SECTION 1. PURPOSE.

.01 This Order prescribes the responsibilities that govern the management of security programs in the Department of Commerce (the Department) and outlines the preparation, issuance, and maintenance of the Department's Manual of Security Policies and Procedures (the Security Manual) that provides guidance for the administration of those security programs.

.02 This revision reflects the reorganization of designated security programs within the Office of Security (see Department Organization Order 20-6, "Director for Security").

SECTION 2. AUTHORITY.

The provisions of this Order comply with and implement applicable Executive Orders, statutes, directives, and regulations issued within the Federal Government that pertain to security.

SECTION 3. DISSEMINATION.

This Order provides for the preparation, issuance, and maintenance of the Security Manual covering policies, procedures, and responsibilities for the Department's security programs (see Section 4 of this Order). The Manual applies to all Departmental operating units, offices, facilities, employees, contractors, and associates of the Department, and others who have access to Departmental facilities, information, personnel, or information technology (IT) systems.

SECTION 4. RESPONSIBILITIES.

.01 The Director for Security is responsible for managing the Department's security programs, and:

a. Shall develop and issue the Security Manual. The Manual has the status and effect of a Department Administrative Order and covers various elements of Departmental security programs. The elements described in the Security Manual include the following:

1. Security Administration involves the planning, coordination, and implementation of security programs in the Department to protect personnel, facilities, property, information, and IT systems;

2. The Department Personnel Security program ensures that employees are suitable for employment and are trustworthy;

3. The Department Information Security program provides guidance to protect and safeguard classified National Security Information (NSI);

4. The Department Physical Security program establishes plans and procedures to review, assess, evaluate, and recommend countermeasures to ensure the physical protection of domestic and overseas Departmental assets;

5. The Department Continuity and Emergency Preparedness programs provide guidance to establish, develop, implement, and maintain preparedness plans to ensure the safety of employees, protection of facilities and their occupants, protection of other assets, and continuity of the Department's mission during any emergency situation that disrupts normal operations; and

6. The Department Investigations and Intelligence program initiates and completes complex and sensitive criminal and administrative investigative functions, as well as due diligence and exploratory inquiries across varied program areas including conducting counterintelligence investigations involving personnel (e.g., foreign national visitors), classified/sensitive information and critical programs, as well as protective intelligence investigations related to the Secretary or his designees.

b. Shall participate in and chair a Departmental Security Council consisting of representatives from each operating unit.

c. Shall establish and maintain field security offices to provide security services and support to one or more operating units in the Department. Servicing Security Offices shall be established to provide security services and support to one specific operating unit or bureau and shall be headed by a Servicing Security Officer (SSO). Regional Security Offices shall be established to provide security services and support to all Departmental organizations within a specified geographical area and shall be headed by a Regional Security Officer (RSO).

d. Shall coordinate with the Chief Information Officer to ensure that coverage of the program elements listed in subparagraph 4.01a. of this Order are appropriately addressed within the IT Security Program, and other related areas of security.

e. Shall serve as the SSO for the Office of the Secretary. (For the purpose of administering the Department's security programs, the Office of the Secretary is considered an "operating unit" and is subject to policy and procedural requirements levied on all other Departmental units.)

.02 In order to provide security services and support to a specified operating unit in the Department, each SSO shall:

a. Implement and administer the Department's security programs within one operating unit;

b. Administer a comprehensive security program within the operating unit's headquarters component;

c. Supplement, as necessary, the Department's security programs with operating unit-specific procedures and requirements, in accordance with Section 6 of this Order;

d. Coordinate with and support the RSOs who service the operating unit field offices;

e. Coordinate IT and telecommunications security matters with IT security officials as necessary within the operating unit's jurisdiction;

f. Review periodically the effectiveness of the operating unit's security programs, including areas serviced by an RSO, report findings, and make recommendations to the appropriate operating unit;

g. Conduct investigations at the request of the Director or Deputy Director for Security; and

h. Maintain liaison when necessary with local, state, and national law enforcement agencies within the local area.

