doc_fn: draftord/473/c4731-1.html
DocType: Draft
ID: DOE C 473.1-1
Title: CRD for Physical Protection of Safeguards and Security
Summary:
Org: NN
Date_Issue: 06/18/1997
Date_Close:
VdkVgwKey: draftord-15
Directive: 473.1
Text:
CONTRACTOR MANUAL FOR PHYSICAL PROTECTION OF SAFEGUARDS AND
SECURITY INTERESTS REQUIREMENTS
All of the Department of Energy (DOE) contractors and their employees shall adhere to the same
standards for physical protection of safeguards and security interests, (e.g., special nuclear
materials (SNM), nuclear weapons, vital equipment, classified matter, assets, facilities) and other
property of interest to the Department's Safeguards and Security Program against loss, theft,
sabotage, or other hostile acts, as those required by DOE Elements and their personnel.
This contractor requirements document for DOE Manual 473.1-1 is composed of fourteen
chapters that provide detailed contractor and contractor employee requirements for the physical
protection of safeguards and security interests as supplemental requirement for the
implementation of DOE O 470.1. Chapter I addresses five essential ingredients for a successful
program; site specific characteristics; design basis threat; protection strategy; planning documents;
and graded protection. Chapters II and III address the protection of special nuclear material and
classified matter. Chapter IV addresses the protection of Departmental facilities against
radiological and toxicological sabotage. Chapter V discusses Security Areas that are used to
protect the safeguards and security interests discussed in Chapters II and III. Chapters VI to XIII
provide supporting information and requirements for effective implementation of safeguards and
security programs. Chapter XI is a collection of the security design criteria taken from DOE O
6430.1A, GENERAL DESIGN CRITERIA, that was canceled by DOE O 240.1, and O 440.1
and which did not capture security requirements.
Chapter I
PROTECTION PLANNING
1. Site-specific Characteristics. Contractors shall tailor protection programs to address
specific site characteristics and requirements, current technology, ongoing programs,
operational needs, and to achieve acceptable protection levels that reduce inherent risks on
a cost-effective basis.
2. Threat. Contractors shall base the physical protection afforded safeguards and security
interests upon the "Design Basis Threat for the Department of Energy Programs and
Facilities (U)". Consideration should also be given to site and regional threats and
emergency situations such as civil disturbances and disasters.
3. Protection Strategy.
a. Strategies for the physical protection of special nuclear material and vital
equipment shall incorporate the applicable requirements established in Chapter II.
Protection strategies may be graduated to address varying circumstances and may
range from denial, to containment, to recapture/recovery, and/or, to pursuit.
(1) A denial strategy shall be used when unauthorized access presents an
unacceptable risk for the theft of Category I SNM as well as an
unauthorized opportunity to initiate or credibly threaten to initiate a nuclear
dispersal or detonation, or to use available nuclear materials for onsite
assembly of an improvised nuclear device.
(2) A containment strategy shall be used to prevent the unauthorized removal
of Category II or greater special nuclear material that can roll-up to
Category I.
(3) Should denial and/or containment referenced in (1) and (2) above fail, a
recapture/recovery and/or pursuit strategy would then be required. Forces
capable of rapid reaction are vital to the implementation of recapture or
recovery contingencies.
b. Strategies for the physical protection of classified matter shall incorporate the
applicable requirements established in Chapter III. The strategy shall be based on
efforts that will detect or deter unauthorized disclosure or modification or the loss
of availability of classified, and sensitive but unclassified information, and its
unauthorized removal from a site or facility.
c. Strategies for the physical protection of radiological/toxicological sabotage targets
shall incorporate the applicable requirements established in Chapter IV. Protection
strategies shall be designed to prevent radiological/toxicological sabotage acts that
would pose significant dangers to health and safety of employees, the public, or the
environment. These strategies may be graduated to address varying circumstances
and may range from denial, to containment, and/or to mitigate the consequences if
such acts occur.
d. Strategies for the physical protection of other safeguards and security interests
shall be developed to be commensurate with the safeguard and security interest
importance.
(1) A strategy ranging from detection to deterrence shall be used for security
interests whose loss, theft, compromise, and/or unauthorized use will have
serious impact on the national security and/or the health and safety of DOE
and contractor employees, the public, the environment, or DOE programs.
(2) A strategy of detection and deterrence shall be used for safeguard and
security interests whose loss or theft will have a negative financial impact
on the Department.
(3) A strategy of denial shall be used to address the introduction of certain
articles into Departmental facilities that would impact the health and safety
of DOE and contractor employees (e.g., hand carried, mailed, and vehicle-
transported explosives, firearms, and chemical and biological agents).
4. Planning.
a. Site Safeguards and Security Plans. The details of site physical protection
measures shall be addressed in the Site Safeguards and Security Plan, as required
by DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM.
b. Security Plans. At locations where a Site Safeguards and Security Plan is not
required due to the limited scope of safeguards and security interests, a security
plan shall be developed to describe the protection program in place.
5. Graded Protection.
a. Graded Protection.
(1) Protection shall be applied in a graded manner. The level of effort and
magnitude of resources expended for the protection of a security interest is
commensurate with the security interest's importance or the impact of its
loss, destruction, or misuse. Security interests whose loss, theft,
compromise, sabotage, and/or unauthorized use will have serious impact
on the national security, financial security and/or the health and safety of
DOE and contractor employees, the public, the environment, or
Department of Energy programs, shall be given the highest level of
protection. For example, use of a weapon of mass destruction by a
terrorist(s) could have severe consequences necessitating the highest
reasonably attainable level of security.
(2) Protection of other interests shall be graded accordingly. Protection-
related plans shall describe, and document the rational used for selecting
the graded protection provided the various safeguards and security
interests. Asset valuation, threat analysis, and vulnerability assessments
shall be considered, along with the acceptable level of risk and any
uncertainties, to determine if the risk is significant and what protection
measures should be applied. Heads of Departmental Elements shall
provide a rational, and cost-effective, protection framework applying risk
management as the underlying basis for making security-related decisions.
b. A rational, and cost-effective, protection framework shall be provided applying
risk management as the underlying basis for making security-related decisions. It
should be recognized that risks will be accepted, i.e., that actions cannot be taken
to reduce the potential for or consequences of all malevolent events to zero;
however, an acceptable level of risk will be determined based on evaluation of a
variety of facility-specific goals and considerations.
c. Protection plans shall describe, justify, and document the graded protection
provided the various safeguards and security interests.
6. Performance Assurance. Safeguards and security systems shall be tested as required by
DOE O 470.1 Safeguards and Security Program to ascertain effectiveness in providing
countermeasures to address design basis threats.
Chapter II
PROTECTION OF SPECIAL NUCLEAR MATERIAL AND VITAL EQUIPMENT
1. General. This chapter outlines contractor requirements for the protection of Categories I
through IV quantities of special nuclear material and vital equipment. The following
requirements shall apply:
a. A facility shall not receive, process, transmit, or store special nuclear material until
that facility has been approved as required by DOE O 470.1, SAFEGUARDS
AND SECURITY PROGRAM.
b. Nuclear material production reactors and fuel shall be protected consistent with the
category of special nuclear material involved and/or the consequences of
radiological sabotage.
c. An integrated system of positive measures shall be developed and implemented for
the protection of Category I, SNM (nuclear weapons).
d. Protection afforded special nuclear material shall be graded according to the
nuclear material safeguards category, as defined in Figure I-2 of DOE 5633.3B,
CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, and shall
reflect the specific nature of special nuclear material existing at each site. DOE
5633.3B shall be used to determine if there is a potential to accumulate a Category
I quantity of special nuclear material by theft of material from more than one
location (roll up) within the same Protected Area.
e. Factors, such as ease of separability, accessibility, and concealment; quantity,
chemical form, isotopic composition, purity, and containment; portability;
protection strategies; radioactivity; and self-protecting features, shall be considered
in determining physical protection for each category of special nuclear material.
f. When special nuclear material is classified because of its configuration or content,
or because it is part of a classified item, it shall receive the physical protection
required by the highest level of classification of the configuration, content, or item,
or category of special nuclear material involved, whichever is greater.
g. Protective force personnel shall be available and positioned to respond to a verified
threat occurrence to contain, interrupt, and/or neutralize adversaries within the
required response times.
h. Intrusion detection shall be accomplished through a combination of intrusion
sensors and tamper-indicating devices, material surveillance procedures, material
accounting and tracking, and/or specialized nuclear measurement techniques.
i. Delay mechanisms shall be employed to prevent removal or unauthorized use of
Categories I and II quantities of special nuclear material. Delay mechanisms may
include passive barriers (e.g., walls, ceilings, floors, windows, doors, security
bars), activated barriers (e.g., sticky foam, pop-up barriers), and obscurants (e.g.,
cold smoke).
j. Specific protection requirements, such as systems and protective personnel
response capabilities necessary to satisfy identified protection needs, shall be
documented.
