portsmouth/paducah project office 2012 annual security refresher lexington office 1 paducah...

Portsmouth/Paducah Project Office

2012 Annual Security Refresher

Lexington Office

1

Paducah SitePortsmouth Site

Welcome


Welcome to the Portsmouth Paducah Project Office Annual Security Refresher for 2012.

2

PPPO Mission


The mission of the U. S. Department of Energy (DOE) Portsmouth/Paducah Project Office (PPPO) is to provide management oversight and support to ongoing Environmental Management (EM) Operations at the DOE Portsmouth, Ohio, and Paducah, Kentucky sites. To facilitate this mission, the PPPO manager and key management functions are located in Lexington, Kentucky between the Portsmouth and Paducah sites. PPPO serves as the EM line management for both Portsmouth and Paducah. The PPPO Site Security Plan facilitates management of security assets for the PPPO operations at the Lexington Office. Site-specific Security Plans for Paducah, Kentucky and Portsmouth, Ohio are developed/implemented by the Infrastructure Contractor for Paducah and the Facility Support Services Contractor for Portsmouth and are designated as the site Officially Designated Security Authority (ODSA) for each site. Every DOE or Contractor organization must appoint a Facility Security Officer (FSO) to serve as a security point of contact (POC). The FSO is responsible for administering the requirements of the Safeguards and Security Program within his or her facility in accordance with DOE requirements and the Site Security Plan. Contract DE-AC30-10CC40021 identifies Swift & Staley Security as the ODSA for Paducah Contract DE-CI0000004 identifies Wastren-EnergX Mission Support (WEMS) as the ODSA for

Portsmouth

3

Your ODSA or FSO POC telephone numbers are listed in site POC listing at the end of this briefing.

Course Objectives


This briefing is intended for all cleared and uncleared DOE employees, contractors, and subcontractors at the Portsmouth Site, Paducah Site, and Lexington Office. The objectives of the 2012 Annual Security Refresher are to:

Remind individuals of their safeguards and security responsibilities Promote continuing awareness of required security practices Help individuals maintain an appreciation for the need to protect our country’s national security

interests

Guidance for this briefing is in accordance with U.S. Department of Energy (DOE) Order 470.4B, Section 3, “Safeguards and Security Awareness” and DOE/PPPO implementing instructions. Final approval for briefing contents is given by the DOE/Oak Ridge Office, Officially Designated Federal Security Authority (ODFSA).

Individuals who possess DOE access authorizations (security clearances) shall receive refresher briefings to reinforce and update awareness of safeguards and security policies and their responsibilities

Mandatory every 12 months Failure to complete the annual security refresher may result in administrative actions determined

by the ODFSA to include suspension of access authorization

4

About the Briefing


The Annual Security Refresher is composed of the following topical areas. At the end of the briefing there will be a test from the content covered in these areas:

Access Control PPPO Recognized Badges Badge Responsibilities Prohibited and Controlled Articles Reporting Requirements for Cleared Individuals Incidents of Security Concern (IOSC) Classified Matter/Information Need-to-know Unauthorized Disclosure Penalties Unclassified Controlled Information (UCI) Nuclear Material Control & Accountability Technical Surveillance Countermeasures, Operations Security and Cyber Security Hosting Foreign National Visits and Assignments and Foreign Travel Counterintelligence Escort Responsibilities Safeguards and Security Program

5

Access Control


The Portsmouth, Paducah & Lexington sites maintain General Access Areas (GAA), Property Protection Areas (PPA), and Limited Areas (LA) to protect DOE assets. Access to PPA and LA security areas require approval in accordance with DOE Directives and site ODSA procedures.

GAAs are designated areas that are accessible to all personnel, including the public.

PPAs are designed to protect DOE assets and personnel, and are accessible to authorized personnel only. There are no classified holdings within this security area.

LAs are designed to protect classified matter and Category III quantities of Special Nuclear Material (SNM). Individuals without an access authorization are not permitted within this security area unless they are escorted and have a need-to-know.

Access into security areas must be controlled in conjunction with a DOE Security Badge or Local Site Specific Only badge:

Protective Force or authorized personnel performing visual inspection of a badge Automated access controls (e.g. card readers) reading an HSPD-12 badge

6

PPPO Recognized Badges


7

HSPD 12 Credential or DOE Security Badge

DOE Standard Badge for “Q” access authorization

DOE Standard Badge for “L” access authorization

DOE PIV (no access authorization)

DOE Foreign National (no access authorization)

Lexington site specific Paducah site specific Portsmouth site specific

These badges are generally recognized by PPPO sites:

Site specific badges may be issued to address a variety of unique local badging requirements including local site specific badge, temporary visitor badge, and foreign national badge, etc. Site specific badges are not HSPD-12 compliant.

Badge Responsibilities


Your badge must be replaced or reissued if: Your name changes or your physical appearance changes Your badge is faded or damaged Your clearance level changesBadge cautions: It is illegal to counterfeit, alter, copy, or misuse your badge DO NOT use your badge for purposes other than official government business DO NOT wear the badge in public places Report the loss or theft of your badge immediately to your ODSAOther badge reminders: The badge is to be prominently displayed (outermost garment, above the waist, and below

the neck) at all times while on site (to include Lexington) unless prohibited by health or safety considerations

Protect your badge from theft when you are off site Your badge is the property of DOE and must be returned to the ODSA if it has expired, is no

longer required, or upon termination of employment

8

HSPD-12 Badges

During the remainder of 2012 and 2013, all employees will be issued an HSPD-12 badge, as per Homeland Security Presidential Directive (HSPD) 12 and Environmental Management Memorandum dated October 10th, 2012 titled “Office of Environmental Management Policy for Homeland Security Presidential Directive 12 Implementation”:

This badge will be used for:

Physical access to all facilities within the PPPO (PPAs and LAs) Logical access to unclassified information systems that support PPPO mission objectives

Your HSPD-12 badge will be of increased importance as time goes on. It will eventually be used for activities such as email encryption and verification of your security clearance (if applicable). Ensure you protect your badge and associated PIN as you would protect what it replaces – an authentication token and/or your password.


