Safeguards and Security
Frequently Asked Questions
Safeguards and security (S&S) policies
and systems provide a formal, organized process
to establish the roles and responsibilities
for the U.S. Department of Energy (DOE) S&S
Program. This process facilitates planning,
performing, assessing, and improving the secure
conduct of work and protection of important
DOE assets in accordance with risk-based protection
strategies. Specific requirements for each of
the key elements are contained in their respective
programmatic Manuals. The requirements are based
on national level policy promulgated in laws,
regulations, Executive orders, and Presidential
directives and are designed to prevent unacceptable
impacts on national security, the health and
safety of DOE and contractor employees, the
public, or the environment.
The following frequently asked questions (FAQs)
are organized by the topical areas and offer
answers to recurring questions or policy clarification
requests. All FAQs can be viewed by scrolling
through the whole document or viewed by clicking
on the following topical areas:
Program Planning and Management
On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a
memorandum establishing policy panels to increase feedback from the implementers of DOE policy.
How will the PPM policy panel be organized?
The PPM panel will be a new policy panel, as there has not been a quality panel in this topical area.
Because so many possible topics fall under the broad topic of "program planning and management"
(safeguards and security planning, surveys and assessments, facility clearances and FOCI, awareness
and training, etc.), it will probably be necessary to organize sub-panels or interest groups within
the larger panel. One organization which may serve as a model is the existing Security Awareness
Special Interest Group (SASIG). The steering committee for that group also serves as the quality
panel for security awareness, and it is planned that this group will continue to fill its
traditional policy assistance role. HS-70 will provide additional information as we continue
to develop this new topical policy panel.
The terms "critical system element" and "essential element" are used in many contexts in DOE M 470.4-1,
Safeguards and Security Program Planning and Management. When these terms are used in the context of
vulnerability analyses and performance assurance program evaluations, what is the difference between
them, or are they interchangeable?
The connection between planning and the performance assurance program is important to understand.
As we plan, we have the opportunity to identify protection system elements that are of greatest
importance to the overall success of the site/facility protection system. If additional testing
of these elements, beyond that required for topical compliance, would provide additional assurance
that these elements will perform as expected, these additional tests are incorporated into a formal
Performance Assurance Program Plan. The terms "critical system element" and "essential element"
used in DOE Manual 470.4-1 Chg. 1, Safeguards and Security Protection Program Planning and Management,
to establish requirements governing this process are broadly synonymous. HSS believes that, to
eliminate confusion, it is acceptable to use a single term, "critical element," when discussing
system elements identified during vulnerability analyses that are then required to be tested under
the performance assurance program. The use of this term will be incorporated into the re-write of
DOE M-470.4-1 to replace the two existing terms.
There are all kinds of testing of security system elements required to meet compliance
requirements under Protective Force, physical protection, and other programs. Isn't the testing
required by the Performance Assurance Program (PAP) redundant?
The PAP has been established specifically to provide for additional testing above
compliance-level requirements. The purpose of testing done under the PAP is to demonstrate
effective performance of protection measures that have been determined to fall into the
category of "critical elements" as described above. Tests conducted under the PAP are
intended to ensure that all identified essential elements are performing as represented
in safeguards and security plans and in any supporting analyses for those plans.
The intent is to demonstrate that the elements identified as "critical elements", separately
and together, do in fact provide the required levels of performance.
Why should DOE field activities be required to conduct comprehensive periodic surveys of
their security activities and those of their contractors, if they and their contractors are
already subject to testing, special surveys, self-assessments of specific activities, and
reviews or inspections by other DOE elements?
The periodic survey provides an opportunity for local DOE management to form a
comprehensive view of a site's entire security posture and to understand the mutual
dependencies among the various components of its protection program. The survey is
designed to identify areas of redundancy which will allow better use of resources,
identify conflicts between components that may lead to weaknesses not readily apparent
when only one of the components is considered, and identify areas in which correction of
identified problems in one component creates unexpected performance issues in another
component. While reports of special inspections and reviews may be useful in developing
the comprehensive periodic survey and evaluating the survey results, taken individually
they do not provide the "big picture" overview of a site's security posture which allows
identification of a program's overall strengths and weaknesses and produces results which
can correct and improve the program as a whole. Even when "continuous" or "rolling"
special surveys are conducted to spread the survey activity more uniformly over a survey
period, a comprehensive review and analysis of these "point-in-time" data points should
be made to complete each required survey period to provide a truly integrated review of
site protection.
