DOE O 471.XX Draft 471.XX Incidents of Security Concern <ORG> NN <SUMMARY> This Order is being established to streamline the Department's ability to more effectively inquire into the myriad of security incidents that affect the national security and degrade DOE's ability to assure the protection of classified and sensitive operations. Also, the Order will enable the field to focus on their daily business, while giving them a centralized point of contact for reporting security incidents. <DATE_ISSUE> 04/28/1999 <DATE_CLOSE> 05/28/1999 <TEXT> DATE: APRIL 28, 1999 FROM: PETER GRAHN, JR. DIRECTOR, INFORMATION MANAGEMENT DIVISION (MA-411) TO: DIRECTIVES POINTS OF CONTACT SUBJECT: DRAFT DOE O 471.XX, INCIDENTS OF SECURITY CONCERN The subject Order, developed by the Office of Safeguards and Security, is attached for your review and comment. This Order is being established to streamline the Department's ability to more effectively inquire into the myriad of security incidents that affect the national security and degrade DOE's ability to assure the protection of classified and sensitive operations. Also, the Order will enable the field to focus on their daily business, while giving them a centralized point of contact for reporting security incidents. Comments on the directive are due by May 28, 1999. MAJOR ISSUES AND SUGGESTED COMMENTS should be designated as such when submitted. MAJOR ISSUES shall be limited only to instances where the directive in its entirety, or one or more of its requirements, would have an adverse effect on DOE policy objectives, mission accomplishment, economy, efficiency, or other management concerns that would preclude its publication. Major issues need to be supported by the head of Department Element making the comment. Directives Points of Contact at Headquarters and Field Elements: Submit comments to Cathy Tullis, by mail to NN-512.3, Room E-364, GERMANTOWN; or fax (301) 903-8717 or internet address cathy.tullis@hq.doe.gov. 
Submit a second set of comments to Marolyn Hester, by mail to MA-41, Room 8F-084, FORRESTAL; or fax (202) 586-1972, or internet address marolyn.hester@hq.doe.gov. Directives Points of Contact at Field Elements: Submit consolidated comments to the Order writer as well as a copy to MA-41. The package submitted by Field Elements shall include as an attachment the comments provided by contractors. Contractors will submit comments directly to their appropriate Field Elements. Questions concerning the content of the directive should be directed to Ms. Tullis at (301)903-4805. Contact Ms. Hester at (202)586-6811 for questions pertaining to the directives system. Attachment U.S. Department of Energy ORDER DOE O 471.XX Washington, D.C. Approved: XX-XX-99 Sunset Review: XX-XX-01 Expires: XX-XX-03 SUBJECT: INCIDENTS OF SECURITY CONCERN 1. OBJECTIVE. To set forth requirements for the identification, reporting, and resolution of Incidents of Security Concern. 2. CANCELLATIONS. a. DOE Order 470.1, Safeguards and Security Program, dated 9-28-95, Chapter VII, Incidents of Safeguards and Security Concern. b. DOE Order 471.2A, Information Security Program, dated 3-27-97, Chapter I, Program Management, paragraphs 2 and 3. c. DOE Manual 471.2-1B, Manual for Classified Matter Protection and Control, dated 1-6-99, Chapter IV, Loss, Potential Compromise, or Unauthorized Disclosure of Classified Information. 3. APPLICABILITY. a. General. This Order applies to all Departmental Elements. b. Application to Contracts. This Order applies to all DOE contractors. Contractor requirements are listed in the Contractor Requirements Document, Attachment 1. 4. DEFINITIONS. See Attachment 2. 5. REQUIREMENTS. a. Any person observing, finding, or with knowledge of or credible information regarding an Incident of Security Concern shall immediately report this information to the facility security officer. 
The facility security officer shall immediately notify their cognizant DOE safeguards and security office. b. Any person discovering a potential violation of law shall exercise care to ensure that evidence is not destroyed. c. Programs and procedures shall be established to ensure the identification, reporting, and resolution of Incidents of Security Concern. d. Inquiries shall be conducted to determine all the pertinent facts and circumstances surrounding an Incident of Security Concern, to include whether an infraction or violation has occurred. e. After each Incident of Security Concern, security practices and procedures shall be reviewed and revised, if necessary, to preclude recurrence. f. The party(ies) responsible for an Incident of Security Concern shall be identified and disciplined appropriately. 6. RESPONSIBILITIES. a. Secretarial Offices shall: (1) Provide sufficient resources for the conduct of inquiries and corrective actions. (2) Assist in preliminary investigations conducted by the Office of Safeguards and Security, when requested. (3) Conduct damage assessments, as required in Chapter III of this Order. (4) Ensure corrective actions are taken to prevent recurrence of Incidents of Security Concern. b. Office of Nonproliferation and National Security, Office of Safeguards and Security, shall: (1) Develop and maintain policies to implement and sustain an effective Incidents of Security Concern program. (2) Maintain a centralized database for Incidents of Security Concern for trending and analysis purposes. (3) Serve as the primary point of liaison with the Federal Bureau of Investigation (FBI), state and local law enforcement agencies, and the Office of the Inspector General for Incidents of Security Concern that are to be referred for criminal investigation. (4) Conduct preliminary investigations into Incidents of Security Concern. c. 
