Presentation is loading. Please wait.

Presentation is loading. Please wait.

Portsmouth/Paducah Project Office

Similar presentations

Presentation on theme: "Portsmouth/Paducah Project Office"— Presentation transcript:

1 Portsmouth/Paducah Project Office
2012 Annual Security Refresher Lexington Office Portsmouth Site Paducah Site

2 Portsmouth/Paducah Project Office
Welcome Portsmouth/Paducah Project Office Welcome to the Portsmouth Paducah Project Office Annual Security Refresher for 2012.

3 Portsmouth/Paducah Project Office
PPPO Mission Portsmouth/Paducah Project Office The mission of the U. S. Department of Energy (DOE) Portsmouth/Paducah Project Office (PPPO) is to provide management oversight and support to ongoing Environmental Management (EM) Operations at the DOE Portsmouth, Ohio, and Paducah, Kentucky sites.  To facilitate this mission, the PPPO manager and key management functions are located in Lexington, Kentucky between the Portsmouth and Paducah sites. PPPO serves as the EM line management for both Portsmouth and Paducah.  The PPPO Site Security Plan facilitates management of security assets for the PPPO operations at the Lexington Office.  Site-specific Security Plans for Paducah, Kentucky and Portsmouth, Ohio are developed/implemented by the Infrastructure Contractor for Paducah and the Facility Support Services Contractor for Portsmouth and are designated as the site Officially Designated Security Authority (ODSA) for each site. Every DOE or Contractor organization must appoint a Facility Security Officer (FSO) to serve as a security point of contact (POC). The FSO is responsible for administering the requirements of the Safeguards and Security Program within his or her facility in accordance with DOE requirements and the Site Security Plan. Contract DE-AC30-10CC40021 identifies Swift & Staley Security as the ODSA for Paducah Contract DE-CI identifies Wastren-EnergX Mission Support (WEMS) as the ODSA for Portsmouth Your ODSA or FSO POC telephone numbers are listed in site POC listing at the end of this briefing.

4 Portsmouth/Paducah Project Office
Course Objectives Portsmouth/Paducah Project Office This briefing is intended for all cleared and uncleared DOE employees, contractors, and subcontractors at the Portsmouth Site, Paducah Site, and Lexington Office. The objectives of the 2012 Annual Security Refresher are to: Remind individuals of their safeguards and security responsibilities Promote continuing awareness of required security practices Help individuals maintain an appreciation for the need to protect our country’s national security interests Guidance for this briefing is in accordance with U.S. Department of Energy (DOE) Order 470.4B, Section 3, “Safeguards and Security Awareness” and DOE/PPPO implementing instructions. Final approval for briefing contents is given by the DOE/Oak Ridge Office, Officially Designated Federal Security Authority (ODFSA). Individuals who possess DOE access authorizations (security clearances) shall receive refresher briefings to reinforce and update awareness of safeguards and security policies and their responsibilities Mandatory every 12 months Failure to complete the annual security refresher may result in administrative actions determined by the ODFSA to include suspension of access authorization

5 Portsmouth/Paducah Project Office
About the Briefing Portsmouth/Paducah Project Office Access Control PPPO Recognized Badges Badge Responsibilities Prohibited and Controlled Articles Reporting Requirements for Cleared Individuals Incidents of Security Concern (IOSC) Classified Matter/Information Need-to-know Unauthorized Disclosure Penalties Unclassified Controlled Information (UCI) Nuclear Material Control & Accountability Technical Surveillance Countermeasures, Operations Security and Cyber Security Hosting Foreign National Visits and Assignments and Foreign Travel Counterintelligence Escort Responsibilities Safeguards and Security Program The Annual Security Refresher is composed of the following topical areas. At the end of the briefing there will be a test from the content covered in these areas:

6 Portsmouth/Paducah Project Office
Access Control Portsmouth/Paducah Project Office The Portsmouth, Paducah & Lexington sites maintain General Access Areas (GAA), Property Protection Areas (PPA), and Limited Areas (LA) to protect DOE assets. Access to PPA and LA security areas require approval in accordance with DOE Directives and site ODSA procedures. GAAs are designated areas that are accessible to all personnel, including the public. PPAs are designed to protect DOE assets and personnel, and are accessible to authorized personnel only. There are no classified holdings within this security area. LAs are designed to protect classified matter and Category III quantities of Special Nuclear Material (SNM). Individuals without an access authorization are not permitted within this security area unless they are escorted and have a need-to-know. Access into security areas must be controlled in conjunction with a DOE Security Badge or Local Site Specific Only badge: Protective Force or authorized personnel performing visual inspection of a badge Automated access controls (e.g. card readers) reading an HSPD-12 badge

7 PPPO Recognized Badges
Portsmouth/Paducah Project Office These badges are generally recognized by PPPO sites: HSPD 12 Credential or DOE Security Badge DOE Standard Badge for “Q” access authorization DOE Standard Badge for “L” access authorization DOE PIV (no access authorization) DOE Foreign National (no access authorization) Site specific badges may be issued to address a variety of unique local badging requirements including local site specific badge, temporary visitor badge, and foreign national badge, etc. Site specific badges are not HSPD-12 compliant. Lexington site specific Paducah site specific Portsmouth site specific

8 Badge Responsibilities
Portsmouth/Paducah Project Office Your badge must be replaced or reissued if: Your name changes or your physical appearance changes Your badge is faded or damaged Your clearance level changes Badge cautions: It is illegal to counterfeit, alter, copy, or misuse your badge DO NOT use your badge for purposes other than official government business DO NOT wear the badge in public places Report the loss or theft of your badge immediately to your ODSA Other badge reminders: The badge is to be prominently displayed (outermost garment, above the waist, and below the neck) at all times while on site (to include Lexington) unless prohibited by health or safety considerations Protect your badge from theft when you are off site Your badge is the property of DOE and must be returned to the ODSA if it has expired, is no longer required, or upon termination of employment

9 Portsmouth/Paducah Project Office
HSPD-12 Badges Portsmouth/Paducah Project Office During the remainder of 2012 and 2013, all employees will be issued an HSPD-12 badge, as per Homeland Security Presidential Directive (HSPD) 12 and Environmental Management Memorandum dated October 10th, 2012 titled “Office of Environmental Management Policy for Homeland Security Presidential Directive 12 Implementation”: This badge will be used for: Physical access to all facilities within the PPPO (PPAs and LAs) Logical access to unclassified information systems that support PPPO mission objectives Your HSPD-12 badge will be of increased importance as time goes on. It will eventually be used for activities such as encryption and verification of your security clearance (if applicable). Ensure you protect your badge and associated PIN as you would protect what it replaces – an authentication token and/or your password.