2. Access. Contractor access controls systems shall be in place to ensure that only properly
cleared and authorized personnel are permitted unescorted access to special nuclear
material and vital equipment. Access authorizations (security clearances) shall be
accomplished according to DOE O 472.1, PERSONNEL SECURITY ACTIVITIES. See
Table II-1 of this manual for access authorization required for special nuclear material.
Access authorization requirements for vital equipment shall be comparable to Category I
special nuclear material.
3. Protective Force Posts. See DOE 5632.7A
4. Storage. Each facility shall have controls for all categories of nuclear materials held in
storage (see Chapter IX for elaboration) consistent with the graded safeguards approach.
Controls for storage shall:
a. Be formally documented;
b. Assure that only authorized personnel have access to the storage repositories (see
I);
c. Prevent and/or detect unauthorized access;
d. Describe procedures used to authenticate material movements into or out of a
repository;
e. Include procedures for investigating and reporting abnormal conditions;
f. Provide a record system to document ingress/egress to repositories; and
g. Define procedures for conducting inventories and daily administrative checks.
TABLE II-1
ACCESS AUTHORIZATION REQUIREMENTS
SPECIAL NUCLEAR
MATERIAL CATEGORY
MINIMUM LEVEL OF
ACCESS
AUTHORIZATION
REQUIRED
REMARKS
I
II with credible roll up to I
Q
Hands-on access or
transportation of Category I
quantities of SNM may require
additional measures, such as
Personnel Security Assurance
Program participation and/or
enhanced material surveillance
procedures, to further reduce
the probability of insider acts.
II and III
L
Unless special circumstances
determined by site
vulnerability assessment
require Q access authorization
to minimize risk. Document in
Site Safeguards and Security
Plan.
IV
None
Unless special circumstances
determined by site
vulnerability assessment
require access authorization to
mitigate risk. Document in
Site Safeguards and Security
Plan.
5. Category I Quantities of Special Nuclear Material.
a. In-Process. Material shall be used or processed within Material Access Areas.
DOE 5633.3B, page III-3, paragraph 3b(1) requires a material surveillance
program to detect unauthorized material flows and transfers. Any location within
a Material Access Area that contains unattended Category I quantities of special
nuclear material in use or process shall be equipped with intrusion detection
systems or other effective means of detection approved by the cognizant local
Departmental authority for safeguards and security.
b. Storage. Material shall be stored within a Material Access Area.
(1) When not in process or when unattended, material falling under
Attractiveness Level A shall be stored in a vault. Storage facilities for
Category I special nuclear material Attractiveness Level A, constructed
after 7-14-94, shall be underground or below-grade construction.
(2) Material falling under Attractiveness Level B shall be stored in a vault or be
provided enhanced protection that exceeds vault-type room storage (e.g.,
collocated protective force response station and/or activated barrier(s)).
(3) Material falling under Attractiveness Level C shall, as a minimum, be
stored in a vault-type room.
c. In-Transit. Protection requirements for material in transit shall be as follows:
(1) Domestic offsite shipments of Category I quantities of special nuclear
material shall be made by the Transportation Safeguards System, operated
under the auspices of the Albuquerque Operations Office.
(2) Packages or containers containing special nuclear material shall be sealed
with tamper-indicating devices.
(3) Protection measures for movements of material between Protected Areas at
the same site, or between Protected Areas and staging areas at the same
site, shall be under direct surveillance by the number of Security Police
Officers necessary to protect against threats as established in the Design
Basis Threat for Department of Energy Programs and Facilities (U), and
documented in the Site Safeguards and Security Plan.
6. Category II Quantities of Special Nuclear Material.
a. In-Process. Material shall be used or stored only within a Protected Area. DOE
5633.3B, page III-3, paragraph 3b(1) requires a material surveillance program to
detect unauthorized material flows and transfers. Any location within a Protected
Area that contains unattended Category II quantities of special nuclear material in
use or process shall be equipped with intrusion detection systems or other effective
means of detection approved by the cognizant local Departmental authority for
safeguards and security.
b. Storage. When not in process or when unattended, material shall be stored in a
vault or a vault-type room located within a Protected Area.
c. In-Transit. Shipments shall conform to the shipment requirements for Category I
quantities of special nuclear material (See paragraph 5c above).
7. Category III Quantities of Special Nuclear Material.
a. In-Process. Material shall be processed within a Security Area that provides, at a
minimum, the protection of a Limited Area.
b. Storage. When not in process or when unattended, material shall be stored, at a
minimum, within a Limited Area and secured within a locked security container or
a locked room. The container or locked room containing the matter shall be under
the protection of an intrusion detection system or protective patrol at intervals not
to exceed 8 hours.
c. In-Transit.
(1) Domestic offsite shipments of classified configurations of Category III
quantities of special nuclear material may be made by the Transportation
Safeguards System.
(2) Methods of shipping unclassified configurations:
(a) Truck or Train. Truck or train shipments shall meet the following
requirements:
1 Government-owned or exclusive-use truck, commercial
carrier, or rail may be used to ship Category III quantities of
special nuclear material.
2 A detailed inspection of the transport vehicle shall be
conducted before loading and shipment. Cargo
compartments shall be locked and sealed while en route.
3 Personnel assigned to escort shipments shall maintain
periodic communication with a control station operator who
can request appropriate local law enforcement agency
response, if needed.
4 Shipments shall be made without intermediate stops except
for emergency reasons, driver relief, meals, refueling, or
transfer of cargo.
(b) Air Shipment. Air shipments of Category III quantities of special
nuclear material may take place if not otherwise prohibited by
statute or otherwise limited by implementing instructions. The
shipments shall be under the direct observation of the authorized
escorts during all land movements and loading and unloading
operations.
(3) Movements of Category III quantities of special nuclear material between
Security Areas at the same site shall be according to the appropriate
locally-developed security plan.
8. Category IV Quantities of Special Nuclear Material.
a. In-Process. Material shall be processed according to procedures approved by the
cognizant local Departmental authority for safeguards and security.
b. Storage. When not in process or when unattended, material shall be stored
according to the procedures approved by the cognizant local authority for
safeguards and security.
c. In-Transit.
(1) Domestic offsite shipments of classified configurations of Category IV
quantities of special nuclear material may be made by means of the
Transportation Safeguards System, under procedures approved by the
Albuquerque Operations Office as deemed appropriate, and by agreements
between the Manager, Albuquerque Operations Office, and the respective
Heads of Field Elements.
(2) Shipments of unclassified configurations of material may be made by truck,
rail, or water, in commercial, for-hire, or leased vehicles. If not otherwise
prohibited by state or federal laws, Category IV quantities of special
nuclear material may also be shipped by air.
(a) Shipments (except laboratory analysis samples or reference
materials) shall be arranged with a capability to trace and identify,
within 24 hours of request, the precise location where a shipment
went astray, in the event that it fails to arrive at the destination at
the prescribed time.
(b) Shipper shall be required to give the consignee an estimated time of
arrival before dispatch, and follow-up with a written confirmation
not later than 48 hours after dispatch.
(c) Consignee shall promptly notify the shipper by telephone and
written confirmation upon determination that a shipment has not
arrived by the scheduled time.
9. Vital Equipment. Site Safeguards and Security Plans shall define applicable threats and
measures to protect vital equipment from hostile actions.
