Welcome
Portsmouth/Paducah Project Office

Welcome to the Portsmouth/Paducah Project Office Annual Security Refresher for

PPPO Mission

The mission of the U.S. Department of Energy (DOE) Portsmouth/Paducah Project Office (PPPO) is to provide management oversight and support to ongoing Environmental Management (EM) Operations at the DOE Portsmouth, Ohio, and Paducah, Kentucky sites. To facilitate this mission, the PPPO manager and key management functions are located in Lexington, Kentucky, between the Portsmouth and Paducah sites. PPPO serves as the EM line management for both Portsmouth and Paducah.

The PPPO Site Security Plan facilitates management of security assets for the PPPO operations at the Lexington Office. Site-specific Security Plans for Paducah, Kentucky and Portsmouth, Ohio are developed and implemented by the Infrastructure Contractor for Paducah and the Facility Support Services Contractor for Portsmouth, each of which is designated as the Officially Designated Security Authority (ODSA) for its site.

Every DOE or Contractor organization must appoint a Facility Security Officer (FSO) to serve as a security point of contact (POC). The FSO is responsible for administering the requirements of the Safeguards and Security Program within his or her facility in accordance with DOE requirements and the Site Security Plan.

- Contract DE-AC30-10CC40021 identifies Swift & Staley Security as the ODSA for Paducah
- Contract DE-CI identifies Wastren-EnergX Mission Support (WEMS) as the ODSA for Portsmouth

Your ODSA or FSO POC telephone numbers are listed in the site POC listing at the end of this briefing.

Course Objectives

This briefing is intended for all cleared and uncleared DOE employees, contractors, and subcontractors at the Portsmouth Site, Paducah Site, and Lexington Office.

The objectives of the 2012 Annual Security Refresher are to:
- Remind individuals of their safeguards and security responsibilities
- Promote continuing awareness of required security practices
- Help individuals maintain an appreciation for the need to protect our country's national security interests

Guidance for this briefing is in accordance with U.S. Department of Energy (DOE) Order 470.4B, Section 3, Safeguards and Security Awareness and DOE/PPPO implementing instructions. Final approval for briefing contents is given by the DOE/Oak Ridge Office, Officially Designated Federal Security Authority (ODFSA).

Individuals who possess DOE access authorizations (security clearances) shall receive refresher briefings to reinforce and update awareness of safeguards and security policies and their responsibilities
- Mandatory every 12 months
- Failure to complete the annual security refresher may result in administrative actions determined by the ODFSA to include suspension of access authorization

About the Briefing

The Annual Security Refresher is composed of the following topical areas. At the end of the briefing there will be a test from the content covered in these areas:
- Access Control
- PPPO Recognized Badges
- Badge Responsibilities
- Prohibited and Controlled Articles
- Reporting Requirements for Cleared Individuals
- Incidents of Security Concern (IOSC)
- Classified Matter/Information
- Need-to-know
- Unauthorized Disclosure
- Penalties
- Unclassified Controlled Information (UCI)
- Nuclear Material Control & Accountability
- Technical Surveillance Countermeasures, Operations Security and Cyber Security
- Hosting Foreign National Visits and Assignments and Foreign Travel
- Counterintelligence
- Escort Responsibilities
- Safeguards and Security Program

Access Control

The Portsmouth, Paducah & Lexington sites maintain General Access Areas (GAA), Property Protection Areas (PPA), and Limited Areas (LA) to protect DOE assets. Access to PPA and LA security areas requires approval in accordance with DOE Directives and site ODSA procedures.

- GAAs are designated areas that are accessible to all personnel, including the public.
- PPAs are designed to protect DOE assets and personnel, and are accessible to authorized personnel only. There are no classified holdings within this security area.
- LAs are designed to protect classified matter and Category III quantities of Special Nuclear Material (SNM). Individuals without an access authorization are not permitted within this security area unless they are escorted and have a need-to-know.

Access into security areas must be controlled in conjunction with a DOE Security Badge or Local Site Specific Only badge:
- Protective Force or authorized personnel performing visual inspection of a badge
- Automated access controls (e.g. card readers) reading an HSPD-12 badge

PPPO Recognized Badges

These badges are generally recognized by PPPO sites:
- HSPD 12 Credential or DOE Security Badge
- DOE Standard Badge for Q access authorization
- DOE Standard Badge for L access authorization
- DOE PIV (no access authorization)
- DOE Foreign National (no access authorization)
- Lexington site specific
- Paducah site specific
- Portsmouth site specific

Site specific badges may be issued to address a variety of unique local badging requirements including local site specific badge, temporary visitor badge, and foreign national badge, etc. Site specific badges are not HSPD-12 compliant.

Badge Responsibilities

Your badge must be replaced or reissued if:
- Your name changes or your physical appearance changes
- Your badge is faded or damaged
- Your clearance level changes

Badge cautions:
- It is illegal to counterfeit, alter, copy, or misuse your badge
- DO NOT use your badge for purposes other than official government business
- DO NOT wear the badge in public places
- Report the loss or theft of your badge immediately to your ODSA

Other badge reminders:
- The badge is to be prominently displayed (outermost garment, above the waist, and below the neck) at all times while on site (to include Lexington) unless prohibited by health or safety considerations
- Protect your badge from theft when you are off site
- Your badge is the property of DOE and must be returned to the ODSA if it has expired, is no longer required, or upon termination of employment

HSPD-12 Badges

During the remainder of 2012 and 2013, all employees will be issued an HSPD-12 badge, as per Homeland Security Presidential Directive (HSPD) 12 and Environmental Management Memorandum dated October 10th, 2012 titled "Office of Environmental Management Policy for Homeland Security Presidential Directive 12 Implementation."

This badge will be used for:
- Physical access to all facilities within the PPPO (PPAs and LAs)
- Logical access to unclassified information systems that support PPPO mission objectives

Your HSPD-12 badge will be of increased importance as time goes on. It will eventually be used for activities such as encryption and verification of your security clearance (if applicable). Ensure you protect your badge and associated PIN as you would protect what it replaces – an authentication token and/or your password.