10 Portsmouth/Paducah Project Office
Prohibited Articles Portsmouth/Paducah Project Office The following articles are prohibited on DOE property: Dangerous weapons and explosives (instruments or materials likely to cause substantial injury to people or damage property) Unauthorized firearms Controlled substances such as illegal drugs and associated paraphernalia (but not prescription medicine) All items that are prohibited by law Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures). Note: Registration with the Kentucky Wildlife Management Office is required before hunting/field trials in the surrounding Wildlife Management Areas at Paducah.

11 Portsmouth/Paducah Project Office
Controlled Articles Portsmouth/Paducah Project Office You must have ODSA authorization (Portsmouth and Paducah) or Lexington Information Technology (IT) authorization prior to introducing the following controlled articles in a Limited Area: Personal Data Assistants (PDA) Laptop or palmtop computers Smart phone devices Two-way pagers Cell phones Cameras of all kinds Recording equipment Digital audio players Thumb and Portable Hard drives and most gaming devices (check with security) Alcoholic beverages Note: Authorization is recognized by a property pass (Portsmouth) or controlled article permit (Paducah).

12 Reporting Requirements for Cleared Individuals
Portsmouth/Paducah Project Office Having a DOE access authorization is a privilege not a right. In order to maintain an access authorization, the following information must be reported within 2 days verbally to your site Personnel Security Office followed within 3 days by written notification, unless otherwise instructed: Arrests – Report all arrests, including charges that are dismissed Criminal Charges - Report all criminal charges including felony, misdemeanor, public and petty offenses as defined in the statutes of any state Detention by Law Enforcement - Report any detention by federal, state or other law enforcement authority for violation of law. The only exception to this reporting requirement is detention for a simple traffic stop Traffic Violations - Report any traffic violations for which you receive a fine of $300 or more unless the traffic violation is alcohol or drug related. Any traffic violation that is alcohol or drug related must be reported regardless of the amount Ongoing Regular Contact with Foreign Nationals – Report employment, business & personal related associations with any foreign national or employees/representatives of a foreign-owned interest Hospitalization - Report hospitalization for treatment of mental illness or other mental condition; treatment for alcohol or drug abuse; any condition that may cause a significant impairment in judgment or reliability Bankruptcy - Report any personal or business-related bankruptcy Wage Garnishment - Report all wage garnishments resulting from, but not limited to, divorce, delinquent debts or child support Change in marital status - Report marriage or cohabitation (spouse like relationship) within 45 days Name Changes - Report all legal name changes within 45 days Change in Citizenship - If you are a U.S. citizen who changes citizenship or acquires dual citizenship Family Residence Change - An immediate family member assuming residence in a sensitive country

13 Incidents of Security Concern (IOSC)
Portsmouth/Paducah Project Office An incident of security concern occurs any time there is a potential or actual compromise of classified or Unclassified Controlled Information (UCI) or when a security directive is violated. Incidents of security concern are actions, inactions, or events that have occurred at a site that: Pose threats to national security interests and/or critical DOE assets Create potentially serious or dangerous security situations Potentially endanger the health and safety of the workforce or public Degrade the effectiveness of the safeguards and security program Adversely impact the ability of organizations to protect DOE safeguards and security interests Remember, if you observe, find, or have knowledge of, or information regarding an IOSC, you must immediately report the incident to your respective IOSC POC and/or FSO or the Plant Shift Superintendent in person or by secure means. If you discover a potential IOSC, you must take reasonable and prudent steps to contain the incident, protect the scene, and secure classified matter or UCI as appropriate. Your ODSA or FSO POC telephone numbers are listed in site POC listing at the end of this briefing.

14 Portsmouth/Paducah Project Office
Metric of IOSC Portsmouth/Paducah Project Office The following incidents of security concern were the most common for the Portsmouth, Paducah, and Lexington sites in 2012: Unauthorized electronic disclosure of Unclassified Controlled Information Introducing controlled item into a LA (e.g. camera cell phone, MP3, etc.) Circumvention of established procedures (e.g. property pass violations) Vandalism of Government property Loss of escort controls Total incidents for 2011 Total incidents for 2012 29 23

15 Classified Matter/Information
Portsmouth/Paducah Project Office Classified matter/information is any combination of documents or materials that needs to be protected in the interest of national security. Classification can be applied to: classified equipment, components, parts, tooling, gauges, liquids, powder, scrap, molds, and packaging container inserts classified documents, electronic media, or communications All classified matter/information is protected according to federal statutes and Presidential Executive Orders. DOE is responsible, under the Atomic Energy Act of 1954, as amended, for classifying information and material relating to atomic energy and its use in weapons and under Executive Orders for other aspects of national security. The Atomic Energy Act of 1954 and Executive Order govern classification policy. Classifying information establishes protective barriers that ensure that classified matter and information do not fall into unauthorized hands. Through the process of classification, we protect important information from adversaries, yet allow the same information to be used by scientists, statesmen, military planners, and others with applicable access authorization and who meet the need-to-know criterion. Note: At Portsmouth, Paducah, and Lexington there are specific Limited Areas approved for impromptu classified discussions. Please contact your ODSA or FSO for specific locations.

16 Levels of Classified Matter
Portsmouth/Paducah Project Office Classified matter/information is designated by both a classification level and a category. The classification level is based on how much our national security could be damaged if the information were to be released to unauthorized person(s). There are three classification levels: TOP SECRET CONFIDENTIAL Top Secret (TS)-Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security. Secret (S)-Unauthorized disclosure could reasonably be expected to cause serious damage to national security. Confidential (C)-Unauthorized disclosure could reasonably be expected to cause undue risk to the common defense and security and be expected to cause damage to national security.

