- What is INFOSEC in the DoD?
- The Core of INFOSEC: Confidentiality, Integrity, Availability (CIA Triad)
- Common Threats Facing DoD Personnel
- Key DoD INFOSEC Rules and Regulations
- Your Role: Essential INFOSEC Best Practices
- Mandatory Training: Staying Cyber Aware
- Why Compliance Matters: Consequences of Violations
- Where to Find Help and More Information
Information Security, commonly known as INFOSEC, is a cornerstone of the Department of Defense (DoD) mission and the security of the United States. In an era of persistent threats and evolving technology, safeguarding information is a fundamental duty for every member of the DoD workforce.
Military personnel, civilian employees, and supporting contractors all share the responsibility of protecting sensitive information and the systems that process it.
This guide provides the essential basics of INFOSEC within the DoD context, outlining:
- Key principles
- Common threats
- Mandatory policies
- Best practices
- Training requirements
- Consequences of non-compliance
- Where to turn for help
Adherence to these principles and practices is critical for mission success and protecting national interests.
What is INFOSEC in the DoD?
INFOSEC is a broad discipline focused on protecting information and the systems that store, process, and transmit it. The National Institute of Standards and Technology (NIST) and the Committee on National Security Systems (CNSS) define Information Security as “The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.”
Within the Department of Defense, INFOSEC goes beyond just protecting computer networks; it includes safeguarding information in all its forms—electronic data, physical documents, hardware, software, facilities, and even spoken words.
The DoD Information Security Program is specifically designed to manage and protect various types of sensitive information critical to national security, including:
- Classified National Security Information (CNSI): Information requiring protection against unauthorized disclosure pursuant to an Executive Order, marked as Top Secret, Secret, or Confidential.
- Controlled Unclassified Information (CUI): Unclassified information requiring safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy.
- Sensitive Compartmented Information (SCI): Classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled within formal access control systems.
- Special Access Programs (SAPs): Programs imposing safeguarding and access requirements exceeding those normally required for information at the same classification level.
- Foreign Government Information (FGI): Information provided to the U.S. government by a foreign government or international organization with the expectation that the information is held in confidence.
The term “Cybersecurity” is formally adopted by DoD Instruction (DoDI) 8500.01 to replace the older term “Information Assurance (IA).” Cybersecurity specifically focuses on the prevention of damage to, protection of, and restoration of computers, electronic communications systems, services, and the information contained therein.
While Cybersecurity is a critical component, INFOSEC remains the broader umbrella term within the DoD, covering the protection of information regardless of its form or location.
The overarching goals of the DoD Information Security Program are to:
- Identify and protect national security information and CUI
- Promote necessary information sharing for mission accomplishment
- Facilitate the judicious use of resources
- Simplify management through the implementation of uniform and standardized processes across the Department
Every DoD member’s adherence to INFOSEC principles is vital to achieving these goals.
The Core of INFOSEC: Confidentiality, Integrity, Availability (CIA Triad)
The Confidentiality, Integrity, and Availability (CIA) triad is a widely accepted model that forms the cornerstone of information security. It provides a framework for thinking about the security objectives necessary to protect DoD information and systems.
These three principles are interconnected; a failure in one area often impacts the others, potentially compromising missions and endangering personnel.
Confidentiality
This principle involves preserving authorized restrictions on information access and disclosure. In simple terms, it means keeping secrets secret and ensuring that only authorized individuals, processes, or systems can access sensitive information.
Within the DoD, confidentiality is paramount for protecting a vast range of information, such as:
- Operational plans
- Troop deployment schedules
- Intelligence collection data
- Specifications for advanced weaponry
- Personnel records containing Personally Identifiable Information (PII)
- All levels of classified information (CNSI)
Unauthorized disclosure of such information could provide adversaries with critical advantages, compromise operations, or violate personal privacy.
Mechanisms used to ensure confidentiality include:
- Robust access control measures (verifying security clearances and need-to-know)
- Encryption of data both when stored (at rest) and when transmitted (in transit)
- Network segmentation to isolate sensitive systems
- Proper physical handling and storage of classified documents and CUI
- The use of secure communication channels, often involving Public Key Infrastructure (PKI) for digital signatures and encryption
- Strong authentication methods like passwords, PINs, and multi-factor authentication (MFA)
Integrity
This principle focuses on guarding against improper modification or destruction of information and ensuring its authenticity and non-repudiation. Integrity means that data is accurate, complete, consistent, and trustworthy, and that it hasn’t been altered in an unauthorized manner, whether accidentally or maliciously.
For the DoD, data integrity is vital. Imagine the consequences if:
- Targeting coordinates were altered
- Intelligence reports were falsified
- Personnel pay records were manipulated
- Critical system configurations were changed without authorization
Such breaches could lead directly to mission failure, loss of life, financial fraud, or flawed decision-making based on corrupted information.
Methods to maintain integrity include:
- Strict access controls to limit who can modify data
- Version control systems to track changes
- Cryptographic methods like hashing and checksums to verify data hasn’t been altered
- Digital signatures (often using CAC/PKI) to prove authenticity and non-repudiation
- Detailed audit logs to track system and data access/modifications
- Regular data backups to allow recovery from corruption
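The hashing, checksum, and tamper-detection mechanisms listed above, shown as a working check. This is an added example written for this page, not code from the guide or from any DoD system: it computes an unkeyed SHA-256 checksum, a keyed HMAC-SHA256 tag, and a simple file-integrity baseline, then demonstrates that a one-bit change to a constructed sample record is detected. The record, file names, and key are constructed for the demonstration.

```python
"""Added example (not from the guide): detecting unauthorized modification with
an unkeyed checksum (SHA-256), a keyed MAC (HMAC-SHA256), and a hash baseline
over a set of files. All sample data below is constructed."""
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Unkeyed checksum: catches accidental corruption, but anyone who can
    alter the data can also recompute this value, so on its own it is not
    proof against deliberate tampering."""
    return hashlib.sha256(data).hexdigest()


def make_tag(key: bytes, data: bytes) -> str:
    """Keyed MAC: an attacker who does not hold the key cannot produce a
    valid tag for altered data, so this does detect deliberate changes."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    # compare_digest avoids leaking information through comparison timing
    return hmac.compare_digest(make_tag(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a one-bit change (corruption or deliberate alteration)."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


def baseline(files: dict) -> dict:
    """Record a checksum for each file (name -> content) as a known-good baseline."""
    return {name: sha256_hex(content) for name, content in files.items()}


def changed_files(known_good: dict, current: dict) -> list:
    """Names of baseline files that are now missing or whose checksum differs."""
    return sorted(
        name for name, digest in known_good.items()
        if name not in current or sha256_hex(current[name]) != digest
    )


# Constructed sample record (not real data)
RECORD = b"GRID 38SMB 12345 67890 TIME 0600Z"


def demo(key: bytes = None) -> dict:
    """Run the checks and report what each mechanism detected."""
    key = key or secrets.token_bytes(32)
    tag = make_tag(key, RECORD)
    tampered = flip_bit(RECORD, 12)  # changes one digit of a coordinate
    return {
        "checksum_changed": sha256_hex(RECORD) != sha256_hex(tampered),
        "original_verifies": verify_tag(key, RECORD, tag),
        "tampered_verifies": verify_tag(key, tampered, tag),
    }


if __name__ == "__main__":
    print(demo())
    configs = {"a.cfg": b"x=1", "b.cfg": b"y=2"}  # constructed sample files
    known = baseline(configs)
    configs["b.cfg"] = b"y=3"
    print(changed_files(known, configs))
```

The checksum detects the change but could be recomputed by whoever altered the data, which is why the guide pairs hashing with access controls, audit logs, and signatures; the keyed tag (or a digital signature) is what ties a valid check to someone who holds the key.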
Availability
This principle ensures that information and systems are accessible and usable upon demand by authorized users. It means that personnel can access the networks, systems, and data they need to perform their duties, when they need to, without undue delay.
Availability is critical for operational continuity in the DoD. During routine operations, crises, or conflicts, personnel rely on uninterrupted access to:
- Communication networks
- Command and control (C2) systems
- Logistics databases
- Intelligence feeds
- Supporting infrastructure
Attacks aimed at denying access, such as Distributed Denial of Service (DDoS) attacks, or system failures due to hardware issues, software bugs, or natural disasters, can severely disrupt or halt military operations.
Ensuring availability involves:
- Implementing system redundancy (having backup systems)
- Maintaining comprehensive backup and disaster recovery plans
- Actively monitoring network performance and security
- Employing defenses against DoS/DDoS attacks
- Performing regular hardware maintenance and software patching
- Ensuring adequate network bandwidth and processing power
It’s important to recognize that many security controls support multiple pillars of the triad. For example, strong authentication using a CAC and PIN helps ensure Confidentiality by preventing unauthorized login, and also supports Integrity by linking actions back to a specific, authenticated user.
Similarly, encryption primarily protects Confidentiality but can also support Integrity if it includes mechanisms to detect tampering.
While a failure in Availability (like a network outage) might be the most immediately obvious disruption to users, compromises in Confidentiality or Integrity can have equally or even more severe long-term consequences for national security and mission success. All three pillars are essential and must be addressed holistically.
Common Threats Facing DoD Personnel
The DoD operates in a complex threat environment. Personnel must be aware of the various ways adversaries, criminals, or even insiders (both intentional and unintentional) can attempt to compromise information, systems, and missions. These threats can be broadly categorized into cyber, insider, and physical risks.
Cyber Threats
These involve malicious activities conducted via computer networks and systems. DoD personnel are frequent targets due to the value of the information they handle. Common cyber threats include:
Phishing, Vishing, and Smishing
These are forms of social engineering where attackers use deceptive emails (phishing), voice calls (vishing), or text messages (smishing) to trick individuals into revealing sensitive information like passwords, CAC PINs, PII, or financial details. They might also try to convince users to click malicious links or open infected attachments that install malware.
Spear phishing is a particularly dangerous variant that targets specific individuals or groups, using personalized information gathered from open sources (OSINT) or previous breaches to make the communication appear highly legitimate, perhaps seeming to come from a supervisor, colleague, help desk, or trusted external entity.
Be wary of emails with:
- Suspicious sender addresses (check closely for slight misspellings)
- Generic greetings (“Dear Valued Customer”)
- Poor grammar or spelling
- Urgent requests for sensitive data
- Links where the hover-over URL doesn’t match the displayed text
- Unexpected attachments, especially those demanding immediate action
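The indicators in the list above (a sender address that differs from a trusted domain by a character or two, link text whose URL does not match the real target, and urgent wording) can be checked mechanically. This is an added example for this page, not code from the guide or from any DoD mail system; the trusted-domain allow list, urgency phrases, and the sample message are constructed, and the edit-distance threshold is an assumption chosen for illustration.

```python
"""Added example (not from the guide): triage checks for three phishing
indicators: lookalike sender domain, link text that does not match the link
target, and urgent wording. Allow list and sample message are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"mail.mil", "example-command.mil"}  # constructed allow list
URGENT_PHRASES = ("immediately", "within 24 hours", "will be suspended", "urgent")
# Display text that looks like a URL or hostname, e.g. "https://portal.mail.mil/login"
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_status(sender: str) -> str:
    """'trusted', 'lookalike' (within 2 edits of a trusted domain; assumed threshold), or 'unknown'."""
    domain = sender.rsplit("@", 1)[-1].strip(">").lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if any(edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    if "://" not in url:
        url = "https://" + url
    return (urlparse(url).hostname or "").lower()


def mismatched_links(html: str) -> list:
    """Links whose displayed text is a URL that points at a different host than the href."""
    parser = _LinkCollector()
    parser.feed(html)
    return [(href, text) for href, text in parser.links
            if URL_LIKE.match(text) and _host(text) != _host(href)]


def triage(sender: str, subject: str, body_html: str) -> list:
    """Indicator codes that fired; an empty list means none of these three did."""
    findings = []
    status = sender_domain_status(sender)
    if status != "trusted":
        findings.append(f"{status}-sender-domain")
    if mismatched_links(body_html):
        findings.append("link-text-mismatch")
    text = f"{subject} {body_html}".lower()
    if any(phrase in text for phrase in URGENT_PHRASES):
        findings.append("urgent-language")
    return findings


# Constructed sample message (not a real email)
SAMPLE_SENDER = "IT Help Desk <helpdesk@mai1.mil>"
SAMPLE_SUBJECT = "Action required: CAC certificate expires within 24 hours"
SAMPLE_BODY = ('<p>Renew now at <a href="http://portal-mail-mil.example.net/renew">'
               'https://portal.mail.mil/renew</a> or your account will be suspended.</p>')

if __name__ == "__main__":
    print(triage(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY))
```

An empty result only means these three indicators did not fire; the guide's advice to verify unexpected requests through a separate, trusted channel still applies, because a well-crafted spear-phishing message can pass every automated check.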
Malware and Ransomware
Malware (malicious software) encompasses a wide range of threats like viruses, worms, spyware, and trojans designed to infiltrate systems, steal data, disrupt operations, or grant unauthorized access. Malware is often delivered through phishing emails, malicious websites, or infected removable media like USB drives.
Ransomware is a specific type of malware that encrypts the victim’s files or entire system, making them inaccessible until a ransom (typically in cryptocurrency) is paid. Attackers may also engage in data extortion, threatening to publicly release sensitive data stolen during the ransomware attack if the ransom isn’t paid.
Ransomware attacks against critical infrastructure, including DoD systems and contractors, are a significant concern.
Social Engineering
This threat exploits human psychology—trust, urgency, helpfulness, fear, curiosity—to manipulate individuals into bypassing security procedures or divulging information.
Phishing is a primary example, but social engineering can also occur in person (e.g., someone impersonating a technician to gain facility access) or over the phone (vishing).
Other tactics include:
- Baiting (leaving an infected USB drive labeled “Payroll Info” in a common area hoping someone plugs it in)
- Pretexting (creating a believable scenario or pretext to elicit information)
Vigilance and skepticism are key defenses—always verify identities and requests through separate, trusted channels before providing sensitive information or access.
Other Cyber Threats
Personnel should also be aware of:
- Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks, which aim to overwhelm systems or networks with traffic, making them unavailable to legitimate users
- Man-in-the-Middle (MitM) attacks, in which an attacker secretly intercepts and possibly alters communications between two parties
- Zero-day exploits, which target vulnerabilities in software or hardware not yet known to the vendor or the public, making them particularly difficult to defend against initially
- Database attacks such as SQL injection, and automated login attempts using breached credentials (credential stuffing), which are also common
Insider Threats
An insider threat originates from individuals who have, or previously had, authorized access to DoD networks, systems, facilities, or information. This includes military personnel, civilian employees, contractors, and even trusted partners. The threat arises when these individuals, either wittingly (intentionally) or unwittingly (unintentionally), commit an act that violates law or policy and causes, or could cause, harm to U.S. interests.
Malicious Insiders
Act with intent to harm. This can manifest as:
- Espionage (stealing secrets for foreign powers)
- Sabotage (damaging systems or data)
- Unauthorized disclosure (leaking classified or sensitive information)
- Data theft for personal gain
- Fraud
- Workplace violence
Unintentional Insiders
Cause harm through negligence, carelessness, lack of awareness, or by being tricked by external actors (e.g., falling victim to phishing or social engineering).
Common unintentional acts include:
- Mishandling CUI or classified information
- Using weak passwords
- Clicking malicious links
- Losing Government-Furnished Equipment (GFE)
- Misconfiguring security settings
Human error remains a significant factor in many security breaches. Because these actions are not driven by malicious intent, awareness training and adherence to best practices are crucial mitigation strategies.
Potential Indicators
While not definitive proof, certain behaviors might indicate an elevated insider risk and warrant reporting through appropriate channels. These can include:
- Unexplained affluence
- Attempts to access information beyond one’s need-to-know
- Unusual work hours
- Unreported foreign contacts or travel
- Downloading or copying excessive amounts of data
- Expressing disgruntlement or allegiance concerns
- Repeated security violations
Physical Security Risks
Breaches in physical security can directly enable information compromises or other harmful events. These risks pertain to the physical protection of DoD assets:
Facilities
Unauthorized physical access to DoD buildings, secure rooms, data centers, or Sensitive Compartmented Information Facilities (SCIFs) can lead to:
- Theft of equipment or documents
- Installation of rogue devices
- Espionage
- Sabotage
- Violence
Maintaining access control, visitor management, and perimeter security is essential.
Documents
Classified information or CUI in hardcopy form is vulnerable if:
- Left unattended on desks
- Improperly stored in unlocked containers
- Disposed of incorrectly (e.g., thrown in regular trash instead of shredded using approved equipment)
Equipment
Loss or theft of Government-Furnished Equipment (GFE) like laptops, smartphones, CACs, or removable media (USB drives) poses a significant risk, as these devices often contain or provide access to sensitive data.
Leaving devices unattended and unlocked, even briefly, creates opportunities for unauthorized access or data theft (“shoulder surfing”).
Plugging devices into unknown public USB charging ports without a data blocker can also expose them to risk.
Understanding these diverse threats highlights the interconnected nature of security. A successful phishing attack (cyber) might steal credentials used by an insider to access sensitive data, or a physical security lapse (leaving a door unlocked) could allow an intruder to install malware on a system. Therefore, a comprehensive approach addressing cyber, insider, and physical security is necessary for effective INFOSEC.
Key DoD INFOSEC Rules and Regulations
Information Security within the Department of Defense is governed by a structured hierarchy of official issuances that establish mandatory policies, assign responsibilities, and prescribe detailed procedures. Understanding the key governing documents is essential for all personnel. These issuances typically fall into categories:
- DoD Directives (DoDDs): Broad policy documents establishing fundamental principles and assigning major responsibilities.
- DoD Instructions (DoDIs): Provide more detailed implementation guidance for policies established in DoDDs.
- DoD Manuals (DoDMs): Offer specific, detailed procedures and standards for implementing DoDIs.
Compliance with these issuances is mandatory for all DoD personnel and, where applicable, contractors. Key documents relevant to INFOSEC basics include:
| Policy Document | Brief Description | Official URL |
|---|---|---|
| DoDD 8140.01 | Cyberspace Workforce Management: Establishes policy for identifying, managing, training, and qualifying the DoD cyberspace workforce. Defines the DoD Cyberspace Workforce Framework (DCWF). | Link |
| DoDM 8140.03 | Cyberspace Workforce Qualification & Management Program: Details qualification standards, proficiency levels, and procedures for the cyberspace workforce, implementing DoDD 8140.01. | Link |
| DoDI 8500.01 | Cybersecurity: Establishes the overall DoD cybersecurity program, principles (risk management, resilience), responsibilities, and mandates STIG compliance. Adopts “cybersecurity” term. | Link |
| DoDI 8510.01 | Risk Management Framework (RMF) for DoD Systems: Establishes the RMF process for assessing risks and authorizing DoD IT systems to operate. | Link |
| DoDI 5200.01 | DoD Information Security Program: Establishes the overarching policy framework for the DoD Information Security Program, covering classified and sensitive unclassified information. | WHS Directives Search |
| DoDM 5200.01, Vol 1 | Overview, Classification, and Declassification: Covers program overview, responsibilities, and procedures for classifying and declassifying CNSI. | Link |
| DoDM 5200.01, Vol 2 | Marking of Information: Provides detailed guidance for the correct marking of classified information. | Link |
| DoDM 5200.01, Vol 3 | Protection of Classified Information: Details procedures for safeguarding, storage, destruction, transmission, transportation, security education, and incident handling for CNSI. | Link |
| DoDI 5200.48 | Controlled Unclassified Information (CUI): Establishes policy, responsibilities, and procedures for identifying, marking, safeguarding, disseminating, and destroying CUI. Replaced DoDM 5200.01, Vol 4. | Link |
| DoDI 5205.16 | The DoD Insider Threat Program: Establishes policy, responsibilities, and procedures for the DoD Insider Threat Program (InTP), including reporting and training requirements. | Link |
| DoDI 8170.01 | Online Information Management and Electronic Messaging: Governs the use of DoD electronic messaging (e.g., email), web services, and online information management. | Link |
| Security Technical Implementation Guides (STIGs) | Configuration Standards: Mandated by DoDI 8500.01, STIGs provide detailed, technology-specific security configuration requirements for systems connected to DoD networks. | DoD Cyber Exchange STIGs Library |
Finding Official Policies
The definitive source for current, official DoD Directives, Instructions, and Manuals is the Washington Headquarters Services (WHS) Directives Division website. It is crucial to rely on this official source, as policies are frequently updated, reissued, or superseded. Using outdated guidance can lead to non-compliance and security risks.
Other valuable official portals for specific information include:
- DoD Chief Information Officer (CIO) Library: Contains strategies, playbooks, and memos related to IT, cybersecurity, cloud, software development, etc.
- DoD CUI Program Website: Provides access to the DoD CUI Registry, policy links, training resources, and FAQs
- DoD Cyber Exchange: Offers STIGs, Security Requirements Guides (SRGs), training resources (including the Cyber Awareness Challenge), and cybersecurity news/announcements
Navigating these policies reveals their interconnectedness. For example, DoDI 8500.01 establishes the cybersecurity program and mandates STIGs, while DoDI 8510.01 defines the RMF process used to assess systems against those STIGs and other controls.
DoDD 8140.01 mandates workforce qualifications relevant to executing these cybersecurity functions, and the DoDM 5200.01 series and DoDI 5200.48 dictate how the actual information (classified or CUI) processed by these systems and personnel must be handled.
Effective INFOSEC requires understanding how these personnel, process, technology, and data protection policies work together.
Your Role: Essential INFOSEC Best Practices
Every member of the DoD community has a personal responsibility to practice good information security habits. These practices combine technical configurations, adherence to established procedures, and mindful user behavior. They are essential for protecting DoD information and systems from the threats outlined earlier.
Strong Authentication: Passwords and Beyond
Password Creation
Passwords are a primary defense layer.
DoD Standard (Non-MFA Systems): Historically, DoD policy and STIGs have mandated strong complexity for systems lacking Multi-Factor Authentication (MFA). This typically requires a minimum length of 15 characters, including at least one character from each of these four groups: uppercase letters, lowercase letters, numbers, and special characters (e.g., !@#$%^&*()).
Some devices unable to support this (like older mobile OS) may have a lower minimum, such as 6 characters.
NIST Guidance & Modern Trends: Current NIST guidelines (SP 800-63B), which increasingly influence STIGs and policy, emphasize password length as the primary factor for strength, rather than forcing complex character combinations.
NIST recommends a minimum of 8 characters but suggests allowing lengths up to 64 characters or more to encourage passphrases (e.g., CorrectHorseBatteryStaple!). Passphrases, using multiple random words, are often easier to remember and type yet significantly harder to crack than shorter, complex passwords.
While DoD policy may still enforce complexity on some systems, using a long passphrase is a good strategy to meet length requirements effectively.
What to Avoid:
- Never use personal information (names, birthdays, phone numbers)
- Avoid common dictionary words
- Don’t use easily guessable patterns
- Never reuse passwords across different accounts, especially between your government/work accounts and personal accounts
- DoD policy forbids reusing recent passwords; systems often enforce a history, preventing reuse of the last 10 to 24 passwords
- Do not write passwords down where they can be easily found
Password Management
Password Managers: Consider using an approved password manager application. These tools can generate highly complex, random passwords for each account and store them securely, eliminating the need for memorization. If used for government systems, ensure the manager meets any applicable FIPS compliance standards.
Password Changes: Follow your specific system or organizational policy regarding password expiration (often 60 days in DoD environments). However, be aware that NIST guidance now discourages mandatory periodic changes unless there is evidence of compromise, as frequent changes often lead to weaker password choices. Always change passwords immediately if you suspect they have been compromised.
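The password rules described in this section, implemented as checks: the 15-character, four-class rule for non-MFA systems, a NIST SP 800-63B style length check, screening for personal information, and password-history enforcement against salted hashes. This is an added example for this page, not code from the guide or from any DoD system; the PBKDF2 iteration count, the sample passwords, and the personal-information terms are constructed for the demonstration.

```python
"""Added example (not from the guide): checks implementing the password rules
described in the guide. Iteration count and sample values are constructed."""
import hashlib
import hmac
import os
import string

PBKDF2_ITERATIONS = 100_000  # constructed for the demo; real settings follow local policy


def dod_complexity_issues(pw: str) -> list:
    """Reasons a password fails the 15-character, four-class rule; empty list means it passes."""
    issues = []
    if len(pw) < 15:
        issues.append("shorter than 15 characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    issues.extend(f"no {name} character" for name, present in classes.items() if not present)
    return issues


def nist_length_ok(pw: str, minimum: int = 8, maximum: int = 64) -> bool:
    """Length-based check in the spirit of NIST SP 800-63B: long passphrases are allowed."""
    return minimum <= len(pw) <= maximum


def personal_info_hits(pw: str, personal_terms: list) -> list:
    """Terms (name, birth year, phone fragment) that appear inside the password."""
    low = pw.lower()
    return [t for t in personal_terms if len(t) >= 3 and t.lower() in low]


def hash_password(pw: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, so a history can be kept without storing plaintext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ITERATIONS)


def reuses_recent(pw: str, history: list) -> bool:
    """True if pw matches any (salt, digest) pair retained in the password history."""
    return any(hmac.compare_digest(hash_password(pw, salt)[1], digest) for salt, digest in history)


def evaluate(pw: str, personal_terms: list = (), history: list = ()) -> dict:
    """Combine all checks into one report for a candidate password."""
    return {
        "dod_complexity": dod_complexity_issues(pw),
        "nist_length_ok": nist_length_ok(pw),
        "personal_info": personal_info_hits(pw, list(personal_terms)),
        "reused": reuses_recent(pw, list(history)),
    }


if __name__ == "__main__":
    old = hash_password("OldPass-2024-Alpha!")  # constructed previous password
    print(evaluate("CorrectHorseBatteryStaple!", ["Smith", "1985"], [old]))
    print(evaluate("Smith1985!Pass", ["Smith", "1985"], [old]))
```

Run against the guide's own passphrase example, `CorrectHorseBatteryStaple!` passes the length-based check but fails the four-class rule only because it has no digit, which is exactly the tension the text describes between length-first guidance and systems that still enforce complexity; adding a digit to a long passphrase satisfies both.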
CAC/PIV and PKI
The Common Access Card (CAC) or Personal Identity Verification (PIV) card is a cornerstone of DoD authentication, providing two factors: something you have (the card) and something you know (your PIN).
Protection:
- Your CAC is a controlled item. Always keep it in your possession.
- Remove it from the reader whenever you leave your workstation, even for a moment.
- Never share your PIN.
- Report a lost or stolen CAC immediately to your security point of contact (POC).
- Using a shielded sleeve can help prevent cloning.
Usage:
- The certificates on your CAC enable identification, email encryption, and digital signatures.
- Use digital signatures on official emails to ensure authenticity and integrity.
- Encrypt emails containing sensitive information.
- Follow rules for using PKI tokens: insert only when needed for a PKI task, never use on public computers, and ensure you use the token designated for the correct classification level (e.g., don’t use a SIPRNet token on NIPRNet).
Multi-Factor Authentication (MFA)
MFA adds layers of security by requiring multiple types of credentials (e.g., CAC/PIN + a code from an app). Use MFA whenever it is offered or required, as it significantly increases account security. It is a standard requirement for systems handling CUI under NIST SP 800-171.
Handling Sensitive Information
Protecting information appropriate to its sensitivity level is a core duty.
Know Your Data
Be able to distinguish between Unclassified information, Controlled Unclassified Information (CUI), and Classified National Security Information (CNSI – Confidential, Secret, Top Secret). Each category has specific handling rules.
Controlled Unclassified Information (CUI)
Governed by DoDI 5200.48.
Identify: Recognize information designated as CUI based on laws, regulations, or government-wide policies listed in the DoD CUI Registry.
Mark: Apply the “CUI” banner at the top and bottom of each page and the CUI Designation Indicator block on the first page/cover, specifying the controlling office, CUI category(ies), any Limited Dissemination Controls (LDCs), and a POC.
Safeguard (Physical):
- During work hours, prevent unauthorized viewing (e.g., use screen privacy filters, position monitors away from view).
- After hours, store in locked desks, cabinets, or rooms unless the building has 24/7 security monitoring.
Safeguard (Electronic):
- Process CUI on systems meeting at least Moderate Confidentiality requirements (NIST SP 800-171 controls apply to non-federal systems handling CUI for DoD).
- Transmit electronically using approved secure methods like encrypted email (using PKI) or DoD SAFE.
- Never use personal email accounts or personal cloud storage (like Google Drive, Dropbox) for CUI.
Disseminate: Share CUI only when it serves a Lawful Government Purpose and is not prohibited by law, regulation, policy, or an applied LDC. LDCs restrict sharing to specific groups (e.g., FED ONLY, FEDCON, NOCON, DL ONLY) or prohibit foreign dissemination (NOFORN).
Always check markings and the DoD CUI Registry for LDC meanings and applicability.
Destroy: Destroy CUI, in physical or electronic form, so it is unreadable, indecipherable, and irrecoverable.
Approved methods include those used for classified information (e.g., cross-cut shredding to specific standards) or other methods meeting NIST SP 800-88 guidelines (e.g., disintegration, pulverization, melting, incineration for physical media; cryptographic erase, overwriting, physical destruction for electronic media).
Classified Information (CNSI)
Governed primarily by DoDM 5200.01, Volumes 1, 2, and 3.
Access: Requires the trifecta:
- An appropriate security clearance
- A signed Non-Disclosure Agreement (SF-312)
- A valid need-to-know for your official duties
Marking: Follow detailed rules in DoDM 5200.01, Vol 2, including overall classification banners, portion markings, and other required notations.
Safeguard:
- When not in approved storage, classified material must be under the constant control of an authorized person.
- Use appropriate cover sheets (SF 703 for Top Secret, SF 704 for Secret, SF 705 for Confidential) when documents are outside storage.
- Store in GSA-approved containers, vaults, or SCIFs appropriate for the classification level.
- Conduct end-of-day security checks using SF 701 (checklist) and SF 702 (container check sheet).
Transmission/Transportation: Use only authorized methods.
- Top Secret requires highly controlled channels like direct contact, secure comms, or Defense Courier Service (DCS).
- Secret and Confidential allow additional methods like specific USPS services (Registered/Certified Mail within US), cleared carriers, or authorized hand-carry, all with strict packaging and procedural requirements.
Destruction: Must render the information completely irrecoverable.
- Use only NSA-evaluated and approved destruction equipment (shredders meeting specific cross-cut standards, disintegrators, degaussers for magnetic media, etc.)
- Approved methods (burning, pulping, chemical decomposition) appropriate for the material type and classification level
Secure Use of Technology
Apply security best practices to the tools you use daily.
Email Security
- Remain vigilant against phishing
- Use your CAC/PKI to digitally sign official emails and encrypt emails containing CUI or PII/PHI
- Use DoD SAFE for transferring large files or sensitive files to recipients who cannot receive encrypted email
- Never use personal email or auto-forward official email to personal accounts
Safe Internet Browsing
- Avoid using untrusted public Wi-Fi networks for official business
- If necessary, always use a GFE device with an approved VPN connection
- Be cautious about the websites you visit; look for HTTPS and verify legitimacy before entering credentials
- Limit personal browsing, streaming, and social media use on GFE
Government-Furnished Equipment (GFE)
GFE is provided for official duties and must be protected accordingly.
- Always follow your organization’s Acceptable Use Policy (AUP), which you typically acknowledge annually with your Cyber Awareness training
- Keep the operating system and approved software patched and updated
- Do not install unauthorized software or connect unauthorized hardware
- Report lost or stolen GFE immediately
- Use GFE for telework whenever possible and follow guidance regarding personal peripherals
- Never process or store classified information on unclassified GFE
- Avoid processing or storing CUI/PII/PHI on non-GFE devices unless explicitly authorized under strict conditions (e.g., approved BYOD policy with containerization)
Removable Media (USB Drives, CDs, etc.)
The use of removable media is often restricted or prohibited due to the high risk of malware introduction and data loss.
If authorized:
- Use only government-approved and issued media
- Never plug personal USB drives into GFE, or GFE drives into personal computers
- Follow strict procedures for scanning (before/after use), wiping (before first use with approved tools), encrypting sensitive data (FIPS 140-2 validated for CUI), labeling, secure storage, and proper destruction
- Never download classified data to removable media without specific authorization and adherence to protocols
- Be suspicious of any “found” USB drives
Physical Security Measures
Your physical actions directly impact information security.
- Secure your workspace, especially when handling classified information or CUI. Lock desks, cabinets, and offices as required.
- Be aware of your surroundings to prevent “shoulder surfing” when viewing sensitive information on screens or documents.
- Use approved cross-cut shredders or other authorized methods to destroy sensitive documents (both classified and CUI) when no longer needed.
- Practice good access control: wear your badge visibly, challenge individuals without proper identification, and escort visitors as required.
- Physically secure your GFE: lock your screen when stepping away (remove CAC), store laptops and mobile devices securely when not in use, and report loss or theft immediately.
Recognizing and Reporting Security Incidents
Prompt reporting is crucial for mitigating damage and is a mandatory requirement. Failure to report is a security violation itself.
What to Report
Any event, suspected or confirmed, that violates security policy or puts information/systems at risk. This includes:
- Phishing attempts
- Malware detection
- Data spills (e.g., classified on unclassified network, CUI sent unencrypted)
- Lost/stolen GFE or CACs
- Unauthorized access attempts
- Potential insider threat behaviors
- Physical security breaches
- Any deviation from required security procedures
How/When
- Report immediately upon discovery or suspicion
- Do not try to delete, fix, or investigate the issue yourself unless specifically instructed by security personnel, as this can destroy valuable forensic evidence
- Preserve any evidence, such as suspicious emails or affected media, if possible and safe to do so
Who to Report To
Follow your specific command or organization’s incident reporting procedures. Common points of contact include:
- Your local Security Manager
- Facility Security Officer (FSO) (for contractors)
- Information System Security Officer (ISSO) or Manager (ISSM)
- IT Help Desk/Service Desk
Specific incidents may have dedicated channels (e.g., DIBNet for contractor cyber incidents, which DFARS 252.204-7012 requires to be reported within 72 hours of discovery; DITMAC for insider threats; the DoD Hotline for fraud, waste, and abuse).
Mandatory Training: Staying Cyber Aware
Continuous learning and awareness are critical components of the DoD’s defense-in-depth security strategy. Recognizing that personnel are both a key asset and a potential vulnerability, the DoD mandates regular security training for all individuals who access its information systems and handle sensitive information.
This training is not optional; it is a federal and DoD requirement essential for maintaining network access privileges and ensuring everyone understands their security responsibilities in a constantly evolving threat landscape.
| Training Topic | Requirement | Key Content Areas | Primary Access Platform(s) |
|---|---|---|---|
| Cyber Awareness Challenge | Annual for all DoD IS users (Military, Civilian, Contractors w/ access) | Current threats (phishing, malware, social engineering), best practices (passwords, email, internet, mobile, removable media), protecting Classified/CUI/PII, incident reporting. | DoD Cyber Exchange<br>Component LMS (e.g., Navy TWMS, USMC MarineNet)<br>CDSE STEPP/Security Awareness Hub |
| Controlled Unclassified Information (CUI) | Initial & Annual Refresher for personnel with CUI access; Contractors if required by GCA | CUI definition, Registry, Basic vs. Specified, Marking, Safeguarding (physical/electronic), Access/Dissemination/LDCs, Decontrolling, Destruction, Incident Reporting. | CDSE (IF141.06) (via STEPP or Security Awareness Hub) |
| Insider Threat Awareness | Initial (within 30 days) & Annual Refresher for personnel with access to DoD resources/classified info | Importance of reporting concerning behaviors, adversary methods, threat indicators, reporting procedures, vigilance. | CDSE (INT101.16)<br>Component-specific training may also exist |
| Acceptable Use Policy (AUP) | Annual acknowledgement, often concurrent with Cyber Awareness Training | Rules for using DoD networks and GFE (prohibited activities, personal use limitations, security responsibilities). | Provided by local command/organization during network access process |
Beyond these core requirements, individuals in specific roles may need additional mandatory training, such as:
- Privileged User Training: For system administrators and others with elevated access privileges, covering enhanced responsibilities
- Classification Training: For personnel involved in Derivative Classification or serving as Original Classification Authorities (OCAs)
- PII Handling: Specific training on safeguarding Personally Identifiable Information
- Operations Security (OPSEC): Training on protecting critical information related to operations
Accessing Training
Most mandatory training can be accessed through central DoD portals or your Component’s Learning Management System (LMS):
- DoD Cyber Exchange: Hosts the Cyber Awareness Challenge and other cybersecurity resources
- Center for Development of Security Excellence (CDSE): Provides a wide range of security training, including mandatory CUI and Insider Threat courses, often accessible via their STEPP platform or the Security Awareness Hub
- Component LMS: Platforms like Navy’s TWMS or the Marine Corps’ MarineNet are often the preferred method for tracking compliance within those services
It is essential to complete training annually or as required and to maintain proof of completion, typically through certificates generated by the training platform. If training is completed outside your primary LMS, ensure you follow procedures to provide the certificate to your training manager or security POC for proper record-keeping.
Why Compliance Matters: Consequences of Violations
Adherence to DoD information security policies and procedures is not merely suggested; it is a condition of employment and access. Failure to comply constitutes a security violation or infraction, representing a breach of the trust placed in personnel to protect sensitive information and systems.
Such failures can have serious repercussions for the individual, their unit, the DoD mission, and national security. The consequences vary based on the nature and severity of the violation, intent, and whether classified information was compromised, but can include a range of administrative, disciplinary, contractual, and legal actions.
Administrative Actions
For less severe or unintentional violations, actions might include:
- Documented verbal or written warnings
- Mandatory retraining
- Temporary suspension of network or system access
- Removal from specific sensitive duties
Disciplinary Actions (Civilian Personnel)
DoD civilian employees are subject to disciplinary actions under Title 5, U.S. Code, and applicable agency regulations (e.g., Table of Penalties like AFI 36-704).
Depending on factors like intent (negligent vs. willful) and whether compromise occurred, actions can range from:
- An official reprimand
- Suspension without pay
- Removal (termination) from federal service
Disciplinary Actions (Military Personnel)
Military members fall under the Uniform Code of Military Justice (UCMJ). Security violations often constitute offenses under Article 92 (Failure to Obey Order or Regulation / Dereliction of Duty).
Depending on the severity and the command’s discretion, this can lead to:
- Non-judicial punishment (NJP) under Article 15 (e.g., extra duty, restriction, forfeiture of pay, reduction in rank)
- Trial by court-martial
A court-martial conviction for serious violations can result in significant confinement time, total forfeiture of pay and allowances, and punitive discharges like a Bad Conduct Discharge (BCD) or Dishonorable Discharge (DD), which carry lifelong consequences.
Loss or Suspension of Security Clearance
Security violations, particularly those that are deliberate, involve gross negligence, or demonstrate a pattern of carelessness, raise serious questions about an individual’s judgment, reliability, and trustworthiness—the core tenets of security clearance eligibility.
Such incidents can trigger a review and potential suspension or permanent revocation of one’s security clearance, which is often a requirement for continued employment in national security positions.
Contractual Consequences (Contractors)
For defense contractors, failure to meet cybersecurity requirements mandated in their contracts, such as implementing NIST SP 800-171 controls under DFARS clause 252.204-7012, can be deemed a material breach of contract.
DoD contracting officers have remedies that include:
- Withholding progress payments
- Choosing not to exercise contract options
- Terminating the contract entirely
Furthermore, knowingly misrepresenting cybersecurity compliance (e.g., in self-assessments submitted to the Supplier Performance Risk System – SPRS) can lead to liability under the False Claims Act (FCA), potentially resulting in treble damages and significant penalties.
The Department of Justice has shown increased focus on pursuing FCA cases related to cybersecurity non-compliance through its Civil Cyber-Fraud Initiative.
Civil and Criminal Penalties
Beyond administrative or contractual actions, certain security violations can lead to legal prosecution. Unauthorized disclosure of classified information is a federal crime with potentially severe penalties, including substantial fines and lengthy imprisonment.
Mishandling specific types of CUI, such as export-controlled data or information protected by privacy laws (like HIPAA for PHI), can also carry specific civil or criminal penalties defined in the underlying laws or regulations.
The severity of the consequences underscores the critical importance of understanding and adhering to all INFOSEC policies and procedures. It also highlights the necessity of reporting any known or suspected violations immediately through the proper channels.
Failure to report a security incident is itself a serious violation. Prompt reporting enables timely investigation, damage assessment, mitigation, and implementation of corrective actions to prevent recurrence.
Where to Find Help and More Information
Navigating the complexities of Information Security requires knowing where to turn for guidance, assistance, and reporting concerns. Several resources are available to DoD personnel:
Local/Organizational Points of Contact
Your first stop for immediate questions, incident reporting, or clarification on command-specific procedures.
- Security Manager / Facility Security Officer (FSO) / Insider Threat Program Senior Official (ITPSO): For general security questions, reporting physical or personnel security incidents, insider threat concerns, classified/CUI handling questions.
- Information System Security Officer (ISSO) / Manager (ISSM): For system-specific security issues, cyber incident reporting, RMF questions, STIG compliance.
- IT Service Desk / Help Desk: Often the initial point of contact for reporting technical issues or suspected cyber incidents.
- Supervisor / Chain of Command: Can provide guidance and direct you to the appropriate resource.
DoD Enterprise Resources (Websites)
Official DoD portals providing policies, guidance, training, and tools.
- DoD Cyber Exchange: Central hub for cybersecurity information, STIGs, SRGs, training (incl. Cyber Awareness Challenge), news.
- Center for Development of Security Excellence (CDSE): Offers extensive security training (incl. CUI, Insider Threat, RMF), toolkits, job aids, and resources.
- DoD CUI Program: Official site for DoD CUI policy, registry, marking guidance, training links.
- WHS Directives Division: Authoritative source for official DoD issuances (DoDDs, DoDIs, DoDMs).
- DoD CIO Website: Information on DoD IT strategy, policies, and initiatives (includes CIO Library).
Incident Reporting Centers
Specific channels for reporting certain types of incidents.
- DoD Hotline: For reporting fraud, waste, abuse, mismanagement, and certain security concerns. Unclassified: 1-800-424-9098. Secure and classified reporting options are described on the DoD Hotline website.
- Defense Cyber Crime Center (DC3) / DCISE (for Contractors): For submitting malicious software related to reported cyber incidents and for contractor cyber incident reporting assistance. DCISE Hotline: (410) 981-0104; Email: [email protected]
External Partner Resources
Other government agencies providing valuable cybersecurity information.
- Cybersecurity & Infrastructure Security Agency (CISA): Provides alerts, advisories, best practices, tools, and resources for cybersecurity threats (ransomware, phishing, etc.).
- National Security Agency (NSA): Publishes cybersecurity advisories and guidance, particularly for national security systems.
- National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC): Develops standards, guidelines (like SP 800 series), and resources for cybersecurity and privacy.
Remember, security is a shared responsibility. If you are unsure about a policy, procedure, or potential security issue, do not hesitate to seek guidance from your local security POC or use the official resources listed above. Proactive engagement and prompt reporting are key to maintaining a strong information security posture within the Department of Defense.