In processing a request for a facility clearance (FCL), must personnel security clearances
be in place for company officials designated as key management personnel (KMPs) before the FCL is granted?
Certain company officials must be in process or possess active security clearances in order
for a company to be eligible for an FCL involving classified information or matter or special nuclear
material (SNM). These company officials include the owners, officers, directors, partners, regents,
trustees, or executive personnel (i.e., those individuals considered to be KMPs.) The clearances
held by these individuals may be pre-existing from another classified contract, or the individuals
may be submitted for security clearances concurrently with the processing of the FCL.
Return to Top of Page
Physical Protection:
On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a memorandum
establishing policy panels to increase feedback from the implementers of DOE policy. How will the
Physical Protection policy panel be organized?
At this point we are looking to use the organization structure previously utilized on physical
protection quality panels but modified through the experience we have had in performing the zero
based policy review and it's resultant re-write of DOE M 470.4-2. This may be modified further
as we do not plan to have the number of individual policy panels as we did quality panels and
we will not be able to have as many face to face meetings. We will attempt to leverage current
technology, such as video conferencing, to have meaningful panels without the resource drain
resulting from many face-to face meetings requiring large numbers of people to travel. As this
is in the early "conceptual" stage future updates will be available upon request.
What is the most significant change in the draft DOE M 470.4-2?
The most significant change is that the manual has been reorganized into what are being referred
to as "tiers". The attempt is to have all the physical protection requirements that apply to everyone
in DOE/NNSA appear in the first tier. Sites that do not have classified documents, classified matter
or SNM would only have to apply relevant requirements in this tier, and would not need to delve
deeper into the document. The next tier would include all those requirements that apply to sites
that have classified matter and no more than CAT III SNM. These requirements as well as those for
the first tier would be what security personnel at those sites would be required to implement.
Finally the third tier would have requirements that apply only to CAT I and CAT II sites. These
major facilities would be responsible for implementing all the DOE physical protection requirements.
What are the most significant changes in DOE M 470.4-2 the requirements regarding physical protection?
The most significant changes are associated with the implementation of Homeland Security Presidential
Directive 12 (HSPD-12). In 2005 President Bush signed out HSPD-12 requiring a common identification badge
or credential for all government employees and contractors. A working group has developed DOE's
implementation plan for HSPD-12 and the draft physical protection manual has been updated as these
plans have been provided to HSS. As the technical specifications for the HSPD-12 badges have been
made public, DOE will no longer have an OUO section of the physical protection manual where these
specifications have been published in the past.
Return to Top of Page
Information Security
On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a memorandum
establishing policy panels to increase feedback from the implementers of DOE policy. How will the
Information Security policy panel be organized?
The Information Security Policy Panel (ISPP) will be divided into three separate Policy Panels:
Classified Matter Protection and Control (CMPC), Operations Security (OPSEC), and Technical Surveillance
Countermeasures (TSCM). The policy panels will be organized to provide expert opinion to the Office of
Security Policy on policy implementation issues, legal and technology factors that affect information
security policy and other relevant topics as they are identified. Temporary or permanent subcommittees
may be formed as needed to provide specific input to issues raised, and participants or topics may
span across more than one of the ISPP sub-elements as needed. HSS will attempt to leverage
technology to conduct meaningful panels without the financial and administrative burden posed by
many face-to-face meetings. Meetings may consist of teleconferences, videoconferences and in-person events.
Does the Information Security manual apply to anything besides paper documents?
Yes, the Information Security manual applies to all classified information, in all forms.
These forms include, but are not limited to paper, electronic, parts, waste, and auditory
(for example, spoken information). Although this manual provides requirements for all classified
information, there are other DOE directives that provide additional requirements for certain forms
of classified information. Two prime examples are requirements for protecting classified special
nuclear material (SNM), which are found in DOE M 470.4-2, Physical Protection and DOE M 470.4-6, Nuclear Material
Control and Accountability, and cyber security requirements (for classified information in electro
nic form), that are promulgated by the DOE Office of the Chief Information Officer (OCIO).
