Frequently Asked Questions

Can a Civil Penalties fine be applied against me personally?

Why did DOE feel compelled to apply civil penalties against contractors?

Specifically, to what will DOE apply civil penalties?

What about "sensitive information"?

What is Section 234B?

What is a Compliance Order?

What about non-profit contractors?

Can a contractor be assessed with both a civil penalty (under 10CFR824) and an award fee reduction (under 48CFR parts 904, 923, 952 and 970) for the same violation?

Can a Civil Penalties fine be applied against me personally?

Civil penalties for failure to protect classified information will not be assessed against individual employees. Civil penalties will only be assessed against a company that has entered into a contract or agreement with DOE.

Why did DOE feel compelled to apply civil penalties against contractors?

Over the years periodic contractor lapses in adherence to processes designed to safeguard Restricted Data or other classified information have given rise to concerns about the adequacy of efforts by contractors to protect this kind of information. In order to give DOE an additional tool to assure that these processes are being followed, Congress enacted section 234B of the Atomic Energy Act of 1954. The rule grants DOE new authority to impose civil penalties for violations of DOE regulations and orders directed to the safeguarding of this kind of information, as well as confirming DOE's preexisting authority to withhold portions of a contractor's fee by reason of poor performance arising out of such violations. DOE had previously promulgated regulations specifying how it would carry out this latter authority, and today's rule specifies the manner in which it will carry out its civil penalty authority. DOE believes that this rule will assist in providing greater emphasis on a culture of security awareness in existing DOE operations, and strong incentives for contractors to identify and correct noncompliance conditions and processes in order to protect classified information of vital significance to this nation. It will also facilitate, encourage and support contractor initiatives for the prompt identification and correction of security problems.

Specifically, to what will DOE apply civil penalties?

DOE will apply civil penalties only to violations of requirements for the protection of classified information. Classified information is defined as "Restricted Data" or "Formerly Restricted Data" protected against unauthorized disclosure pursuant to the Atomic Energy Act and "National Security Information" protected against unauthorized disclosure pursuant to Executive Order 12958, as amended on March 25, 2003, or any predecessor or successor order.

What about "sensitive information"?

DOE has not included violations of requirements to protect "sensitive information" in its security enforcement process. The only exception to this is violations of requirements to protect Unclassified Controlled Nuclear Information under the procedures outlined in 10CFR1017. This approach was taken because: (1) neither statute nor legislative history defines the term; (2) there is no commonly accepted definition of "sensitive information" within DOE or the Executive Branch; and (3) in establishing the requirement for DOE to establish a civil penalties program for security violations, Congress was concerned with unauthorized disclosures of classified information.

What is Section 234B?

Section 3147 of the National Defense Authorization Act for Fiscal Year 2000 (Public Law 106-65) added a new section 234B to the Atomic Energy Act of 1954 (the Act) (42 U.S.C. 2282b). Over the years periodic contractor lapses in adherence to processes designed to safeguard Restricted Data or other classified information have given rise to concerns about the adequacy of efforts by contractors to protect this kind of information. In order to give DOE an additional tool to assure that these processes are being followed, Congress enacted section 234B of the Atomic Energy Act of 1954. This section grants DOE new authority to impose civil penalties for violations of DOE regulations and orders directed to the safeguarding of this kind of information, as well as confirming DOE's preexisting authority to withhold portions of a contractor's fee by reason of poor performance arising out of such violations. DOE had previously promulgated regulations specifying how it would carry out this latter authority, and today's rule specifies the manner in which it will carry out its civil penalty authority. DOE believes that implementation of the rule will assist in providing greater emphasis on a culture of security awareness in existing DOE operations, and strong incentives for contractors to identify and correct noncompliance conditions and processes in order to protect classified information of vital significance to this nation. It will also facilitate, encourage and support contractor initiatives for the prompt identification and correction of security problems.

Section 234B has two subsections. The first subsection, subsection a., provides that any person who: (1) has entered into a contract or agreement with DOE, or a subcontract or subagreement thereto, and (2) violates (or whose employee violates) any applicable rule, regulation, or order prescribed or otherwise issued by the Secretary of Energy pursuant to the Act relating to the safeguarding or security of Restricted Data or other classified or sensitive information, shall be subject to a civil penalty not to exceed $100,000 for each such violation. The second subsection, subsection b., requires that each DOE contract contain provisions which provide an appropriate reduction in the fees or amounts paid to the contractor under the contract in the event of a violation by the contractor or contractor employee of any rule, regulation or order relating to the safeguarding or security of Restricted Data or other classified or sensitive information.

What is a Compliance Order?

Section 161 of the Atomic Energy Act broadly authorizes DOE to prescribe regulations and issue orders deemed necessary to protect the common defense and security (42 U.S.C. 2201). 10CFR part 824 implements this authority by providing that the Secretary may issue a compliance order requiring a person to take corrective action if a person by act or omission causes, or creates a risk of, the loss, compromise or unauthorized disclosure of classified information even if that person has not violated a rule or regulation specified in Section 824.4(a) of part 824. Violation of the compliance order may also result in the assessment of a civil penalty if the order so specifies. While the recipient of a compliance order may request the Secretary to rescind or modify the compliance order, the request does not stay the effectiveness of the order unless the Secretary issues a new order to that effect. The compliance order provisions in 10CFR824.4(b) and (c) are modeled after a similar mechanism in 10CFR820, the rule implementing procedures for section 234A of the Act with respect to nuclear safety.

What about non-profit contractors?

Subsection d. of section 234B sets limitations on civil penalties assessed against certain nonprofit entities specified at subsection d. of section 234A (hereafter the "named contractors"). For each of the named contractors, the statute provides that no civil penalty may be assessed until the entity enters into a new contract with DOE after October 5, 1999 (the date of enactment) or an extension of a current contract with DOE after October 5, 1999. The statute also limits the total amount of civil penalties assessed against the named contractors in any fiscal year to the total amount of fees paid to that entity in that fiscal year. It should be noted that the limitations applicable to the named contractors also apply to their subcontractors and suppliers regardless of whether they are for-profit or nonprofit.

The fee that represents the cap for civil penalties of nonprofits will be determined pursuant to the provisions of the specific contracts covered by the limitation on nonprofits in section 234B.d.(2). DOE decided not to finalize its proposal to cap civil penalties assessed against other DOE contractors that are nonprofit educational institutions under the United States Internal Revenue Code in the same manner as penalties are capped for the named contractors. The statute identifies only the named contractors as those that should receive this treatment. While Congress gave DOE authority to mitigate civil penalties, DOE has concluded that there is not a strong enough case to warrant using that authority in a categorical fashion to cap these penalties without regard to any other consideration for contractor security violations by entities other than those that Congress determined should have their penalties capped in this fashion. Rather, DOE concluded that its mitigation authority would be better exercised on a case-by-case basis, taking into account all circumstances, both aggravating and extenuating. The final rule and enforcement policy make clear that DOE plans to exercise that authority to mitigate civil penalties based on many considerations, including an entity's financial circumstances. That should be sufficient to ensure that the civil penalty authority is not exercised in a manner that discourages non-profit institutions from seeking DOE contracts. Finally, the Departmental decision is consistent with DOE's proposed regulations for 10CFR851 to implement section 234C of the Atomic Energy Act (civil penalties for worker health and safety violations), the most recent legislation providing DOE civil penalty authority.

Can a contractor be assessed with both a civil penalty (under 10CFR824) and an award fee reduction (under 48CFR parts 904, 923, 952 and 970) for the same violation?

Yes, each of these processes will operate independently from each other and each may result in a financial impact on a contractor.