9

Prohibited Articles


The following articles are prohibited on DOE property:

Dangerous weapons and explosives (instruments or materials likely to cause substantial injury to people or damage property)

Unauthorized firearms Controlled substances such as illegal drugs and

associated paraphernalia (but not prescription medicine)

All items that are prohibited by law

10

Note: Registration with the Kentucky Wildlife Management Office is required before hunting/field trials in the surrounding Wildlife Management Areas at Paducah.

Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures).

Controlled Articles


You must have ODSA authorization (Portsmouth and Paducah) or Lexington Information Technology (IT) authorization prior to introducing the following controlled articles in a Limited Area:

Personal Data Assistants (PDA) Laptop or palmtop computers Smart phone devices Two-way pagers Cell phones Cameras of all kinds Recording equipment Digital audio players Thumb and Portable Hard drives and most

gaming devices (check with security) Alcoholic beverages

Note: Authorization is recognized by a property pass (Portsmouth) or controlled article permit (Paducah).

11

Reporting Requirements for Cleared Individuals


Arrests – Report all arrests, including charges that are dismissed Criminal Charges - Report all criminal charges including felony, misdemeanor, public and petty offenses as defined in the statutes of any

state Detention by Law Enforcement - Report any detention by federal, state or other law enforcement authority for violation of law. The only

exception to this reporting requirement is detention for a simple traffic stop Traffic Violations - Report any traffic violations for which you receive a fine of $300 or more unless the traffic violation is alcohol or drug

related. Any traffic violation that is alcohol or drug related must be reported regardless of the amount Ongoing Regular Contact with Foreign Nationals – Report employment, business & personal related associations with any foreign

national or employees/representatives of a foreign-owned interest

Hospitalization - Report hospitalization for treatment of mental illness or other mental condition; treatment for alcohol or drug abuse; any condition that may cause a significant impairment in judgment or reliabilityBankruptcy - Report any personal or business-related bankruptcyWage Garnishment - Report all wage garnishments resulting from, but not limited to, divorce, delinquent debts or child supportChange in marital status - Report marriage or cohabitation (spouse like relationship) within 45 days Name Changes - Report all legal name changes within 45 daysChange in Citizenship - If you are a U.S. citizen who changes citizenship or acquires dual citizenshipFamily Residence Change - An immediate family member assuming residence in a sensitive country

Having a DOE access authorization is a privilege not a right. In order to maintain an access authorization, the following information must be reported within 2 days verbally to your site Personnel Security Office followed within 3 days by written notification, unless otherwise instructed:

12

Incidents of Security Concern (IOSC)


Pose threats to national security interests and/or critical DOE assets Create potentially serious or dangerous security situations Potentially endanger the health and safety of the workforce or public Degrade the effectiveness of the safeguards and security program Adversely impact the ability of organizations to protect DOE safeguards and security interests

An incident of security concern occurs any time there is a potential or actual compromise of classified or Unclassified Controlled Information (UCI) or when a security directive is violated. Incidents of security concern are actions, inactions, or events that have occurred at a site that:

Remember, if you observe, find, or have knowledge of, or information regarding an IOSC, you must immediately report the incident to your respective IOSC POC and/or FSO or the Plant Shift Superintendent in person or by secure means. If you discover a potential IOSC, you must take reasonable and prudent steps to contain the incident, protect the scene, and secure classified matter or UCI as appropriate.

Your ODSA or FSO POC telephone numbers are listed in site POC listing at the end of this briefing.

13

Metric of IOSC


Unauthorized electronic disclosure of Unclassified Controlled Information

Introducing controlled item into a LA (e.g. camera cell phone, MP3, etc.)

Circumvention of established procedures (e.g. property pass violations)

Vandalism of Government property Loss of escort controls

The following incidents of security concern were the most common for the Portsmouth, Paducah, and Lexington sites in 2012:

14

23 29

Total incidents for 2011 Total incidents for 2012

Classified Matter/Information


Classified matter/information is any combination of documents or materials that needs to be protected in the interest of national security. Classification can be applied to: classified equipment, components, parts, tooling, gauges, liquids, powder, scrap, molds,

and packaging container inserts classified documents, electronic media, or communications

All classified matter/information is protected according to federal statutes and Presidential Executive Orders. DOE is responsible, under the Atomic Energy Act of 1954, as amended, for classifying information and material relating to atomic energy and its use in weapons and under Executive Orders for other aspects of national security. The Atomic Energy Act of 1954 and Executive Order 13526 govern classification policy.

Classifying information establishes protective barriers that ensure that classified matter and information do not fall into unauthorized hands. Through the process of classification, we protect important information from adversaries, yet allow the same information to be used by scientists, statesmen, military planners, and others with applicable access authorization and who meet the need-to-know criterion.

15

Note: At Portsmouth, Paducah, and Lexington there are specific Limited Areas approved for impromptu classified discussions. Please contact your ODSA or FSO for specific locations.

Levels of Classified Matter


Top Secret (TS)-Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.

Secret (S)-Unauthorized disclosure could reasonably be expected to cause serious damage to national security.

Confidential (C)-Unauthorized disclosure could reasonably be expected to cause undue risk to the common defense and security and be expected to cause damage to national security.

Classified matter/information is designated by both a classification level and a category. The classification level is based on how much our national security could be damaged if the information were to be released to unauthorized person(s). There are three classification levels:

16

Categories of Classified Matter


Restricted Data (RD) is information that is related to the design, manufacturing, and utilization of atomic weapons; production of special nuclear material; or use of special nuclear material in the production of energy.

Formerly Restricted Data (FRD) is information that pertains to the military utilization of atomic weapons and has been removed by DOE from the Restricted Data category.

National Security Information (NSI) is information that requires protection in the interest of national defense or foreign relations of the United States that is not related to nuclear weapon design, manufacturing, testing, or utilization. For example, a site security vulnerability may be protected as NSI.

17

There are three categories that describe classified matter :

Access to Classified Matter


Restricted Data Formerly Restricted Data

National Security Information

Top Secret Q Q Q

Secret Q L L

Confidential L L L

The following table illustrates the minimum clearance level required for access to each level and category of classified matter:

Access to classified matter requires an individual to have:Appropriate access authorization (or necessary security clearance)A need-to-know (which means access to classified matter is necessary to perform an official or contractual duty)

Note: Access is not obtained or granted by position only.