17 Categories of Classified Matter
Portsmouth/Paducah Project Office There are three categories that describe classified matter : Restricted Data (RD) is information that is related to the design, manufacturing, and utilization of atomic weapons; production of special nuclear material; or use of special nuclear material in the production of energy. Formerly Restricted Data (FRD) is information that pertains to the military utilization of atomic weapons and has been removed by DOE from the Restricted Data category. National Security Information (NSI) is information that requires protection in the interest of national defense or foreign relations of the United States that is not related to nuclear weapon design, manufacturing, testing, or utilization. For example, a site security vulnerability may be protected as NSI.

18 Access to Classified Matter
Portsmouth/Paducah Project Office The following table illustrates the minimum clearance level required for access to each level and category of classified matter: Restricted Data Formerly Restricted Data National Security Information Top Secret Q Secret L Confidential Access to classified matter requires an individual to have: Appropriate access authorization (or necessary security clearance) A need-to-know (which means access to classified matter is necessary to perform an official or contractual duty) Note: Access is not obtained or granted by position only.

19 Protection and Control Measures
Portsmouth/Paducah Project Office Cover sheets must be used any time a classified document is removed from a special approved General Services Administration container (sometimes referred to as a safe or repository), vault, or vault-type room. The purpose of a classified cover sheet is to prevent unauthorized visual access, serve as an immediate identifier that the attached document or material is classified, and identify the classification level of the document. Classified cover sheets are identified as follows: For additional protection and control measures, including training/briefing requirements, contact site Classified Matter Protection and Control (CMPC) point of contact. Portsmouth, Paducah, and Lexington telephone numbers are listed in the POC listing at the end of this briefing.

20 Derivative Classifiers (DC)/Derivative Declassifiers (DD)
Portsmouth/Paducah Project Office The following appointed positions are provided to coordinate classification activities: Derivative Classifiers (DC): An individual authorized to determine that matter is unclassified or classified as restricted data, formerly restricted data, and/or national security information and at what level based on classification guidance or source documents. Derivative Declassifiers (DD): An individual authorized to declassify or downgrade matter in specific areas based on classification or declassification guidance or source documents. When it is reasonable to expect that documents or materials contain classified information or when regulations or other requirements apply, you are personally responsible to ensure the matter is reviewed by an approved DC or the site Classification Officer. Portsmouth, Paducah, and Lexington Classification Officer or Classification POC telephone numbers are listed in the site POC listing at the end of this briefing.

21 Challenging Classification Decisions
Portsmouth/Paducah Project Office Every employee is encouraged and expected to challenge the classification of information, documents, or material that he or she believes is improperly classified. Challenges should be directed to your site Classification Office or classification POC.

22 Portsmouth/Paducah Project Office
No Comment Policy Portsmouth/Paducah Project Office Sometimes classified information appears in the public domain (e.g. newspapers, websites, speeches, etc.). If approached about the disclosed classified information do not comment on accuracy, classification, or technical merit. Individuals are prohibited from commenting on classified information in the public domain Avoid using the phrase “no comment” because its use may implicitly reveal classified information Appearance in the public domain does not declassify the information

23 Portsmouth/Paducah Project Office
Your Responsibility Portsmouth/Paducah Project Office Each employee is responsible for having documents and material reviewed by a DC for classified information prior to dissemination to uncleared individuals by physical or electronic means. Types of Documents to be reviewed include: Information pertaining to Gaseous Diffusion Technology/Processes or Work for Others Newly generated documents or material prepared in a potential classifiable subject area Existing unmarked documents or material that an employee believes may contain classified information Existing documents or material that an employee believes may contain information classified at a higher level or more restrictive category Documents or material in a potential classified subject area intended for public release (web page, Congress, press release) must be reviewed by the site Derivative Classifier Newly generated documents that contain extracts from an existing classified document (e.g. chapter or appendix) must be reviewed by a DC. If the extract is found to be unclassified then an additional review by a Derivative Declassifier is required

24 Portsmouth/Paducah Project Office
Need-to-Know Portsmouth/Paducah Project Office If an individual needs to know information in order to perform an official or contractual duty, they may have access to that information. Access to classified information requires the appropriate DOE access authorization AND the need to know to perform an official duty. Does that person require this information to do their job?

25 Unauthorized Disclosure
Portsmouth/Paducah Project Office Unauthorized disclosure is any communication or physical transfer of classified matter or Unclassified Controlled Information (UCI) to an unauthorized recipient. Concerning classified matter, unauthorized disclosure: Always occurs when the recipients do not have the appropriate access authorization and the need-to-know Can occur when an individual intends to transfer or transmit classified matter Could potentially cause damage or irreparable injury to the United States, or could be used to advantage by a foreign nation

26 Portsmouth/Paducah Project Office
Penalties Portsmouth/Paducah Project Office There can be potential penalties for mishandling classified information or other sensitive information such as: Termination of access authorization Removal from any position of special confidence and trust requiring a clearance Termination of employment Prosecution Monetary fines

27 Portsmouth/Paducah Project Office
Penalties Portsmouth/Paducah Project Office Civil penalties for contractor violations of classified information are issued in accordance with Title 10, Code of Federal Regulations Part 824 (10 CFR Part 824).  This CFR was published by the Department of Energy (DOE) to implement Section 234B of the Atomic Energy Act of 1954, 42 U.S.C. 2282B.  Section 234B stipulates that a contractor or subcontractor to the DOE who violates any rule, regulation, or order relating to the safeguarding or security of Restricted Data, other classified information, or sensitive information shall be subject to a civil penalty (fine) not to exceed $110,000 per offense.  In publishing 10 CFR Part 824, DOE has determined that civil penalties under Part 824 will only be assessed for violations of requirements for the protection of classified information (Restricted Data, Formerly Restricted Data and National Security Information).  The rule does not include civil penalties relating to failure to protect sensitive but unclassified information.  

28 Unclassified Controlled Information (UCI)
Portsmouth/Paducah Project Office UCI is broadly defined as information that may be exempt from public release either by statute, or under the Freedom of Information Act and for which disclosure, loss, misuse, alteration or destruction would adversely affect national security, government interests, or personal interests. There are four basic types of UCI most addressed at the sites: Official Use Only (OUO) Personally Identifiable Information (PII)* Unclassified Controlled Nuclear Information (UCNI) Export Controlled Information (ECI)** *PII is marked and protected as OUO, FOIA Exemption 6, Personal Privacy ** ECI is dual marked ECI and OUO, FOIA Exemption 3, Statutory Exemption Note: An uncleared person may be granted access to Unclassified Controlled Information (UCI) if that person has a need-to-know the specific information in the performance of official or contractual duties.

