Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Chg #DateChangeSlide #Completed By Reason. 2 Approval Sheets.

Similar presentations


Presentation on theme: "1 Chg #DateChangeSlide #Completed By Reason. 2 Approval Sheets."— Presentation transcript:

1 1 Chg #DateChangeSlide #Completed By Reason

2 2 Approval Sheets

3 MODULE #80183 REV.F0 FSS-4121 Export Controlled Information 3

4 ISMS The Integrated Safety Management System (ISMS) is a systematic, common sense approach to working safely. The objective of ISMS is to integrate working safely into management and work practices at all levels, addressing all types of work and all types of hazards to ensure safety for the workers, the public, and the environment. ISMS integrates working safely into planning and execution of work. 4

5 Purpose This procedure establishes guidelines, security measures, and practices for the handling and control of “export controlled information” (ECI), in all forms [such as documents, data, and matter (equipment, tools, etc.)]. 5

6 Scope This procedure applies to all DOE contractors at PORTS (including subcontractors) who handle ECI (in any form — including information, material, equipment, etc.). This procedure applies to ECI that is also company proprietary. This procedure applies to ECI that is also unclassified controlled nuclear information (UCNI), in conjunction with FSS-4117, Processing Unclassified Controlled Nuclear Information (UCNI) at Portsmouth. This procedure does not apply to ECI that is also classified information. (While classified information may also be ECI, “classified” controls take precedence and provide more than adequate control for ECI; thus, it is not necessary to also apply ECI controls.) At time of writing, contractors at PORTS could encounter ECI primarily through decontamination and decommissioning (D&D) records (in hard copy and electronic format), certain legacy records and documents, and the computerized management systems that house some of those records/documents or their indexes. Additionally, contractors could potentially encounter ECI through new documentation (e.g.-such as procurements) and through disposal (e.g. during D&D). Contractors should contact the WEMS facility support serviced (FSS) export control coordinator for guidance as needed. 6

7 Other Documents Needed FSS/PORTS-0306, Style Guide FSS-4109, Unclassified Controlled Information Manual for the Formerly Operating Portsmouth Gaseous Diffusion Plant Piketon, Ohio FSS-4330-Reporting Security Incidents and Conducting Inquires to Incidents of Security Concern FSSF-4108, Export Controlled Information (ECI) Cover Sheet 7

8 Identifying ECI Note: Two major categories of ECI exist — “trigger list” items and “dual use” items. The following lists provide examples of ECI. However, the items comprise only general categories; the WEMS FSS export control coordinator can provide more precise guidance on ECI criteria. Major categories of ECI “Trigger List” items that PORTS contractors may encounter Unclassified information on gaseous diffusion assemblies and components, such as: Barriers Diffuser housings Compressors Gas blowers Rotary shaft seals Heat exchangers 8

9 Identifying ECI Unclassified information on gaseous diffusion auxiliary systems, equipment, and components such as: Feed systems Product and tails withdrawal systems Header piping systems Vacuum systems Shut-off and control valves Mass spectrometers and ion sources 9

10 Identifying ECI Major categories of ECI “Dual Use” items that PORTS contractors may encounter Contractors may encounter dual-use information about: High-strength aluminum or maraging steel, beryllium, bismuth, boron, calcium, chlorine trifluoride, “fibrous or filamentary materials” and pre-pregs, hafnium, lithium, magnesium, radium, titanium, tungsten, zirconium, nickel powder, tritium, helium-3, and alpha-emitting radionuclides. Corrosion-resistant valves Direct current high-power supplies (100 volts or greater) Corrosion-resistant pressure instruments Large vacuum pumps Certain seals Pressure transducers Mass spectrometers 10

11 Identifying ECI NOTE: All personnel should review the major categories of trigger list and dual-use list items that may be encountered (shown above), to know when to invoke ECI reviews. However, only designated personnel are authorized to perform ECI reviews. 11

