cases, former Presidents and their spouses are also afforded lifetime protection of the U.S. Secret Service.

2019 Air Force Handbook

18.32. Protection of the President and Others

As stated in AFI 71-101, Volume 2, Protective Service Matters, as a result of a formal agreement between the Department of Defense and U.S. Secret Service, individuals affiliated with the U.S. Armed Forces have a special obligation to report information regarding the safety and protection of the U.S. President or anyone else under the protection of the U.S. Secret Service. This includes the Vice President, the President- and Vice President-elect, and visiting heads of foreign states or foreign governments. In most cases, former Presidents and their spouses are also afforded lifetime protection of the U.S. Secret Service.