
Decree No. 7845, Of 14 November 2012

Original Language Title: Decreto nº 7.845, de 14 de novembro de 2012


DECREE No. 7,845, OF NOVEMBER 14, 2012

Regulates procedures for security accreditation and for the treatment of information classified in any degree of secrecy, and provides for the Security and Credential Core.

THE PRESIDENT OF THE REPUBLIC, in the use of the powers conferred by art. 84, caput, items IV and VI, subitem "a", of the Constitution, and in view of the provisions of arts. 25, 27, 29, 35, § 5º, and 37 of Law No. 12,527 of November 18, 2011,

DECREES:

CHAPTER I

GENERAL PROVISIONS

Art. 1º This Decree regulates procedures for security accreditation and for the treatment of information classified in any degree of secrecy within the federal Executive Power, and provides for the Security and Credential Core, in accordance with arts. 25, 27, 29, 35, § 5º, and 37 of Law No. 12,527 of November 18, 2011.

Art. 2º For the purposes of this Decree, the following definitions apply:

I-State algorithm: mathematical function used in encryption and decryption, developed by the State, for exclusive use in the interest of the service of bodies or entities of the federal Executive Power ;

II-encryption: act of encrypting by use of a symmetric or asymmetric algorithm, with a cryptographic resource, to replace plain-language signs with others unintelligible to persons not authorized to know it ;

III-indexation code: alphanumeric code that indexes a document with information classified in any degree of secrecy ;

IV-compromise: loss of security resulting from unauthorized access ;

V-secret contract: arrangement, agreement or term of cooperation whose object or execution involves the treatment of classified information ;

VI-security credential: certificate that authorizes a person to treat classified information ;

VII-security accreditation: process used to enable a public or private body or entity, and to accredit a person, for the treatment of classified information ;

VIII-decryption: act of decrypting by use of a symmetric or asymmetric algorithm, with a cryptographic resource, to reverse the original encryption process ;

IX-mobile devices: portable equipment endowed with computational capacity, or removable memory devices for storage ;

X-security and accreditation manager: person responsible for the security of information classified in any degree of secrecy in the registration body and checkpoint ;

XI-marking: affixing of a mark that indicates the degree of secrecy of the classified information ;

XII-security measures: measures aimed at ensuring the secrecy, inviolability, integrity, authenticity and availability of information classified in any degree of secrecy ;

XIII-level 1 registration body: ministry or body of equivalent level enabled by the Security and Credential Core ;

XIV-level 2 registration body: public body or entity linked to a level 1 registration body and enabled by it ;

XV-checkpoint: unit of a public or private body or entity, enabled, responsible for the storage of information classified in any degree of secrecy ;

XVI-breach of security: action or omission that implies compromise, or risk of compromise, of information classified in any degree of secrecy ;

XVII-cryptographic resource: system, program, process, or isolated or networked equipment that uses a symmetric or asymmetric algorithm to perform encryption or decryption ; and

XVIII-treatment of classified information: set of actions regarding production, reception, classification, use, access, reproduction, transport, transmission, distribution, archiving, storage, disposal, evaluation, destination or control of information classified in any degree of secrecy.

CHAPTER II

SECURITY ACCREDITATION

Section I

The Bodies

Art. 3º It is incumbent on the Security and Credential Core, the central security accreditation body, instituted within the framework of the Institutional Security Office of the Presidency of the Republic, pursuant to art. 37 of Law No. 12,527, 2011, to:

I-enable level 1 registration bodies for the security accreditation of public and private bodies and entities, and of persons, for the treatment of classified information ;

II-enable checkpoints of level 1 registration bodies for the storage of information classified in any degree of secrecy ;

III-enable private entities that maintain a bond of any nature with the Institutional Security Office of the Presidency of the Republic for the treatment of classified information ;

IV-accredit persons who maintain a bond of any nature with the Institutional Security Office of the Presidency of the Republic for the treatment of classified information ;

V-conduct the inspection and investigation for security accreditation required to carry out the provisions of, respectively, items III and IV of the caput ; and

VI-oversee compliance with the standards and procedures for security accreditation and for the treatment of classified information.