12 Documents NOTE: Documents containing ECI must be generated on DOE certified and accredited computer systems and must be reviewed by a WEMS FSS designated ECI reviewer [or, for centrifuge or depleted uranium hexafluoride (DUF6) information, the applicable company’s security personnel] prior to distribution (because all reviewers must meet applicable security criteria — e.g., a clearance, need to know, designation as a “US person” [see Appendix A] government direct or subcontract employment, etc.). NOTE: Contractors at PORTS may need to purchase items (e.g., software) that, once in place, could allow the supplier to gain access to ECI (e.g., electronic records); such procurements must first undergo ECI review, as many suppliers are considered foreign persons. NOTE: Contractors likely will never need to turn ECI over to suppliers during a bidding or purchase process; if such an occasion arose, ECI controls must be flowed down to all bidders/suppliers (e.g., via terms and conditions) and an ECI review of any technical information distributed must be obtained. 12

13 Documents Employee/Subcontractor: Contact the FSS export control coordinator for guidance before drafting a document that may incorporate or address any item on the trigger list or dual-use list above. INFCIRC 254, If in doubt whether your document may address a listed item, then consult the FSS export control coordinator before initiating a draft. If your document involves a procurement action (RFP, RFI, etc.), then also consult your respective contracts/procurement manager to ensure ECI controls are properly flowed down to intended recipients. NOTE: Some listed items also apply for gaseous centrifuge and DUF6 technologies, which are controlled by other companies on site and thus fall outside the purview of the FSS export control coordinator. If you receive or intend to reference any listed information pertaining to centrifuge or DUF6, then contact those companies for guidance regarding use and security reviews of their ECI (preferably, use the site’s “shared-site process”—but at least formally document all correspondence via letter or memo, and track resolution). 13

14 Documents If your document likely contains ECI, then obtain review from a designated ECI reviewer before distributing the document for review. For a list of designated FSS ECI reviewers, consult the list maintained on the security tab of the WEMS intranet portal, or contact the FSS export control coordinator. If the classification office deems that the document contains ECI, then proceed to FSS-4121 section B.1 (to handle the document as ECI). Otherwise, exit this procedure. 14

15 Matter (Materials, Equipment, Tools, Etc. If you encounter any item on the trigger list or dual- use list in Section A above (and the item is not marked or is exempt from marking as a major system component), then contact the FSS export control coordinator to obtain an ECI review of the item. If the item is determined to be ECI, then mark the item per FSS-4121 section B.2. 15

16 MARKING ECI Documents Employee /Subcontractor: Ensure any document determined to contain ECI has the following markings: FSS-4109 NOTE: “Cognizant program manager” refers to the appropriate DOE Headquarters program manager. EXPORT CONTROLLED INFORMATION Contains technical information whose export is restricted by statute. Violations may result in administrative, civil, or criminal penalties. Limit dissemination to US Department of Energy employees and contractors and other US government agencies. The cognizant program manager must approve other dissemination. This notice shall not be separated from the attached document. Reviewer (Signature): ____________________________ Date: _______________ Figure 1. Example of ECI Document Marking 16

17 Marking ECI Ensure that all documents containing ECI are properly reviewed and marked with the information in Figure 1 [to include the reviewer (signature) block and date, on the front cover or the bottom of the first page of the document. Ensure “Export Controlled Information” or if space is limited, “ECI,” is placed at the bottom of each page, or on just those pages containing ECI. If desired, attach FSSF-4108, Export Controlled Information (ECI) Cover Sheet. 17

18 Marking ECI Mark documents (purchase orders, transmittal letters, drawing lists, etc.) that do not contain ECI, but that transmit or refer to items that do, as follows: Document/material transmitted contains: (Element [type] of information) When separated from enclosures, this transmittal document is not: (Element [type] of information) NOTE: ECI handling requirements (e.g., for faxing, ing, etc.) still apply to non-ECI documents transmitted with ECI items. Ensure that all ECI removable media are marked with the words “EXPORT CONTROLLED INFORMATION.” 18

19 MARKING ECI Caution: The originator of ECI document(s) is responsible for ensuring that the document(s) are reviewed and properly marked. (These documents may also include item descriptions on requisitions, drawings, specifications, and statements of work.) Note: In some cases, it may be advantageous to mark documents as not containing ECI. (Examples may include documents reviewed for ECI during an audit.) However, use of such markings constitutes a best- management practice and is not driven by regulations or by contract. At the discretion of the ECI reviewer, mark documents found not to contain ECI as follows, at the bottom of either the cover or title page: This document does not contain export controlled information (ECI). ECI reviewer: Date: Figure 2. Example of Marking To Indicate Document Does Not Contain ECI (Used Only at the Discretion of the Export Control Coordinator) 19