18

Protection and Control Measures


Cover sheets must be used any time a classified document is removed from a special approved General Services Administration container (sometimes referred to as a safe or repository), vault, or vault-type room. The purpose of a classified cover sheet is to prevent unauthorized visual access, serve as an immediate identifier that the attached document or material is classified, and identify the classification level of the document.

Classified cover sheets are identified as follows:

For additional protection and control measures, including training/briefing requirements, contact site Classified Matter Protection and Control (CMPC) point of contact. Portsmouth, Paducah, and Lexington telephone numbers are listed in the POC listing at the end of this briefing.

19

Derivative Classifiers (DC)/Derivative Declassifiers (DD)


20

The following appointed positions are provided to coordinate classification activities:

Derivative Classifiers (DC): An individual authorized to determine that matter is unclassified or classified as restricted data, formerly restricted data, and/or national security information and at what level based on classification guidance or source documents.Derivative Declassifiers (DD): An individual authorized to declassify or downgrade matter in specific areas based on classification or declassification guidance or source documents.

When it is reasonable to expect that documents or materials contain classified information or when regulations or other requirements apply, you are personally responsible to ensure the matter is reviewed by an approved DC or the site Classification Officer.

Portsmouth, Paducah, and Lexington Classification Officer or Classification POC telephone numbers are listed in the site POC listing at the end of this briefing.

Challenging Classification Decisions


21

Every employee is encouraged and expected to challenge the classification of information, documents, or material that he or she believes is improperly classified. Challenges should be directed to your site Classification Office or classification POC.

No Comment Policy


Sometimes classified information appears in the public domain (e.g. newspapers, websites, speeches, etc.). If approached about the disclosed classified information do not comment on accuracy, classification, or technical merit. Individuals are prohibited from commenting on classified information in the public

domain Avoid using the phrase “no comment” because its use may implicitly reveal classified

information Appearance in the public domain does not declassify the information

22

Your Responsibility


Each employee is responsible for having documents and material reviewed by a DC for classified information prior to dissemination to uncleared individuals by physical or electronic means.

Types of Documents to be reviewed include:

Information pertaining to Gaseous Diffusion Technology/Processes or Work for OthersNewly generated documents or material prepared in a potential classifiable subject areaExisting unmarked documents or material that an employee believes may contain classified informationExisting documents or material that an employee believes may contain information classified at a higher level or more restrictive categoryDocuments or material in a potential classified subject area intended for public release (web page, Congress, press release) must be reviewed by the site Derivative ClassifierNewly generated documents that contain extracts from an existing classified document (e.g. chapter or appendix) must be reviewed by a DC. If the extract is found to be unclassified then an additional review by a Derivative Declassifier is required

23

Need-to-Know


If an individual needs to know information in order to perform an official or contractual duty, they may have access to that information. Access to classified information requires the appropriate DOE access authorization AND the need to know to perform an official duty.

Does that person require this

information to do their job?

24

Unauthorized Disclosure


Unauthorized disclosure is any communication or physical transfer of classified matter or Unclassified Controlled Information (UCI) to an unauthorized recipient. Concerning classified matter, unauthorized disclosure: Always occurs when the recipients do not have the appropriate access authorization

and the need-to-know Can occur when an individual intends to transfer or transmit classified matter Could potentially cause damage or irreparable injury to the United States, or could be

used to advantage by a foreign nation

25

Penalties


There can be potential penalties for mishandling classified information or other sensitive information such as:

Termination of access authorization Removal from any position of special confidence and trust requiring a clearance Termination of employment Prosecution Monetary fines

26

Penalties


Civil penalties for contractor violations of classified information are issued in accordance with Title 10, Code of Federal Regulations Part 824 (10 CFR Part 824). This CFR was published by the Department of Energy (DOE) to implement Section 234B of the Atomic Energy Act of 1954, 42 U.S.C. 2282B. Section 234B stipulates that a contractor or subcontractor to the DOE who violates any rule, regulation, or order relating to the safeguarding or security of Restricted Data, other classified information, or sensitive information shall be subject to a civil penalty (fine) not to exceed $110,000 per offense. In publishing 10 CFR Part 824, DOE has determined that civil penalties under Part 824 will only be assessed for violations of requirements for the protection of classified information (Restricted Data, Formerly Restricted Data and National Security Information). The rule does not include civil penalties relating to failure to protect sensitive but unclassified information.

27

Unclassified Controlled Information (UCI)


Note: An uncleared person may be granted access to Unclassified Controlled Information (UCI) if that person has a need-to-know the specific information in the performance of official or contractual duties.

*PII is marked and protected as OUO, FOIA Exemption 6, Personal Privacy ** ECI is dual marked ECI and OUO, FOIA Exemption 3, Statutory Exemption

28

Protecting UCI


UCI must be protected from unauthorized disclosure. Storing of UCI within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided). When working with UCI from home or in transit, the above protection requirements are the same.

29

Transmission of UCI


Transmission by e-mail: UCI should be encrypted when electronically transmitted outside the site’s network. Encryption should be accomplished by using Entrust for e-mail. If Entrust is unavailable then password protect(excluding UCNI which is not accredited on PPPO systems)

Transmission by Fax: When faxing UCI (excluding UCNI which must be sent via a secure telephone facsimile), the sender must contact the recipient prior to faxing the UCI document. The sender is responsible for making a follow-up call to confirm that the entire UCI document was received

Transmission by Mail Off site: Place documents in a sealed opaque envelope or wrapping, stamp or write the words “To Be Opened by Addressee Only.” The document can be mailed First Class, Express, Certified or Registered Mail or sent via any commercial carrier and must contain a return address

Transmission by Mail On site: Place documents in a sealed, opaque envelope or wrapping, stamp or write the words “To Be Opened by Addressee Only”

The number one security incident at the sites is transmitting UCI by unsecured or inappropriate methods. Follow the guidelines listed here when transmitting UCI:

30

Note: Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures).

