Security infraction vs. violation: what gets logged, what costs you the clearance
Same act, different classification, very different consequences. A practical breakdown of how FSOs, DISS, and adjudicators treat the two, and what actually survives a reinvestigation.
If you've worked in a SCIF long enough, you've seen both words in incident emails and never quite known which one you should worry about. The short answer: one is a paperwork moment, the other is a clearance event. Most cleared workers, and most recruiters reading resumes, treat them as a single category. They aren't.
This is the practical version: the legal definition, the reporting path, the adjudicative consequence, and what actually shows up the next time DCSA looks at your record.
The definitions, with the part that actually matters
The current authority is 32 CFR Part 117 (the NISPOM Rule, effective February 2021 with full contractor implementation by August 2021) and DoD Manual 5200.01 Volume 3 for the reporting and handling side. The definitions live in 32 CFR 117.3:
- Security violation. A failure to comply with the policy and procedures established by the rule that reasonably could result in the loss or compromise of classified information. Examples: classified material left in an unsecured area overnight, classified discussed on an unclassified line, or sharing classified with a cleared person who lacks the specific need-to-know or compartment access.
- Security infraction. Any knowing, willful, or negligent action contrary to the requirements of the rule that is not a security violation: one that could not reasonably have resulted in loss or compromise. The canonical example: a security container left briefly unsecured in a SCIF where no uncleared persons had access, caught and locked before anything was actually exposed.
The decisive question isn't what happened — it's what could have happened. A locked SCIF door propped open with a coffee cup might be an infraction if the only people in the area were cleared at the SCI level for that compartment. The same propped door becomes a violation if a custodian without an SCI indoctrination could have walked through.
This is what makes the call hard, and why two FSOs at two facilities can classify the same fact pattern differently.
Same act, different classification
Three short scenarios that recruiters tend to lump together:
- A printed Secret document left out on a desk for thirty minutes during the workday in an open-storage closed area, all suite occupants Secret-cleared. No outside access during that window. Most FSOs call this an infraction: handling lapse, no realistic compromise. Same fact pattern overnight, outside an approved closed-area configuration, leans hard toward a violation because GSA-approved storage rules don't care that everyone in the suite is cleared.
- A Secret document left on a desk overnight, drawer unlocked, in a suite where the cleaning crew (uncleared, escorted by day, unescorted at night) has access. This is a violation. Compromise was possible.
- A cleared engineer emails a Secret-tagged design file to a colleague who holds Secret but is not on the program access list. This is a violation even though both endpoints are cleared, because need-to-know was breached.
The third one trips people up because both parties were cleared. Clearance is necessary; access (program list, compartment, formal access approval) is the second gate. NISPOM treats a need-to-know breach as a compromise event.
What gets logged where
This is the part most "what is X" articles skip. Where the incident lives determines whether it follows you.
The FSO at the contractor facility runs a preliminary inquiry under 32 CFR 117.8(d)(1). Three outputs are possible:
- Internal record only. Most infractions stop here. The facility logs it, counsels the employee, and the file stays in the contractor's records. Nothing flows to DISS unless a pattern emerges.
- DISS Incident Report. Required for confirmed or suspected compromise (i.e., violations). The FSO files an incident report into DISS (Defense Information System for Security, which became the system of record on March 31, 2021, replacing JPAS), making the event visible to every contractor who later vets you and to DCSA adjudicators at reinvestigation.
- Formal compromise inquiry. Triggered when classified is reasonably believed to be in unauthorized hands. For DoD-cognizant contractors, DCSA leads or oversees; non-DoD Cognizant Security Agencies (DOE, NRC, ODNI, DHS) lead inquiries for their own facilities. The resulting report can drive a Statement of Reasons (SOR) and a clearance review.
A single infraction logged internally is usually invisible at your next job. A DISS incident report is not.