Chapter III
PROTECTION OF CLASSIFIED MATTER
1. General. Contractors shall protect classified special nuclear material in accordance with
Chapter II of this Manual if SNM categories and Attractiveness Levels dictate more
stringent requirements, otherwise the provisions of this chapter apply. DOE Order 471.2,
"INFORMATION SECURITY PROGRAM," of 9-26-95, establishes the Information
Security Program for the control of classified and sensitive information in use.
a. Classification levels shall be used in determining the degree of protection and
control required for classified matter.
b. Classified information, regardless of its form, shall be afforded a level of protection
against loss or compromise commensurate with its level of classification.
c. Classified matter shall be stored in a manner that will detect and deter
unauthorized access.
d. When possible, classified matter shall be processed, handled and stored in security
areas providing control measures equal to or greater than those present in Limited
Areas. When classified matter is not processed, handled and/or stored within
Limited Areas or above, additional control measures shall be required. Control
measures shall include technical, physical, personnel, and/or administrative
measures.
e. Facilities, buildings, rooms, structures etc, shall be afforded the protection
measures necessary to prevent unauthorized persons from gaining access to
classified matter.
(1) Measures shall be in place to prevent persons from viewing or hearing
classified information.
(2) Conference rooms and areas specifically designated for classified
discussions shall follow Technical Surveillance Countermeasures Program
requirements.
f. Sensitive Compartmented Information Facilities shall be afforded physical
protection in accordance with the Director of Central Intelligence Directives
1/21(see Attachment 1). Any unresolved issues pertaining to this subject shall be
referred to the Director of Safeguards and Security for coordination.
2. Storage Requirements
a. Restrictions on Use of Secure Storage Repositories.
(1) Funds, firearms, medical items, controlled substances, precious metals, or
other items susceptible to theft shall not be stored in the same secure
storage repository that is used to store classified matter.
(2) Secure storage repositories shall not bear any external classification or
other type markings that would indicate the level of classified matter
authorized to be stored within the container. For identification purposes,
each security container shall externally bear an assigned number.
b. Requirements. Security containers required for the storage of classified matter
shall conform to the GSA standards and specifications and applicable requirements
of Chapter IX of this Manual. Classified matter that is not under the personal
control of an authorized person shall be stored as prescribed below.
NOTE: Inspections by the protective force shall consist of examination of the
exposed surfaces of the container, vault, vault-type-room and steel filing cabinets
to determine if there has been any force entry and to ensure that the container is
locked.
(1) Top Secret Matter. Top Secret matter may be stored in one of the
following ways:
(a) In a locked, General Services Administration-approved security
container with one of the following supplemental controls:
1 Under intrusion detection alarm protection with protective
force response within 15 minutes of annunciation of the
alarm;
2 Protective force, with inspections on a 2-hour basis;
3 The security container be equipped with a lock meeting
Federal Specification FF-L-2740 only if the container is
located in a Limited, Exclusion, Protected or Material
Access Area.
4 Within a Limited Area or above, random protective force
patrols at least once every 8 hours during nonworking
hours. Facilities with large numbers of security containers
shall patrol at least 25 percent of the containers once every
24 hours.
(b) In a vault approved by the cognizant DOE element. The vault shall
be designed and constructed of masonry units or steel lined
construction and equipped with GSA-approved vault door. (A
GSA-approved modular vault meeting Federal Specification
FFV-2737 may be used in lieu of the above.) The vault shall be
equipped with intrusion detection protection with protective force
response within 15 minutes of alarm annunciation;
(c) In a vault-type room approved by the cognizant DOE element. The
vault-type-room shall be under intrusion detection alarm protection
with protective force response within 15 minutes of alarm
annunciation. The vault-type-room shall be located within a
Limited, Exclusion, Protected or Material Access Area.
(2) Secret Matter. Secret matter shall be stored in a manner authorized for
Top Secret matter or in one of the following ways:
NOTE: Secret matter not stored in security areas providing control
measures equal to or greater than those present in Limited Areas shall be
maintained in an accountability system as required in DOE 471.2.
(a) In a locked General Services Administration approved security
container.
(b) In a vault approved by the cognizant DOE element which is
designed and constructed of masonry units or steel lined
construction and equipped with GSA vault door. (A GSA-
approved modular vault meeting Federal Specification FFV-2737
may be used in lieu of the above.)
(c) In steel filing cabinets not meeting General Services Administration
requirements (such containers approved for use prior to 7-15-94
may continue to be used until there is a need for replacement)
equipped with an automatic unit locking mechanism and three-
position, dial-type, built-in combination lock. In addition, one of
the following supplementary controls is required:
1 Within a Security Area providing, as a minimum, the
protection level of a Limited Area or above;
2 Under intrusion detection alarm protection with protective
force response within 30 minutes of alarm annunciation; or
3 Inspections of the container every four hours by protective
force.
(d) In a vault-type room approved by the cognizant DOE element with
one of the following supplemental controls:
1 Within a Security Area providing as a minimum the
protection level of a Limited Area or above;
2 Under intrusion detection alarm protection with protective
force response within 30 minutes of alarm annunciation; or,
3 Inspections of the area every four hours by protective force.
(3) Confidential Matter. Confidential matter shall be stored in a manner
authorized for Secret matter except that supplemental controls are notrequired.
d. Nonstandard Methods of Storage
Within the minimum protection level of a Limited Area, nonstandard methods of
storage may be applied for Top Secret, Secret and Confidential material whose
size, weight, construction, or other characteristic precludes storage as discussed in
the subparagraphs above.
(1) Local safeguards and security authorities shall base their protection
measures upon the results of documented vulnerability analyses. These
vulnerability analyses shall address the nature of the matter to be protected
(e.g., size, weight, composition, radioactivity, and importance to an
adversary and/or the Department) in relation to the threat. Additionally,
vulnerability analyses must consider the portability of the classified matter,
ease of concealment, time needed to gain access, ease of gaining access,
protective force response time, and the potential consequences of gaining
unauthorized access.
(2) Measures (e.g., barriers, locks, intrusion detection systems, and protective
force) tailored to address the specific nonstandard condition, as determined
by local safeguards and security authority, shall be implemented to provide
protection to deter unauthorized access to classified matter.
(3) Measures to be implemented for each nonstandard condition shall be
documented in the applicable security plan and approved by the cognizant
DOE security office.
(4) For protective force to be employed as a specified supplemental protection
measure, due consideration should be given to ensuring the interval for
those inspections is less than the time required for an adversary to gain
undetected access to the classified matter and/or remove the classified
matter and escape detection.
e. Protective Force Personnel.
(1) In the event that an unattended secure storage repository containing
classified matter is found open, the repository shall be secured by
designated protective personnel and a custodian shall be notified
immediately. The contents shall be checked no later than the next
workday. If there is an indication of a violation or compromise, the
contents shall be checked immediately by a custodian, being careful not to
destroy fingerprints or other physical evidence. Report and conduct
inquiries as required by DOE O 471.2, INFORMATION SECURITY
PROGRAM, and DOE O 470.1 SAFEGUARDS AND SECURITY
PROGRAM.
(2) Response to intrusion detection alarms shall be by protective personnel,
private security firms, or local law enforcement personnel, as documented
in approved security plans.
f. Alternate Storage Locations.
(1) With prior written Departmental approval, a bank safe deposit box/vault
may be used for storage of Secret or Confidential matter, provided that the
lock and keys to the box/vault are changed prior to such use and the
customer's key is furnished only to persons authorized access to the
contents.
(2) Federal Records Centers, approved as outlined in DOE O 470.1, may be
used for the storage of classified information.
3. Protecting Container Information:
a. Protection of Security Containers and Combinations. External markings on
the security container that indicate the contents are Top Secret, Secret, or
Confidential shall not be used. Security containers, vaults, and vault-type rooms
used to protect safeguards and security interests shall be kept locked when not
under direct supervision of an authorized individual. Combinations shall be
protected at the classification level and category of the matter being protected. A
minimum number of authorized persons (i.e., personnel having access
authorization for the information kept in that container) shall have the combination
to the storage container or have access to the information stored within the
security container.
(1) To ensure proper protection of the combination, part 2 of SF700 shall be
marked with the highest classification level and category (if RD or FRD) of
the information being stored within the secure storage container. Classifier
information is not required to be affixed to part 2 of the SF700.
(2) To comply with classification guidance, part 2A should be marked onlywith the highest classification level of the combination. The category is notmarked on this part of the form. Classifier information is not required to be
affixed to part 2 of the SF700..
(3) All persons knowledgeable of the container's combination must be listed on
the SF700. If needed, use an additional sheet of paper as a continuation
page.
b. Changing Combinations. Combinations shall be changed by an appropriately
cleared authorized individual. Combinations shall be changed at the earliest
practical time following:
(1) Initial receipt of a General Services Administration-approved security
container or lock.