Official Use Only (OUO)


To be identified as Official Use Only (OUO), information must be unclassified and meet both of the following criteria: Has the potential to damage Governmental, commercial, or private interests if released to

persons who are not authorized Falls under one of the Freedom of Information Act (FOIA) exemptions

Note: Any Federal or contractor employee with cognizance over the information may make OUO determinations for unclassified documents.

31

Making OUO Determinations


CG-SS-4

32

Potential OUO

Could the release of this information cause damage to

governmental, commercial, or private interests

Yes

Is the information OUO byclassification guide topic,

CG-SS-4

Does the information fall under a FOIA exemption

Yes

No

No

No

No

Yes

Yes

Not OUO

Not OUO

Not OUO

Mark asOUO

BEGIN HERE

33


OUO Determination Tree

Mark asOUO

33

Information is OUO

No

Yes

34


Exemptions

No Marking or Protection required.

This information will still require a classification

review prior to releasing to the public

Choose a FOIAexemption 3

through 9

Note: Exemption 2-Circumvention of Statute for OUO was deleted and should no longer be used. For previous determinations of OUO where exemption 2 was used, the following exemptions may be applied, exemption 7 (Law Enforcement), exemption 4 (Commercial Proprietary), and exemption 5 (Privileged Information).

Once information is determined to be OUO, potential exemptions to the Freedom of Information Act (FOIA) must be chosen. If no exemption is viable then the information cannot be OUO.

34

Exemption Numbers and Categories for OUO


3-Statutory Exemption CRADA Information Export Controlled Information Taxpayer Identification Numbers

4-Commercial/Proprietary Trade Secrets (e.g. Coca Cola Formula) Financial Data (e.g. income, profits, losses) Business Plans (e.g. contract proposals) Cost Data Government Credit Card Numbers

5-Privileged Information Recommendations (e.g. budget cuts) Evaluations Appraisal Results Drafts of New Policies Attorney-Client Exchanges

6-Personal Privacy Medical Condition/History Marital Status Personally Identifiable Information (e.g. Social

Security Number, birth date, place of birth) Unlisted Home Phone Number7-Law Enforcement On-going Investigative Reports Reports which would Impair Impartial Adjudication Confidential Sources Security Plans (e.g. OPSEC Plan, TSCM Plan, etc.)

8-Financial Institutions Reports on the Financial Condition of a Bank

9-Wells Resource Maps Well Head Analysis

35


The employee making the determination must ensure that the front of each document must have an exemption stamp designating the FOIA exemption number and related category name.

Also the words “Official Use Only” (or “OUO” if space is limited) are placed on the bottom of each page or, if more convenient, on just those pages containing OUO information.

OFFICIAL USE ONLY

Sample of front page marking

Exemption Stamp

OUO Stamp

36

Marking OUO

Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site.

7, Law Enforcement

Jane Doe/WEMS 07/02/2004CG-SS-4, DOE OC, June 2002

Steps to filling out exemption stamp (or notice) based on classification/control guides: Fill in the exemption number and category Name and organization Date of determination Short name of guide, source, and date of guide

37


Filling Out Exemption Stamp

37

Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site.

07/02/2004N/A

Steps to filling out exemption stamp (or notice) based on individual evaluation (opinion): Fill in the exemption number and category Name and organization Date of determination Enter “N/A” if guidance is not used

38


Filling Out Exemption Stamp

John Smith/WEMS

6, Personal Privacy

38


If e-mail is OUO• First line in the body of the e-mail must say

“Official Use Only” before text If attachment is OUO

• The first line in the body of the e-mail should say “Document attached contains OUO information. When separated from attachment, this e-mail is not OUO”

• Attachment must also be marked appropriately

If transmitting outside of firewall• PPPO federal and contractor employees are

encouraged to encrypt their e-mails prior to transmittals (Entrust is the software that is used for encryption)

• If Entrust is unavailable, then take other measures to send securely such as password protecting Word or PDF documents

• Contractors must check site procedures before using password protect option

39

E-Mailing OUO


Using Entrust to Encrypt E-Mails

Step 1: Login to EntrustSelect your user profile nameType in password

Step 2: Encrypting e-mail Select “Express” from Outlook tool bar Select “Encrypt”

Step 3: Confirm encryptionEnsure that the Encrypt message is selectedOnce confirmed, select “OK”

40

Depending on the version of Entrust used at your site, there may be minor differences in the way the software looks and operates. Contact your Information Technology or Cyber Security group with any questions.


Personally Identifiable Information (PII)

Personally Identifiable Information (marked and protected as OUO, Exemption 6, Personal Privacy) is defined as any information collected or maintained by the Department, contractors or subcontractors, about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother’s maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual.Employees are required to prevent the unauthorized breach of PIIUpon discovery of data breach involving PII, employees must immediately notify their respective ODSA and/or FSO

Note: PII stored on laptops and removable media (CD ROMs, thumb drives) must be encrypted. If PII is no longer required, it must be deleted. Requirements for identification of PII are located in DOE O 206.1.

41

Export Controlled Information (ECI)


ECI includes many nuclear technologies restricted by Federal regulations from export to foreign entities. ECI restrictions may be imposed by the U.S. Department of Energy, Department of Commerce, or Department of State and even if the matter is not classified, it still must not be exported to foreign entities without appropriate approvals.

PPPO operations involve ECI especially regarding gaseous diffusion and DUF6 conversion technologies.

Prior to engaging in decontamination and decommissioning (D&D) and disposal of scientific and technical equipment, contact the ECI POC and/or ODSA or FSO for review requirements prior to release or disposal.

Requirements for identification, protection and control of ECI are located in US DOE Guidelines for Export Control and Nonproliferation dated July 1999.

42

Portsmouth, Paducah, and Lexington ECT POC telephone numbers are listed in the site POC listing at the end of this briefing.

What qualifies as ECI? (continued)

• ECI includes commodities, technology, and software.

• Commodities are tangible assets such as materials (e.g., metals, chemicals) and equipment (e.g., industrial equipment, electronic equipment, nuclear test equipment).