Prohibited Articles

The following articles are prohibited on DOE property:
- Dangerous weapons and explosives (instruments or materials likely to cause substantial injury to people or damage property)
- Unauthorized firearms
- Controlled substances such as illegal drugs and associated paraphernalia (but not prescription medicine)
- All items that are prohibited by law

Note: Registration with the Kentucky Wildlife Management Office is required before hunting/field trials in the surrounding Wildlife Management Areas at Paducah. Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures).

Controlled Articles

You must have ODSA authorization (Portsmouth and Paducah) or Lexington Information Technology (IT) authorization prior to introducing the following controlled articles in a Limited Area:
- Personal Data Assistants (PDA)
- Laptop or palmtop computers
- Smart phone devices
- Two-way pagers
- Cell phones
- Cameras of all kinds
- Recording equipment
- Digital audio players
- Thumb and Portable Hard drives and most gaming devices (check with security)
- Alcoholic beverages

Note: Authorization is recognized by a property pass (Portsmouth) or controlled article permit (Paducah).

Reporting Requirements for Cleared Individuals

Having a DOE access authorization is a privilege not a right. In order to maintain an access authorization, the following information must be reported within 2 days verbally to your site Personnel Security Office followed within 3 days by written notification, unless otherwise instructed:
- Arrests - Report all arrests, including charges that are dismissed
- Criminal Charges - Report all criminal charges including felony, misdemeanor, public and petty offenses as defined in the statutes of any state
- Detention by Law Enforcement - Report any detention by federal, state or other law enforcement authority for violation of law. The only exception to this reporting requirement is detention for a simple traffic stop
- Traffic Violations - Report any traffic violations for which you receive a fine of $300 or more unless the traffic violation is alcohol or drug related. Any traffic violation that is alcohol or drug related must be reported regardless of the amount
- Ongoing Regular Contact with Foreign Nationals - Report employment, business & personal related associations with any foreign national or employees/representatives of a foreign-owned interest
- Hospitalization - Report hospitalization for treatment of mental illness or other mental condition; treatment for alcohol or drug abuse; any condition that may cause a significant impairment in judgment or reliability
- Bankruptcy - Report any personal or business-related bankruptcy
- Wage Garnishment - Report all wage garnishments resulting from, but not limited to, divorce, delinquent debts or child support
- Change in marital status - Report marriage or cohabitation (spouse like relationship) within 45 days
- Name Changes - Report all legal name changes within 45 days
- Change in Citizenship - If you are a U.S. citizen who changes citizenship or acquires dual citizenship
- Family Residence Change - An immediate family member assuming residence in a sensitive country

Incidents of Security Concern (IOSC)

An incident of security concern occurs any time there is a potential or actual compromise of classified or Unclassified Controlled Information (UCI) or when a security directive is violated. Incidents of security concern are actions, inactions, or events that have occurred at a site that:
- Pose threats to national security interests and/or critical DOE assets
- Create potentially serious or dangerous security situations
- Potentially endanger the health and safety of the workforce or public
- Degrade the effectiveness of the safeguards and security program
- Adversely impact the ability of organizations to protect DOE safeguards and security interests

Remember, if you observe, find, or have knowledge of, or information regarding an IOSC, you must immediately report the incident to your respective IOSC POC and/or FSO or the Plant Shift Superintendent in person or by secure means. If you discover a potential IOSC, you must take reasonable and prudent steps to contain the incident, protect the scene, and secure classified matter or UCI as appropriate.

Your ODSA or FSO POC telephone numbers are listed in the site POC listing at the end of this briefing.

Metric of IOSC

The following incidents of security concern were the most common for the Portsmouth, Paducah, and Lexington sites in 2012:
- Unauthorized electronic disclosure of Unclassified Controlled Information
- Introducing controlled item into a LA (e.g. camera cell phone, MP3, etc.)
- Circumvention of established procedures (e.g. property pass violations)
- Vandalism of Government property
- Loss of escort controls

[Chart: Total incidents for 2011; Total incidents for 2012]

Classified Matter/Information

Classified matter/information is any combination of documents or materials that needs to be protected in the interest of national security. Classification can be applied to:
- classified equipment, components, parts, tooling, gauges, liquids, powder, scrap, molds, and packaging container inserts
- classified documents, electronic media, or communications

All classified matter/information is protected according to federal statutes and Presidential Executive Orders. DOE is responsible, under the Atomic Energy Act of 1954, as amended, for classifying information and material relating to atomic energy and its use in weapons and under Executive Orders for other aspects of national security. The Atomic Energy Act of 1954 and Executive Order govern classification policy.

Classifying information establishes protective barriers that ensure that classified matter and information do not fall into unauthorized hands. Through the process of classification, we protect important information from adversaries, yet allow the same information to be used by scientists, statesmen, military planners, and others with applicable access authorization and who meet the need-to-know criterion.

Note: At Portsmouth, Paducah, and Lexington there are specific Limited Areas approved for impromptu classified discussions. Please contact your ODSA or FSO for specific locations.

Levels of Classified Matter

Classified matter/information is designated by both a classification level and a category. The classification level is based on how much our national security could be damaged if the information were to be released to unauthorized person(s). There are three classification levels:
- Top Secret (TS) - Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.
- Secret (S) - Unauthorized disclosure could reasonably be expected to cause serious damage to national security.
- Confidential (C) - Unauthorized disclosure could reasonably be expected to cause undue risk to the common defense and security and be expected to cause damage to national security.

Categories of Classified Matter

There are three categories that describe classified matter:
- Restricted Data (RD) is information that is related to the design, manufacturing, and utilization of atomic weapons; production of special nuclear material; or use of special nuclear material in the production of energy.
- Formerly Restricted Data (FRD) is information that pertains to the military utilization of atomic weapons and has been removed by DOE from the Restricted Data category.
- National Security Information (NSI) is information that requires protection in the interest of national defense or foreign relations of the United States that is not related to nuclear weapon design, manufacturing, testing, or utilization. For example, a site security vulnerability may be protected as NSI.