(2) Reassignment, transfer, or termination of employment of any person having
knowledge of the combination, or when the Departmental access
authorization granted to any such person is downgraded to a level lower
than the category of matter stored, or when the Departmental access
authorization has been administratively terminated, suspended, or revoked.
(3) Compromise or suspected compromise of a security container or its
combination, or discovery of a security container unlocked and unattended.
c. Selection of Combination Settings. Combination numbers shall be selected at
random, avoiding simple ascending or descending series such as 10-20-30 or 50-
40-30. Care shall also be exercised to avoid selecting combinations of numbers
that are easily associated with the person(s) selecting the combination (e.g., birth
dates, anniversaries, social security numbers, or telephone extensions).
d. Security Repository Information. Applicable requirements concerning security
repositories are provided below:
(1) Security Container Information. An SF-700, "Security Container
Information," shall be completed for all security containers, rooms, vaults,
and other approved locations for the storage of classified matter.
(a) Part 1 of the SF-700 shall be affixed to the security container to
ensure high visibility. On rooms or vaults, Part 1 of the SF-700
shall be affixed to the inside of the door containing the combination
lock. On security containers, it shall be placed on the inside (back
front) of the locking drawer or on the front of the locking drawer,
at the user's discretion.
(b) Part 2 and 2a of each completed copy of SF 700 shall be classified
at the highest level of classification of the information authorized
for storage in the repository.
(2) Security Container Check Sheets. An integral part of the security check
system shall be ensuring that classified matter has been properly stored and
that security containers, vaults, or vault-type rooms have been secured.
SF-702, "Security Container Checklist," shall be used to record the end-of-
day security checks.
(a) SF-702 shall be used to provide a record of the names and times of
the persons that have opened, closed, or checked a particular
container, room, or vault holding classified information.
(b) The SF-702 shall be used in all situations requiring the use of a
security container check sheet, and shall be affixed to the container
or entrance to a room or vault.
(3) Activity Security Checklist. SF-701, "Activity Security Checklist,"
provides a systematic means of checking end-of-day activities for a
particular work area (e.g., checking security containers, desks, and
wastebaskets for classified matter; ensuring windows and doors are locked;
ribbons for classified typewriters and automated data processing equipment
have been secured; and security alarms have been activated), allowing for
employee accountability in the event that irregularities are discovered. The
use of SF-701 is optional; however, in situations requiring detailed
end-of-day security inspections, the SF-701 shall be used.
(4) Records. Completed SF-701s and SF-702s shall be maintained according
to General Record Schedule 18.
Chapter IV
RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE PROTECTION
1. General. Contractor safeguards and security planning shall include the protection of the
health and safety of employees, the public, and the environment against potential adverse
impacts of Radiological and Toxicological Sabotage (Rad/Tox-Sab). Protection shall be
provided in a graded manner, consistent with the level of hazards present. The following
requirements shall apply:
a. Facilities representing a "significant" Rad/Tox-Sab threat shall document in the
Site Safeguards and Security Plan (SSSP), the sabotage assessment process and
the facility program for protection against such a threat.
b. A facility may be considered to present a "significant" potential Rad/Tox-Sab
threat when any of the following materials are present at the facility.
(1) Special nuclear material which is respirable, or which can be assimilated
into the human body.
(2) Quantities of radioactive materials sufficient to achieve a critical mass.
(3) Radioactive materials in excess of quantities listed in Title 10 CFR 30.72.
(4) Hazardous chemicals in quantities greater than 10,000 lbs, (or 4,540
Kgs).
(5) Extremely hazardous substances in quantities greater than "Threshold
Planning Quantities" (TPQ) listed in SARA Title III, found at 40 CFR 255,
Appendices A and B.
2. Protection Planning
a. Safety analysis reports that have been completed for accident scenarios, emergency
event classification, VARs, protection actions, and consequence assessments, and
other pertinent information that can be used to assess risks and/or consequences of
sabotage release scenarios shall be considered in the radiological/toxicological
sabotage analysis. Section 4 of this Chapter should be considered in the
formulation of rad/tox/sab targets.
d. The methodology for completing a radiological/toxicological sabotage assessment
shall parallel that used for completing vulnerability assessment for theft/diversion
of SNM, and be integrated into the site VAR(s).
c. Consequence values, as shown in Table IV-1, shall consider effects on the public,
employees, and the environment from acts of radiological and toxicological
sabotage.
d. Radiological/toxicological sabotage analysis completed after the date of this
manual shall entail consideration of a wide variety of factors such as materials,
locations, site-specific features, and existing security and safety features. The
analysis shall include the development and analysis of a spectrum of scenarios
leading to Rad/Tox releases.
3. Assessment of Risks The DOE Design Basis Threat, regional threat assessments, and
when available, local threat descriptions, shall be the basis for the site/facility VA and for
which the protection program is designed. The threat, targets, and protection strategies
shall be documented in the SSSP.
a. The radiological/toxicological sabotage assessment shall consider the complete
spectrum of available resources in identifying and developing preventive, response,
and mitigation options.
(1) Within the limits of the DOE Design Basis Threat, every combination of
insider and outsider threat shall be analyzed to determine which threats
apply to specific site facilities.
(2) For the facility and target involved, the protection strategies pertaining to
denial, and mitigation, and the title of the responsible office for each plan
or procedure in which the strategy is described shall be documented.
(3). Procedures for the mitigation of a radiological/toxicological sabotage
event, and risk acceptance shall be documented.
b. Hazardous materials shall be identified. Threshold quantities of hazardous
materials shall be screened to eliminate those facilities whose vulnerability to
sabotage is limited by the lack of sufficient inventory. Note that this evaluation
should be based on a maximum level of hazardous materials that are expected or
may be present at the facility.
4. Protection of Radiological/toxicological Sabotage Targets
a. The analysis of all radiological/ toxicological sabotage targets assessments shall be
included in the Site Safeguards and Security Plan, Vulnerability Analysis Report
(VAR).
(1) All Special Nuclear Material (SNM) identified as theft targets under the
provisions of Chapter II of this manual, shall also be identified as potential
radiological/ toxicological sabotage targets, and afforded a radiological/
toxicological sabotage analysis.
(2). If the radiological/toxicological sabotage targets are not subject to the
SNM theft protection requirements of Chapter II, an evaluation will be
made to determine if the potential targets are afforded protection equal to
or greater than similar material in the commercial or private sector. If the
targets are afforded this level of protection, no further analysis is required.
(3) A radiological/toxicological sabotage analysis must be performed for those
radiological/toxicological sabotage targets not subject to (1), or (2).,
above, and that are not found in the commercial or private sector, and
those targets not afforded a protection level equal to or greater than the
commercial or private sector.
b. The implementation of prevention and mitigation options shall be in a graded
manner, and shall occur based on the results of the radiological/toxicological
sabotage analysis.
(1) Add safeguards and security features to prevent or detect adversary actions
(i.e., access and materials controls, surveillance, additional barriers/alarms,
and entry/exit inspections).
(2) Implement additional controls or add equipment that would prevent the
sabotage release scenario (i.e., providing automatic shut down if
components fail, adding backup systems, or establishing protected/vital
areas.
(3) Take event-mitigating actions such as establishing shelters, emergency
notifications/evacuations, reducing and/or removing inventory quantities or
changing storage locations. TABLE IV-1.
RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE
CONSEQUENCE VALUES TABLE
CONSEQUENCE
VALUE
IMPACT
EFFECTS ON THE PUBLIC, EMPLOYEES, AND
THE ENVIRONMENT FROM ACTS OF
RADIOLOGICAL OR TOXICOLOGICAL
SABOTAGE
1.0
Catastrophic
On and off-site fatalities and injury, long-term denial
(greater than two (2) years) of facility due to damage or
radiation contamination, and off-site denial of food,
water or habitat due to contamination for more than
one (1) year.
0.8
High
Off-site injury and on-site fatalities and injury, on-site
facility denial one to two (1-2) years, and off-site denial
of food, water, or habitat due to contamination for less
than one (1) year.
0.5
Moderate
On-site injury (no off-site injury), on-site facility denial
six (6) months to one (1) year, and denial of food,
water or habitat due to contamination less than six (6)
months.
0.2
Low
On-site injury, on-site facility denial less than one (1)
month and no impact on food, water supply or habitat.