Art. 4º The Security Accreditation Management Committee is established, composed of representatives, one titular and one alternate, of the following bodies:

I-Office of Institutional Security of the Presidency of the Republic, which will coordinate it ;

II-Civil House of the Presidency of the Republic ;

III-Ministry of Justice ;

IV-Ministry of Foreign Affairs ;

V-Ministry of Defence ;

VI-Ministry of Science, Technology and Innovation ;

VII-Ministry of Planning, Budget and Management ; and

VIII-Controller-General of the Union.

§ 1º The titular and alternate members shall be nominated by the heads of the bodies represented, and appointed by the Chief Minister of the Institutional Security Office of the Presidency of the Republic.

§ 2º Participation in the Committee shall be deemed to be relevant, unpaid public service provision.

§ 3º Representatives of public and private bodies and entities, or experts, may be invited to Committee meetings to issue opinions and provide information.

Art. 5º It is incumbent on the Security Accreditation Management Committee to:

I-propose general guidelines of security accreditation for classified information processing ;

II-set minimal parameters and requirements for:

a) technical qualification of organs and public and private entities, for security accreditation, in the terms of the arts. 10 and 11 ; and

b) provision of security credential for people, in the terms of art. 12 ; and

III-periodically assess compliance with the provisions of this Decree.

Art. 6º It is incumbent on the Institutional Security Office of the Presidency of the Republic to:

I-issue complementary acts and establish procedures for security accreditation and for the treatment of classified information ;

II-participate in negotiations of treaties, agreements or international acts relating to the treatment of classified information, in coordination with the Ministry of Foreign Affairs ;

III-monitor inquiries and processes for the assessment and recovery of damage arising from a breach of security ;

IV-inform the country or international organization of origin of any damage referred to in item III of the caput, where necessary, through diplomatic channels ; and

V-advise the President of the Republic on matters relating to security accreditation for the treatment of classified information, including with regard to treaties, agreements or international acts, with due regard for the competences of the Ministry of Foreign Affairs.

Single Paragraph. The Office of the Institutional Security of the Presidency of the Republic shall exercise the functions of national security authority for processing classified information arising from treaties, agreements or international acts.

Art. 7º It is incumbent on the level 1 registration body to:

I-enable level 2 registration bodies to accredit persons for the treatment of classified information ;

II-enable checkpoints of the public or private bodies and entities that maintain a bond of any nature with it, for the storage of information classified in any degree of secrecy ;

III-accredit persons who maintain a bond of any nature with it for the treatment of classified information ;

IV-conduct the inspection and investigation for security accreditation required to carry out the provisions of item III of the caput ; and

V-oversee compliance with the standards and procedures for security accreditation and for the treatment of classified information, within the framework of its competences.

Art. 8º It is incumbent on the level 2 registration body to conduct investigation and to accredit persons who maintain a bond of any nature with it for the treatment of classified information.

Single Paragraph. The competence to conduct the inspection and investigation referred to in item IV of the caput of art. 7º may be delegated to a level 2 registration body.

Art. 9º It is incumbent on the checkpoint to:

I-carry out the control of the security credentials of the persons who maintain a bond of any nature with it ; and

II-ensure the security of the information classified in any degree of secrecy under its responsibility.

Section II

Procedures

Art. 10. The enabling of public bodies and entities for security accreditation is conditional on the following requirements:

I-proof of the technical qualification necessary for the security of information classified in any degree of secrecy ; and

II-designation of a security and accreditation manager, and of his substitute.

Art. 11. The granting of enabling to a private entity as a checkpoint is conditional on the following requirements:

I-fiscal regularity ;

II-proof of the technical qualification necessary for the security of information classified in any degree of secrecy ;

III-expected signature of a secret contract ;

IV-designation of a security and accreditation manager, and of his substitute ; and

V-approval in the inspection for security enabling.

Art. 12. The granting of a security credential to a person is conditional on the following requirements:

I-request from the public or private body or entity in which the person carries out activity ;

II-completion of a form with personal data and authorization for investigation ;

III-fitness for the treatment of classified information, verified in the investigation ; and

IV-declaration of knowledge of the standards and procedures for security accreditation and for the treatment of classified information.