Office of Nonproliferation and National Security, Office of Declassification, when requested, shall ensure timely classification/declassification reviews of information involved in Incidents of Security Concern. d. General Counsel shall provide resources for timely legal advice and assistance regarding Incidents of Security Concern. e. Operations/Field Offices and, for Headquarters, the Office of Safeguards and Security, Headquarters Operations Division, shall: (1) Establish implementing procedures to ensure the provisions of this Order are met at facilities or activities for which they are responsible. (2) Ensure that Incidents of Security Concern are reported to the Office of Safeguards and Security. (3) Ensure that inquiries are conducted and documented to establish all the pertinent facts and circumstances surrounding Incidents of Security Concern. (4) Ensure corrective actions are taken to prevent recurrence of Incidents of Security Concern. (5) Assist in the conduct of preliminary investigations conducted by the Office of Safeguards and Security, when requested. 7. CONTACT. Comments and inquiries on this Order may be directed to the Technical and Operations Security Program Manager at (301) 903-5217. CHAPTER I IDENTIFICATION AND REPORTING REQUIREMENTS 1. GENERAL a. A system of controls and procedures shall be developed, approved, implemented, enforced, and maintained: (1) to deter, detect, and prevent Incidents of Security Concern; and (2) for the timely identification, response, notification, investigation, and reporting of Incidents of Security Concern. b. All discussions and documents associated with an Incident of Security Concern shall be handled in accordance with CG-SS-3, "Classification Guide for Safeguards and Security Information," and the classification determination of an authorized classifier. 2. IDENTIFICATION AND REPORTING a. 
The facility security officer shall, upon identification of an Incident or suspected Incident of Security Concern, promptly notify the appropriate management of the incident status and record all pertinent information, including details concerning the discovery of the incident. b. Within 24 hours of the discovery of an Incident or suspected Incident of Security Concern, or (when classified matter is lost or unaccounted for) within 24 hours of the completion of a search/inspection for the lost or unaccounted-for classified matter, an internal inquiry shall be initiated to examine and report all the pertinent facts and circumstances related to the incident under inquiry. c. Due to their sensitive and/or classified nature, all Incidents of Security Concern involving or dealing with (i) violation of U.S. law(s), (ii) the loss, potential compromise, or unauthorized disclosure of classified matter; and/or (iii) events/issues that have attracted, or have the potential to attract, public or Congressional interest shall be promptly reported to the Office of Safeguards and Security (OSS) by the cognizant DOE safeguards and security office. (1) Initial notification. Initial notification to OSS shall be made by secure voice or electronic transmittal. Electronic transmittal, using the notification form provided in Attachment 3, is preferred. Oral notifications shall be confirmed within 24 hours by submitting the notification form provided in Attachment 3. (2) Update Reports. Follow-up notification(s), transmitted electronically via facsimile or other approved manner, shall be made to OSS as the inquiry establishes additional facts/information regarding the incident. (3) Inquiry Report. Within 15 days following the completion of an internal inquiry, the documented findings of the inquiry shall be transmitted to OSS. (4) Changes/Final Actions. 
OSS must also be promptly notified, and provided a copy of any changes, if applicable, and final action(s) {e.g., corrective actions and disciplinary sanctions} taken in the case. d. Incidents of Security Concern that do not involve or deal with (i) violation of law(s); the loss, potential compromise, or unauthorized disclosure of classified matter; and/or events/issues that have attracted, or have the potential to attract, public or Congressional interest shall be reported in accordance with DOE M 232.1-1A, "Occurrence Reporting and Processing of Operations Information," (ORPS) and via the unclassified ORPS computer database. e. Information determined during the conduct of an internal inquiry may change the manner in which the incident is to be reported (e.g., an incident reported via ORPS is subsequently determined to involve a violation of U.S. law). When this occurs, the incident shall be re-reported in accordance with the reporting requirements set forth above. f. The Office of Safeguards and Security shall make all required internal DOE Headquarters and external notifications/distributions for the Incidents of Security Concern reported to the Office of Safeguards and Security above. Examples of such required internal and external notifications are: (1) The Headquarters Secretarial Officer responsible for the facility in which the incident occurred. (2) The Headquarters Secretarial Officer, other government agency, or foreign government responsible for the lost, potentially compromised, or compromised classified matter. (3) The Director of Energy Intelligence if intelligence-related classified information was lost, potentially compromised, or compromised. (4) The Office of Declassification when the incident involves issues with authorized classifier/declassifier and classification guides (e.g., misclassification, not using current classification guide). 3. INQUIRY AND INVESTIGATIVE OFFICIALS. a. 