29 Portsmouth/Paducah Project Office
Protecting UCI Portsmouth/Paducah Project Office UCI must be protected from unauthorized disclosure. Storing of UCI within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided). When working with UCI from home or in transit, the above protection requirements are the same.

30 Portsmouth/Paducah Project Office
Transmission of UCI Portsmouth/Paducah Project Office The number one security incident at the sites is transmitting UCI by unsecured or inappropriate methods. Follow the guidelines listed here when transmitting UCI: Transmission by UCI should be encrypted when electronically transmitted outside the site’s network. Encryption should be accomplished by using Entrust for . If Entrust is unavailable then password protect(excluding UCNI which is not accredited on PPPO systems) Transmission by Fax: When faxing UCI (excluding UCNI which must be sent via a secure telephone facsimile), the sender must contact the recipient prior to faxing the UCI document. The sender is responsible for making a follow-up call to confirm that the entire UCI document was received Transmission by Mail Off site: Place documents in a sealed opaque envelope or wrapping, stamp or write the words “To Be Opened by Addressee Only.” The document can be mailed First Class, Express, Certified or Registered Mail or sent via any commercial carrier and must contain a return address Transmission by Mail On site: Place documents in a sealed, opaque envelope or wrapping, stamp or write the words “To Be Opened by Addressee Only” Note: Personnel should contact their employer to ascertain if the company has levied any further restrictions (on local policies or procedures).

31 Official Use Only (OUO)
Portsmouth/Paducah Project Office To be identified as Official Use Only (OUO), information must be unclassified and meet both of the following criteria: Has the potential to damage Governmental, commercial, or private interests if released to persons who are not authorized Falls under one of the Freedom of Information Act (FOIA) exemptions Note: Any Federal or contractor employee with cognizance over the information may make OUO determinations for unclassified documents.

32 Making OUO Determinations
Portsmouth/Paducah Project Office The determination of OUO is based off either: Guidance Approved by the HS-60 Issued by the HS-60, a program office, or DOE/NNSA contractor or An individual evaluation (opinion) Release could cause damage Falls under a FOIA exemption Guidance for Identification of Personal Privacy is located DOE Order 206.1, Department of Energy Privacy Program and The Privacy Act of 1974 (5 U.S.C. 552a) CG-SS-4

33 OUO Determination Tree Portsmouth/Paducah Project Office
BEGIN HERE Portsmouth/Paducah Project Office Potential OUO Is the information OUO by classification guide topic, CG-SS-4 Mark as OUO Yes Yes No No Could the release of this information cause damage to governmental, commercial, or private interests Not OUO No Not OUO Yes Not OUO Does the information fall under a FOIA exemption No Yes Mark as OUO 33

34 Portsmouth/Paducah Project Office
Exemptions Portsmouth/Paducah Project Office Once information is determined to be OUO, potential exemptions to the Freedom of Information Act (FOIA) must be chosen. If no exemption is viable then the information cannot be OUO. Information is OUO Choose a FOIA exemption 3 through 9 Yes No No Marking or Protection required. This information will still require a classification review prior to releasing to the public Note: Exemption 2-Circumvention of Statute for OUO was deleted and should no longer be used. For previous determinations of OUO where exemption 2 was used, the following exemptions may be applied, exemption 7 (Law Enforcement), exemption 4 (Commercial Proprietary), and exemption 5 (Privileged Information). 34

35 Exemption Numbers and Categories for OUO
Portsmouth/Paducah Project Office 3-Statutory Exemption CRADA Information Export Controlled Information Taxpayer Identification Numbers 6-Personal Privacy Medical Condition/History Marital Status Personally Identifiable Information (e.g. Social Security Number, birth date, place of birth) Unlisted Home Phone Number 4-Commercial/Proprietary Trade Secrets (e.g. Coca Cola Formula) Financial Data (e.g. income, profits, losses) Business Plans (e.g. contract proposals) Cost Data Government Credit Card Numbers 7-Law Enforcement On-going Investigative Reports Reports which would Impair Impartial Adjudication Confidential Sources Security Plans (e.g. OPSEC Plan, TSCM Plan, etc.) 5-Privileged Information Recommendations (e.g. budget cuts) Evaluations Appraisal Results Drafts of New Policies Attorney-Client Exchanges 8-Financial Institutions Reports on the Financial Condition of a Bank 9-Wells Resource Maps Well Head Analysis

36 Portsmouth/Paducah Project Office
Marking OUO The employee making the determination must ensure that the front of each document must have an exemption stamp designating the FOIA exemption number and related category name. Also the words “Official Use Only” (or “OUO” if space is limited) are placed on the bottom of each page or, if more convenient, on just those pages containing OUO information. Portsmouth/Paducah Project Office Exemption Stamp OUO Stamp OFFICIAL USE ONLY Sample of front page marking

37 Filling Out Exemption Stamp Portsmouth/Paducah Project Office
Steps to filling out exemption stamp (or notice) based on classification/control guides: Fill in the exemption number and category Name and organization Date of determination Short name of guide, source, and date of guide 7, Law Enforcement Jane Doe/WEMS 07/02/2004 CG-SS-4, DOE OC, June 2002 Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site. 37

38 Filling Out Exemption Stamp Portsmouth/Paducah Project Office
Steps to filling out exemption stamp (or notice) based on individual evaluation (opinion): Fill in the exemption number and category Name and organization Date of determination Enter “N/A” if guidance is not used 6, Personal Privacy John Smith/WEMS 07/02/2004 N/A Example of front page or cover exemption marking – specific stamp design on printed or electronic material may be slightly different at your site. 38

39 Portsmouth/Paducah Project Office
ing OUO Portsmouth/Paducah Project Office If is OUO First line in the body of the must say “Official Use Only” before text If attachment is OUO The first line in the body of the should say “Document attached contains OUO information. When separated from attachment, this is not OUO” Attachment must also be marked appropriately If transmitting outside of firewall PPPO federal and contractor employees are encouraged to encrypt their s prior to transmittals (Entrust is the software that is used for encryption) If Entrust is unavailable, then take other measures to send securely such as password protecting Word or PDF documents Contractors must check site procedures before using password protect option

40 Using Entrust to Encrypt E-Mails Portsmouth/Paducah Project Office
Step 1: Login to Entrust Select your user profile name Type in password Step 2: Encrypting Select “Express” from Outlook tool bar Select “Encrypt” Step 3: Confirm encryption Ensure that the Encrypt message is selected Once confirmed, select “OK” Depending on the version of Entrust used at your site, there may be minor differences in the way the software looks and operates. Contact your Information Technology or Cyber Security group with any questions.