Art. 13. Enabling for security accreditation and the granting of a security credential shall result from the objective analysis of the requirements provided for in this Decree.

Art. 14. Level 1 and level 2 registration bodies may enter into arrangements, agreements or terms of cooperation with other enabled public bodies or entities, for:

I-security accreditation and treatment of classified information ; and

II-conduct of inspection and investigation for security accreditation.

Art. 15. Each registration body shall have at least one enabled checkpoint.

Art. 16. Where information classified in any degree of secrecy is exchanged and treated with a foreign country or organization, security accreditation in the national territory shall only take place if there is a treaty, agreement, memorandum of understanding or technical arrangement signed between the foreign country or organization and the Federative Republic of Brazil.

CHAPTER III

TREATMENT OF CLASSIFIED INFORMATION

Section I

General provisions

Art. 17. Bodies and entities shall take measures so that public agents know the standards and observe the procedures for security accreditation and for the treatment of classified information.

Single Paragraph. The provisions of the caput apply to the person or private entity that, by reason of any bond with the Public Power, performs security accreditation or classified information treatment activities.

Art. 18. Access to, disclosure of and treatment of classified information shall be restricted to persons with a need to know it who are accredited in the form of this Decree, without prejudice to the duties of public agents authorized by legislation.

Single Paragraph. Access to information classified in any degree of secrecy by a person not accredited or not authorized by legislation may exceptionally be permitted upon signature of the Term of Commitment to Maintain Secrecy (TCMS), set out in Annex I, by which the person undertakes to maintain the secrecy of the information, under penalty of criminal, civil and administrative liability in the form of the law.

Art. 19. The decision on classification, declassification, reclassification or reduction of the secrecy period of information classified in any degree of secrecy shall observe the procedures provided for in arts. 31 and 32 of Decree No. 7,724 of May 16, 2012, and shall be formalized in a reasoned decision set out in the Term of Information Classification.

Art. 20. The publication of normative acts concerning information classified in any degree of secrecy or protected by legal or judicial secrecy may be limited, where necessary, to their respective numbers, dates of issue and summaries, worded so as not to compromise secrecy.

Section II

The Controlled Document

Art. 21. For the treatment of a document with information classified in any degree of secrecy, or provided for in legislation as secret, the body or entity may adopt the following additional control procedures:

I-identification of the recipients in a specific protocol and receipt ;

II-drawing up of a custody term and registration in a specific protocol ;

III-annual drawing up of an inventory term, by the dispatching body or entity and by the receiving body or entity ; and

IV-drawing up of a term of transfer of custody or safekeeping.

§ 1º The document provided for in the caput will be named Controlled Document-DC.

§ 2º The inventory term provided for in item III of the caput shall contain at a minimum the following elements:

I-sequential numbering and date ;

II-producing and custodian bodies of the DC ;

III-list of controlled documents ; and

IV-place and signature.

§ 3º The transfer term provided for in item IV of the caput shall contain at a minimum the following elements:

I-sequential numbering and date ;

II-substitute and replaced public agents ;

III-identification of the documents or inventory terms to be transferred ; and

IV-place and signature.

Art. 22. An ultra-secret document is considered a DC from its classification or reclassification.

Section III

Marking

Art. 23. The marking shall be made on the headers and footers of the pages that contain classified information and on the document covers.

§ 1º The pages shall be numbered consecutively, and each shall indicate the total number of pages that make up the document.

§ 2º The marking must be made in such a way as not to impair the understanding of the information.

Art. 24. The DC shall bear the marking referred to in art. 23 and contain, on the cover and on all pages, the diagonal expression "Controlled Document (DC)" and the control number, which will indicate the custodian public agent.

Art. 25. The indication of the degree of secrecy on maps, photomaps, charts, photographs, any other types of images and electronic storage media shall comply with the complementary procedures adopted by the bodies and entities.

Section IV

Dispatch, Routing and Communication

Art. 26. The dispatch and routing of classified documents shall observe the following procedures:

I-they shall be packaged in double envelopes ;

II-the external envelope shall carry no indication of the degree of secrecy or of the content of the document ;

III-the internal envelope shall show the recipient and the degree of secrecy of the document, so that they are identified as soon as the external envelope is removed ;

IV-the internal envelope shall be closed, sealed and dispatched against a receipt, which will indicate the sender, the recipient and the number or other indicator identifying the document ; and

V-the word "PESSOAL" (personal) shall be written on the envelope that contains a document of exclusive interest to the recipient.