For information in electronic format, the Information Security manual provides general requirements
for protecting classified information that apply, and provides requirements for protecting the physical
aspects of classified (cyber) information. Please note that the following examples do not include all
relevant requirements as they are just provided here for illustration.
Examples of General Requirements:
- Classified information and matter that is generated, received, transmitted, used, stored, reproduced, or destroyed must be protected and controlled.
- Controls must be established to prevent, deter, and detect unauthorized access to classified matter.
- Classified information may be disclosed only to individuals who have appropriate access authorization for the level and category of the information involved, all required formal access approval(s), and a legitimate need-to-know.
Examples of Physical Aspect Requirements:
- All classified information systems media must be marked with the accreditation level of the information system unless an appropriate classification review has been conducted. All classified electronic storage media (ESM) must have the overall classification level and category (if RD or FRD) visible on the front and back.
- Classified Removable Electronic Media (CREM) that contain Sigma 1, 2, 14, or 15; a combination of nuclear weapons design/test data; or Top Secret or Special Access Program (SAP) matter must be separated from and not commingled with other classified information/media.
- Vaults or VTRs that are used to store ACREM must be configured to provide limited access to ACREM by only the ACREM custodian(s) or alternate ACREM custodian(s).
Why was non-standard storage deleted from DOE policy?
Current DOE policy considers non-standard storage as a deviation from required storage conditions for
classified matter since non-standard storage is not included in the current Information Security manual.
The subject of non-conforming storage is addressed in a draft revision of DOE M 470.4-4 C1, Information
Security. Generally, it recognizes that due to size, nature, operational necessity, or other factors,
certain classified matter cannot be protected by the established standards and requirements for storing
classified matter. If this draft becomes Departmental policy, it will include certain additional
requirements, but the overarching strategy would be that non-Conforming Storage must result in protection
effectiveness equivalent to that provided to similar level(s) and categories of classified matter in
standard storage configurations.
Does the Information Security manual address verbal discussion of classified information?
Yes, the Information Security manual addresses the auditory form of classified information in
Section A, Paragraph 2, which states, in part:
- Classified information and matter that is generated, received, transmitted, used, stored, reproduced, or destroyed must be protected and controlled.
- Buildings and rooms containing classified matter must be provided the security measures necessary to deter unauthorized persons from gaining access to classified matter; specifically, security measures that prevent unauthorized visual and/or aural access.
- Classified information may be disclosed only to individuals who have appropriate access authorization for the level and category of the information involved, all required formal access approval(s), and a legitimate need-to-know.
What is an "Ad Hoc Working Group" as used in the Information Security Manual?
An Ad Hoc Working Group (AHWG), in the context of the manual, is a formally defined (documented by or
in accordance with line management) group of individuals participating in a specific activity, project
or group of activities in which all members have been determined to have the appropriate access authorization,
any required formal access approvals, and need-to-know. The AHWG must have the ability to limit access to
on-line activities to only those members of the AHWG and use that ability when transmitting classified
information which is not marked as a final document. Limiting access to on-line information is essentially
a cyber security issue. Questions regarding requirements and guidance for such access limitations should
be directed to the DOE Office of the Chief Information Officer.
This terminology was developed primarily to allow a defined group of individuals the ability to work
together on draft documents without requiring any individual document to be marked as a final document
just because control of the document changed from one person to another in the same working group.
Each AHWG is required to be formally defined to increase the assurance that all marking and other
requirements are met and that individuals are accountable for classified matter entrusted to them.
What were the major changes for the Information Security manual when DOE M 470.4-4 Change 1 was published?
The manual was changed to reflect input from various field/program activities and updates CMPC
requirements. These changes were designed to allow more efficient application and management of
program resources and to provide increased flexibility in implementation of departmental security
requirements, bounded by required performance levels. Changes include:
- Requirements for protection, handling and accountability of Classified Removable Electronic Media (CREM) were changed to eliminate unnecessary resource burdens while maintaining protection and accountability by:
- modifying the number of allowable custodians/alternate custodians based on site specific procedures, operational need and associated risk;
- providing for appropriate temporary storage of ACREM when necessary;
- modifying required inventory frequency, depending on risk and other site-specific factors,
- The current Confidential Foreign Government Information-Modified Handling Authorized (C/FGI-MOD) coversheet was replaced with an updated version.
