5 Violations of a Failure to Obey Army Regulation 25-2 and 380-5 | US v Pfc. Manning

Manning pled not guilty to four violations of a failure to obey Army Regulation 25-2, concerning Information Assurance, for allegedly adding Wget to two separate Army computers, trying to crack the administrator password on one of his computers, and using an Army information system for other than its intended purpose by downloading the unclassified U.S. Forces – Iraq Microsoft SharePoint Server Global Address List.

Manning pled guilty to a failure to obey the Army’s Information Security Program, Army Regulation 380-5, for wrongfully storing classified information.

Each of the five violations of Article 92 carries a sentence of two years.

Pled Not Guilty

Army Regulation 25-2 “Information Assurance” paragraph 4-5(a)(4) “attempting to bypass network or information system security mechanisms” (1 November 2009 to 8 March 2010)

a. Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection:

(4) Attempts to strain, test, circumvent, or bypass network or IS security mechanisms, or to perform network or keystroke monitoring. RCERTs, Red Team, or other official activities, operating in their official capacities only, may be exempted from this requirement.

Army Regulation 25-2 “Information Assurance” paragraph 4-5(a)(3) “adding unauthorized software to a Secret Internet Protocol Router Network computer” (11 February 2010 to 3 April 2010)

a. Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection:

(3) Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user-configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions or the exfiltration of protected data.

Army Regulation 25-2 “Information Assurance” paragraph 4-5(a)(3) “adding unauthorized software to a Secret Internet Protocol Router Network computer” (October 24 2007)

a. Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection:

(3) Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user-configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions or the exfiltration of protected data.

Army Regulation 25-2 “Information Assurance” paragraph 4-5(a)(3) “adding unauthorized software to a Secret Internet Protocol Router Network computer” (11 to 27 May 2010)

a. Prohibited activities. In addition to the prohibited activities listed in AR 25-1, the following activities are specifically prohibited by any authorized user on a Government provided IS or connection:

(3) Modification of the IS or software, use of it in any manner other than its intended purpose, or adding user-configurable or unauthorized software such as, but not limited to, commercial instant messaging, commercial Internet chat, collaborative environments, or peer-to-peer client applications. These applications create exploitable vulnerabilities and circumvent normal means of securing and monitoring network activity and provide a vector for the introduction of malicious code, remote access, network intrusions or the exfiltration of protected data.

Pled Guilty

Army Regulation 380-5 “Department of the Army Information Security Program” paragraph 7-4 “wrongfully storing classified information” (1 November 2009 to 27 May 2010)

a. Classified information that is not under the personal control and observation of an authorized person, is to be guarded or stored in a locked security container, vault, room, or area, pursuant to the level of classification and this regulation by one or more of the following methods:

(1) TOP SECRET information will be stored as identified below:

(a) A GSA-approved security container with one of the following supplemental controls:

1. The location that houses the security container will be subject to continuous protection by cleared guard or duty personnel.

2. Cleared guard or duty personnel will inspect the security container once every two hours, but not in a way that indicates a pattern.

3. An Intrusion Detection System (IDS), meeting the requirements of section III of this Chapter, with personnel responding to the alarm, arriving within 15 minutes of the alarm annunciation.

4. Security-in-depth when the GSA-approved container is equipped with a lock meeting Federal Specification FF-L-2740A. See appendix J for a definition of security-in-depth.

(b) A vault, modular vault, or security room constructed in accordance with section III of this Chapter, and equipped with an IDS with the personnel responding to the alarm within 15 minutes of the alarm annunciation if the area is covered by security-in-depth, or a 5 minute alarm response time if it is not. Other rooms that were approved under former policy for the storage of TOP SECRET in the U.S. can continue to be used.

(c) New purchases of combination locks for GSA-approved security containers, vault doors and secure rooms will conform to Federal Specification FF-L-2740A. Existing, non-FF-L-2740A mechanical combination locks will not be repaired. If they should fail, they will be replaced with locks meeting FF-L-2740A. See section IV for information on retrofitting locks (replacing locks with those meeting Federal Specification FF-L-2740A) on existing containers where the lock is not in need of repair.

(d) Under field conditions, during military operations, commanders can prescribe the measures deemed adequate to meet the storage standard contained in subparagraphs 1 and 2 above.

(2) SECRET information will be stored–

(a) In the same manner as prescribed for TOP SECRET.

(b) In a GSA-approved security container or vault without supplemental controls.

(c) In secure rooms that were approved for the storage of SECRET or CONFIDENTIAL information by the 28 February 1988 edition of this regulation, provided that the approval for storage occurred prior to 1 October 1995.