Access to Classified Matter

The following table illustrates the minimum clearance level required for access to each level and category of classified matter:

                Restricted Data    Formerly Restricted Data    National Security Information
Top Secret      Q                  Q                           Q
Secret          Q                  L                           L
Confidential    L                  L                           L

Access to classified matter requires an individual to have:
- Appropriate access authorization (or necessary security clearance)
- A need-to-know (which means access to classified matter is necessary to perform an official or contractual duty)

Note: Access is not obtained or granted by position only.

Protection and Control Measures

Cover sheets must be used any time a classified document is removed from a special approved General Services Administration container (sometimes referred to as a safe or repository), vault, or vault-type room. The purpose of a classified cover sheet is to prevent unauthorized visual access, serve as an immediate identifier that the attached document or material is classified, and identify the classification level of the document.

Classified cover sheets are identified as follows:

For additional protection and control measures, including training/briefing requirements, contact the site Classified Matter Protection and Control (CMPC) point of contact. Portsmouth, Paducah, and Lexington telephone numbers are listed in the POC listing at the end of this briefing.

Derivative Classifiers (DC)/Derivative Declassifiers (DD)

The following appointed positions are provided to coordinate classification activities:
- Derivative Classifiers (DC): An individual authorized to determine that matter is unclassified or classified as restricted data, formerly restricted data, and/or national security information and at what level based on classification guidance or source documents.
- Derivative Declassifiers (DD): An individual authorized to declassify or downgrade matter in specific areas based on classification or declassification guidance or source documents.

When it is reasonable to expect that documents or materials contain classified information or when regulations or other requirements apply, you are personally responsible to ensure the matter is reviewed by an approved DC or the site Classification Officer.

Portsmouth, Paducah, and Lexington Classification Officer or Classification POC telephone numbers are listed in the site POC listing at the end of this briefing.

Challenging Classification Decisions

Every employee is encouraged and expected to challenge the classification of information, documents, or material that he or she believes is improperly classified. Challenges should be directed to your site Classification Office or classification POC.

No Comment Policy

Sometimes classified information appears in the public domain (e.g. newspapers, websites, speeches, etc.). If approached about the disclosed classified information, do not comment on accuracy, classification, or technical merit.
- Individuals are prohibited from commenting on classified information in the public domain
- Avoid using the phrase "no comment" because its use may implicitly reveal classified information
- Appearance in the public domain does not declassify the information

Your Responsibility

Each employee is responsible for having documents and material reviewed by a DC for classified information prior to dissemination to uncleared individuals by physical or electronic means. Types of Documents to be reviewed include:
- Information pertaining to Gaseous Diffusion Technology/Processes or Work for Others
- Newly generated documents or material prepared in a potential classifiable subject area
- Existing unmarked documents or material that an employee believes may contain classified information
- Existing documents or material that an employee believes may contain information classified at a higher level or more restrictive category
- Documents or material in a potential classified subject area intended for public release (web page, Congress, press release) must be reviewed by the site Derivative Classifier
- Newly generated documents that contain extracts from an existing classified document (e.g. chapter or appendix) must be reviewed by a DC. If the extract is found to be unclassified then an additional review by a Derivative Declassifier is required

Need-to-Know

If an individual needs to know information in order to perform an official or contractual duty, they may have access to that information. Access to classified information requires the appropriate DOE access authorization AND the need to know to perform an official duty.

Does that person require this information to do their job?

Unauthorized Disclosure

Unauthorized disclosure is any communication or physical transfer of classified matter or Unclassified Controlled Information (UCI) to an unauthorized recipient.

Concerning classified matter, unauthorized disclosure:
- Always occurs when the recipients do not have the appropriate access authorization and the need-to-know
- Can occur when an individual intends to transfer or transmit classified matter
- Could potentially cause damage or irreparable injury to the United States, or could be used to advantage by a foreign nation

Penalties

There can be potential penalties for mishandling classified information or other sensitive information such as:
- Termination of access authorization
- Removal from any position of special confidence and trust requiring a clearance
- Termination of employment
- Prosecution
- Monetary fines

Penalties

Civil penalties for contractor violations of classified information are issued in accordance with Title 10, Code of Federal Regulations Part 824 (10 CFR Part 824). This CFR was published by the Department of Energy (DOE) to implement Section 234B of the Atomic Energy Act of 1954, 42 U.S.C. 2282B.

Section 234B stipulates that a contractor or subcontractor to the DOE who violates any rule, regulation, or order relating to the safeguarding or security of Restricted Data, other classified information, or sensitive information shall be subject to a civil penalty (fine) not to exceed $110,000 per offense.

In publishing 10 CFR Part 824, DOE has determined that civil penalties under Part 824 will only be assessed for violations of requirements for the protection of classified information (Restricted Data, Formerly Restricted Data and National Security Information). The rule does not include civil penalties relating to failure to protect sensitive but unclassified information.

Unclassified Controlled Information (UCI)

UCI is broadly defined as information that may be exempt from public release either by statute, or under the Freedom of Information Act and for which disclosure, loss, misuse, alteration or destruction would adversely affect national security, government interests, or personal interests.

There are four basic types of UCI most addressed at the sites:
- Official Use Only (OUO)
- Personally Identifiable Information (PII)*
- Unclassified Controlled Nuclear Information (UCNI)
- Export Controlled Information (ECI)**

Note: An uncleared person may be granted access to Unclassified Controlled Information (UCI) if that person has a need-to-know the specific information in the performance of official or contractual duties.

* PII is marked and protected as OUO, FOIA Exemption 6, Personal Privacy
** ECI is dual marked ECI and OUO, FOIA Exemption 3, Statutory Exemption

Protecting UCI

UCI must be protected from unauthorized disclosure. UCI stored within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided). When working with UCI from home or in transit, the above protection requirements are the same.