Chapter V
SECURITY AREAS
1. General. Contractor security procedures that determine the application of Security Area
requirements for Property Protection Areas must be approved by the local DOE
safeguards and security authority. The following applies to security areas.
a. Access shall be controlled to limit entry to appropriately cleared and/or authorized
individuals.
(1) Any person allowed to enter a Security Area who does not possess an
access authorization at the appropriate level will be escorted at all times by
a cleared and knowledgeable individual.
(2) Local authorities shall establish escort-to-visitor ratios in a graded manner
for each of these Security Areas.
b. Access control requirements may be layered as appropriate for the situation. At
succeeding boundaries, access controls may be more stringent.
c. A personnel identification system (e.g. security badge system) shall be used to
control access.
d. Automated access control systems may be used as approved by the cognizant local
Departmental authority for safeguards and security.
(1) Automated access controls, when used for access to any security area,
except property protection areas designated by the local authority, shall
require the minimum of the verification of a valid DOE Standard Badge,
and PIN.
(2) When remote automated access control systems are used for access to
security areas, each barrier penetration shall provide the same degree of
penetration resistance as the barrier itself. Anti-tailgating means and
procedures must be implemented.
(3) Automated access control systems used for the protection of Cat I, SNM,
and that Cat II SNM capable of roll-up to Cat I, and Top Secret Matter
shall be monitored in both a Central, and Secondary Alarm Station
(4) Automated access control system events, e.g., door alarm, tamper alarm,
anti-passback indication feature, unauthorized entry attempt, shall be
treated the same as an intrusion alarm for the area being protection.
e. Means shall be provided to deter unauthorized intrusion into Security Areas.
Means include use of intrusion detection sensors and alarm systems, barriers,
random patrols, and/or visual observation. The protection program shall include
suitable means to assess alarms. Intrusion detection and assessment systems used
for the protection of Cat I, SNM, and that Cat II SNM capable of roll-up to Cat I,
and Top Secret Matter shall be monitored in both a Central, and Secondary Alarm
Station. See paragraph 1, page VI-1 for amplified requirements.
f. Entrance/exit inspections, as required, shall be made by protective personnel or
with detection equipment designed to detect prohibited articles (See subparagraph
(2), below). Inspections of personnel, hand-carried items, packages and mail,
and/or vehicles shall provide reasonable assurance that prohibited articles are not
introduced and that safeguards and security interests are not removed from the
area without authorization.
(1) Inspections. Inspection procedures, requirements, and frequencies shall be
developed based on a graded approach and included in the appropriate
security plan. Where random entry or exit inspections are permissible, the
inspection shall be conducted on a percentage basis, determined by the
Departmental cognizant local authority for safeguards and security, using
techniques that ensure randomness.
(2) Prohibited Articles. The following articles are prohibited from all Security
Areas., any explosives, or other dangerous weapon, instrument or material
likely to produce substantial injury or damage to persons or property.
(Reference Title 10 CFR Part 860, and Title 41 CFR Part 101-19.3.) , any
controlled substances (e.g., illegal drugs and associated paraphernalia, but
not prescription medicine), hazardous chemicals, and any other items
prohibited by law. The cognizant Departmental local authority for
safeguards and security may authorize the introduction of explosives and
weapons if they are to be use to conduct official government business.
(3) Controlled Articles. The following privately owned articles are not
permitted in a Limited , Exclusion , Protected , or Material Access Area
without prior authorization of the cognizant Departmental local authority
for safeguards and security.
(a) Recording equipment (audio, video, optical, or data).
(b) Electronic equipment with a data exchange port capable of being
connected to automated information system equipment.
(c) Cellular telephones.
(d) Radio frequency transmitting equipment.
(e) Computers and associated media.
(4) Concentric Security Areas. When a Security Area, excepting Material
Access Areas, is within a larger Security Area, additional entry/exit
inspections are not required at the inner Security Area perimeter if
inspections conducted at the outer Security Area boundary are at the same
level as required for the inner Security Area boundary. Entry and exit
inspections shall be conducted at Material Access Area boundaries
regardless of outer boundary inspections.
g. Clearly defined physical barriers, such as fences, walls, and doors, shall be used to
define the boundary of a Security Area. Barriers shall meet the following
requirements, as well as supplementary requirements at paragraph 1, page VII-1:
(1) Barriers shall direct the flow of personnel and vehicles through designated
entry control portals.
(2) Barriers and entry control portals, supplemented by other systems such as
patrols or surveillance, shall be used to deter and detect introduction of
prohibited articles or removal of safeguards and security interests.
(3) Barriers shall be used to deter and/or prevent penetration by motorized
vehicles where vehicular access could significantly enhance the likelihood
of a successful malevolent act, associated with protected areas and high
level security areas.
(4) Barriers shall be capable of controlling, impeding, or denying access to a
Security Area.
h. Emergency personnel and vehicles may be authorized immediate entry to security
areas when escorted by properly cleared and authorized personnel. Personnel and
vehicles shall be subject to exit inspections upon completion of the emergency
situation.
i. Signs reflecting information on: the Atomic Weapons and Special Nuclear
Rewards Act; prohibited articles; the inspection of vehicles, packages, or persons
either entering or exiting; notification of video surveillance equipment; and
trespassing, if applicable, shall be posted. Signs prohibiting trespassing shall be
posted around the perimeter and at each entrance to a Security Area except when
one Security Area is located within a larger posted Security Area. See Chapter
XII for further details.
j. Visitor logs are required at Protected Areas, Material Access Areas, and Exclusion
Areas. Requirements for other Security Areas, if any, and procedures for visitor
logs at Security Areas shall be developed and approved by the cognizant local
Departmental authority for safeguards and security. DOE F 1240.1, "Foreign
Visitors Security Register," and DOE F 5630.6, "Visitors Security Register," shall
be used. Logs shall be retained in accordance with DOE 1324.5B, RECORDS
MANAGEMENT PROGRAM and General Records Schedule 18.
2. Property Protection Area. A Property Protection Area is a Security Area established by
local authority for the protection of Departmental property. A Property Protection Area
may be established to protect against damage, destruction, or theft of Government-owned
property, and for public access. Measures taken shall be adequate to give reasonable
assurance of protection and may include physical barriers, access control systems,
protective personnel, intrusion detection systems, and locks and keys. Protective
measures taken shall be determined by local authorities and shall provide appropriate,
graded protection as follows:
a. Access controls may be implemented to protect Departmental property and
facilities. When access to a Property Protection Area is controlled by an
automated access control system, then the system shall verify the following: valid
DOE standard badge (i.e., the badge serial number read by the system matches the
serial number assigned to the badge holder). .
b. Signs prohibiting trespassing, where necessary, shall be posted around the
perimeter and at each entrance to the Property Protection Area in accordance with
Title 10 CFR Part 860, "Trespassing on Administration Property" and Title 41
CFR Part 101-19.3, "Federal Property Management Regulation." See Chapter
XII.
c. Vehicles and hand-carried items entering or exiting are subject to inspection to
deter and/or detect unauthorized introduction of contraband and removal of
Government assets.
d. Physical barriers may be used to protect property and facilities.
e. Property Protection Area security measures may range from facilities open to
public access to that of a Protected Area, at the discretion of the local Authority
and as implemented in the site safeguards and security plan.
3. Limited Area. A Limited Area is a Security Area defined by physical barriers, used for
the protection of classified matter and/or Category III quantities of special nuclear
material, where protective personnel or other internal controls can prevent access by
unauthorized persons to classified matter or special nuclear material.
a. Requirements. A Limited Area shall have barriers identifying its boundaries and
encompassing the designated space, as well as access controls to provide
reasonable assurance that only authorized personnel are allowed to enter and exit
the area, and random entrance/exit contraband inspections. Limited Area access
requirements shall be administered as follows:
(1) Individuals permitted unescorted access shall have access authorization and
need-to-know consistent with the matter under protection within the area.
(2) When access to a Limited Area is authorized for a person without
appropriate access authorization or need-to-know, measures shall be taken
to prevent compromise of classified matter.
(3) Access to safeguards and security interests within a Limited Area, when
not in approved storage, shall be controlled by the custodian(s) or
authorized user(s).
b. Personnel and Vehicle Access Control. Validation of the identity and access
authorization of persons allowed access shall be administered by protective
personnel (e.g., protective force or other appropriately authorized personnel)
and/or automated systems and shall be accomplished at the Limited Area
entrance(s). Access control requirements shall be as follows:
(1) Privately owned Government employee and contractor vehicles shall be
prohibited from a Limited Area.