- Marking requirements for automated information system hard copy output were clarified.
- A new intelligence dissemination marking, Releasable by Information Disclosure Official (RELIDO) was added.
- Office names were changed to conform with DOE organizational changes (e.g. Office of Security to Office of Health, Safety and Security).
Regarding the reproduction section of the Information Security manual, why not just recognize
that all accountable CREM will be placed into accountability?
The associated requirement was written as a result of extensive discussions with individuals from
various sites and programs regarding their local implementations. There were occasions when it was
asserted that it was possible to copy some of the data from a piece of ACREM onto separate media in
such a way as for that new media to not contain information that requires it to be placed into accountability
and that it would not need to be marked at the accreditation level of the system where the source
ACREM resided. The expanded language in the Reproduction section is, in part, responsive to this scenario.
So, if someone creates a new piece of ACREM, he or she must place it into accountability before
writing any information to it that would make the media accountable or placing it into an information
system which is accredited for S/RD or higher. No CSA action is required in these cases. However,
to EXTRACT a file (say an unclassified document or appendix) from a piece of ACREM - to media that
will not be designated as ACREM, the process for doing so, and ensuring that ACREM is not
inadvertently created, requires Classification Officer and Designated Approving Authority
involvement and CSA approval. Please also refer to the General Requirements section in
Chapter II of DOE M 470.4-4, Chg. 1.
The Operations Security section of the Information Security manual refers to Critical Program
Information (CPI). Is this just a form of Official Use Only information?
Critical Information is not a subset of OUO or FOUO. Qualifying for either marking is not a
prerequisite for information to be Critical in this context. CPI has its basis in National Security
Decision Directive (NSDD) 298, National Operations Security Program. This information includes
specific facts about friendly intentions, capabilities, and activities vitally needed by adversaries
for them to plan and act effectively and guarantee failure or unacceptable consequences for friendly
mission accomplishment. Further, this information may be OUO, UCNI and/or classified and still
meet the CPI threshold.
If a document is received from another agency (e.g., DOD) and the classification markings
do not meet current requirements, is the receiving organization required to re-mark the document?
(Implicit in the question is that the document has been properly classified, just the marking is in question).
As long as the classification level and category is correctly marked on the document, DOE is not
required to re-mark other agency documents. If it is necessary to completely and correctly mark a
document from another agency, the other agency should be contacted regarding the marking, or the
document should be returned to that agency for correct markings. There may be cases where the
corrections are minor or the other agency has a waiver from the requirement in question. Contacting
the sender would be necessary to determine whether or not they had a waiver or how to make the
appropriate corrections to the document.
Where on NSI-only documents should we put the new "Derivative Declassifier Review Required Prior
to Declassification" stamp?
According to the Office of Classification, there is no requirement for placement of the marking.
However, for clarity, it is suggested that it be placed on the first page of the document near the
classification stamp that has the "Declassify On" line. That way it serves as a reminder that it
is not automatically declassified as it may seem to indicate. The marking should be legible and
should stand out apart from both the classifier stamp and any other text.
Return to Top of Page
Protective Force
On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a memorandum
establishing policy panels to increase feedback from the implementers of DOE policy. How will the
protective force policy panel be organized?
The Protective Force Policy Panel (PFPP) will be organized to provide expert opinion to the
Director, Office of Security Policy, on policy implementation, firearms, tactics, and other
pertinent issues relating to DOE PF programs. The PFPP will provide a forum where all PF issues,
even if they are already being considered by other entities such as working groups or quality
panels, can be addressed. The PFPP also will provide a forum and mechanism where applicable
draft and existing directives, and guidance can be addressed and reviewed. The PFPP will
consist of three standing task teams or working groups, each consisting of subject matter
experts in firearms, special response teams (SRT), and armory operations. The Protective
Forces Safety Committee (PFSC) will operate in conjunction with the PFPP. Additional working
groups will be formed as needed.
What is the status of the revision to the protective force manual?