41 Personally Identifiable Information (PII)
Portsmouth/Paducah Project Office Personally Identifiable Information (marked and protected as OUO, Exemption 6, Personal Privacy) is defined as any information collected or maintained by the Department, contractors or subcontractors, about an individual, including but not limited to, education, financial transactions, medical history and criminal or employment history, and information that can be used to distinguish or trace an individual's identity, such as his/her name, Social Security number, date and place of birth, mother’s maiden name, biometric data, and including any other personal information that is linked or linkable to a specific individual. Employees are required to prevent the unauthorized breach of PII Upon discovery of data breach involving PII, employees must immediately notify their respective ODSA and/or FSO Note: PII stored on laptops and removable media (CD ROMs, thumb drives) must be encrypted. If PII is no longer required, it must be deleted. Requirements for identification of PII are located in DOE O

42 Export Controlled Information (ECI)
Portsmouth/Paducah Project Office ECI includes many nuclear technologies restricted by Federal regulations from export to foreign entities. ECI restrictions may be imposed by the U.S. Department of Energy, Department of Commerce, or Department of State and even if the matter is not classified, it still must not be exported to foreign entities without appropriate approvals. PPPO operations involve ECI especially regarding gaseous diffusion and DUF6 conversion technologies. Prior to engaging in decontamination and decommissioning (D&D) and disposal of scientific and technical equipment, contact the ECI POC and/or ODSA or FSO for review requirements prior to release or disposal. Requirements for identification, protection and control of ECI are located in US DOE Guidelines for Export Control and Nonproliferation dated July 1999. Portsmouth, Paducah, and Lexington ECT POC telephone numbers are listed in the site POC listing at the end of this briefing.

43 What qualifies as ECI? (continued)
Portsmouth/Paducah Project Office ECI includes commodities, technology, and software. Commodities are tangible assets such as materials (e.g., metals, chemicals) and equipment (e.g., industrial equipment, electronic equipment, nuclear test equipment). Technology is information necessary for the development, production, or use of a product. This can include technical data or technical assistance in the form of blueprints, diagrams, engineering designs and specifications, manuals and instructions, and training. Software includes commercial off the shelf (COTS) applications and applications developed in-house that directly relate to the development, production, or use of a product.

44 What is an export? (continued)
Portsmouth/Paducah Project Office An export is the sending of export controlled items (e.g., information, technology, material) outside of the United States in any manner (e.g., physical shipment, , website). An export occurs from within the United States to a foreign country. A deemed export is the release of technology or source code to a foreign national within the United State in any manner (e.g., physical shipment, , website). A deemed export occurs completely within the United States. A re-export occurs when an item controlled under United States export law is shipped from a foreign country to another foreign country. A re-export occurs completely outside of the United States.

45 Authorization to export? (continued)
Portsmouth/Paducah Project Office 10 CFR and .8 allow for an authorization to export be granted as long as a specific approval process is followed by the party who wishes to export the commodity, technology, or software in question. The authorization is a time-intensive and politically sensitive process which requires concurrence from the Department of State, and consultation with the Nuclear Regulatory Commission, Department of Commerce, and Department of Defense. An application for export authorization may be submitted through the Secretary of Energy’s Office. Contact your ECI POC as far in advance as possible if an export, deemed export, or re-export is required.

46 What are the penalties? (continued)
Portsmouth/Paducah Project Office In the event of an illegal export: Administrative or criminal penalties may be levied against a company or an individual depending on the seriousness of the offense and whether the export was willful or negligent. Administrative penalties can result in up to ten (10) years in prison and fines of up to $250k per offense, depending which agency has regulatory oversight of the item(s) in question. Criminal penalties can result in up to life in prison and fines of up to $1m per offense, depending on which agency has regulatory oversight of the item(s) in question. Department of Commerce, Department of State, Department of Energy, and Department of Treasury can all levy fines depending on the item(s) in question.

47 Unclassified Controlled Nuclear Information (UCNI)
Portsmouth/Paducah Project Office UCNI is certain unclassified information about nuclear facilities and nuclear weapons that must be controlled because its unauthorized release could have a significant adverse effect on the national security or public health and safety. The Director, Office of Classification (OC), decides what specific information is UCNI. UCNI Reviewing Officials use guidance to decide if documents contain UCNI. Any document that may contain UCNI must be reviewed by an UCNI Reviewing Official to determine if it contains UCNI. The PPPO sites have existing UCNI specifically related to gaseous diffusion technologies. Intentional or inappropriate release of UCNI information may include civil or criminal penalties. Guidance for the UCNI program can be referenced in: Section 148, Atomic Energy Act of 1954 10 CFR Part 1017, Identification and Protection of Unclassified Controlled Nuclear Information DOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information Note: PPPO information systems are not accredited for UCNI. Therefore, UCNI may not be generated, processed, or stored on any PPPO information system components (e.g., workstations, laptops, flashdrives, CD/DVDs).

48 Handling, Storing, Copying, and Destroying of UCI
Portsmouth/Paducah Project Office Handling UCI requires taking reasonable precautions to prevent unauthorized access (ensure the need-to-know) Storing of UCI within a PPA or LA must be locked in a room, file cabinet, desk, or bookcase (when internal building security is not provided) Storing of UCI at home or during transit must be under control at all times or in a locked room, receptacle, or briefcase Copying of UCI requires no permission; however, print only the minimum number of copies needed, and mark and protect appropriately Destroying of UCI is accomplished by using a shredder (¼ “ wide strip-cuts) or by other site approved methods (e.g. shred bins) Destruction of UCI outside of the workplace (e.g. home, travel) requires the above shredder requirements (¼ “ wide strip-cuts). If not available, protect UCI until you return to the office