20 Marking ECI Matter Employees/Subcontractor: Mark ECI or tag ECI matter [e.g., hardware, tools, products, and materials whose characteristics (dimensions, configuration, etc.) comprise ECI]. Exception: Marking and tagging is not required for ECI that has been destroyed beyond its intended use. Ensure ECI markings are securely affixed, legible, and conspicuous (from more than one angle if appropriate). Direct any questions regarding marking and labeling of ECI matter to the FSS export control coordinator. Contact the FSS export control coordinator to identify and implement any other requirements for ECI matter (e.g., concerning visibility, etc.). 20

21 Managing ECI Internally NOTE: This section applies strictly to internal activities (that is, activities limited to persons who meet all of the following criteria (per Appendix B): Is a US person and Has a need to know (determined by WEMS Security) and Is an employee, contractor, or subcontractor of: DOE or A US federal agency funding DOE work or A potential supplier to which appropriate ECI controls have been flowed down Any external activities (that is, activities involving foreigners; see Appendix A for examples) require an export license; in absence of an export license, such activities constitute unauthorized disclosure and must be reported immediately. 21

22 Generating Hard-Copy ECI Documents Employee/Subcontractor: Print ECI documents using a standard unclassified printer, if desired. Reproduce ECI documents using a standard unclassified copying machine, if desired. Limit the number of print-outs/copies to the minimum needed. FSSF-4108 Ensure ECI prints/copies are marked and protected in the same manner as the original(s).FSSF-4108 Do not leave prints/copies of ECI unattended on the printer or copying machine. 22

23 Generating Hard-Copy ECI Documents If the printer/copier jams, then ensure all paper paths are checked/cleared of ECI. FSSF-4108 Manually clear the printer or copier memory. NOTE: Do not place ECI in trash cans or recycling bins. ECI may be placed in locked shred bins authorized for on- site shredding. Destroy any partial prints/copies in accordance with Section C.4. If necessary to have ECI reproduced off-site by a commercial vendor, then contact Contracts/Procurement to ensure appropriate controls are flowed into subcontracts and purchase orders. 23

24 Transmitting ECI Documents Hand-Carrying ECI Documents Caution: The authorized individual(s) must prevent unauthorized access to ECI in transit. Employee/Subcontractor: If hand-carrying or personally transporting ECI (on or off site), then: Conceal the ECI in a briefcase, piece of hand-carried luggage, or other opaque covering that will prevent unauthorized access. Ensure an authorized user remains in control of it during transit. FSSF

25 Transmitting ECI Documents Mailing ECI Documents Employee/Subcontractor: Place ECI in an opaque envelope and seal the envelope. FSSF-4108 Mark the outside of the envelope with the words “To Be Opened By Addressee Only.” FSSF-4108 If transmitting ECI via the unclassified Plant mail system, then place the marked envelope in a normal intra-plant mailing envelope addressed to the intended recipient.FSSF-4108 If sending ECI off site, then utilize the US postal service (first class,express, certified, or registered mail) or any US commercial carrier that requires a recipient’s signature (Federal Express; United Parcel Service, etc).FSSF

26 Transmitting ECI Documents Faxing ECI Documents Employee/Subcontractor: Before using a standard, unclassified machine to fax ECI, contact the intended recipient and verify that he/she is available to receive the fax and control access to it. FSSF-4108 Attach a cover sheet to the fax that identifies the intended recipient, indicates that ECI is being transmitted, and specifies the total number of pages (including the coversheet). FSSF-4108 Immediately after transmitting the fax, contact the intended recipient again: Verify that he/she received the fax.FSSF-4108 Request him/her to manually clear the memory on his/her fax machine. FSSF-4108 Manually clear the fax memory on your fax machine. FSSF

27 Transmitting ECI Documents ing ECI Documents Employee/Subcontractor: Encrypt all ECI via Entrust before ing it. s containing or transmitting ECI should be encrypted whenever possible, regardless of who the recipient is, what address is used, or what computer/server the is sent from/to. If the itself contains ECI, then enter verbiage such as “This contains export controlled information” in the first line of the message body. FSSF-4108 If encryption is not available, ECI may be included in a Word or PDF file that is password protected and attached to the message. Call the recipient with the password so that he or she can access the file. If the itself contains no ECI but transmits an attachment that does, then enter verbiage such as “Attachment contains export controlled information” in the first line of the message body.FSSF