The adjudicative consequence
The standard the adjudicator applies is SEAD 4 — the National Security Adjudicative Guidelines, issued by the DNI as Security Executive Agent in 2017 and the current operative authority. (An older parallel codification appears at 32 CFR Part 147; SEAD 4 supersedes it for current adjudications.) The relevant section is Guideline K: Handling Protected Information.
Guideline K lists conditions that may raise a security concern. The ones that show up most:
- Deliberate or negligent disclosure of classified or other protected information to unauthorized persons.
- Failure to comply with rules for the protection of classified or other sensitive information.
- Loading, drafting, editing, modifying, storing, or transmitting classified material on unapproved equipment (the "spill" case).
- Negligence or lax security habits that persist despite counseling by management.
Mitigating conditions explicitly include: the conduct happened so infrequently or under such unusual circumstances that recurrence is unlikely, the individual responded favorably to counseling or remedial training, and the violations were due to improper or inadequate training. A single infraction with prompt corrective action is almost always mitigable. A pattern, even of "minor" infractions, is the failure mode.
For violations, the adjudicator weighs intent (deliberate vs. negligent), severity (actual compromise vs. potential), and the response (self-reporting vs. discovered by audit). Self-reporting under SEAD 3 is heavily mitigating; concealment is the opposite.
What survives a reinvestigation
DISS records persist. An incident report from 2021 is still visible to a 2026 adjudicator, even if it was resolved without action at the time. What changes is the weight: a clean five years post-incident is itself a mitigating factor under Guideline K.
A few specifics worth knowing:
- DISS incident reports are widely reported by clearance practitioners to persist indefinitely absent a successful challenge. The system is not known to auto-purge.
- An infraction that never made it into DISS (handled at the FSO) does not migrate later. Facility records stay with the facility.
- The SF-86 itself doesn't ask about "infractions" or "violations" by name. Section 25 covers clearance denials, suspensions, and revocations; Section 27 covers IT system misuse. But adjudicators see DISS records regardless, and a subject interview can probe anything in your file. Honest disclosure is the only safe play.
- DISS is a shared system of record across DoD and applicable agencies, so an incident logged by one cleared employer is visible to the next contractor's FSO at reciprocity check. The reciprocity policy itself flows from EO 13467 (as amended by EO 13764). There is no clean break by changing companies.
The candidate-side view
For cleared talent on the job market, three practical implications:
- An infraction in your past is almost never a hiring blocker. If it was logged at the facility level and resolved with counseling, no contractor sees it during recruiting. It surfaces only at a reinvestigation, and even then is usually mitigated.
- A violation with a DISS incident report is a different posture. It will be visible to the next contractor's FSO during the access reciprocity check. Recruiters generally won't see it; security teams will at offer time. Be ready to discuss it with your FSO before the conversation gets to that stage.
- Self-reported events almost always weather adjudication better than discovered ones. SEAD 3 puts the reporting obligation on the cleared individual for several categories (foreign travel, financial events, and certain conduct), and the reporting itself is a mitigating factor at the next review.
What this looks like inside ClearMatch
The matcher reads clearance as a tier (Confidential through TS/SCI + Full Scope Poly), but the candidate's clearance state (active, current, expired, in periodic reinvestigation) is a separate field, and SEAD-3-style events are not modeled at all. We don't ask, and contractors verify everything that matters via DISS at offer time.
Two things follow from that:
- An infraction or violation in your history is not something the matcher will ever surface or score against you. We don't have access to DISS, and we wouldn't use it for ranking if we did.
- The agent's job is to find the roles where your clearance, agency history, and program experience are the best fit. The security review at offer time is the FSO's job, and they'll do it from DISS regardless of which platform you applied through.
The cleaner story for a candidate with a past incident: deploy the agent, get matched, and let the FSO conversation happen on its own track at offer time. There's no field for it on your profile because there shouldn't be.
Sources include DoD Manual 5200.01 Volume 3. Specific reporting thresholds and timelines vary by Cognizant Security Agency — verify with your FSO.