(2) Government-owned or Government-leased vehicles shall be admitted only
when on official business and only when operated by properly cleared and
authorized drivers, or when escorted by properly cleared, authorized
personnel. Emergency service vehicles, e.g., ambulances, fire trucks,
police, may be granted immediate access when escorted by properly cleared
and authorized personnel. The local S&S authority shall implement
procedures for search and access of service and delivery vehicles on official
business, however, escort by properly cleared and authorized personnel is
required. Entry of service and delivery vehicles shall be kept to an
operational minimum.
(3) Where access to a Limited Area is controlled by an automated access
control system, the system shall verify the following: valid access
authorization, valid Personal Identification Number, and valid DOE
standard badge (i.e., the badge serial number read by the system matches
the serial number assigned to the badge holder).
4. Exclusion Area. An Exclusion Area is a Security Area defined by physical barriers and
subject to access control, where mere presence in the area would result in access to
classified matter.
a. Requirements. An Exclusion Area shall have barriers identifying its boundaries
and encompassing the designated space, as well as access controls and
entrance/exit inspections to provide reasonable assurance that only authorized
personnel are allowed to enter and exit the area. Exclusion Area requirements
shall be administered as follows:
(1) An Exclusion Area shall meet all requirements for a Limited Area. An
analysis should be conducted to determine if a valid biometric template is
required to protect Top Secret classified matter and Restricted data.
(2) Access requirements are as follows:
(a) Individuals allowed unescorted access shall have an access
authorization and need-to-know consistent with the matter to which
they would have access by mere virtue of their presence in the area.
(b) When access to an Exclusion Area is authorized for a person
without appropriate access authorization and need-to-know,
measures shall be taken to prevent compromise of classified matter
while the individual is in the area.
b. Personnel and Vehicle Access Control. Validation of the identity and access
authorization of persons allowed access shall be accomplished at the Exclusion
Area entrance(s) and shall be administered by protective personnel and/or
automated systems.
(1) Private vehicles shall be prohibited from an Exclusion Area.
(2) Government-owned or Government-leased vehicles shall be admitted only
when on official business and when operated by properly cleared and
authorized drivers. Emergency service vehicles, e.g., ambulances, fire
trucks, police, may be granted immediate access when escorted by properly
cleared and authorized personnel. The local S&S authority shall implement
procedures for search and access of service and delivery vehicles on official
business, however, escort by properly cleared and authorized personnel is
required. Entry of service and delivery vehicles shall be kept to an
operational minimum.
(3) Where access to an Exclusion Area is controlled by an automated access
control system, the system shall verify the following: valid access
authorization, valid Personal Identification Number, and valid DOE
standard badge (i.e., the badge serial number read by the system matches
the serial number assigned to the badge holder).
5. Protected Area. A Protected Area is a Security Area encompassed by physical barriers,
surrounded by perimeter intrusion detection and assessment systems, and having access
controls for the protection of Category II quantities of special nuclear material and/or to
provide a concentric security zone surrounding a separately defined Material Access Area
or Vital Area.
a. Requirements. The requirements for a Protected Area shall be as follows:
(1) Entrance inspections of personnel, vehicles, and hand-carried items shall be
conducted to deter and detect the unauthorized introduction of contraband.
Specific inspection procedures and special nuclear material/metal detection
levels and limitations shall be established and documented.
(2) Exit inspections of personnel, vehicles, and hand-carried items shall be
conducted to deter and detect the unauthorized removal of special nuclear
material. Specific inspection procedures and special nuclear material/metal
detection levels and limitations shall be established and documented. When
the Protected Area encompasses a Material Access Area, and no Category
II or greater quantity of SNM is contained outside the Material Access
Area, then no exit inspection is required.
a A physical or electronic inspection shall be separately conducted of
vehicles, personnel, packages, and all other containers at all routine
exit points for Protected Areas that contain Category I quantities
(or lesser quantities with credible roll up to a Category I quantity).
b Exit inspection procedures and detection levels for special nuclear
material and shielding shall be established consistent with the
material type, form, quantity, attractiveness level, size,
configuration, portability, and credible diversion amounts of special
nuclear material contained within the area.
c Exit inspections shall be capable of detecting shielded special
nuclear material (e.g., using a combination of special nuclear
material and metal detectors) and shall meet requirements for metal
and special nuclear material detection as determined by the
Manager, Operations Office.
d Procedures used shall assure that unalarmed portals without the
means to detect special nuclear material are not used.
(3) Exits shall be alarmed or controlled at all times.
(4) Protected Area perimeter intrusion detection and assessment systems shall
be monitored in a continuously manned central alarm station.
(5) Protective force response time to an intrusion detection shall be less than
the delay time that can be demonstrated from alarm activation until
intruders could complete adverse actions.
b. Personnel and Vehicle Access Control. Validation of the identity and access
authorization of persons authorized access shall be administered by armed
protective force personnel and/or an automated access control system as
determined by local safeguards and security authorities. Access control
requirements shall be as follows:
(1) Private vehicles shall be prohibited from a Protected Area.
(2) Government-owned or Government-leased vehicles shall be admitted only
when on official business and only when operated by properly cleared and
authorized drivers, or when escorted by properly cleared, authorized
personnel. Service and delivery vehicles shall be admitted only when on
authorized business and when driven or when escorted by properly cleared,
authorized personnel. Entry of service and delivery vehicles shall be kept
to an operational minimum.
(3) Where access to a Protected Area is controlled by an automated access
control system, the system shall verify the following: valid access
authorization, valid Personal Identification Number, and valid DOE
standard badge (i.e., the badge serial number read by the system matches
the serial number assigned to the badge holder).
6. Vital Area. A Vital Area is a Security Area, located within a Protected Area, used for the
protection of vital equipment. All vital equipment shall be contained within a Vital Area.
a. Requirements. In addition to protection strategies at a Protected Area, the
following requirements shall be met:
(1) Area boundaries shall conform to the layered protection concept, with a
separate Vital Area perimeter located within a separate and distinct
Protected Area.
(2) The perimeter of each Vital Area shall be monitored to deter and detect
unauthorized entry attempts.
(3) Vital equipment shall be protected with an intrusion detection system.
(4) Exits shall be alarmed or controlled at all times.
(5) Protective force response time to an intrusion detection shall be less than
the delay time that can be demonstrated from alarm activation until
intruders could complete adverse actions.
b. Personnel and Vehicle Access Control. The local S&S authority shall implement
procedures for personnel, and official vehicles for vital area access. The procedure
shall require the validation of the identity and access authorization of persons
authorized access and shall be administered by protective personnel or an
automated access control system. Access control requirements shall be as follows:
(1) Private vehicles shall be prohibited from a Vital Area.
(2) Government-owned or Government-leased vehicles shall be admitted only
when on official business and only when operated by properly cleared and
authorized drivers, or when escorted by properly cleared and authorized
personnel. Service and delivery vehicles shall be admitted only when on
authorized business and when driven by or escorted by properly cleared
and authorized personnel.
(3) Where access to a Vital Area is controlled by an automated access control
system, the system shall verify the following: valid access authorization,
valid Personal Identification Number, and valid DOE standard badge (i.e.,
the badge serial number read by the system matches the serial number
assigned to the badge holder).
7. Material Access Area. A Material Access Area is a Security Area defined by physical
barriers and subject to access control, used for the protection of Category I quantities of
special nuclear material or Category II quantities of special nuclear material with credible
roll up to a Category I quantity. A Material Access Area shall be contained within a
Protected Area and shall have separately defined physical barriers constructed to provide
sufficient delay time to control, impede, or deter unauthorized access. Area boundaries
shall conform to the layered protection concept, with a separate Material Access Area
perimeter located within a separate and distinct Protected Area. Material Access Area
barriers shall direct the flow of personnel and vehicles through designated portals.
a. Requirements. Inspections shall provide reasonable assurance against the
unauthorized introduction of prohibited articles or removal of special nuclear
material by force, stealth, or deceit.
(1) Entrance inspections of personnel, vehicles, and hand-carried items shall be
conducted to deter and detect the unauthorized introduction of prohibited
articles.
