European Commission – DG Enterprise & Industry E-M. EngdahlWork programme 2009 – Info Day

Information Day16th September 2009

REA - Brussels

Seventh Framework

Programme 2007-2013

Security Research

A “Sensitive” Project is handling:

– Data or information requiring protection against unauthorised disclosure:

classified information

– Information or materials subject to security restrictions

– Material subject to export- or transfer-control

No “Classified” Proposals are allowed in the call

(no classified information in a proposal)

BUT: a Proposal could lead to a “Sensitive” Project

(project that could use classified/sensitive background

and/or produce classified/sensitive foreground)

“Sensitive” Projects:What is a sensitive project?

Security issues:Principles and legal base

• Originator consent• Need to know

• 2001/844/EC amended by 2006/548/ECOJ L215, 5.8.2006

• National laws

• rules for submission, evaluation, etc…

“Sensitive” Projects: Sensitive proposals with non-EU participants

• EU classification is limited to EU Member States

• Sensitive projects can include participants from associated or third countries

• Countries having a security agreement with the EU (Council level) could refer to

that security agreement for handling sensitive information and material

• Special MoU (Memorandum of Understanding) could be agreed between the

countries involved in the handling of sensitive information/material of a project

limited to that project

No restriction for the participation to sensitive projects for associated countries and

from third countries if no access foreseen to sensitive information/material

“Sensitive” Projects:Use of classified information

• No classified information to be used in the proposal

• However, the project could use classified/sensitive background and/or produce

classified/sensitive foreground

• In that case, The proposal should be flagged on page 1 of the part B of the proposal as security

sensitive The table of deliverables must specify the level of classification for each

deliverable A Security Aspect Letter (SAL) + a Security Classification Guide (SCG) must be

attached to the proposal

“Sensitive” Projects:Security Scrutiny Procedure

For each sensitive project proposal of the selection list:

The Security Committee Members/Observers will be requested (via their national

security authority representative) to verify that all security aspects are properly

addressed and to reach an agreement among themselves

the scrutiny procedure is done, in a 2 months period, following the evaluation and

before the start of the negotiation of the projects

The results of the scrutiny could be:

go ahead with negotiation;

recommendations for the negotiation without classification;

recommendations for the negotiation with classification;

Recommendation not to finance the proposal

Proposers receive the conclusions of the scrutiny procedure with the “Invitation letter”

(negotiation mandate)

“Sensitive” Projects: Some recommendations

• Be serious about the sensitivity declaration

• Consider carefully the requirements for accessing sensitive information/material in

a project (limit it as far as possible)

• Get reference of all applicable EU and national legislation

• Contact your National Contact Point (NCP) – see CORDIS

• Contact your NSA for sensitive proposals (OJ L193 of 23.7.2005 p.31-36)

• For non-EU countries find out if there are some security agreement between your

country and EU

“Sensitive” Projects:Grant specificities

• Core Grant Agreement:the main special clauses 21 and 22

• Annex 1 (DoW)• SAL (Security Aspect Letter• SCG (Security Classification Guide)

• Guideline for handling classified informationin FP7 project (Draft)

“Sensitive” Projects:Grant specificities

• Core Grant Agreement : special clause 21When classified information is used as background, or is planned to be generated as foreground, or is actually generated as foreground, or if export or transfer licences are required for the transfer of dangerous materials or substances or where a topic is subject to specific national or European security related legal restrictions, a Security Aspect Letter (SAL) is annexed to this grant agreement as an integral part of Annex I.

• Core Grant Agreement : special clause 221. Each beneficiary shall comply with any security requirements prescribed by the Security Aspect

Letter (SAL) attached to Annex I of this grant agreement. The Commission may terminate the grant agreement or the participation of the beneficiary(ies), in accordance with Article II.38, in case of non compliance with this obligation. Such action shall be without prejudice to any further legal action.

2. This SAL is valid throughout the duration of the project.3. The beneficiaries of this grant agreement shall via the Coordinator inform the Commission of any

change of security requirements emerging during the performance of the project. Any such change shall be introduced in the SAL by means of an amendment following the rules on amendments of Annex I.

4. In cases where a beneficiary cannot comply with increased security requirements, the grant agreement shall be terminated.

5. The beneficiaries shall ensure that any subcontractor or other third party complies with the security requirements set out in the SAL.

“Sensitive” Projects:Grant specificities

Annex 1 (DoW) : SAL (Security Aspect Letter)

• The performance of the grant agreement will involve information classified CONFIDENTIAL UE.

• [A Facility Security Clearance is required]. • Persons who need to access EU classified information must [have an EU personal security

clearance and] be briefed as to their responsibility for security[1].• The beneficiaries concerned shall take all measures prescribed by the National Security

Authority/Designated Security Authority (NSA/DSA) for safeguarding EUCI.• The beneficiaries concerned shall appoint a Facility Security Officer (FSO).• The beneficiaries concerned, through the FSO, shall maintain a continuing relationship with his

NSA/DSA.• The beneficiaries concerned shall maintain a record of his employees taking part in the project

and who have been cleared for access to EUCI. • EU classified information for the purpose of these instructions is to be understood as

information classified and marked CONFIDENTIAL UE or its equivalent national classification. • Information generated by the beneficiaries concerned will require EU classification and

marking.

Continued on next slide

“Sensitive” Projects:Grant specificities

Annex 1 (DoW) : SAL (Security Aspect Letter – continued)

• The beneficiaries concerned must obtain the approval of the Contracting Authority before beginning negotiations with a view to subcontract.

• The Commission Security Directorate may - in co-ordination with the responsible NSA/DSA - conduct inspections at beneficiaries’ facilities concerned to verify the implementation of the security requirements for the handling of EUCI.

• The beneficiaries concerned shall report all cases of unauthorised disclosure or loss of EUCI to the responsible NSA/DSA, the Commission Security Directorate and the Contracting Authority.

• All EUCI provided or generated under this grant agreement shall continue to be protected in the event of termination of the grant agreement.

• The beneficiaries concerned shall undertake not to utilise the EUCI provided or generated, other than for the specific purpose of the grant agreement XXXXXX

• Handling and storage instructions for information classified CONFIDENTIAL UE [2]

[1] Commission Decision 2001/844/EC, Rules on Security Section 19.1[2] Idem above note 1

“Sensitive” Projects:Grant specificities

Annex 1 (DoW) : SCG (Security Classification Guide)

• Guideline for handling CONFIDENTIEL EU classified information in FP7 project (Draft)

IntroductionProduction of a classified document Anatomy of a classified document Stamping Classified digital media

The Classified Document Register – Receipt The Classified Document register – Disposal Filing & storage

Maintenance of files and folders Personal retention of documents

Reproduction Downgrading Declassification Destruction Transmission

Receipting Packaging Transmission methods Returned receipts

“Sensitive” Projects:Guidelines.

WORK IN

PROGRESS

Comment welcome

Further information

CORDIS site: http://cordis.europa.eu/fp7/security/home_en.html

Work Programme Call for proposals Guide for applicants etc.

All topics (but 7.0-4):REA-security-projects@ec.europa.eu

Demos phase 1 and 2; topic 7.0-4; Security issues:entr-security-research@ec.europa.eu