• Technology is information necessary for the development, production, or use of a product. This can include technical data or technical assistance in the form of blueprints, diagrams, engineering designs and specifications, manuals and instructions, and training.

• Software includes commercial off the shelf (COTS) applications and applications developed in-house that directly relate to the development, production, or use of a product.


43

What is an export? (continued)

• An export is the sending of export controlled items (e.g., information, technology, material) outside of the United States in any manner (e.g., physical shipment, email, website).

– An export occurs from within the United States to a foreign country.

• A deemed export is the release of technology or source code to a foreign national within the United State in any manner (e.g., physical shipment, email, website).

– A deemed export occurs completely within the United States.

• A re-export occurs when an item controlled under United States export law is shipped from a foreign country to another foreign country.

– A re-export occurs completely outside of the United States.


44

Authorization to export? (continued)

• 10 CFR 810.7 and .8 allow for an authorization to export be granted as long as a specific approval process is followed by the party who wishes to export the commodity, technology, or software in question.

• The authorization is a time-intensive and politically sensitive process which requires concurrence from the Department of State, and consultation with the Nuclear Regulatory Commission, Department of Commerce, and Department of Defense.

• An application for export authorization may be submitted through the Secretary of Energy’s Office. Contact your ECI POC as far in advance as possible if an export, deemed export, or re-export is required.


45

What are the penalties? (continued)

In the event of an illegal export:

•Administrative or criminal penalties may be levied against a company or an individual depending on the seriousness of the offense and whether the export was willful or negligent.

•Administrative penalties can result in up to ten (10) years in prison and fines of up to $250k per offense, depending which agency has regulatory oversight of the item(s) in question.

•Criminal penalties can result in up to life in prison and fines of up to $1m per offense, depending on which agency has regulatory oversight of the item(s) in question.

•Department of Commerce, Department of State, Department of Energy, and Department of Treasury can all levy fines depending on the item(s) in question.


46

Unclassified Controlled Nuclear Information (UCNI)


UCNI is certain unclassified information about nuclear facilities and nuclear weapons that must be controlled because its unauthorized release could have a significant adverse effect on the national security or public health and safety. The Director, Office of Classification (OC), decides what specific information is UCNI. UCNI Reviewing Officials use guidance to decide if documents contain UCNI. Any document that may contain UCNI must be reviewed by an UCNI Reviewing Official to determine if it contains UCNI.

Note: PPPO information systems are not accredited for UCNI. Therefore, UCNI may not be generated, processed, or stored on any PPPO information system components (e.g., workstations, laptops, flashdrives, CD/DVDs).

The PPPO sites have existing UCNI specifically related to gaseous diffusion technologies. Intentional or inappropriate release of UCNI information may include civil or criminal penalties. Guidance for the UCNI program can be referenced in:Section 148, Atomic Energy Act of 195410 CFR Part 1017, Identification and Protection of Unclassified Controlled Nuclear InformationDOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information

47

Handling, Storing, Copying, and Destroying of UCI


Handling UCI requires taking reasonable precautions to prevent unauthorized access (ensure the need-to-know)

Storing of UCI within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided)

Storing of UCI at home or during transit must be under control at all times or in a locked room, receptacle, or briefcase

Copying of UCI requires no permission; however, print only the minimum number of copies needed, and mark and protect appropriately

Destroying of UCI is accomplished by using a shredder (¼ “ wide strip-cuts) or by other site approved methods (e.g. shred bins)

Destruction of UCI outside of the workplace (e.g. home, travel) requires the above shredder requirements (¼ “ wide strip-cuts). If not available, protect UCI until you return to the office

48

Nuclear Material Control & Accountability (NMC&A)


49

The purpose of NMC&A is to control and account for nuclear materials. NMC&A combined with physical security of nuclear materials is the “Safeguards” of Safeguards and Security. Portsmouth and Paducah have a large inventory of UF6 including low enriched, normal (.711%), and Depleted (<.710%) UF6. Additionally, the sites have uranium compounds in the lab in the form of samples and some quantity of low enriched non-UF6 in the form of Process Gas dust, trap material, oxides, contaminated scrap, etc.

Graded Safeguards TableIn security terms, the nuclear materials at Paducah are considered Category IV Attractiveness Level E, which is the lowest grade safeguard category and attractiveness level. Most of the Portsmouth inventory is also Category IV, but also has some Category III Attractiveness Level C material. Access to Category III Special Nuclear Material (SNM) requires an “L” or “Q” access authorization.

Technical Surveillance Countermeasures


TSCM is an electronic counterintelligence program designed to detect, deter, isolate and nullify technical penetrations and technical security hazards. These technical penetrations and security hazards are used to gain unauthorized access to classified information, unclassified controlled information, or personal information and range from simple mechanical to sophisticated electronic and fiber-optic techniques. The more common techniques include hidden audio and radio frequency (RF) transmitting devices (microphones), telephone bugging equipment, and visual tools such as binoculars, telescopes, mini cams and fiber optic cameras. The sale of these devices is not restricted. They are readily available to anyone on the commercial market.

If you discover what you consider to be a technical surveillance device, immediately cease all activity in the area as discreetly as possible

Do not voice the discovery within the immediate area, which includes the suspect room and all other rooms that are above, below and adjacent to it

Secure the room and do not touch or remove the device Immediately notify your TSCM POC via secure communications, outside of the

area where the suspected device has been found. During off-shift hours notify the Plant Shift Superintendent’s Offices.

Note: Any action related to TSCM information or possible vulnerability should be safeguarded at the highest level of classification approved for that area.