(2) Exit inspections of personnel, vehicles, and hand-carried items shall be
conducted to deter and detect the unauthorized removal of special nuclear
material. Specific inspection procedures and special nuclear material/metal
detection levels and limitations shall be established and documented.
a A physical or electronic inspection shall be separately conducted of
vehicles, personnel, packages, and all other containers at all routine
exit points for Material Access Areas that contain Category I
quantities (or lesser quantities with credible roll up to a Category I
quantity).
b Exit inspection procedures and detection levels for special nuclear
material and shielding shall be established consistent with the
material type, form, quantity, attractiveness level, size,
configuration, portability, and credible diversion amounts of special
nuclear material contained within the area.
c Exit inspections shall be capable of detecting shielded special
nuclear material (e.g., using a combination of special nuclear
material and metal detectors) and shall meet requirements for metal
and special nuclear material determined by the Manager, Operations
Office.
d Procedures used shall assure that unalarmed portals without the
means to detect special nuclear material are not used.
(3) Protective force response time to an intrusion detection shall be less than
the delay time that can be demonstrated from alarm activation until
intruders could complete adverse actions.
(4) Exits and all openings larger than 96 square inches, see CVIII.1.g.(2), shall
be alarmed with intrusion detection sensors or controlled at all times.
(5) Material in process or stored within an unattended MAA, or within a vault
or vault type room within the MAA shall be protected by intrusion
detection sensors.
(6) Intrusion detection sensors and assessment systems shall be monitored in a
continuously manned central alarm station.
b. Personnel and Vehicle Access Control. Validation of the identity, access
authorization, and authority to enter for persons allowed access shall be
accomplished at Material Access Area entrances. Access control shall be
administered by armed protective force personnel and/or automated access control
systems as determined by local safeguards and security authorities.
(1) Private vehicles shall be excluded from a Material Access Area.
(2) Government-owned or Government-leased vehicles shall be admitted to
Material Access Areas only when on official business and only when
operated by drivers having the proper access authorization, or when
escorted by authorized personnel who have the proper access
authorization.
(3) Exit detection levels for special nuclear material and shielding shall be
established consistent with the form, quantity, attractiveness level, and
credible diversion amounts/attempts of special nuclear material contained
within the area.
(4) Where access to a Material Access Area is controlled by an automated
access control system, the system shall verify the following: valid access
authorization, valid Personal Identification Number, valid DOE standard
badge (i.e., the badge serial number read by the system matches the serial
number assigned to the badge holder), and a valid biometric template.
8. Other Security Areas. Other security areas shall be administered as follows and as
outlined in pertinent Departmental directives:
a. Sensitive Compartmented Information Facilities. The Department of Energy
follows requirements in Director of Central Intelligence Directive 1/21 for the
construction of Sensitive Compartmented Information Facilities.
b. Central Alarm Station. A Central Alarm Station shall be used in protection of
Categories I and II quantities of special nuclear material. A Central Alarm Station
shall meet the requirements of a hardened post and shall be located, as a minimum,
within a Limited Area. Requirements are as follows:
(1) An access control system shall be used to restrict admittance to persons
who require access in the performance of official duties.
(2) A Central Alarm Station shall be attended constantly by appropriately
trained security personnel who possess access authorizations that are
commensurate with the most sensitive asset that is under the protection of
the Central Alarm Station.
c. Secondary Alarm Stations. Facilities with Categories I or II quantities of special
nuclear material shall have a Secondary Alarm Station. Used as an alternative
alarm annunciation point to the Central Alarm Station, the Secondary Alarm
Station shall be maintained at a location continuously manned, such that a response
can be initiated in the event a Central Alarm Station is unable to perform its
intended function. Secondary Alarm Stations shall meet the operational
requirements of Central Alarm Stations with the exception of hardening and
location within a Limited Area. The Secondary Alarm Station need not be fully
redundant to the Central Alarm Station, but shall be capable of providing effective
control response to safeguards and security incidents.
d. Local Law Enforcement Agency or Private Alarm Station. If response by
local law enforcement agency/protective personnel to alarm activity is required for
facility approval, the response shall meet the specifications for Grade AA as
contained in Underwriters Laboratories Standard 611, "Central-Station Burglar-
Alarm Systems."
e. Secure Communications Centers and Automated Information System
Centers.
(1) Centers handling classified messages or information shall be located, as a
minimum, within a Limited Area.
(2) Separate access controls and barriers shall be established to restrict
admittance to persons employed therein or who require access in the
performance of official duties.
(3) Access authorizations, consistent with the highest level and category of
classified information handled, shall be required for all persons assigned to
or having any unescorted access to these Centers. A list of persons
authorized such access shall be maintained within the Center, and a record
of all visitors entering the facility shall be maintained.
Chapter VI
PROTECTION ELEMENT: INTRUSION DETECTION AND ASSESSMENT SYSTEMS
1. General. Contractors shall install intrusion detection systems to provide reasonable
assurance that breaches of security boundaries are detected, and alarms are generated at a
continuously manned alarm annunciation point. . Intrusion detection systems shall be
provided for Protected Areas as required in paragraph 5, Vital Areas, in paragraph 6, and
for Material Access Areas and special nuclear material as discussed in paragraphs 2, 3, and
4 below. Intrusion detection systems shall be provided for protection of classified matter
as described at page III-3, paragraph 3. Intrusion detection systems shall also be provided
for vaults, vault-type rooms, Sensitive Compartmented Information Facilities, Classified
Automated Information System facilities, and Secure Communications Centers. For other
applications, the impact of loss or destruction of property and facilities shall be considered
when assessing the need for intrusion detection systems.
2. General Requirements. Specifications for intrusion detection systems shall be as
follows:
a. A means for timely detection of intrusion shall be provided by the use of intrusion
detection systems and/or protective force fixed posts and/or mobile patrols.
Timely assessment of intrusion detection system alarms shall be provided by
electronic systems and/or patrols. Electronic assessment systems shall be fixed in
place. When used for detection, patrols shall be conducted at random intervals, at
a documented frequency.
b. Intrusion detection systems shall provide operable coverage in all environmental
conditions common to that area and under all common types of lighting conditions.
c. Visual observation by protective personnel on patrol or in fixed posts may
complement intrusion detection systems and increase the probability of early
detection.
d. There shall be an effective method by which to assess all intrusion detection system
alarms (e.g., intrusion, false, nuisance, system failure, and tamper), and radio
frequency (RF) Jamming.
e. Response capability to intrusion detection system alarms shall be provided to
protect Departmental safeguards and security interests. The response capability
may be provided by assigned protective personnel or by the local law enforcement
agency, as applicable. Response times shall be appropriate for the protection
strategy employed at the site.
f. Employ protection in-depth with multiple detection layers for Categories I and II
special nuclear material targets. Complementary sensor selection is required when
multiple types of sensors are deployed.
g. The intrusion detection system shall be designed, installed, operated and
maintained in a manner ensuring that the number of false and nuisance alarms does
not reduce the system effectiveness. The system effectiveness metrics results shall
be recorded.
h. The intrusion detection system and the associated components such as sensors,
multiplexers, power supply cabinets, processors, junction boxes, and alarm access
panels that are servicing Protected Areas, Material Access Areas, or Vital Areas
shall resist tampering and provide an alarm indicating tampering.
i. The intrusion detection systems shall be monitored continuously by personnel
assigned to assess alarms and intrusion activities. Monitoring personnel shall
initiate the appropriate responses.
j. Compensatory measures shall be provided during times when the intrusion
detection system is not in operation or not operating effectively . The use of RF
devices for the protection of Cat I, SNM, are considered temporary compensatory
measures which require deviation approval.
k. Systems installed after 9/14/94, used in the protection of Category I quantities of
special nuclear material, shall employ redundant, independently routed
communication paths to avoid a single point failure. If the communication path is
in a "loop" configuration, it must feature reverse polling to meet this requirement.
The redundant pathways shall begin at a data collection point and be conveyed and
reported independently to a physically separated Central Alarm Station and
Secondary Alarm Station. The use of two Radio Frequency (RF) alarm
communication devices to protect CAT I, SNM, one as the primary and the other
as secondary path, does not satisfy the DOE requirement for redundant
communications paths. Several intrusion detection sensors may be connected to
a common data collection point.
l. Records shall be kept on each alarm. The alarm record shall contain, as a
minimum: date and time of the alarm; cause of the alarm or a probable cause if
definite cause cannot be established; and the identity of the recorder or the
operator on duty. The record shall be reviewed, analysis performed, and corrective
measures taken as applicable.
m. Alarm monitoring systems shall annunciate system and system component failure,
including RF systems alarms, in the alarm station(s). For the protection of
Categories I and II quantities of special nuclear material, alarms shall be
annunciated in both the Central Alarm Station and Secondary Alarm Station.