A policy review team consisting of representatives from Headquarters and several sites has
recommended that DOE M 470.4-3 Chg 1, Protective Force, be divided into two separate manuals
addressing requirements for contractor and Federal protective forces respectively. Drafts of
both have been completed and the contractor version has been submitted to the DOE Office of
Management for final preparation for RevCom. The Federal manual, which will contain annexes
with specific requirements for the Office of Secure Transportation, the Headquarters Office
of Special Operations, and Federal Officers, is in the final stages of development.
What is the major difference between the current protective force manual and the draft
contractor protective force revision?
Specific requirements (duties, training, equipment) will be layered for each category of
PF personnel, including security officers and security police officers (Is, IIs, and IIIs)
Dedicated chapters are provided for special response teams, firearms training, firearms
operations, firearms qualifications, and operational assurance.
Will the revised protective force manual address canine operations?
Yes. The revised protective force manual establishes minimum training and testing requirements
for canine teams at Departmental facilities by adding Attachment 2, Appendix 3, Canine Program.
What is CAIRS and why is it important to protective force operations?
The DOE tracks its accidents and injuries via the Computerized Accident and Injury Reporting
System (CAIRS). The Office of Security Policy recognizes that it is not reasonable to compare
injury rates of DOE's office and production workers to those of its protective forces given the
significant differences in mission. For instance, some sites in the past have forbidden its
operating contractor personnel from running on site based on the premise that running is
inherently riskier than walking. On the other hand, protective force personnel are required
to demonstrate the ability to run in order to meet physical fitness requirements. Last year,
the CAIRS database was revised to permit the capture of protective force injury data based
upon the activity in which the individual was engaged when the injury occurred. Recently,
HSS has begun contacting selected sites to obtain data on past incidents in order to
establish an analytical baseline for comparison of like information. This reconstruction
is designed to enable the presentation of a more realistic picture of protective force
experience while the database is populated.
Return to Top of Page
Nuclear Material Control and Accountability
On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a
memorandum establishing policy panels to increase feedback from the implementers of DOE policy.
How will the MC&A policy panel be organized?
The MC&A policy panel will be a continuation of the current MC&A quality panel with emphasis
on creating new opportunities for communications between the HS-71 MC&A policy development team and
end users of MC&A policy. Face-to-face meetings will be organized similarly to current quality
panel meetings, but there will be greater use of alternative means of conducting meetings.
The goals of the panel include identification of MC&A policy issues and increasing the
effectiveness of the MC&A policy development process. The results of all teleconferences
and meetings will be compiled and appropriately distributed. The policy panel's activities
will be centrally monitored to assure continued relevance and utility.
What is a material balance?
A material balance is a calculation evaluating the physical inventory of nuclear
material actually present in an area or a facility using beginning and ending inventories
after considering transfers of nuclear material into and out of the area or facility. The
material balance results in a quantity called the inventory difference (ID) which is defined
by the following equation, commonly known as the material balance equation:
ID = BI + A - R - EI
(BI=beginning inventory; EI=ending physical inventory; A=additions to inventory; R=removal from inventory.)
For material in process, a non-zero ID is expected because of measurement uncertainties
and the nature of processing. For items in storage, a non-zero ID indicates that either
material is missing or an item has been misplaced.
What is a material balance area (MBA)?
An MBA is both a subsidiary account of the nuclear materials account for a facility and a
geographical-bounded location within the facility. MBAs are used to localize nuclear material
losses by subdividing the facility nuclear materials account into smaller units and restricting
material in these accounts to specific geographically-bounded locations and processes within the
facility. Establishing MBAs within the facility allows operations and safeguards personnel to
maintain a better idea of the types and quantities of materials present at various locations in
the facility and enhances internal control of the materials by establishing where within a
facility various types and forms of materials are authorized to be. It also allows for
administrative controls to be put in place to govern movement of materials between authorized
areas of the facility and for materials balances to be closed around areas smaller than the
facility as whole.
MBAs should be defined as geographical areas with defined physical boundaries and under
the control of one person, the MBA custodian, for MC&A purposes. Additionally, transfers
between MBAs should be based on measured values, and ideally, MBA boundaries will not cross
security area boundaries. In fact, DOE M 470.4-6, Chg1, Nuclear Material Control and
Accountability, requires that MBA boundaries not cross material access areas (MAAs) boundaries.