50

Operations Security (OPSEC)


OPSEC is a process focused on protecting critical and sensitive information by: Identifying threats and vulnerabilities which can be exploited by an adversary Identifying and assessing the risk Developing and implementing countermeasures The principles of OPSEC are based on asking five questions: What information do you want to protect? Who wants your information? How is your information vulnerable? What is the risk for your information? How can you protect your information? OPSEC: How can I do my part? Use strong passwords to access your government computers Destroy Unclassified Controlled Information (UCI) in an approved strip shredder Do not transmit sensitive information without following proper security procedures Do not discuss UCI or classified information in public Guard against phone calls seeking personal and sensitive information Use appropriate markings on UCI and classified correspondence Be aware of possible ways in which an adversary can collect information in an open environment (e.g. overheard

conversations, notes left in open vehicles, etc.) Be mindful of the information posted on social networking sites Utilize the OPSEC Working Group for assistance during the initial stages and throughout project planning

51

Cyber Security


The Information Technology (IT) Program establishes requirements for protecting DOE electronic information and information systems in accordance with the Program Cyber Security Plan (PCSP). These requirements include provisions for ensuring that the protection is commensurate with the risk and damage that could result from the loss, misuse, disclosure or unauthorized modification of information that is processed, stored or transmitted using DOE information systems.

Unclassified computer systems MUST NOT be used to process classified information. Always check with a DC before initiating a document related to a classifiable subject area. Classified information must be processed ONLY on accredited information systems in a designated security area, such as a Limited Area. If you require access to a classified computer contact the site Cyber Security POC or ODSA. UCI must be processed according to site level requirements. PPPO systems are not approved for UCNI.There are some basic principles to follow when using e-mail systems at work. Handle e-mails from an unknown source cautiously. Ensure the sender is a reliable source before clicking on a link embedded in the e-mail. Do not open or reply to suspicious e-mails Permanently delete from your inbox Notify Cyber Security POC if assistance is needed

52

Hosting Foreign National Visits and Assignments


DOE is a world leader in developing and advancing new technologies requiring international scientific and technical collaboration with foreign nationals.

Hosting foreign nationals at DOE facilities and/or discussing DOE information, technology, or programs off site requires multiple subject matter expert reviews and approval by an authorized approval authority.Hosting requirements are identified in DOE Order 142.3A Unclassified Foreign National Visits and Assignments Program. Visit requests should be submitted to the site ODSA or Lexington FSO 90 days in advance.Providing any DOE program information to a foreign national, on site or off site, must be preceded by a security plan unless the information is available to the public at large.If planning to host foreign nationals in support of DOE business operations, on site or off site, your site Foreign National Visits POC can provide detailed documentation and approval guidance which includes the required Host Training provided from the Office of Counterintelligence.

Portsmouth, Paducah, and Lexington Hosting Foreign Nationals POC telephone numbers are listed in the site POC listing at the end of this briefing.

53

Foreign Travel


Notify the foreign travel point of contact prior to travelling to a sensitive country

The listing for sensitive countries is maintained at the site ODSA and is available upon request

If the country is sensitive, a pre-travel briefing must be provided by DOE Counterintelligence

All official travel must be reported even if travel is to a non-sensitive country

Portsmouth, Paducah, and Lexington Foreign Travel POC telephone numbers are listed in the site POC listing at the end of this briefing.

54

Counterintelligence (CI)


PPPO Counterintelligence activities are supported by the DOE Office of Intelligence and Counterintelligence, Oak Ridge Field Office (ORFO).

All questions on this topic should be directed to:

Portsmouth: Mark Allen at (270)441-6842 or (859)219-4060, or Dale King at (740)897-3677Paducah/Lexington: Mark Allen at (270)441-6842 or (859)219-4060

Note: ORFO CI Organization can be contacted at (865)241-0233

Counterintelligence is information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for, or on behalf of foreign powers, organizations or persons, or international terrorist activities, but not including personnel, physical, document, or communications security programs. Executive Order 12333, December 4, 1981, "United States Intelligence Activities”

55

CI Program Priorities


The priorities of the ORFO are as follows: Nuclear Security Counterterrorism Economic Espionage – Protected Technologies Cyber CI Threat Protect Science and Technology Counterintelligence Insider Threats Foreign Travel Programs Foreign Visits and Assignments

All potential espionage or terrorism related concerns should be promptly reported to the ORFO. All reports made to this office are held in strict confidentiality. Please visit the ORFO website at www.ornl.gov/oci for specific program information, detailed reporting requirements, foreign travel and visit information, and more.

56

http://www.ornl.gov/oci

CI Insider Threat Indicators


57

CI Insider Threat Indicators (cont.)


Espionage IndicatorsUnexplained affluenceFailing to report overseas travelUnexplained travelUnexplained absencesShowing unusual interest in information outside of responsibilitiesUnusual work hoursTaking classified or sensitive material homeUnreported contact with foreign government, military, or intelligence officials, Attempting to gain access without the need-to-knowExcessive use of copy machinesUnwillingness to take vacationResistance to sharing duties or separation of dutiesExploitable conductUnexplained or extensive technical computer-related knowledge

More information is available on the DOE Counterintelligence website or call 865-241-0233.

58


Recruiting Methods

Visits to the U.S., especially hosted visits American travelers to foreign countries International conferences, conventions, seminars and exhibits Professional associations and publications Collaborative research and development Unsolicited requests for information They want to see who responds

Foreign intelligence officers do not typically obtain information themselves. They recruit citizens from a target country who have legitimate access to the information being sought.

They will attempt to “fill a void" or “meet a need" in the target’s life They will ask for something and probably provide something in return The sensitivity or perceived value of the information requested will increase over

time

How do Intelligence Officers identify potential sources?


Insider Threat

The insider threat is identified as one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise giving them opportunity to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm.

60

An insider could be current or former employees, contractors, vendors, or visitors. They are often times people placed in a position of trust. In fact, most spies in the U.S. once held a security clearance.

An insider threat could be anyone


Various kinds of information can be gathered through secret or covert methods. While some information is indeed collected through clandestine operations, others can be gathered by widely available means. These are commonly called the “intelligence collection disciplines” or the “INTs”:

61

Human Intelligence (HUMINT) is the collection of information from human resources (e.g., interviews, social engineering, etc.)

Signals Intelligence (SIGINT) is the collection of information by intercepting electronic signals between two parties

Imagery Intelligence (IMINT) is the collection of information through photos (e.g., via satellites)

Open-Source Intelligence (OSINT) is the collection of information generally available to the public (e.g., newspapers, internet, TV, etc.)

Foreign Intelligence Collecting

Intercepting Signals


The security readiness state is reflected in the following SECON levels when conditions reflect a risk of terrorist activity, continuity conditions, environmental, and/or severe weather conditions.