28 Transmitting ECI Documents Communicating ECI Via Telephone Caution: Speaker phones should be avoided except in controlled environments (e.g., closed offices, conference rooms, etc.). Caution: Cellular (mobile) phones shall not be used to discuss ECI. Employee/Subcontractor: Before discussing ECI by standard, land-line telephone (do not use a cell phone), ensure the following conditions are met: Verify that the phone is not on speaker (unless the phone is in a controlled environment). Verify that the person being called is authorized to receive the information and has a need to know. Verify (to the extent practical) that no one without a need to know can overhear the conversation (e.g., be sensitive to the fact that often sound carries outside of rooms and through walls even when doors are closed; use caution when discussing ECI in areas where people have offices nearby or tend to congregate). 28

29 Storing ECI Employee/Subcontractor: Treat suspected ECI the same as ECI. Electronic Media Employee/Subcontractor: Use only DOE-owned removable media (CD/DVDs, USB drives, etc.). If you physically control an encrypted, WEMS-managed laptop, then store ECI on the laptop without further encryption if desired. (WEMS-managed encrypted laptops automatically encrypt all data at rest.) 29

30 Transmitting ECI Documents Encrypt all other ECI and suspected ECI with Entrust (or DOE- authorized equivalent). Do not store ECI or suspected ECI unencrypted on a company network (e.g., “M drives,” “home drives,” or departmental areas unless access is restricted specifically to personnel having a need to know). Do not post ECI or suspected ECI (even when you encrypt it first) to internet sites that are openly accessible to all employees or to the public. Encrypt ECI and suspected ECI before storing it on removable media (e.g., CDs, DVDs, USB drives, etc.). Mark and control removable media containing ECI (regardless of location) to ensure only authorized individuals with a need to know can access the media. 30

31 Storing ECI Hard Copies Employee/Subcontractor: Note: Do not read or display ECI in public places (e.g., cafeteria, lobby, public transportation, etc.) ECI must be reasonably protected to prevent access by persons who do not have the need to know the information to perform their jobs or other DOE authorized activities. Documents must be stored in a locked room or other locked receptacle (e.g., a locked file cabinet, desk, bookcase, or briefcase) when not in use. FSSF

32 Destroying ECI Caution: In all cases, the person possessing ECI is responsible for protecting it. Employee/Subcontractor: Dispose of ECI documents using a crosscut or strip shredder with residue not exceeding ¼ inch. Destruction must occur prior to off-site recycling processes. (Do not place ECI in trash cans or unlocked recycling bins, it may be placed in the locked shred bins for onsite shredding) FSSF-4108 Destroy ECI on CDs/DVDs using a shredder designed to accommodate disks.  Contact Security to destroy all other types of electronic media. Destroy ECI matter (e.g., equipment and materials) beyond its intended use or design; contact the FSS export control coordinator for specific guidance on proper destruction methods. During destruction, protect ECI from being viewed by unauthorized persons. 32

33 DISCLOSING ECI EXTERNALLY Obtaining ECI Export Licenses NOTE: The FSS export control coordinator processes all requests for export licenses, which can be granted only by the Department of State, Department of Commerce, Nuclear Regulatory Commission, or secretary of energy. (WEMS has no authority to issue an export license.) NOTE: Appendix A provides examples of “US persons” and “foreign persons.” Caution: In all cases, the person possessing the ECI is ultimately responsible for ensuring its protection. Penalties for unauthorized disclosure of ECI can be quite severe and include substantial fines (e.g., $1,000,000), prison terms, or both. 33

34 Obtaining ECI Export Licenses Contact the FSS export control coordinator to obtain an export license before transferring ECI to: A foreign national, including one within the US — i.e., a “deemed export” A foreign government A foreign-owned company A foreign organization (e.g., United Nations, etc.) US agents of foreign governments or foreign owned companies Do not transfer any ECI until a license is granted. If a license request is denied, then do not transfer any ECI. 34