49 Nuclear Material Control & Accountability (NMC&A)
Portsmouth/Paducah Project Office The purpose of NMC&A is to control and account for nuclear materials. NMC&A combined with physical security of nuclear materials is the “Safeguards” of Safeguards and Security. Portsmouth and Paducah have a large inventory of UF6 including low enriched, normal (.711%), and Depleted (<.710%) UF6. Additionally, the sites have uranium compounds in the lab in the form of samples and some quantity of low enriched non-UF6 in the form of Process Gas dust, trap material, oxides, contaminated scrap, etc. In security terms, the nuclear materials at Paducah are considered Category IV Attractiveness Level E, which is the lowest grade safeguard category and attractiveness level. Most of the Portsmouth inventory is also Category IV, but also has some Category III Attractiveness Level C material. Access to Category III Special Nuclear Material (SNM) requires an “L” or “Q” access authorization. Graded Safeguards Table

50 Technical Surveillance Countermeasures
Portsmouth/Paducah Project Office TSCM is an electronic counterintelligence program designed to detect, deter, isolate and nullify technical penetrations and technical security hazards. These technical penetrations and security hazards are used to gain unauthorized access to classified information, unclassified controlled information, or personal information and range from simple mechanical to sophisticated electronic and fiber-optic techniques. The more common techniques include hidden audio and radio frequency (RF) transmitting devices (microphones), telephone bugging equipment, and visual tools such as binoculars, telescopes, mini cams and fiber optic cameras. The sale of these devices is not restricted. They are readily available to anyone on the commercial market. If you discover what you consider to be a technical surveillance device, immediately cease all activity in the area as discreetly as possible Do not voice the discovery within the immediate area, which includes the suspect room and all other rooms that are above, below and adjacent to it Secure the room and do not touch or remove the device Immediately notify your TSCM POC via secure communications, outside of the area where the suspected device has been found. During off-shift hours notify the Plant Shift Superintendent’s Offices. Note: Any action related to TSCM information or possible vulnerability should be safeguarded at the highest level of classification approved for that area.

51 Operations Security (OPSEC)
Portsmouth/Paducah Project Office OPSEC is a process focused on protecting critical and sensitive information by: Identifying threats and vulnerabilities which can be exploited by an adversary Identifying and assessing the risk Developing and implementing countermeasures The principles of OPSEC are based on asking five questions: What information do you want to protect? Who wants your information? How is your information vulnerable? What is the risk for your information? How can you protect your information? OPSEC: How can I do my part? Use strong passwords to access your government computers Destroy Unclassified Controlled Information (UCI) in an approved strip shredder Do not transmit sensitive information without following proper security procedures Do not discuss UCI or classified information in public Guard against phone calls seeking personal and sensitive information Use appropriate markings on UCI and classified correspondence Be aware of possible ways in which an adversary can collect information in an open environment (e.g. overheard conversations, notes left in open vehicles, etc.) Be mindful of the information posted on social networking sites Utilize the OPSEC Working Group for assistance during the initial stages and throughout project planning

52 Portsmouth/Paducah Project Office
Cyber Security Portsmouth/Paducah Project Office The Information Technology (IT) Program establishes requirements for protecting DOE electronic information and information systems in accordance with the Program Cyber Security Plan (PCSP). These requirements include provisions for ensuring that the protection is commensurate with the risk and damage that could result from the loss, misuse, disclosure or unauthorized modification of information that is processed, stored or transmitted using DOE information systems. Unclassified computer systems MUST NOT be used to process classified information. Always check with a DC before initiating a document related to a classifiable subject area. Classified information must be processed ONLY on accredited information systems in a designated security area, such as a Limited Area. If you require access to a classified computer contact the site Cyber Security POC or ODSA. UCI must be processed according to site level requirements. PPPO systems are not approved for UCNI. There are some basic principles to follow when using systems at work. Handle s from an unknown source cautiously. Ensure the sender is a reliable source before clicking on a link embedded in the . Do not open or reply to suspicious s Permanently delete from your inbox Notify Cyber Security POC if assistance is needed

53 Hosting Foreign National Visits and Assignments
Portsmouth/Paducah Project Office DOE is a world leader in developing and advancing new technologies requiring international scientific and technical collaboration with foreign nationals. Hosting foreign nationals at DOE facilities and/or discussing DOE information, technology, or programs off site requires multiple subject matter expert reviews and approval by an authorized approval authority. Hosting requirements are identified in DOE Order 142.3A Unclassified Foreign National Visits and Assignments Program. Visit requests should be submitted to the site ODSA or Lexington FSO 90 days in advance. Providing any DOE program information to a foreign national, on site or off site, must be preceded by a security plan unless the information is available to the public at large. If planning to host foreign nationals in support of DOE business operations, on site or off site, your site Foreign National Visits POC can provide detailed documentation and approval guidance which includes the required Host Training provided from the Office of Counterintelligence. Portsmouth, Paducah, and Lexington Hosting Foreign Nationals POC telephone numbers are listed in the site POC listing at the end of this briefing.

54 Portsmouth/Paducah Project Office
Foreign Travel Portsmouth/Paducah Project Office The listing for sensitive countries is maintained at the site ODSA and is available upon request If the country is sensitive, a pre-travel briefing must be provided by DOE Counterintelligence All official travel must be reported even if travel is to a non-sensitive country Notify the foreign travel point of contact prior to travelling to a sensitive country Portsmouth, Paducah, and Lexington Foreign Travel POC telephone numbers are listed in the site POC listing at the end of this briefing.

55 Counterintelligence (CI)
Portsmouth/Paducah Project Office Counterintelligence is information gathered and activities conducted to protect against espionage, other intelligence activities, sabotage, or assassinations conducted for, or on behalf of foreign powers, organizations or persons, or international terrorist activities, but not including personnel, physical, document, or communications security programs. Executive Order 12333, December 4, 1981, "United States Intelligence Activities” PPPO Counterintelligence activities are supported by the DOE Office of Intelligence and Counterintelligence, Oak Ridge Field Office (ORFO). All questions on this topic should be directed to: Portsmouth: Mark Allen at (270) or (859) , or Dale King at (740) Paducah/Lexington: Mark Allen at (270) or (859) Note: ORFO CI Organization can be contacted at (865)

56 Portsmouth/Paducah Project Office
CI Program Priorities Portsmouth/Paducah Project Office The priorities of the ORFO are as follows: Nuclear Security Counterterrorism Economic Espionage – Protected Technologies Cyber CI Threat Protect Science and Technology Counterintelligence Insider Threats Foreign Travel Programs Foreign Visits and Assignments All potential espionage or terrorism related concerns should be promptly reported to the ORFO. All reports made to this office are held in strict confidentiality. Please visit the ORFO website at for specific program information, detailed reporting requirements, foreign travel and visit information, and more.

