TREASURY DIRECTIVE 15-03

DATE: March 29, 2024

SUBJECT: Delegation of Authority for Intelligence Information System Security Policy

  1. PURPOSE. This Directive establishes policy for the security of Treasury intelligence information systems and designates an authorizing official for Treasury Intelligence Information Systems. It also authorizes the issuance of the Department of the Treasury Intelligence Information System Security Policy Manual (TD P 15-03).
  2. SCOPE. This Directive applies to all bureaus, offices, and organizations in the Department of the Treasury, including the Offices of Inspector General. The provisions of this Directive shall not be construed to interfere with or impede the authorities or independence of the Offices of Inspector General.
  3. DESIGNATION. The Assistant Secretary for Intelligence and Analysis, Office of Terrorism and Financial Intelligence (A/S OIA), is the IC Element Head for Treasury. The Chief Information Officer (CIO) for Intelligence Information Systems (IIS CIO) is designated as the Authorizing Official to make security authorization decisions for Treasury IIS on behalf of the A/S OIA.
  4. RESPONSIBILITIES.
    1. The A/S OIA shall:
      1. 1) approve for publication policy and procedures for the security of Treasury IIS in the Treasury IIS Security Policy Manual, TD P 15-03;
      2. 2) review and approve bureau issuances implementing and/or supplementing the Treasury IIS Security Policy Manual;
      3. 3) act for Departmental Offices with respect to the Treasury IIS Security Program;
      4. 4) as appropriate, designate one or more Authorizing Officials to make security authorization decisions for Treasury IIS on their behalf; and
      5. 5) retain ultimate responsibility for all authorization and associated risk management decisions made by the Authorizing Official on their behalf.
    2. The IIS CIO shall:
      1. 1) ensure that the policies and procedures set forth in the Treasury IIS Security Policy Manual are implemented with respect to DO;
      2. 2) ensure that the Department is represented in IC meetings and coordinate with the Treasury CIO to ensure consistent and appropriate risk management for national security systems within the Department; and
      3. 3) as the designated Authorizing Official for Treasury IIS, evaluate risk and make security authorization decisions for Treasury IIS in accordance with Intelligence Community Directive 503 and other applicable authorities; be accountable to the A/S OIA for the authorization and associated risk management decision, for which the A/S OIA is ultimately responsible and accountable; and work closely with the Treasury CIO to ensure consistent and appropriate risk management for national security systems within the Department.
    3. The Assistant Secretary for Management, in their capacity as the Senior Agency Official for Privacy and Chief Privacy and Civil Liberties Officer, shall:
      1. 1) review and approve for privacy and civil liberties the impact of any new or revised bureau security directives, regulations, handbooks, or publications implementing or supplementing the Treasury IIS Security Policy Manual in support of the A/S OIA’s approval of the publication.
    4. Heads of Bureaus that electronically process, store, produce, or communicate foreign intelligence information shall:
      1. 1) implement the policies and procedures set forth in the Treasury IIS Security Policy Manual; and
      2. 2) submit new or revised bureau security directives, regulations, handbooks, or publications implementing or supplementing the Treasury IIS Security Policy Manual to the A/S OIA for review and approval prior to publication.
        1. a) no issuance listed above shall be published, implemented, adopted, or used until approved by the A/S OIA. Bureau issuances currently in use shall be reviewed for compliance with the Treasury IIS Security Manual and updated where appropriate. Such existing issuances must be submitted to the A/S OIA, whenever revised or rewritten.
  5. AUTHORITIES.
    1. 31 U.S.C. § 312
    2. 31 U.S.C. § 311
    3. Executive Order 12333, United States Intelligence Activities, December 4, 1981, as amended.
    4. Executive Order 13526, Classified National Security Information, December 29, 2009.
    5. Intelligence Community Directive Number 502, Integrated Defense of the Intelligence Community Information Environment, March 11, 2011.
    6. Intelligence Community Directive Number 503, Intelligence Community Information Technology Systems Security Risk Management, July 21, 2015.
  6. REFERENCES.
    1. a. Treasury Directive 40-01, “Responsibilities of and to the Inspector General,” October 14, 2021.
    2. Treasury Directive 85-01, “Treasury Information Technology Security Program,” March 10, 2008.
    3. Treasury Order 102-17, “Delegation of Authority Concerning the Personnel Security Program,” April 1, 2020.
  7. CANCELLATION. Treasury Directive 15-03, “Department of the Treasury Intelligence Information System Security Policy Manual,” dated September 16, 2013, is superseded.
  8. OFFICE OF PRIMARY INTEREST. Office of Intelligence and Analysis.
 
 
 
/S/
Michael Neufeld
Principal Deputy Assistant Secretary
Office of Intelligence and Analysis