.03 In order to provide security services and support to all field organizations of operating units within a specified geographical area, each RSO shall:

a. Monitor implementation of the Department's security programs within the RSO's service area of responsibility;

b. Supplement, as necessary, in accordance with Section 6 of this Order, the Department and operating unit's security programs with approved procedures and requirements to ensure the integrity and protection of operations, personnel, and information within the RSO's service area. All supplemental guidance must be approved by the Director for Security, in coordination with the appropriate operating unit;

c. Provide security guidance, service, and support to operating unit offices within the jurisdiction of the RSO;

d. Assist IT security officials within the RSO's jurisdiction on IT and telecommunications security matters;

e. Assist facility and office managers in the designation of points-of-contact to facilitate the implementation of security programs in a facility or operating unit office;

f. Coordinate as necessary with SSOs to ensure implementation of operating unit-specific security requirements at field offices within the RSO's jurisdiction;

g. Review periodically the effectiveness of security programs established by operating units in the RSO's area of responsibility, report findings, and make recommendations to facility managers, SSOs as necessary, and the Director for Security, as appropriate;

h. Conduct investigations at the request of the Director or Deputy Director for Security; and

i. Maintain liaison when necessary with local, state, and national law enforcement agencies within the local area.

.04 The head of each operating unit is responsible for ensuring the integrity of security programs, plans, and activities within the unit. To carry out this responsibility, he/she shall:

a. Ensure organizational compliance with current laws, regulations, Executive Orders, and Departmental directives concerning security requirements;

b. Designate a senior manager to represent the unit on the Department's Security Council. The names, titles, addresses, and telephone numbers of these employees shall be provided to the Director for Security.

c. Designate a qualified employee to serve as liaison to the Office of Security field offices established to support those units. Designating an employee to act as liaison will not relieve the operating unit head of his/her responsibilities for implementing security activities within their respective operating unit.

.05 Facility and senior office managers of an operating unit shall cooperate with the SSO or RSO to establish and maintain an effective security program within their facility or office. To carry out this responsibility, each facility or senior office manager shall:

a. Designate a point-of-contact within their organization to assist in carrying out security- related activities in locations where an operating unit facility or field office manager cannot maintain effective daily coordination and administration of security program activities. Each manager will provide the name, title, address, telephone number, and the designation of the area of responsibility to the appropriate SSO or RSO;

b. Monitor and coordinate the transmittal of employee, contractor, and associate security forms to the SSO or RSO;

c. Provide appropriate security reports as specified by the SSO or RSO;

d. Coordinate IT and telecommunications security matters with IT security officials within his or her jurisdiction;

e. Maintain liaison, as necessary, with local, state, and national law enforcement agencies within the local area; and

f. Coordinate the issuance of forms of identification with the operating unit offices and the appropriate SSO or RSO.

.06 Personnel serving as the point-of-contact for their operating unit's facility or office shall be responsible for the following security-related activities:

a. Plan and implement a facility or office-specific security program with emphasis on promoting security awareness to ensure that all employees and other individuals who interact with the Department are given appropriate information on security regulations and procedures; and

b. Develop and issue, as necessary, facility or office-specific security procedures and provide a copy to their facility or senior officer manager.

.07 All employees, contractors, associates, visitors, and other building occupants shall comply with Departmental and other applicable security requirements.

SECTION 5. DEVELOPMENT, ISSUANCE, AND MAINTENANCE OF THE MANUAL.

.01 The Director for Security is authorized to develop and issue the Security Manual (see paragraph 4.01a.) in accordance with DAO 200-0, "Department of Commerce Handbooks and Manuals," and DAO 200-3, "Department Administrative Order Services" (see Section 7, Handbooks and Manuals).

.02 Prior to issuance and any subsequent revisions, the Security Manual will be reviewed by the Office of Human Resources Management, Office of Inspector General, and the Office of General Counsel.

.03 The Security Manual will be posted electronically on the Department's Intranet web site. Managers, supervisors, and employees in the Department may access the Security Manual utilizing Departmental IT security safeguards to ensure operational security protection.

.04 The Director for Security will maintain the Security Manual, including preparation and issuance of the Manual and all subsequent changes.

SECTION 6. SUPPLEMENTARY REQUIREMENTS AND GUIDANCE.

Policies, procedures, or substantive written guidance developed by an SSO or RSO to implement the provisions of this Order or the authorized Security Manual, must be approved by the Director for Security prior to issuance.

SECTION 7. EFFECT ON OTHER ORDERS.

This Order supersedes Department Administrative Order 207-1, dated June 24, 1991. Nothing in this Order shall have the effect of, or be construed as, an exception to the responsibilities and authorities of the Department's General Counsel under Department Organization Order 10-6, the Department's Inspector General under the provisions of the Inspector General Act of 1978, as amended, or the responsibilities of the Inspector General under DAO 207-10.

Signed by: Director for Security

Approved by: Chief Financial Officer and Assistant Secretary for Administration

Office of Primary Interest: Office of Security