SECON 1: Severe ConditionSECON 2: High ConditionSECON 3: Elevated Condition SECON 4: Guarded ConditionSECON 5: Low Condition

Personnel will be alerted to changes in the security conditions over the plant PA system and through appropriate security and emergency management staff.

62

Security Condition Threat Level

The Deputy Secretary of the DOE establishes the Security Condition (SECON) levels. The SECON levels reflect a multitude of conditions that may adversely impact Departmental and/or site security to include terrorism, continuity conditions, environmental (e.g., fire, chemical, radiological, etc.) and/or severe weather conditions.


Terrorism remains a threat to the security of the homeland. The Department of Homeland Security (DHS) implores all Americans to share responsibility for the nation’s security.

63

Terrorist Threat

“See Something, Say Something” is a nationwide campaign program designed to raise public awareness for indicators of terrorism and violent crime, and to emphasize the importance of reporting suspicious activity to the proper state and local law enforcement authorities.

Report suspicious activity to ODSA, PSS, or call local law enforcement.

See Something, Say Something


An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area. Active shooters use guns and there is no pattern or method to their selection of victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on scene, individuals must be prepared both mentally and physically to deal with an active shooter.

64

Active Shooter

How to Respond:Evacuate-Take note of all exits in your facilityHide-Stay out of shooter’s view. If you are in an office lock the door or block entryTake Action-As a last resort, attempt to subdue the active shooter. When the active shooter is at close range and you cannot flee, your chance of survival is much greater if you try to incapacitate him/herCall 9-1-1 or 740-897-2444 (Portsmouth) or 270-441-6211 (Paducah) on a cell phone when it is safe to do so!

Not an actual scene

Escort Responsibilities


Responsibilities for escorting into the Limited Area: Ensure that appropriate measures are taken to prevent a compromise of classified matter and/or Special

Nuclear Material (SNM) Maintain continuous visual and unaided voice and/or physical control of escorted individual(s) Ensure that escorted individual(s) have a need-to-know for the security area they are entering Verify and maintain escort ratio: Portsmouth and Paducah standard ratio is one (1) escort to every four

(4) visitors/employees Prominently display the “yellow” escort badge (if applicable) on outer most garment, above the waist

and below the neck, identifying that uncleared individuals are present

Prior to escorting, verbally challenge escorted individual(s) on whether they possess any controlled or prohibited articles (e.g. camera cell phones, thumb drives, etc.)

Ensure full compliance with site specific security requirements, plans, and procedures

Ensure that access authorization is commensurate with the security area being entered

65

Safeguards and Security Program


66

To ensure appropriate security measures and avoid project delays, the PPPO management expectations are as follows; the Safeguards and Security considerations , which include NMC&A, are thoroughly integrated with all aspects of mission accomplishment, including all topical areas of safeguards and security (e.g. personnel, physical, information, nuclear safeguards) and related cross-cutting areas (e.g. cyber security, export control, classification, foreign visits and assignments and foreign travel). This integration will ensure the adequate protection of DOE assets (e.g. classified matter, unclassified controlled matter, and government property).

Safeguards and Security Program


The program helps to: Identify what needs protected Establish clear roles and responsibilities Implement DOE requirements though line management Establish oversight programs to assure requirements are implemented Seek and implement continuous improvement

The Safeguards and Security Program incorporates the following principles: Integration of Safeguards and Security with all aspects of mission

accomplishment Protection requirements are commensurate with the consequences of loss or

misuse of the protected asset Responsibility for the implementation of protection measures resides with DOE

line management elements responsible for mission accomplishment Authority is delegated to appropriate levels to promote efficiency and

effectiveness

67

The Safeguards and Security Program ensures that the Department of Energy efficiently and effectively meets all its obligations to protect Special Nuclear Material, other nuclear materials, classified matter, sensitive information, government property, and the safety and security of employees, contractors, and the general public.

Summary


Having a DOE access authorization is a privilege, not a right. You may have been recognized and entrusted by the U.S. Government to protect and handle classified matter; therefore, it is your responsibility to follow DOE requirements as well as site plans and procedures. Failure to adhere to these security requirements could potentially cause damage to governmental, commercial, or private interests

Ensure classified information and UCI are appropriately protected and controlled Ensure need-to-know criterion for both classified and UCI is met prior to providing anyone access. In

addition, the recipient of classified information must possess the appropriate access authorization Ensure any document prepared in a potentially classified subject area is reviewed by a DC or the site

Classification Officer BEFORE publication and distribution Know the security requirements for the area(s) you work in or

visit, and follow site guidance for prohibited and controlled items Know the reporting requirements Contact your respective ODSA for guidance or questions

regarding any security-related matter (e.g. physical, cyber, personnel, information, classification, protective force, etc.)

68

Portsmouth Security Points of Contact Listing


This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the WEMS security office.

Emergencies at Portsmouth 740-897-2444 or 911 (plant phone)

69

Classification Officer and POCs Physical Security Henry Thomas 740-897-5245 John Jordan 740-897-3683Classified Matter Protection and Control (CMPC) Jim Sevens 740-897-2022Wayne Conley 740-897-2604 John Zangri 740-897-3247Technical Surveillance and Countermeasures (TSCM) Jim Dixon 740-897-2334Wayne Conley 740-897-2604 Rachel Stroth 740-897-3274Unclassified Controlled Information (UCI) Rich Kielmar 740-897-2603Wayne Conley 740-897-2604 Jim Snodgrass 740-897-2302