Art. 27. The dispatch, conveyance and delivery of a document with information classified in the ultra-secret degree of secrecy shall be carried out in person, by an authorized public agent, or transmitted by electronic means, provided that encryption resources compatible with the degree of classification of the information are used; sending it by post is prohibited.

Art. 28. The dispatch of a document with information classified in the secret or reserved degree of secrecy shall be made by the available means of communication, with cryptographic resources compatible with the degree of secrecy or, if applicable, through diplomatic channels, without prejudice to personal delivery.

Art. 29. Those responsible for receiving a document with information classified in any degree of secrecy, regardless of the medium and format, shall:

I-register the receipt of the document ;

II-check the integrity of the medium in which it was received and record any evidence of violation or irregularity, notifying the recipient, who will immediately inform the sender ; and

III-inform the sender of receipt of the information, within the shortest possible time.

§ 1º Where routing occurs by official letter or correspondence, the internal envelope shall only be opened by the recipient, his authorized representative or a hierarchically superior authority.

§ 2º Internal envelopes bearing the "PESSOAL" marking may only be opened by the recipient.

Art. 30. Information classified in any degree of secrecy shall be kept or archived under special security conditions.

§ 1º For the keeping and archiving of information classified in the ultra-secret and secret degrees of secrecy, the use of equipment, an environment or a structure that offers security compatible with the degree of secrecy is mandatory.

§ 2º For the storage in electronic media of a document with information classified in any degree of secrecy, the use of information technology systems kept up to date so as to prevent threats of a breach of security is mandatory, observing the provisions of art. 38.

§ 3º The storage media may be integrated with equipment connected to the internet, provided that this is by a secure channel and with access control levels appropriate to the treatment of classified information; connection to internal computer networks is also permitted, provided that they are secure and controlled.

Art. 31. Electronic media for the storage of information classified in any degree of secrecy, including mobile devices, must use cryptographic resources appropriate to the degree of secrecy.

Art. 32. Agents responsible for the safekeeping or custody of a controlled document shall hand it over to their substitutes, duly checked, upon handover or transfer of responsibility.

Single Paragraph. The provisions of this article shall apply to those responsible for the safekeeping or custody of restricted access material.

Section V

Reproduction

Art. 33. The reproduction of the whole or part of a document with information classified in any degree of secrecy shall have the same degree of secrecy as the document.

§ 1º The total or partial reproduction of information classified in any degree of secrecy shall be conditional on the express authorization of the classifying authority or of a hierarchically superior authority with equal prerogative.

§ 2º The copies shall be authenticated by the classifying authority or by a hierarchically superior authority with equal prerogative.

Art. 34. Where the preparation, printing or reproduction of information classified in any degree of secrecy is carried out in a print shop, printer, graphics workshop or similar, the operation shall be accompanied by an officially designated person, responsible for guaranteeing secrecy during the production of the document.

Section VI

Preservation and Safekeeping

Art. 35. The evaluation and selection of a document with declassified information, for the purpose of permanent safekeeping or disposal, shall observe the provisions of Law No. 8,159 of January 8, 1991 and of Decree No 4,073 of January 3, 2002.

Art. 36. A document of permanent safekeeping that contains information classified in any degree of secrecy shall be forwarded, in the event of declassification, to the National Archive or to the permanent archive of the public body, public entity or institution of public character, for the purposes of organization, preservation and access.

Art. 37. A document of permanent safekeeping may not be defaced or destroyed, under penalty of criminal, civil and administrative liability in the form of the law.

Section VII

Information Systems

Art. 38. The treatment of classified information shall use information systems and secure communication channels that meet the minimum standards of quality and security defined by the federal Executive Power.

§ 1º The transmission of information classified in any degree of secrecy by means of information systems shall be carried out, within the corporate network, through a secure channel, as a way of mitigating the risk of a breach of security.

§ 2º The authenticity of the identity of the network user must be guaranteed, at the very least, by the use of a digital certificate.