35 Reporting Unauthorized Disclosure of ECI NOTE: All discussions and documents associated with the incident must be handled in accordance with the classification determination of an authorized ECI reviewer. (ECI reviewers can be found on the WEMS Intranet Security page) Employee/Subcontractor: In person or by a secure device, immediately notify WEMS Security (per FSS-4330, Reporting Security Incidents and Conducting Inquires to Incidents of Security Concern) if you suspect any of the following: ECI has been released to the public (see FSS/PORTS-0306 for further criteria regarding public release). ECI has been released to an entity without a need to know. Technical information has been released to suppliers without having been reviewed for ECI. ECI has been released to suppliers without a mechanism in place to flow down ECI requirements. ECI has been released to a foreign national or agent of a foreign national without an export license in place. 35

36 Reporting Unauthorized Disclosure of ECI After notifying WEMS Security, take the following steps as appropriate to contain the release: Attempt to retrieve the ECI. Identify the means of release. Attempt to identify the persons involved in the release. Records Records generated or received must be submitted to WEMS RMDC for record retention and disposition according to FSS-1300, Record Life Cycle and Retrieval. WEMS employees and contractors must not conceal or destroy any information, including non-compliance or potential non- compliance records. (Reference: 18 U.S.C. 2071, Unauthorized Removal and/or Destruction of Records). 36

37 SOURCE DOCUMENTS 10 CFR 110, “Export and Import of Nuclear Equipment and Material.” 10 CFR 810, “Assistance to Foreign Atomic Energy Activities.” 15 CFR Subchapter C, “Export Administration Regulations,” Parts 730–774 (especially Parts 734, 744, and 774). 22 CFR 121, “The United States Munitions List.” US Department of State, Defense Trade Controls – US Munitions List Categories. 22 CFR Subchapter M, “International Traffic in Arms Regulations,” Parts 120–130 (especially Category 16). 42 USC Sect et seq., “Atomic Energy Act of 1954, as amended.” August 1, DOE O 471.6, Admin change 1, Information Security. US Department of Energy, Washington, DC. June 20,

38 SOURCE DOCUMENTS FSSF-4108, Export Controlled Information (ECI) Cover Sheet FSS/PORTS-0306, Style Guide, rev. 0. Wastren-EnergX Mission Support LLC, Piketon, OH. December FSS/PORTS-0307, Glossary, rev. 0. Wastren-EnergX Mission Support LLC, Piketon, OH. December FSS/PORTS-4109, Unclassified Controlled Information Manual for the Formerly Operating Portsmouth Gaseous Diffusion Plant Piketon, Ohio. October Guidelines on Export Control and Nonproliferation, US Department of Energy, Office of Nonproliferation and National Security, Office of Arms Control and Nonproliferation. July INFCIRC/254/Rev.5/Part2, Communications Received from Certain Member States Regarding Guidelines for Transfers of Nuclear-Related Dual-Use Equipment, Materials, Software, and Related Technology. International Atomic Energy Agency. May 16, INFCIRC/254/Rev.6/Part1, Communications Received from Certain Member States Regarding Guidelines for the Export of Nuclear Material, Equipment, and Technology. International Atomic Energy Agency. May 16,

39 DEFINITIONS CD — Compact Disk D&D — Decontamination and Decommissioning DOE — United States Department of Energy DUF6 — Depleted Uranium Hexafluoride DVD — Digital Video Disk ECI — Export Controlled Information FSS — Facility Support Services PORTS — Portsmouth Gaseous Diffusion Plant RMDC — Records Management and Document Control UCNI — Unclassified Controlled Nuclear Information BWCS — Babcock & Wilcox Conversion Services US — United States USB — Universal Serial Bus WEMS — Wastren-EnergX Mission Support LLC 39

40 DEFINITIONS Deemed Export — The release of ECI to a foreign national in the US. (An export license must be obtained from the appropriate US government agency prior to the release of ECI to any foreign national, regardless of where the foreign national is physically located.) Dual-Use Items — Items that have both commercial and military or proliferation applications (that is, items or information on items not normally used in the production of enriched uranium but that could be converted for use in the proliferation of nuclear weapons; see Section A of this procedure for items WEMS may encounter). Adapted from 15 CFR 772, 734.2(a) ECI Matter — ECI in the physical form of materials, equipment, apparatus, tools, etc. ECI Reviewing Official — Individual delegated and authorized in- writing by the DOE representative of Oak Ridge National Laboratories office of Non-Proliferation and International Security to perform ECI reviews of unclassified data to ensure protection of national security against proliferation of nuclear interests. 40