Systems shall indicate the type and location of the alarm source.
n. In existing intrusion detection systems where dedicated telephone cable pairs are
used to connect the intrusion detection system to the alarm station and/or
annunciating point, cable pairs shall not be routed through telephone switching
equipment.
o. The system shall have a means of providing the system operator, response force, or
maintenance personnel the location of the alarm.
p. RF alarm communication devices shall use approved Digital Encryption System
(DES) encryption or other National Security Agency approved encryption
techniques.
q. RF alarm communication devices, including those FR devices used as
compensatory measures, to protect Category I, (Cat I), Special Nuclear Materials
shall meet all requirements of this manual, and shall be analyzed to determine if
they provide adequate protection when considering target identification, threat
definition, and overall effectiveness of the physical protection system.
p. Systems and system components shall be functionally tested in accordance with
established procedures at a frequency that is documented. Chapter III, of DOE
470.1 contains the performance assurance program requirements for systems
protecting Categories I and II SNM. The testing program for all other security
interests shall be developed by the local safeguards and security authority .
r. Public vehicle parking and drive areas shall be maintained at the explosive threat
quantity distance from Protected Area perimeter intrusion detection and
assessment systems.
3. Interior Intrusion Detection System Requirements. The approved interior intrusion
detection systems shall be documented in the Site Safeguards and Security Plan.
a. The probability of detection for each safeguards and security physical protection
systems shall be established and documented.
b. Balanced magnetic switches shall initiate an alarm upon attempted substitution of
an external magnetic field when the switch is in the normally secured position and
whenever the leading edge of the door is moved 1 inch (2.5 centimeters) or more
from the door jam.
c. Volumetric detectors shall detect an individual moving at a rate of 1 foot per
second, or faster, within the total field-of-view of the sensor and its plane of
detection.
4. Exterior Intrusion Detection System Requirements. Approved exterior intrusion
detection systems shall be documented in the Site Safeguards and Security Plan.
Requirements for Protected Areas, Material Access Areas, and Vital Areas are as follows:
a. The perimeter intrusion detection system shall be capable of detecting an individual
(weighing 35 kilograms or more) crossing the detection zone walking, crawling,
jumping, running, or rolling (at speeds between 0.15 and 5 meters per second), or
climbing the fence, if applicable, at any point in the detection zone with a detection
probability of 90 percent, at a 95 percent confidence level. Testing shall be
conducted at the time of initial perimeter intrusion detection system installation and
at least annually thereafter to validate this detection probability and confidence
level. If operational testing or effectiveness testing indicates degradation of the
intrusion detection system or portion thereof, then that portion of the intrusion
detection system shall be revalidated. When calculating detection probability for
multiple sensor systems, detection is assumed if any of the sensors detect the
intrusion.
b. Intrusion detection systems shall cover the entire length of the perimeter of a
detection area, including the tops of buildings that are situated in the detection
area.
c. All openings in barriers, unattended gates and/or portals, and culverts and sewers
that have openings greater than 96 square inches (619 square centimeters) where
the smallest dimension is greater than 6 inches (15 centimeters), shall have
detection capabilities at least as effective as the rest of the intrusion detection
system, except when protected by access delay systems providing delay
comparable to tunneling or wall penetration. The intrusion detection system shall
be operational when the opening is not attended.
d. Intrusion detection systems in adjacent detection zones shall overlap sufficiently to
eliminate areas of no detection between detection zones. The length of alarm
zones shall be consistent with the characteristics of the sensors used in that zone.
e. Perimeter intrusion detection systems shall be designed, installed, and maintained
in such a manner as to deny adversaries a means to circumvent the detection
system.
f. The isolation zone between fences shall be at least 20 feet (6 meters) wide.
g. The isolation zone between fences shall be clear of fabricated or natural objects
that would interfere with detection equipment or the effectiveness of the
assessment.
h. Wires, piping, poles or similar objects that could be used to assist an intruder
traversing the isolation zone or could assist in the undetected ingress or egress of
an adversary or matter, shall be protected by the detection and assessment system
or constructed in a manner that deters their use.
i. The detection zone of each intrusion detection system sensor (where applicable)
shall not provide a pathway (e.g., dips, obstructions) for an individual to avoid
detection.
j. The detection zone of each intrusion detection system shall be kept free of snow,
ice, grass, weeds, debris, and any other item that degrades intrusion detection
system effectiveness. When the above action cannot be accomplished in a timely
manner, and when degradation of detection capabilities exists, compensatory
measures shall be taken to provide timely detection.
5. Intrusion Detection System Alarm Annunciation at the Central and Secondary
Alarm Station.
a. Alarms for the protection of Categories I and II special nuclear material and Top
Secret matter shall be distinguished at the Central Alarm Station from alarms
protecting other security interests. Annunciation of these alarms shall take priority
over the alarms for other security interests.
b. Facilities not protecting Category I and II SNM and Top Secret matter, and
utilizing commercial alarm station monitoring services shall have its sensors
connected by direct, continuously supervised, leased line, or by such other means
as to distinguish its alarms from all alarms for other customers that are monitored
by the monitoring service.
c. Alarms shall annunciate audibly and visually to both the Central Alarm Station and
the Secondary Alarm Station.
d. Action to acknowledge alarms shall be straightforward and easily performed.
Reporting and acknowledgment of a multiple alarm scenario must address alarm
priorities to ensure system credibility/reliability is not diminished.
e. Intrusion detection system status indicators shall be provided to indicate when the
system is not in working order and to indicate when tampering with any essential
system component has occurred, including analyzing the entire RF alarm
communication physical protection devices for state-of-health (SOH), and for
detecting intentional and non-intentional jamming attempts.
f. Where applicable, the alarm control system shall have the capability to call the
Central Alarm Station and Secondary Alarm Station operators' attention to a
closed-circuit television camera (CCTV) alarm-associated video recorder/monitor.
The picture quality shall allow the operator to recognize and discriminate between
human and animal presence in the camera field-of-view.
g. Video recorders, when used, shall be actuated by alarm signals and operate
automatically. The response shall be sufficiently rapid to record an actual
intrusion.
h. When CCTV is used as the principal means of alarm assessment and to determine
response level, CCTV cameras shall have tamper-protection and loss-of-video
alarm annunciation. Fixed CCTV shall be used when cameras are the principle
means of alarm assessment. Movable pan-tilt-or zoom lens cameras may be used
for surveillance and as back-up to fixed primary assessment cameras.
i. If remote CCTV assessment of a perimeter intrusion detection system is used, the
coverage shall be complete, with no gaps between zones and no areas that cannot
be assessed because of shadows or objects blocking the camera field. When such
conditions exist on a temporary basis, compensatory measures shall be put into
effect.
6. Radio Frequency Alarm Systems. When using radio frequency (RF) alarm
communications the RF link that replaces the direct hardwire link between the sensor and
the central alarm station display panels shall maintain a high level of security. RF alarm
communications systems when used for the protection of Category I SNM, shall be limited
to emergencies and temporary situations. (The requirements of this paragraph do not
apply to mobile and SNM presence alarm monitoring systems.) Emergency and temporary
use of RF alarm communications shall not exceed 120 days per application.
a. RF Alarm Communications. In order to ensure protection requirements, the RF
alarm communication systems, as a minimum, shall meet all of the following:
(1) Provide approved Digital Encryption System (DES) encryption or other
National Security Agency approved encryption techniques.
(2) Only be used as a redundant or alternate path with hardwire being the
primary method. Using two RF frequencies to protect CAT I, one as the
primary and the other as secondary path, does not satisfy the DOE
requirement for redundant communications paths. Compensatory measures
will be required. It may be adequate to use exposed supervised hardwire
along with RF as a redundant communication path for temporary
applications.
(3) The state-of-health (SOH) interval shall be determined by analyzing the
entire physical protection system for the particular application. The SOH
must be less than the adversary task time minus the assessment time plus
the response time: (SOH >