Security Incident Investigations

Security Incident Investigations (SIIs) occur when there is a known or suspected loss of national security information (NSI) or controlled unclassified information (CUI). InfoSec personnel conduct SIIs to determine the circumstances surrounding an actual or potential compromise of NSI or CUI, determine individual responsibility, notify outside stakeholders when necessary, and make recommendations to prevent similar occurrences going forward. Such investigations often necessitate partnership with Personnel Security (PerSec) regarding suspension of an individual’s clearance and continued access to NSI, and coordination with Human Resources when such an action would affect an individual’s ability to remain in their current position, or when individuals who hold positions of trust are suspected of mishandling or losing CUI.

Security Incidents and Violations

The compromise of National Security Information (NSI) presents a threat to national security. Once a compromise has occurred, the damage to the national security interests of the U.S. must be determined and appropriate measures taken to negate or minimize the adverse effect of the compromise. Whenever possible, action shall be taken to regain custody of the documents or materials that were compromised; however, in all cases, appropriate action must be taken to identify the source of the compromise, determine the reason for the compromise, and identify and take any corrective action necessary to ensure further compromise of NSI does not occur. 

Any person who has knowledge of or suspects there has been a compromise or loss of NSI (in any form) or any person who discovers NSI outside of required controls shall take the following steps: 

  1. If applicable, take immediate custody of such information and safeguard it in an appropriate manner. This responsibility includes protecting NSI that is discovered improperly safeguarded or unsecured. 
  2. Immediately report the loss or possible compromise of NSI to the Field Security Servicing Officer (FSSO).
  3. Complete Part 1 of the National Security Information Incident Report and submit it to the FSSO. The FSSO completes Part 2 and submits the report to the Department Security Infraction and Violation Program Manager within the Information Security Division at osy_NSI@doc.gov.
  4. If the incident involves any spill of classified information on an unclassified or classified system, notify the Enterprise Security Operations Center (ESOC) at (202) 482-4000 or esoc@doc.gov upon discovery or knowledge of the incident. The ESOC is open 24 hours a day, 7 days a week, 365 days a year.