41 DEFINITIONS Export Controlled Information (ECI) — Unclassified technical information (such as documents, computer media or code, information, data, material, equipment, apparatus, tools, etc., or some combination thereof) that is subject to export-control laws (primarily under the Export Administration Regulations, 15 CFR 730 – 774) and whose unrestricted dissemination could help proliferants or potential adversaries of the United States. The Department of Energy requires an ECI review before public release of such information and may restrict dissemination of it. Internal distribution — Dissemination to US persons who have a need to know and who are employees or subcontractors of:Adapted from FSS-4110 WEMS or DOE (the US federal agency funding WEMS’s work) or A potential supplier to which the WEMS has flowed down ECI controls Need To Know — A determination made by the WEMS classification officer or security manager that a prospective recipient requires access to specific unclassified controlled information to perform his or her job. 41

42 DEFINITIONS Public Release — Release to the public (accessible to any person), or such widespread internal distribution that release to the public is likely. Examples of public release include:Adapted from FSS-4110 Request for proposal, expression of interest requests, and purchase requisitions Newspaper publications or TV/radio presentations Publication to an internet web site Presentation to a conference or committee outside those who have access authorization and a “need to know,” where the information could be published or open to the public, specifically foreign nationals Any information (drawings, presentations, etc.) forwarded to a vendor, manufacturing partner, contractor, or potential service provider with whom WEMS does not have appropriate procurement controls in place and who may have foreign nationals working for them (unless a specific exception is authorized in writing by DOE). 42

43 DEFINITIONS Trigger List Items — Items or information on items determined to be essential to any effort to proliferate nuclear weapons (see Section A of this procedure for items WEMS may encounter). Unclassified Controlled Nuclear Information (UCNI) — A DOE administrative control marking, established by Section 148 of the Atomic Energy Act, which prohibits the distribution of certain types of unclassified information to both the general public and foreign individuals. 43

44 Appendix A/ US Persons Versus Foreign Persons EntityUS person *All Others Company incorporated in the US (e.g., WEMS)License not neededExport license needed government entity (e.g., DOE, DoD, EPA, DOT, NRC) License not neededExport license needed Company incorporated/organized outside the (e.g., Boeing Toronto, Ltd.; Areva) Export license needed Foreign government entity (e.g., Royal Air Force of the ) Export license needed Foreign organization (e.g., NATO, UN, EU)Export license needed 44

45 Appendix A/ US Persons Versus Foreign Persons * Includes US citizens, US nationals, permanent resident aliens (“green card” holders), alien refugees, aliens granted asylum, amnesty applicants, and special agricultural workers. Definitions: US = United States; WEMS = Wastren-EnergX Mission Support LLC; DoD = US Department of Defense; EPA = US Environmental Protection Agency; DOT = US Department of Transportation; NRC = US Nuclear Regulatory Commission; UK = United Kingdom; NATO = North Atlantic Treaty Organization; UN = United Nations; EU = European Union. Terminology explained: US citizen – native-born or naturalized citizen of the United States. US national – citizen of a US possession that does not have statehood, such as Puerto Rico, Guam, American Samoa, etc. Permanent resident alien – also known as “green card” holder. Holds I-151 or I- 551 document. Alien refugees – granted refugee status; holds I-571 document. Alien granted asylum in the US – granted asylee status. Special agricultural worker/amnesty applicant – someone admitted for temporary residence in one of these categories. Holds I-688 document (not I-688A or I-688B). 45

46 Appendix B/ Who can Access WEMS ECI Without a License Anyone who meets all of the following criteria can have access to WEMS ECI without an export license: Is a US person and Has a need to know (determined by the WEMS FSS security department’s mission support services manager or the FSS classification officer) and Is an employee or subcontractor of: WEMS or A US federal agency funding WEMS’s work (i.e., DOE) or A potential supplier to which the WEMS Contracts/Procurement department has flowed down ECI controls (e.g., via contract terms and conditions) 46


Download ppt "1 Chg #DateChangeSlide #Completed By Reason. 2 Approval Sheets."

Similar presentations


Ads by Google