57 CI Insider Threat Indicators
Portsmouth/Paducah Project Office Cyber Insider Indicators Unsolicited Unusual surfing habits Spoofed addresses Unusual network traffic Suspicious links or attachments Misconfigured Systems Network scans Unauthorized modems or sniffers Malicious code attempting external communications Hidden or unexplained accounts Attempts to install software not approved for the computing environment Unauthorized File Transfer Protocol (FTP) or web servers Excessive login attempts Attacks on network security infrastructure Unusual file server access Beaconing activity Attempts to circumvent security procedures Files compressed and staged for removal Unusual questions about vulnerabilities, policies, procedures, or configurations Unusual interest in penetration testing or vulnerability assessment of networks Serious vulnerability that remains uncorrected Refusal or resistance to fixing external vulnerabilities Documents staged for removal

58 CI Insider Threat Indicators (cont.)
Portsmouth/Paducah Project Office Espionage Indicators Unexplained affluence Failing to report overseas travel Unexplained travel Unexplained absences Showing unusual interest in information outside of responsibilities Unusual work hours Taking classified or sensitive material home Unreported contact with foreign government, military, or intelligence officials, Attempting to gain access without the need-to-know Excessive use of copy machines Unwillingness to take vacation Resistance to sharing duties or separation of duties Exploitable conduct Unexplained or extensive technical computer-related knowledge More information is available on the DOE Counterintelligence website or call

59 Portsmouth/Paducah Project Office
Recruiting Methods Portsmouth/Paducah Project Office Foreign intelligence officers do not typically obtain information themselves. They recruit citizens from a target country who have legitimate access to the information being sought. They will attempt to “fill a void" or “meet a need" in the target’s life They will ask for something and probably provide something in return The sensitivity or perceived value of the information requested will increase over time How do Intelligence Officers identify potential sources? Visits to the U.S., especially hosted visits American travelers to foreign countries International conferences, conventions, seminars and exhibits Professional associations and publications Collaborative research and development Unsolicited requests for information They want to see who responds

60 Portsmouth/Paducah Project Office An insider threat could be anyone
The insider threat is identified as one or more individuals with the access and/or inside knowledge of a company, organization, or enterprise giving them opportunity to exploit the vulnerabilities of that entity’s security, systems, services, products, or facilities with the intent to cause harm. An insider could be current or former employees, contractors, vendors, or visitors. They are often times people placed in a position of trust. In fact, most spies in the U.S. once held a security clearance. An insider threat could be anyone

61 Foreign Intelligence Collecting Portsmouth/Paducah Project Office
Various kinds of information can be gathered through secret or covert methods. While some information is indeed collected through clandestine operations, others can be gathered by widely available means. These are commonly called the “intelligence collection disciplines” or the “INTs”: Human Intelligence (HUMINT) is the collection of information from human resources (e.g., interviews, social engineering, etc.) Signals Intelligence (SIGINT) is the collection of information by intercepting electronic signals between two parties Imagery Intelligence (IMINT) is the collection of information through photos (e.g., via satellites) Open-Source Intelligence (OSINT) is the collection of information generally available to the public (e.g., newspapers, internet, TV, etc.) Intercepting Signals

62 Security Condition Threat Level
Portsmouth/Paducah Project Office The Deputy Secretary of the DOE establishes the Security Condition (SECON) levels. The SECON levels reflect a multitude of conditions that may adversely impact Departmental and/or site security to include terrorism, continuity conditions, environmental (e.g., fire, chemical, radiological, etc.) and/or severe weather conditions. The security readiness state is reflected in the following SECON levels when conditions reflect a risk of terrorist activity, continuity conditions, environmental, and/or severe weather conditions. SECON 1: Severe Condition SECON 2: High Condition SECON 3: Elevated Condition SECON 4: Guarded Condition SECON 5: Low Condition Personnel will be alerted to changes in the security conditions over the plant PA system and through appropriate security and emergency management staff.

63 Portsmouth/Paducah Project Office See Something, Say Something
Terrorist Threat Portsmouth/Paducah Project Office Terrorism remains a threat to the security of the homeland. The Department of Homeland Security (DHS) implores all Americans to share responsibility for the nation’s security. “See Something, Say Something” is a nationwide campaign program designed to raise public awareness for indicators of terrorism and violent crime, and to emphasize the importance of reporting suspicious activity to the proper state and local law enforcement authorities. See Something, Say Something Report suspicious activity to ODSA, PSS, or call local law enforcement.

64 Portsmouth/Paducah Project Office
Active Shooter Portsmouth/Paducah Project Office An active shooter is an individual actively engaged in killing or attempting to kill people in a confined and populated area. Active shooters use guns and there is no pattern or method to their selection of victims. Because active shooter situations are often over within 10 to 15 minutes, before law enforcement arrives on scene, individuals must be prepared both mentally and physically to deal with an active shooter. How to Respond: Evacuate-Take note of all exits in your facility Hide-Stay out of shooter’s view. If you are in an office lock the door or block entry Take Action-As a last resort, attempt to subdue the active shooter. When the active shooter is at close range and you cannot flee, your chance of survival is much greater if you try to incapacitate him/her Call or (Portsmouth) or (Paducah) on a cell phone when it is safe to do so! Not an actual scene

65 Escort Responsibilities
Portsmouth/Paducah Project Office Responsibilities for escorting into the Limited Area: Ensure that appropriate measures are taken to prevent a compromise of classified matter and/or Special Nuclear Material (SNM) Maintain continuous visual and unaided voice and/or physical control of escorted individual(s) Ensure that escorted individual(s) have a need-to-know for the security area they are entering Verify and maintain escort ratio: Portsmouth and Paducah standard ratio is one (1) escort to every four (4) visitors/employees Prominently display the “yellow” escort badge (if applicable) on outer most garment, above the waist and below the neck, identifying that uncleared individuals are present Prior to escorting, verbally challenge escorted individual(s) on whether they possess any controlled or prohibited articles (e.g. camera cell phones, thumb drives, etc.) Ensure full compliance with site specific security requirements, plans, and procedures Ensure that access authorization is commensurate with the security area being entered

66 Safeguards and Security Program
Portsmouth/Paducah Project Office To ensure appropriate security measures and avoid project delays, the PPPO management expectations are as follows; the Safeguards and Security considerations , which include NMC&A, are thoroughly integrated with all aspects of mission accomplishment, including all topical areas of safeguards and security (e.g. personnel, physical, information, nuclear safeguards) and related cross-cutting areas (e.g. cyber security, export control, classification, foreign visits and assignments and foreign travel). This integration will ensure the adequate protection of DOE assets (e.g. classified matter, unclassified controlled matter, and government property).