What is the role of ANSI/ASTM Technical standards in DOE MC&A programs?
Public Law (P.L.) 104-113, the National Technology and Transfer and Advancement Act of 1995,
requires that all Federal agencies and department use technical standards developed and adopted
by voluntary consensus standards bodies as a means to carry out policy objectives or activities
as determined by the agencies and departments. The act further states that Federal agencies and
departments shall consult with voluntary, private sector, consensus standards bodies, and shall
participate with such bodies in the development of technical standards. A copy of P.L. 104-113
can be found at www.gpoaccess.gov/plaws/104publ.html.
Consistent with P. L. 104-113, DOE M 470.4-6, Chg 1, Nuclear Material Control and
Accountability requires that DOE line management assure that technical standards developed or
adopted by voluntary consensus standards bodies, such as the American National Standards Institute (ANSI)
and the American Society for Testing and Materials (ASTM) International, are considered in development
of MC&A programs under their cognizance. The primary ANSI and ASTM standards of interest to MC&A
address measurements, measurement control programs, and SNM portal monitors. Standards addressing
these topics are listed in DOE M 470.4-7, Safeguards and Security Program References.
What is graded safeguards for MC&A?
Graded safeguards is the concept of providing the greatest relative control, accountability,
and protection for the types, quantities, and forms of special nuclear materials that can be
most effectively used in a nuclear device or easily converted to such materials. The level
of control and protection required is based on safeguards categories and attractiveness
levels of the materials, which are described below.
What are MC&A safeguards attractiveness levels?
MC&A safeguards attractiveness levels are a ranking of various types and forms of special
nuclear materials based on their usefulness in constructing a nuclear weapon or an improvised
nuclear device (IND). Generally, the attractiveness of particular physical form is based on
two factors (1) the relative ease of either directly using the material in an IND or
converting it to a usable form, and (2) any self-protecting properties of the material,
such as high levels or radioactivity, that make the material more difficult to handle or
process. Attractiveness levels range from "A" to "E," with A being the most attractive and
E being the least attractive. Attractiveness level A includes nuclear weapons and test
devices. Attractiveness level B consists of pure products (metal and directly convertible material).
Attractiveness level C consists of high grade materials that can easily be converted into B materials.
Attractiveness level D consists of materials that require greater processing time and
complexity to convert to B materials. Attractiveness level E contains other materials not
covered by attractiveness levels A through D, such as highly irradiated materials,
low-enriched uranium, and highly dilute materials (e.g. solutions less than 1gram per liter).
The Office of Health, Safety and Security in conjunction with NNSA and the weapons
laboratories are in the process of reviewing the current attractiveness levels to determine
if they need to be updated to address changing technical capabilities and/or to eliminate
ambiguities. Possible policy changes based upon this technical review are under HSS review.
What are MC&A safeguards categories?
MC&A Safeguard's categories are designations used for ranking of MBAs, facilities,
special nuclear material (SNM) items, and other collections of materials in terms of
required levels of protection, control, and accounting. Safeguards categories are based
on both the amounts of material present and the safeguards attractiveness levels of the
materials. Safeguards categories range from Category I to Category IV, with Category I
requiring the highest level of protection and Category IV the lowest. MC&A and physical
protection requirements for facilities, MBAs, and other collection of materials are based
primarily on the safeguards category of the material. In addition to attractiveness level
and quantities of material present, safeguards categories also depend on material type
(i.e., whether the material is plutonium, uranium enriched in the isotope 235, or
uranium enriched in the isotope 233). For example, 2 kilograms of plutonium metal
would be Category I quantity, but the same amount of uranium-235 contained in highly
enriched uranium metal would only be a Category II quantity. The upper and lower
safeguards category threshold quantities for the various material types and attractiveness
are defined in Table 1-4, Graded Safeguards, DOE M 470.4-6, Chg1, Nuclear Material Control
and Accountability, along with additional instructions for determining safeguards categories.
HSS, in conjunction with NNSA and the weapons laboratories, is in the process of reviewing
the current safeguards categories to determine if changes need to be made based on evolving
technical capabilities and the need for consistency with policy documents of other agencies.
Possible policy changes based upon this technical review are under HSS review.
Return to Top of Page
This page was last updated on
April 15, 2008
|