§ 3º The information systems referred to in the caput shall have several levels of access control and use cryptographic resources appropriate to the degrees of secrecy.

§ 4º The information systems referred to in the caput shall maintain control and a record of authorized and unauthorized accesses and of the transactions carried out, for a period equal to or longer than that of the restriction on access to the information.

Art. 39. Equipment and systems used to produce documents with information classified in any degree of secrecy shall be isolated or connected to secure communication channels that are physically or logically isolated from any other, and shall possess cryptographic and security resources suitable for their protection.

Art. 40. The encryption and decryption of information classified in any degree of secrecy shall use a cryptographic resource based on a State algorithm.

Single Paragraph. It is incumbent on the Institutional Security Office of the Presidency of the Republic to establish parameters and standards for cryptographic resources based on a State algorithm, after hearing the Information Security Management Committee provided for in art. 6º of Decree No 3,505 of June 13, 2000.

Art. 41. The procedures for the treatment of information classified in any degree of secrecy apply to cryptographic resources, subject to the following requirements:

I-carrying out of periodic inspections, for the purpose of ensuring the execution of cryptographic operations ;

II-maintenance of complete and up-to-date inventories of the existing cryptographic material ;

III-designation of cryptographic systems suitable for each recipient ;

IV-reporting, to the hierarchical superior or to the competent authority, of any abnormality concerning the secrecy, inviolability, integrity, authenticity, legitimacy and availability of encrypted information ; and

V-identification of evidence of violation, of interception or of irregularities in the transmission or receipt of encrypted information.

Section VIII

The Areas, Facilities and Materials

Art. 42. Areas and facilities that contain a document with information classified in any degree of secrecy, or that, because of their use or purpose, require protection, shall have access restricted to persons authorized by the body or entity.

Art. 43. Public bodies and entities will adopt measures for definition, demarcation, signalling, security, and authorization of access to restricted areas under their responsibility.

Single Paragraph. Visits to areas or restricted access facilities will be disciplined by the body or entity responsible for their safety.

Art. 44. Materials which, for their use or purpose, demand protection, will have restricted access to persons authorized by the organ or entity.

Art. 45. Any matter, product, substance or system that contains, uses or conveys knowledge or information classified in any degree of secrecy, economic information or scientific-technological information whose disclosure entails risk or damage to the interests of society and the State is considered restricted access material, such as:

I-equipment, machines, models, moulds, mock-ups, prototypes, artifacts, appliances, devices, instruments, cartographic representations, systems, supplies and instruction manuals ;

II-land, water and air vehicles, their parts, pieces and components ;

III-armaments and their accessories, ammunition and related appliances, equipment, supplies and inputs ;

IV-appliances, equipment, supplies and programs related to information technology and communications, including to the intelligence of signals and images ;

V-cryptographic resources ; and

VI-explosives, liquids and gases.

Art. 46. Public bodies or entities entrusted with the preparation of plans, research and work on the improvement or development of designs, testing, production, procurement, storage or use of restricted access material shall issue the additional instructions necessary to safeguard the matters relating to them.

Art. 47. The means of transport used to move restricted access material is the responsibility of the custodian and shall take into account the degree of secrecy of the information.

§ 1º Restricted access material may be transported by contracted companies, provided that the measures necessary to maintain the secrecy of the information are adopted.

§ 2º The measures necessary for the security of the transported material shall be established in advance and explicitly in the contract.

Section IX

Conclusion of Secret Contracts

Art. 48. The conclusion of contract, arrangement, agreement, adjustment, term of cooperation or protocol of intent whose object contains information classified in any degree of secrecy, or whose execution involves classified information, is conditional upon signature of TCMS and the establishment of contractual clauses that provide for the following requirements:

I-obligation to maintain secrecy relating to the object and its execution ;

II-possibility of alteration of the object for inclusion or alteration of security clause not previously stipulated ;

III-obligation to adopt appropriate security procedures, within the scope of activities under its control, for the maintenance of the secrecy concerning the object ;

IV-identification, for the purposes of granting a security credential and signing of the TCMS, of the persons who may have access to information classified in any degree of secrecy and to restricted access material ;

V-obligation to receive inspections for security enabling and for its maintenance ; and

VI-liability in relation to security procedures, relating to subcontracting, in whole or in part.