(d) Until 1 October 2002, in a non-GSA-approved container having a built-in combination lock, or in a non-GSA-approved container secured with a rigid metal lock-bar and a GSA-approved padlock with one or more of the following supplemental controls.

1. The location that houses the container is subject to continuous protection by cleared guard or duty personnel.

2. Cleared guard or duty personnel will inspect the security container once every four hours, using random times.

3. An IDS with the personnel responding to the alarm arriving within 30 minutes of the alarm. In order to reduce the risk of the lock being swapped while the container is opened, the padlock will be secured to the hasp in the locked position, or the padlock will be locked and placed inside the cabinet. Commands are encouraged to replace the non-GSA-approved cabinets with GSA-approved security containers as soon as feasible, prior to the mandatory replacement date of 1 October 2002. New lock-bar cabinets will not be fabricated from either existing or new containers, nor will any existing lock-bar container, that was not previously used for the protection of classified information, be put into use for that purpose.

(3) CONFIDENTIAL information will be stored in the same manner as prescribed for TOP SECRET and SECRET information except that supplemental controls are not required. Where lock-bar cabinets are used, in order to reduce the risk of the lock being swapped while the container is open, the padlock will be secured to the hasp in the locked position, or the padlock will be locked and placed inside the cabinet. Commands are encouraged to replace the non-GSA-approved cabinets with GSA-approved security containers as soon as feasible prior to the mandatory replacement date of 1 October 2002. New lock-bar cabinets will not be fabricated from either existing or new containers, nor will any existing lock-bar container, that was not previously used for the protection of classified information, be put into use for that purpose.

b. Specialized security equipment.

(1) GSA-approved field safes and special purpose, one and two drawer, light-weight, security containers, approved by the GSA, are used primarily for storage of classified information in the field and in military platforms, and will be used only for those or similar purposes. Such containers will be securely fastened to the structure or under sufficient surveillance to prevent their theft or compromise.

(2) GSA-approved map and plan files are available for storage of odd-sized items such as computer media, maps, charts, and classified equipment.

(3) GSA-approved modular vaults, meeting Federal Specification AA-V-2737, can be used to store classified information as an alternative to vault requirements described in section III of this Chapter.

c. Replacement of combination locks. The mission and location of the command, the classification level and sensitivity of the information, and the overall security posture of the activity, are factors used in determining the priority for replacement of existing combination locks. All system components and supplemental security measures, including electronic security systems (e.g., intrusion detection systems, automated entry control subsystems, and video assessment subsystems), and level of operations, must be evaluated by the command when determining the priority for replacement of security equipment.

Section IV of this Chapter provides a matrix illustrating a prioritization scheme for the replacement of existing combination locks on GSA-approved security containers and vault doors, and can be used as a guide for this purpose. The prioritization scheme can be tailored to specific environments and sensitivity of information stored. Priority 1 requires immediate replacement. Replacement is generally considered to be accomplished when the equipment is obtained and installed within the framework of the command budget constraints, but in no event will exceed two years from the effective date of this regulation.

d. Storage areas. Storage areas, for bulky material containing SECRET or CONFIDENTIAL information, can have access openings secured by GSA-approved, changeable, combination padlocks (Federal Specification FF-P-110 series) or high security, key-operated padlocks (Military Specification MIL-P-43607). Other security measures are required, in accordance with paragraph 7-4a(1), above, for TOP SECRET material, and are strongly recommended for all other levels of classified material.

(1) Commands will establish administrative procedures for the control and accountability of keys and locks whenever key-operated, high-security padlocks are utilized. The level of protection provided such keys will be equivalent to that afforded the classified information being protected by the padlock. As a minimum, the following procedures will be implemented.

(a) A key and lock custodian will be appointed in writing to ensure proper custody and handling of keys and locks.

(b) A key and lock control register will be maintained to identify keys for each lock and their current location and custody.

(c) Keys and locks will be audited at least quarterly.

(d) Keys will be inventoried with each change of custodian. Keys will not be removed from the premises.

(e) Keys and spare locks will be protected in a security container or other secure container;

(f) In order to reduce the risk of the padlock being swapped while the container is opened, the padlock and the key will be either placed in the security container, or the padlock will be locked to the hasp and the key either personally retained, retained at a central location, or placed inside the unlocked container.

(g) Since there is a lesser degree of risk of compromise with key operated locks, they will be changed or rotated at a minimum of once every two years, and will be immediately replaced upon loss or compromise of their keys.

(2) Section 1386 of Title 18, United States Code, makes unauthorized possession of keys, key-blanks, key-ways or locks adopted by any part of the Department of Defense for use in the protection of conventional arms, ammunition, or explosives, special weapons, and classified equipment, a criminal offense punishable by fine or imprisonment for up to 10 years, or both.