Dave Davis 740-897-2728Hosting Foreign Nationals Cyber Security Wayne Conley 740-897-2604 Brian Kirkendall 740-897-3853Counterintelligence POC Operations Security (OPSEC) Dale King (Primary) 740-897-3677 Rachel Stroth 740-897-3274Mark Allen (Alternate) 270-441-6838/ 859-219-4060 Visitor Control Reporting Incidents of Security Concern Erica Wiley 740-897-2992Wayne Conley 740-897-2604Jim Sevens 740-897-2022 Export Controlled Information (ECI) Jim Dixon 740-897-2334 Dan Hupp 740-897-5747Waste, Fraud, and Abuse Enforcement Coordinator Jim Sevens 740-897-2022 Dan Longpre 740-897-5747WEMS Security Manager Foreign Travel POC Rick Coriell 740-897-3151 Wayne Conley 740-897-2604Personnel Security Office Site FSOs Megan Bach 740-897-3467 Wastren-EnergX Mission Support (WEMS) Rick Coriell 740-897-3151Linsay Ward 740-897-2994 Fluor B&W Portsmouth (FBP), Troy Ayres 740-897-2370Dana Kirkman 740-897-3673 Restoration Services Inc. (RSI), Rick Ferguson 865-574-0884Lock Smith B&W Conversion Services (BWCS), Beth Keener 740-497-5910Jim Snodgrass 740-897-2757 The American Centrifuge (USEC, Inc.), Angela Wright 740-897-2749Jim Dixon 740-897-2334

Paducah Security Points of Contact Listing


This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the SST security office.

Emergencies at Paducah 270-441-6211 or 333 (plant phone)

70

Classification Officer and POCs Physical Security Jackie Thompson 270-441-5659 Dusty Alexander 270-441-5427Classified Matter Protection and Control (CMPC) Jeff Harris 270-441-5253Melissa Howell 270-441-5438 Brad Nall 270-441-5037Chuck Moreland 270-441-5078 Cyber Security Technical Surveillance and Countermeasures (TMCS) Bill Offner 270-441-5107Melissa Howell 270-441-5438 Operations Security (OPSEC) Dusty Alexander 270-441-5427 Melissa Howell 270-441-5438Unclassified Controlled Information (UCI) Kara Doughty 270-441-5252Jackie Thompson 270-441-5659 Jeff Harris 270-441-5253Melissa Howell 270-441-5438 Visitor Control Hosting Foreign Nationals Kara Doughty 270-441-5252Kara Doughty 270-441-5252 Betty Hart 270-441-5417Betty Hart 270-441-5417 Terri Dorris 270-441-5271Terri Dorris 270-441-5271 Ronda Hays 270-441-5099Counterintelligence POC Export Control Information (ECI) Mark Allen 270-441-6838 Jackie Thompson 270-441-5659Reporting Incidents of Security Concern Melissa Howell 270-441-5438Charlie Cobb 270-441-5248 Enforcement Coordinator Chuck Moreland 270-441-5078 Dusty Alexander 270-441-5427Melissa Howell 270-441-5438 Foreign Travel POC Jeff Harris 270-441-5253 Kara Doughty 270-441-5252Kara Doughty 270-441-5252 Betty Hart 270-441-5417Swift & Staley Inc., Security Manager Terri Dorris 270-441-5271Charlie Cobb 270-441-5248 Site FSOs Personnel Security Office Swift and Staley Inc., (SST) Charlie Cobb 270-441-5248Kara Doughty 270-441-5252 LATA of Kentucky, Inc., (LATA) Tim Fralix 270-441-5025

Betty Hart 270-441-5417 B&W Conversion Services (BWCS), Mike Stanley 270-538-2024Terri Dorris 270-441-5271Locksmith Jeff Harris 270-441-5253Bobby Harris 270-441-5004

Phillip Easley 270-441-5004

Lexington Security Points of Contact Listing


Classification Officer and POCs Physical Security

Larry Sparks DOE/ORO 865-576-2659 Mark Allen DOE/PPPO/FSO 270-441-6842/ 859-219-4060

Mark Allen DOE/PPPO FSO 270-441-6842/ 859-219-4060 Sammy Bell PRC/DOE 270-441-6838

Classified Matter Protection and Control Cyber Security

Mark Allen DOE/PPPO FSO 270-441-6842/ 859-219-4060 James Woods DOE/PPPO 859-219-4053

Sammy Bell PRC/DOE 270-441-6838 Abe Getchell PRC/DOE 859-219-4024

Technical Surveillance and Countermeasures (TSCM) Operations Security (OPSEC)

Sammy Bell PRC/DOE/POC 270-441-6838 Abe Getchell PRC/DOE 859-219-4024

Mark Allen DOE/PPPO FSO 270-441-6842/ 859-219-4060 Visitor Control

Unclassified Controlled Information (UCI) Abe Getchell PRC/DOE 859-219-4024

Mark Allen DOE/PPPO/FSO 270-441-6842/ 859-219-4060 Foreign Travel POC

Sammy Bell PRC/DOE 270-441-6838 Mark Allen DOE/PPPO/FSO 270-441-6842/ 859-219-4060

Abe Getchell PRC/DOE 859-219-4024 Sammy Bell PRC/DOE 270-441-6838

Hosting Foreign Nationals Counterintelligence

Mark Allen DOE/PPPO/FSO 270-441-6842 / 859-219-4060 Mark Allen DOE/PPPO/FSO 270-441-6842/ 859-219-4060

Sammy Bell PRC/DOE 270-441-6838 Reporting Incidents of Security Concern

Waste, Fraud, and Abuse/Enforcement POC Mark Allen DOE/PPPO/FSO 270-441-6842/ 859-219-4060

Rachel Blumenfeld DOE PPPO Deputy Manager 859-219-4002 Sammy Bell PRC/DOE 270-441-6838

DOE PPPO Security Manager James Woods DOE/PPPO 859-219-4053

Mark Allen 270-441-6842/ 859-219-4060 Abe Getchell PRC/DOE 859-219-4024

Lock/Key/FOB Site FSO

Abe Getchell PRC/DOE 859-219-4024 Mark Allen DOE/PPPO/FSO 270-441-6842/219-4060

This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the PPPO FSO.

71

Questions


If you have any questions concerning the content of this training, or have suggestions for improvement please e-mail Missy Howell ([email protected]), Wayne Conley ([email protected]), or Abe Getchell ([email protected]).

72

mailto:[email protected]




Congratulations


You have completed the Portsmouth/Paducah Project Office Annual Security Refresher!

73

portsmouth/paducah project office 2012 annual security refresher lexington office 1 paducah...

Documents

security areas

security responsibilities

operations security

security awareness

security program

security policies

management of security

pppo site security plan