Art. 49. It shall be for the public bodies and entities with which contractors maintain a bond of any nature to adopt security procedures for information classified in any degree of secrecy, or for restricted access material, held by contractors or subcontractors.

CHAPTER IV

INDEXING OF DOCUMENTS WITH CLASSIFIED INFORMATION

Art. 50. Information classified in any degree of secrecy, or the document containing it, shall receive the Indexation Code for Documents Containing Classified Information (CIDIC).

Single Paragraph. The CIDIC shall be composed of elements that ensure the protection and the temporary restriction of access to classified information, and shall be structured in two parts.

Art. 51. The first part of the CIDIC shall be composed of the Single Protocol Number (NUP), as originally registered in accordance with document management legislation.

§ 1º Information classified in any degree of secrecy, or the document containing it, shall retain only the NUP upon its declassification.

§ 2º Classification tables by subject or by nature of the document shall not be used, because of the requirement of temporary restriction of access to information classified in any degree of secrecy, on pain of endangering its protection and confidentiality.

Art. 52. The second part of the CIDIC shall be composed of the following elements:

I-degree of secrecy: indication of the degree of secrecy, ultra-secret (U), secret (S) or reserved (R), with the initials in red, when possible ;

II-categories: indication, with two digits, of the category relating, exclusively, to the first level of the Controlled Vocabulary of the Electronic Government (VCGE), in accordance with Annex II ;

III-date of production of the classified information: record of the date of production of the classified information, according to the following composition: day (double digits) /month (double digits) /year (four digits) ;

IV-date of declassification of classified information in any degree of secrecy: registration of the potential date of declassification of classified information, effected in the act of classification, according to the following composition: day (double digits) /month (double digits) /year (four digits) ;

V-indication of reclassification: indication of occurrence or non-occurrence, S (yes) or N (no), of reclassification of the classified information, respectively, as per the following situations:

a) reclassification of the information resulting from reassessment ; or

b) first record of the classification ; and

VI-indication of the date of extension of the maintenance of the classification: indication, exclusively, for information classified in the ultra-secret degree of secrecy, according to the following composition: day (double digits) /month (double digits) /year (four digits), in red, when possible.

Art. 53. For the purposes of documentary management, the history of CIDIC changes should be kept.

CHAPTER V

FINAL AND TRANSITIONAL PROVISIONS

Art. 54. The implementation of the CIDIC shall be consolidated by June 1, 2013.

Single Paragraph. Until the CIDIC is implemented, the Term of Information Classification shall be completed with the NUP.

Art. 55. A document with information classified in any degree of secrecy, produced prior to the entry into force of Law No. 12,527 of 2011, shall receive the CIDIC for the purposes of art. 45 of Decree No 7,724 of May 16, 2012.

Art. 56. Bodies and entities shall adopt cryptographic resources based on a State algorithm within one year of the definition of the parameters and standards referred to in the single paragraph of art. 40.

Single Paragraph. Until the end of the period set in the caput, it is incumbent on the Institutional Security Office of the Presidency of the Republic to monitor and provide technical support to the bodies and entities in the implementation of cryptographic resources based on a State algorithm.

Art. 57. Bodies and entities may issue further instructions, within the framework of their competences, detailing the procedures relating to security accreditation and to the treatment of information classified in any degree of secrecy.

Art. 58. The Rules of Procedure of the Joint Information Reassessment Commission shall detail the security procedures necessary for safeguarding information classified in any degree of secrecy during its work and that of its Executive Secretariat, observing the provisions of this Decree.

Art. 59. This Decree shall enter into force on the date of its publication.

Art. 60. The following are revoked:

I-Decree No 4,553 of December 27, 2002 ; and

II-Decree No 5,301 of December 9, 2004.

Brasilia, November 14, 2012 ; 191º of Independence and 124º of the Republic.

DILMA ROUSSEFF

Márcia Pelegrini

Celso Luiz Nunes Amorim

Miriam Belchior

Marco Antonio Raupp

José Elito Carvalho Siqueira

Luís Inácio Lucena Adams

Jorge Hage Sobrinho

Attachment