Transmission of UCI

The number one security incident at the sites is transmitting UCI by unsecured or inappropriate methods. Follow the guidelines listed here when transmitting UCI:
- Transmission by E-mail: UCI should be encrypted when electronically transmitted outside the site's network. Encryption should be accomplished by using Entrust for e-mail. If Entrust is unavailable then password protect (excluding UCNI, which is not accredited on PPPO systems)
- Transmission by Fax: When faxing UCI (excluding UCNI, which must be sent via a secure telephone facsimile), the sender must contact the recipient prior to faxing the UCI document. The sender is responsible for making a follow-up call to confirm that the entire UCI document was received
- Transmission by Mail Off site: Place documents in a sealed opaque envelope or wrapping, stamp or write the words "To Be Opened by Addressee Only." The document can be mailed First Class, Express, Certified or Registered Mail or sent via any commercial carrier and must contain a return address
- Transmission by Mail On site: Place documents in a sealed, opaque envelope or wrapping, stamp or write the words "To Be Opened by Addressee Only"

Note: Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures).

Official Use Only (OUO)

To be identified as Official Use Only (OUO), information must be unclassified and meet both of the following criteria:
- Has the potential to damage Governmental, commercial, or private interests if released to persons who are not authorized
- Falls under one of the Freedom of Information Act (FOIA) exemptions

Note: Any Federal or contractor employee with cognizance over the information may make OUO determinations for unclassified documents.

Making OUO Determinations

The determination of OUO is based on either:
- Guidance
  - Approved by the HS-60
  - Issued by the HS-60, a program office, or DOE/NNSA contractor
or
- An individual evaluation (opinion)
  - Release could cause damage
  - Falls under a FOIA exemption

Guidance for Identification of Personal Privacy is located in DOE Order 206.1, Department of Energy Privacy Program and The Privacy Act of 1974 (5 U.S.C. 552a)

CG-SS-4

OUO Determination Tree

[Flowchart: OUO Determination Tree. Begin here: "Potential OUO". Decision boxes: "Could the release of this information cause damage to governmental, commercial, or private interests?"; "Is the information OUO by classification guide topic, CG-SS-4?"; "Does the information fall under a FOIA exemption?". Branch labels: Yes, No. Outcomes: "Mark as OUO"; "Not OUO".]

Exemptions

Once information is determined to be OUO, potential exemptions to the Freedom of Information Act (FOIA) must be chosen. If no exemption is viable then the information cannot be OUO.

[Flowchart: decision box "Information is OUO" with Yes and No branches. Boxes: "Choose a FOIA exemption 3 through 9"; "No Marking or Protection required. This information will still require a classification review prior to releasing to the public".]

Note: Exemption 2-Circumvention of Statute for OUO was deleted and should no longer be used. For previous determinations of OUO where exemption 2 was used, the following exemptions may be applied: exemption 7 (Law Enforcement), exemption 4 (Commercial Proprietary), and exemption 5 (Privileged Information).

Exemption Numbers and Categories for OUO

- 3 - Statutory Exemption
  - CRADA Information
  - Export Controlled Information
  - Taxpayer Identification Numbers
- 4 - Commercial/Proprietary
  - Trade Secrets (e.g. Coca Cola Formula)
  - Financial Data (e.g. income, profits, losses)
  - Business Plans (e.g. contract proposals)
  - Cost Data
  - Government Credit Card Numbers
- 5 - Privileged Information
  - Recommendations (e.g. budget cuts)
  - Evaluations
  - Appraisal Results
  - Drafts of New Policies
  - Attorney-Client Exchanges
- 6 - Personal Privacy
  - Medical Condition/History
  - Marital Status
  - Personally Identifiable Information (e.g. Social Security Number, birth date, place of birth)
  - Unlisted Home Phone Number
- 7 - Law Enforcement
  - On-going Investigative Reports
  - Reports which would Impair Impartial Adjudication
  - Confidential Sources
  - Security Plans (e.g. OPSEC Plan, TSCM Plan, etc.)
- 8 - Financial Institutions
  - Reports on the Financial Condition of a Bank
- 9 - Wells
  - Resource Maps
  - Well Head Analysis

Marking OUO

The employee making the determination must ensure that the front of each document has an exemption stamp designating the FOIA exemption number and related category name. Also, the words "Official Use Only" (or "OUO" if space is limited) are placed on the bottom of each page or, if more convenient, on just those pages containing OUO information.

[Figure: sample of front page marking, showing the Exemption Stamp and the OUO Stamp ("OFFICIAL USE ONLY")]

Filling Out Exemption Stamp

Steps to filling out exemption stamp (or notice) based on classification/control guides:
- Fill in the exemption number and category
- Name and organization
- Date of determination
- Short name of guide, source, and date of guide

Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site.
- Exemption number and category: 7, Law Enforcement
- Name and organization: Jane Doe/WEMS
- Date of determination: 07/02/2004
- Guide: CG-SS-4, DOE OC, June 2002

Filling Out Exemption Stamp

Steps to filling out exemption stamp (or notice) based on individual evaluation (opinion):
- Fill in the exemption number and category
- Name and organization
- Date of determination
- Enter N/A if guidance is not used

Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site.
- Exemption number and category: 6, Personal Privacy
- Name and organization: John Smith/WEMS
- Date of determination: 07/02/2004
- Guide: N/A

E-mailing OUO

If e-mail is OUO:
- First line in the body of the e-mail must say "Official Use Only" before text

If attachment is OUO:
- The first line in the body of the e-mail should say "Document attached contains OUO information. When separated from attachment, this e-mail is not OUO"
- Attachment must also be marked appropriately

If transmitting outside of firewall:
- PPPO federal and contractor employees are encouraged to encrypt their e-mails prior to transmittals (Entrust is the software that is used for encryption)
- If Entrust is unavailable, then take other measures to send securely such as password protecting Word or PDF documents
- Contractors must check site procedures before using password protect option

Using Entrust to Encrypt E-mails

Step 1: Login to Entrust
- Select your user profile name
- Type in password

Step 2: Encrypting
- Select Express from Outlook tool bar
- Select Encrypt

Step 3: Confirm encryption
- Ensure that the Encrypt message is selected
- Once confirmed, select OK

Depending on the version of Entrust used at your site, there may be minor differences in the way the software looks and operates. Contact your Information Technology or Cyber Security group with any questions.