67 Safeguards and Security Program
Portsmouth/Paducah Project Office The Safeguards and Security Program ensures that the Department of Energy efficiently and effectively meets all its obligations to protect Special Nuclear Material, other nuclear materials, classified matter, sensitive information, government property, and the safety and security of employees, contractors, and the general public. The program helps to: Identify what needs protected Establish clear roles and responsibilities Implement DOE requirements though line management Establish oversight programs to assure requirements are implemented Seek and implement continuous improvement The Safeguards and Security Program incorporates the following principles: Integration of Safeguards and Security with all aspects of mission accomplishment Protection requirements are commensurate with the consequences of loss or misuse of the protected asset Responsibility for the implementation of protection measures resides with DOE line management elements responsible for mission accomplishment Authority is delegated to appropriate levels to promote efficiency and effectiveness

68 Portsmouth/Paducah Project Office
Summary Portsmouth/Paducah Project Office Having a DOE access authorization is a privilege, not a right. You may have been recognized and entrusted by the U.S. Government to protect and handle classified matter; therefore, it is your responsibility to follow DOE requirements as well as site plans and procedures. Failure to adhere to these security requirements could potentially cause damage to governmental, commercial, or private interests Ensure classified information and UCI are appropriately protected and controlled Ensure need-to-know criterion for both classified and UCI is met prior to providing anyone access. In addition, the recipient of classified information must possess the appropriate access authorization Ensure any document prepared in a potentially classified subject area is reviewed by a DC or the site Classification Officer BEFORE publication and distribution Know the security requirements for the area(s) you work in or visit, and follow site guidance for prohibited and controlled items Know the reporting requirements Contact your respective ODSA for guidance or questions regarding any security-related matter (e.g. physical, cyber, personnel, information, classification, protective force, etc.)

69 Portsmouth Security Points of Contact Listing
Portsmouth/Paducah Project Office This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the WEMS security office. Classification Officer and POCs Physical Security Henry Thomas John Jordan Classified Matter Protection and Control (CMPC) Jim Sevens Wayne Conley John Zangri Technical Surveillance and Countermeasures (TSCM) Jim Dixon Rachel Stroth Unclassified Controlled Information (UCI) Rich Kielmar Jim Snodgrass Dave Davis Hosting Foreign Nationals Cyber Security Brian Kirkendall Counterintelligence POC Operations Security (OPSEC) Dale King (Primary) Mark Allen (Alternate) / Visitor Control Reporting Incidents of Security Concern Erica Wiley Export Controlled Information (ECI) Dan Hupp Waste, Fraud, and Abuse Enforcement Coordinator Dan Longpre WEMS Security Manager Foreign Travel POC Rick Coriell Personnel Security Office Site FSOs Megan Bach Wastren-EnergX Mission Support (WEMS) Rick Coriell Linsay Ward Fluor B&W Portsmouth (FBP), Troy Ayres Dana Kirkman Restoration Services Inc. (RSI), Rick Ferguson Lock Smith B&W Conversion Services (BWCS), Beth Keener The American Centrifuge (USEC, Inc.), Angela Wright Emergencies at Portsmouth or 911 (plant phone)

70 Paducah Security Points of Contact Listing
Portsmouth/Paducah Project Office This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the SST security office. Classification Officer and POCs Physical Security Jackie Thompson Dusty Alexander Classified Matter Protection and Control (CMPC) Jeff Harris Melissa Howell Brad Nall Chuck Moreland Cyber Security Technical Surveillance and Countermeasures (TMCS) Bill Offner Operations Security (OPSEC) Unclassified Controlled Information (UCI) Kara Doughty Visitor Control Hosting Foreign Nationals Betty Hart Terri Dorris Ronda Hays Counterintelligence POC Export Control Information (ECI) Mark Allen Reporting Incidents of Security Concern Charlie Cobb Enforcement Coordinator Foreign Travel POC Swift & Staley Inc., Security Manager Site FSOs Personnel Security Office Swift and Staley Inc., (SST) Charlie Cobb LATA of Kentucky, Inc., (LATA) Tim Fralix B&W Conversion Services (BWCS), Mike Stanley Locksmith Bobby Harris Phillip Easley Emergencies at Paducah or 333 (plant phone)

71 Lexington Security Points of Contact Listing
Portsmouth/Paducah Project Office This POC listing is not intended to be a complete listing of telephone numbers. If you have a question, contact the PPPO FSO. Classification Officer and POCs Physical Security Larry Sparks DOE/ORO Mark Allen DOE/PPPO/FSO / Mark Allen DOE/PPPO FSO Sammy Bell PRC/DOE Classified Matter Protection and Control Cyber Security James Woods DOE/PPPO Abe Getchell PRC/DOE Technical Surveillance and Countermeasures (TSCM) Operations Security (OPSEC) Sammy Bell PRC/DOE/POC  Visitor Control Unclassified Controlled Information (UCI) Foreign Travel POC Hosting Foreign Nationals Counterintelligence / Reporting Incidents of Security Concern Waste, Fraud, and Abuse/Enforcement POC Rachel Blumenfeld DOE PPPO Deputy Manager DOE PPPO Security Manager Mark Allen Lock/Key/FOB  Site FSO  Mark Allen DOE/PPPO/FSO /  

72 Portsmouth/Paducah Project Office
Questions Portsmouth/Paducah Project Office If you have any questions concerning the content of this training, or have suggestions for improvement please Missy Howell Wayne Conley or Abe Getchell

73 Portsmouth/Paducah Project Office
Congratulations Portsmouth/Paducah Project Office You have completed the Portsmouth/Paducah Project Office Annual Security Refresher!

Download ppt "Portsmouth/Paducah Project Office"

Similar presentations

Ads by Google