Personally Identifiable Information (PII)

Personally Identifiable Information (marked and protected as OUO, Exemption 6, Personal Privacy) is defined as any information collected or maintained by the Department, contractors or subcontractors, about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother's maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual.
- Employees are required to prevent the unauthorized breach of PII
- Upon discovery of data breach involving PII, employees must immediately notify their respective ODSA and/or FSO

Note: PII stored on laptops and removable media (CD ROMs, thumb drives) must be encrypted. If PII is no longer required, it must be deleted.

Requirements for identification of PII are located in DOE O

Export Controlled Information (ECI)

ECI includes many nuclear technologies restricted by Federal regulations from export to foreign entities. ECI restrictions may be imposed by the U.S. Department of Energy, Department of Commerce, or Department of State. Even if the matter is not classified, it still must not be exported to foreign entities without appropriate approvals.

PPPO operations involve ECI, especially regarding gaseous diffusion and DUF6 conversion technologies. Prior to engaging in decontamination and decommissioning (D&D) and disposal of scientific and technical equipment, contact the ECI POC and/or ODSA or FSO for review requirements prior to release or disposal.

Requirements for identification, protection and control of ECI are located in US DOE Guidelines for Export Control and Nonproliferation dated July

Portsmouth, Paducah, and Lexington ECI POC telephone numbers are listed in the site POC listing at the end of this briefing.

What qualifies as ECI? (continued)

ECI includes commodities, technology, and software.

Commodities are tangible assets such as materials (e.g., metals, chemicals) and equipment (e.g., industrial equipment, electronic equipment, nuclear test equipment).
Technology is information necessary for the development, production, or use of a product. This can include technical data or technical assistance in the form of blueprints, diagrams, engineering designs and specifications, manuals and instructions, and training.
Software includes commercial off the shelf (COTS) applications and applications developed in-house that directly relate to the development, production, or use of a product.
What is an export? (continued)

An export is the sending of export controlled items (e.g., information, technology, material) outside of the United States in any manner (e.g., physical shipment, e-mail, website).
– An export occurs from within the United States to a foreign country.

A deemed export is the release of technology or source code to a foreign national within the United States in any manner (e.g., physical shipment, e-mail, website).
– A deemed export occurs completely within the United States.

A re-export occurs when an item controlled under United States export law is shipped from a foreign country to another foreign country.
– A re-export occurs completely outside of the United States.
Authorization to export? (continued)

10 CFR and.8 allow for an authorization to export to be granted as long as a specific approval process is followed by the party who wishes to export the commodity, technology, or software in question.

The authorization is a time-intensive and politically sensitive process which requires concurrence from the Department of State, and consultation with the Nuclear Regulatory Commission, Department of Commerce, and Department of Defense.

An application for export authorization may be submitted through the Secretary of Energy's Office.

Contact your ECI POC as far in advance as possible if an export, deemed export, or re-export is required.
What are the penalties? (continued)

In the event of an illegal export:

Administrative or criminal penalties may be levied against a company or an individual depending on the seriousness of the offense and whether the export was willful or negligent.
Administrative penalties can result in up to ten (10) years in prison and fines of up to $250k per offense, depending on which agency has regulatory oversight of the item(s) in question.
Criminal penalties can result in up to life in prison and fines of up to $1m per offense, depending on which agency has regulatory oversight of the item(s) in question.
Department of Commerce, Department of State, Department of Energy, and Department of Treasury can all levy fines depending on the item(s) in question.
Unclassified Controlled Nuclear Information (UCNI)

UCNI is certain unclassified information about nuclear facilities and nuclear weapons that must be controlled because its unauthorized release could have a significant adverse effect on the national security or public health and safety.

The Director, Office of Classification (OC), decides what specific information is UCNI. UCNI Reviewing Officials use guidance to decide if documents contain UCNI. Any document that may contain UCNI must be reviewed by a UCNI Reviewing Official to determine if it contains UCNI.

Note: PPPO information systems are not accredited for UCNI. Therefore, UCNI may not be generated, processed, or stored on any PPPO information system components (e.g., workstations, laptops, flash drives, CD/DVDs).

The PPPO sites have existing UCNI specifically related to gaseous diffusion technologies. Intentional or inappropriate release of UCNI may result in civil or criminal penalties.

Guidance for the UCNI program can be referenced in:
Section 148, Atomic Energy Act of
CFR Part 1017, Identification and Protection of Unclassified Controlled Nuclear Information
DOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information
Handling, Storing, Copying, and Destroying of UCI

Handling UCI requires taking reasonable precautions to prevent unauthorized access (ensure the need-to-know)
Storing of UCI within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided)
Storing of UCI at home or during transit must be under control at all times or in a locked room, receptacle, or briefcase
Copying of UCI requires no permission; however, print only the minimum number of copies needed, and mark and protect appropriately
Destroying of UCI is accomplished by using a shredder (¼ wide strip-cuts) or by other site approved methods (e.g. shred bins)
Destruction of UCI outside of the workplace (e.g. home, travel) requires the above shredder requirements (¼ wide strip-cuts). If not available, protect UCI until you return to the office
Nuclear Material Control & Accountability (NMC&A)

The purpose of NMC&A is to control and account for nuclear materials. NMC&A combined with physical security of nuclear materials is the "Safeguards" of Safeguards and Security.

Portsmouth and Paducah have a large inventory of UF6 including low enriched, normal (.711%), and Depleted (<.710%) UF6. Additionally, the sites have uranium compounds in the lab in the form of samples and some quantity of low enriched non-UF6 in the form of Process Gas dust, trap material, oxides, contaminated scrap, etc.

Graded Safeguards Table

In security terms, the nuclear materials at Paducah are considered Category IV Attractiveness Level E, which is the lowest grade safeguard category and attractiveness level. Most of the Portsmouth inventory is also Category IV, but also has some Category III Attractiveness Level C material. Access to Category III Special Nuclear Material (SNM) requires an L or Q access authorization.
Technical Surveillance Countermeasures

TSCM is an electronic counterintelligence program designed to detect, deter, isolate and nullify technical penetrations and technical security hazards. These technical penetrations and security hazards are used to gain unauthorized access to classified information, unclassified controlled information, or personal information and range from simple mechanical to sophisticated electronic and fiber-optic techniques.

The more common techniques include hidden audio and radio frequency (RF) transmitting devices (microphones), telephone bugging equipment, and visual tools such as binoculars, telescopes, mini cams and fiber optic cameras. The sale of these devices is not restricted. They are readily available to anyone on the commercial market.

If you discover what you consider to be a technical surveillance device, immediately cease all activity in the area as discreetly as possible
Do not voice the discovery within the immediate area, which includes the suspect room and all other rooms that are above, below and adjacent to it
Secure the room and do not touch or remove the device
Immediately notify your TSCM POC via secure communications, outside of the area where the suspected device has been found. During off-shift hours notify the Plant Shift Superintendents Offices.

Note: Any action related to TSCM information or possible vulnerability should be safeguarded at the highest level of classification approved for that area.
Operations Security (OPSEC)

OPSEC is a process focused on protecting critical and sensitive information by:
Identifying threats and vulnerabilities which can be exploited by an adversary
Identifying and assessing the risk
Developing and implementing countermeasures

The principles of OPSEC are based on asking five questions:
What information do you want to protect?
Who wants your information?
How is your information vulnerable?
What is the risk for your information?
How can you protect your information?

OPSEC: How can I do my part?
Use strong passwords to access your government computers
Destroy Unclassified Controlled Information (UCI) in an approved strip shredder
Do not transmit sensitive information without following proper security procedures
Do not discuss UCI or classified information in public
Guard against phone calls seeking personal and sensitive information
Use appropriate markings on UCI and classified correspondence
Be aware of possible ways in which an adversary can collect information in an open environment (e.g. overheard conversations, notes left in open vehicles, etc.)
Be mindful of the information posted on social networking sites
Utilize the OPSEC Working Group for assistance during the initial stages and throughout project planning
Cyber Security

The Information Technology (IT) Program establishes requirements for protecting DOE electronic information and information systems in accordance with the Program Cyber Security Plan (PCSP). These requirements include provisions for ensuring that the protection is commensurate with the risk and damage that could result from the loss, misuse, disclosure or unauthorized modification of information that is processed, stored or transmitted using DOE information systems.

Unclassified computer systems MUST NOT be used to process classified information. Always check with a DC before initiating a document related to a classifiable subject area.
Classified information must be processed ONLY on accredited information systems in a designated security area, such as a Limited Area. If you require access to a classified computer, contact the site Cyber Security POC or ODSA.
UCI must be processed according to site level requirements. PPPO systems are not approved for UCNI.

There are some basic principles to follow when using e-mail systems at work.
Handle e-mails from an unknown source cautiously. Ensure the sender is a reliable source before clicking on a link embedded in the e-mail.
Do not open or reply to suspicious e-mails
Permanently delete from your inbox
Notify Cyber Security POC if assistance is needed
Hosting Foreign National Visits and Assignments

DOE is a world leader in developing and advancing new technologies requiring international scientific and technical collaboration with foreign nationals.

Hosting foreign nationals at DOE facilities and/or discussing DOE information, technology, or programs off site requires multiple subject matter expert reviews and approval by an authorized approval authority. Hosting requirements are identified in DOE Order 142.3A, Unclassified Foreign National Visits and Assignments Program.

Visit requests should be submitted to the site ODSA or Lexington FSO 90 days in advance.
Providing any DOE program information to a foreign national, on site or off site, must be preceded by a security plan unless the information is available to the public at large.
If planning to host foreign nationals in support of DOE business operations, on site or off site, your site Foreign National Visits POC can provide detailed documentation and approval guidance which includes the required Host Training provided from the Office of Counterintelligence.

Portsmouth, Paducah, and Lexington Hosting Foreign Nationals POC telephone numbers are listed in the site POC listing at the end of this briefing.
Foreign Travel

Notify the foreign travel point of contact prior to travelling to a sensitive country
The listing for sensitive countries is maintained at the site ODSA and is available upon request
If the country is sensitive, a pre-travel briefing must be provided by DOE Counterintelligence
All official travel must be reported even if travel is to a non-sensitive country

Portsmouth, Paducah, and Lexington Foreign Travel POC telephone numbers are listed in the site POC listing at the end of this briefing.
Counterintelligence (CI)

PPPO Counterintelligence activities are supported by the DOE Office of Intelligence and Counterintelligence, Oak Ridge Field Office (ORFO). All questions on this topic should be directed to:
Portsmouth: Mark Allen at (270) or (859), or Dale King at (740)
Paducah/Lexington: Mark Allen at (270) or (859)
Note: ORFO CI Organization can be contacted at (865)

Counterintelligence is information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for, or on behalf of foreign powers, organizations or persons, or international terrorist activities, but not including personnel, physical, document, or communications security programs.
Executive Order 12333, December 4, 1981, "United States Intelligence Activities"
CI Program Priorities

The priorities of the ORFO are as follows: Nuclear Security Counterterrorism Economic Espionage – Protected Technologies Cyber CI Threat Protect Science and Technology Counterintelligence Insider Threats Foreign Travel Programs Foreign Visits and Assignments

All potential espionage or terrorism related concerns should be promptly reported to the ORFO. All reports made to this office are held in strict confidentiality.

Please visit the ORFO website at for specific program information, detailed reporting requirements, foreign travel and visit information, and more.
CI Insider Threat Indicators

Cyber Insider Indicators
Unusual surfing habits
Unusual network traffic
Misconfigured systems
Unauthorized modems or sniffers
Hidden or unexplained accounts
Attempts to install software not approved for the computing environment
Excessive login attempts
Unusual file server access
Attempts to circumvent security procedures
Unusual questions about vulnerabilities, policies, procedures, or configurations
Unusual interest in penetration testing or vulnerability assessment of networks
Serious vulnerability that remains uncorrected
Refusal or resistance to fixing external vulnerabilities
Documents staged for removal
Unsolicited e-mail
Spoofed e-mail addresses
Suspicious links or attachments
Network scans
Malicious code attempting external communications
Unauthorized File Transfer Protocol (FTP) or web servers
Attacks on network security infrastructure
Beaconing activity
Files compressed and staged for removal
CI Insider Threat Indicators (cont.)

Espionage Indicators
Unexplained affluence
Failing to report overseas travel
Unexplained travel
Unexplained absences
Showing unusual interest in information outside of responsibilities
Unusual work hours
Taking classified or sensitive material home
Unreported contact with foreign government, military, or intelligence officials
Attempting to gain access without the need-to-know
Excessive use of copy machines
Unwillingness to take vacation
Resistance to sharing duties or separation of duties
Exploitable conduct
Unexplained or extensive technical computer-related knowledge

More information is available on the DOE Counterintelligence website or call
Recruiting Methods

How do Intelligence Officers identify potential sources?
Visits to the U.S., especially hosted visits
American travelers to foreign countries
International conferences, conventions, seminars and exhibits
Professional associations and publications
Collaborative research and development
Unsolicited requests for information (they want to see who responds)

Foreign intelligence officers do not typically obtain information themselves. They recruit citizens from a target country who have legitimate access to the information being sought.
They will attempt to "fill a void" or "meet a need" in the target's life
They will ask for something and probably provide something in return
The sensitivity or perceived value of the information requested will increase over time
Insider Threat

The insider threat is identified as one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise giving them opportunity to exploit the vulnerabilities of that entity's security, systems, services, products, or facilities with the intent to cause harm.

An insider could be a current or former employee, contractor, vendor, or visitor. They are oftentimes people placed in a position of trust. In fact, most spies in the U.S. once held a security clearance.

An insider threat could be anyone
Foreign Intelligence Collecting

Various kinds of information can be gathered through secret or covert methods. While some information is indeed collected through clandestine operations, others can be gathered by widely available means. These are commonly called the intelligence collection disciplines or the "INTs":

Human Intelligence (HUMINT) is the collection of information from human resources (e.g., interviews, social engineering, etc.)
Signals Intelligence (SIGINT) is the collection of information by intercepting electronic signals between two parties
Imagery Intelligence (IMINT) is the collection of information through photos (e.g., via satellites)
Open-Source Intelligence (OSINT) is the collection of information generally available to the public (e.g., newspapers, internet, TV, etc.)

Intercepting Signals
Security Condition Threat Level

The security readiness state is reflected in the following SECON levels when conditions reflect a risk of terrorist activity, continuity conditions, environmental, and/or severe weather conditions.

SECON 1: Severe Condition
SECON 2: High Condition
SECON 3: Elevated Condition
SECON 4: Guarded Condition
SECON 5: Low Condition

Personnel will be alerted to changes in the security conditions over the plant PA system and through appropriate security and emergency management staff.

The Deputy Secretary of the DOE establishes the Security Condition (SECON) levels. The SECON levels reflect a multitude of conditions that may adversely impact Departmental and/or site security to include terrorism, continuity conditions, environmental (e.g., fire, chemical, radiological, etc.) and/or severe weather conditions.
Terrorist Threat

Terrorism remains a threat to the security of the homeland. The Department of Homeland Security (DHS) implores all Americans to share responsibility for the nation's security.

"See Something, Say Something" is a nationwide campaign program designed to raise public awareness for indicators of terrorism and violent crime, and to emphasize the importance of reporting suspicious activity to the proper state and local law enforcement authorities.

Report suspicious activity to ODSA, PSS, or call local law enforcement.
Active Shooter

An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area. Active shooters use guns and there is no pattern or method to their selection of victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on scene, individuals must be prepared both mentally and physically to deal with an active shooter.

How to Respond:
Evacuate: Take note of all exits in your facility
Hide: Stay out of the shooter's view. If you are in an office, lock the door or block entry
Take Action: As a last resort, attempt to subdue the active shooter. When the active shooter is at close range and you cannot flee, your chance of survival is much greater if you try to incapacitate him/her

Call or (Portsmouth) or (Paducah) on a cell phone when it is safe to do so!
Escort Responsibilities

Responsibilities for escorting into the Limited Area:
Ensure that appropriate measures are taken to prevent a compromise of classified matter and/or Special Nuclear Material (SNM)
Maintain continuous visual and unaided voice and/or physical control of escorted individual(s)
Ensure that escorted individual(s) have a need-to-know for the security area they are entering
Verify and maintain escort ratio: Portsmouth and Paducah standard ratio is one (1) escort to every four (4) visitors/employees
Prominently display the yellow escort badge (if applicable) on outermost garment, above the waist and below the neck, identifying that uncleared individuals are present
Prior to escorting, verbally challenge escorted individual(s) on whether they possess any controlled or prohibited articles (e.g. camera cell phones, thumb drives, etc.)
Ensure full compliance with site specific security requirements, plans, and procedures
Ensure that access authorization is commensurate with the security area being entered
Safeguards and Security Program

To ensure appropriate security measures and avoid project delays, the PPPO management expectations are as follows: the Safeguards and Security considerations, which include NMC&A, are thoroughly integrated with all aspects of mission accomplishment, including all topical areas of safeguards and security (e.g. personnel, physical, information, nuclear safeguards) and related cross-cutting areas (e.g. cyber security, export control, classification, foreign visits and assignments and foreign travel). This integration will ensure the adequate protection of DOE assets (e.g. classified matter, unclassified controlled matter, and government property).
Safeguards and Security Program

The Safeguards and Security Program ensures that the Department of Energy efficiently and effectively meets all its obligations to protect Special Nuclear Material, other nuclear materials, classified matter, sensitive information, government property, and the safety and security of employees, contractors, and the general public.

The program helps to:
Identify what needs to be protected
Establish clear roles and responsibilities
Implement DOE requirements through line management
Establish oversight programs to assure requirements are implemented
Seek and implement continuous improvement

The Safeguards and Security Program incorporates the following principles:
Integration of Safeguards and Security with all aspects of mission accomplishment
Protection requirements are commensurate with the consequences of loss or misuse of the protected asset
Responsibility for the implementation of protection measures resides with DOE line management elements responsible for mission accomplishment
Authority is delegated to appropriate levels to promote efficiency and effectiveness
Summary

Having a DOE access authorization is a privilege, not a right. You may have been recognized and entrusted by the U.S. Government to protect and handle classified matter; therefore, it is your responsibility to follow DOE requirements as well as site plans and procedures. Failure to adhere to these security requirements could potentially cause damage to governmental, commercial, or private interests.

Ensure classified information and UCI are appropriately protected and controlled
Ensure need-to-know criterion for both classified and UCI is met prior to providing anyone access. In addition, the recipient of classified information must possess the appropriate access authorization
Ensure any document prepared in a potentially classified subject area is reviewed by a DC or the site Classification Officer BEFORE publication and distribution
Know the security requirements for the area(s) you work in or visit, and follow site guidance for prohibited and controlled items
Know the reporting requirements
Contact your respective ODSA for guidance or questions regarding any security-related matter (e.g. physical, cyber, personnel, information, classification, protective force, etc.)
Portsmouth Security Points of Contact Listing

This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the WEMS security office.

Emergencies at Portsmouth or 911 (plant phone)

Classification Officer and POCs Physical Security Henry Thomas John Jordan Classified Matter Protection and Control (CMPC) Jim Sevens Wayne Conley John Zangri Technical Surveillance and Countermeasures (TSCM) Jim Dixon Wayne Conley Rachel Stroth Unclassified Controlled Information (UCI) Rich Kielmar Wayne Conley Jim Snodgrass Dave Davis Hosting Foreign Nationals Cyber Security Wayne Conley Brian Kirkendall Counterintelligence POC Operations Security (OPSEC) Dale King (Primary) Rachel Stroth Mark Allen (Alternate) / Visitor Control Reporting Incidents of Security Concern Erica Wiley Wayne Conley Jim Sevens Export Controlled Information (ECI) Jim Dixon Dan Hupp Waste, Fraud, and Abuse Enforcement Coordinator Jim Sevens Dan Longpre WEMS Security Manager Foreign Travel POC Rick Coriell Wayne Conley Personnel Security Office Site FSOs Megan Bach Wastren-EnergX Mission Support (WEMS) Rick Coriell Linsay Ward Fluor B&W Portsmouth (FBP), Troy Ayres Dana Kirkman Restoration Services Inc. (RSI), Rick Ferguson Lock Smith B&W Conversion Services (BWCS), Beth Keener Jim Snodgrass The American Centrifuge (USEC, Inc.), Angela Wright Jim Dixon
Paducah Security Points of Contact Listing

This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the SST security office.

Emergencies at Paducah or 333 (plant phone)

Classification Officer and POCs Physical Security Jackie Thompson Dusty Alexander Classified Matter Protection and Control (CMPC) Jeff Harris Melissa Howell Brad Nall Chuck Moreland Cyber Security Technical Surveillance and Countermeasures (TSCM) Bill Offner Melissa Howell Operations Security (OPSEC) Dusty Alexander Melissa Howell Unclassified Controlled Information (UCI) Kara Doughty Jackie Thompson Jeff Harris Melissa Howell Visitor Control Hosting Foreign Nationals Kara Doughty Kara Doughty Betty Hart Betty Hart Terri Dorris Terri Dorris Ronda Hays Counterintelligence POC Export Control Information (ECI) Mark Allen Jackie Thompson Reporting Incidents of Security Concern Melissa Howell Charlie Cobb Enforcement Coordinator Chuck Moreland Dusty Alexander Melissa Howell Foreign Travel POC Jeff Harris Kara Doughty Kara Doughty Betty Hart Swift & Staley Inc., Security Manager Terri Dorris Charlie Cobb Site FSOs Personnel Security Office Swift and Staley Inc., (SST) Charlie Cobb Kara Doughty LATA of Kentucky, Inc., (LATA) Tim Fralix Betty Hart B&W Conversion Services (BWCS), Mike Stanley Terri Dorris Locksmith Jeff Harris Bobby Harris Phillip Easley
Lexington Security Points of Contact Listing

This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the PPPO FSO.

Classification Officer and POCs Physical Security Larry Sparks DOE/ORO Mark Allen DOE/PPPO/FSO / Mark Allen DOE/PPPO FSO / Sammy Bell PRC/DOE Classified Matter Protection and Control Cyber Security Mark Allen DOE/PPPO FSO / James Woods DOE/PPPO Sammy Bell PRC/DOE Abe Getchell PRC/DOE Technical Surveillance and Countermeasures (TSCM) Operations Security (OPSEC) Sammy Bell PRC/DOE/POC Abe Getchell PRC/DOE Mark Allen DOE/PPPO FSO / Visitor Control Unclassified Controlled Information (UCI) Abe Getchell PRC/DOE Mark Allen DOE/PPPO/FSO / Foreign Travel POC Sammy Bell PRC/DOE Mark Allen DOE/PPPO/FSO / Abe Getchell PRC/DOE Sammy Bell PRC/DOE Hosting Foreign Nationals Counterintelligence Mark Allen DOE/PPPO/FSO / Mark Allen DOE/PPPO/FSO / Sammy Bell PRC/DOE Reporting Incidents of Security Concern Waste, Fraud, and Abuse/Enforcement POC Mark Allen DOE/PPPO/FSO / Rachel Blumenfeld DOE PPPO Deputy Manager Sammy Bell PRC/DOE DOE PPPO Security Manager James Woods DOE/PPPO Mark Allen / Abe Getchell PRC/DOE Lock/Key/FOB Site FSO Abe Getchell PRC/DOE Mark Allen DOE/PPPO/FSO /
Questions

If you have any questions concerning the content of this training, or have suggestions for improvement, please e-mail Missy Howell, Wayne Conley, or Abe Getchell.
Congratulations

You have completed the Portsmouth/Paducah Project Office Annual Security Refresher!