Investigative and inquiry official(s) must be familiar with appropriate laws, Departmental directives, and/or regulatory requirements. Investigators shall be appointed by the Director, Office of Safeguards and Security, and inquiry officials shall be appointed in writing by the Head of the Operations/Field Office. b. Inquiry officials must be Federal employees with previous investigative experience. Contractors may assist in the conduct of investigations and inquiries, but may not be appointed as an investigative or inquiry official. c. Inquiry official(s) are not authorized to detain individuals for interviews or to obtain sworn statements; however, he/she may shall conduct consensual interviews and obtain signed statements. d. The inquiry official(s) is responsible for the conduct of the inquiry and for maintaining records of inquiry (e.g., logs of events, notes, recordings, and statements). 4. FEDERAL, STATE, OR LOCAL LAW ENFORCEMENT PERSONNEL. a. Federal, State, or local law enforcement agency personnel shall be admitted to areas and afforded access to classified information as necessary for them to perform their duties when investigating criminal violations. This authority does not extend to Sensitive Compartmented Information or Special Access Programs, which impose additional controls governing access beyond those required by normal management and safeguarding practices. Federal, State, or local law enforcement agency personnel shall be provided escort, as necessary, for safety reasons or to facilitate the investigation. b. When Federal, State, or local law enforcement personnel are given access to classified information, they will be immediately advised of the classification level and category. They also will be informed of the protection and control requirements associated with the classified information they possess. c. 
The availability of DOE standard security badges and advance notification arrangements shall be determined by agreement between the DOE and Federal, State, or local law enforcement agencies involved. 7. INQUIRIES AND INVESTIGATIONS. a. Representatives of DOE safeguards and security offices will conduct preliminary inquiries as required to establish all the pertinent facts and circumstances surrounding Incidents of Security Concern. b. An inquiry shall be initiated within 24 hours from the discovery of the Incident of Security Concern, or when classified matter is lost or unaccounted for, within 24 hours of the completion of an inspection for the unaccounted-for classified matter. c. Representatives of the Security Incidents Investigation Unit, Office of Safeguards and Security, will monitor the status of inquiries and reserve the right, as approved by the Secretary, to assist and/or intervene in the activities of the inquiry, or to open a preliminary investigation in coordination with the Offices of Intelligence, Counterintelligence, or Inspector General, as appropriate. d. Federal Bureau of Investigation and Office of Counterintelligence. When an inquiry surrounding an Incident of Security Concern establishes credible information that classified information is being, or may have been, disclosed in an unauthorized manner to a foreign power or an agent of a foreign power, the Office of Safeguards and Security shall, in accordance with Section 402a of Title 50 U.S. Code, immediately notify the Federal Bureau of Investigation through the Office of Counterintelligence for information and/or investigation of the alleged or suspected violation of U.S. law. e. Federal, State, or Local Law Enforcement Agencies. When an inquiry surrounding an Incident of Security Concern establishes credible information that a violation of U.S. law has occurred, the appropriate DOE Element shall officially refer the case to the Office of Safeguards and Security. 
The Office of Safeguards and Security shall refer the case to the Department of Justice and/or appropriate law enforcement agency for investigation and prosecution, as appropriate. f. Office of the Inspector General. When an inquiry surrounding an Incident of Security Concern establishes credible information that fraud, waste, or abuse has occurred, the Office of the Inspector General shall be notified for information and/or action. g. Inquiries must determine the cause(s) of the incident of security concern, to include root, direct, and contributing causes. h. Inquiries must determine the individual(s) responsible for the incident. i. An inquiry must determine whether the incident involves an inadvertent or deliberate failure to follow DOE safeguards and security regulations and directives, a statute, Executive Order, and/or a national directive that does not constitute a crime, or a violation of U.S. laws or their implementing regulations. Inquiry officials shall identify all violations of U.S. laws applicable to the matter under inquiry. 8. CONTENTS OF INQUIRY REPORTS. Reports shall describe the conduct and results of the inquiry and shall include the following minimum information: a. An executive summary b. A narrative, which must include: (1) The facility name and facility code (as registered in DOE's Safeguards and Security Information Management System) or other identification as appropriate for the facility responsible for the incident, and the facility where the incident occurred. (2) Identification of the inquiry officials and assisting contractors (3) The dates of the inquiry (4) Initial notifications (5) Description of the incident of security concern (6) Discussion of findings (e.g., causes, responsible individuals, and type of incident) (7) Classification review (8) Subject interviews (9) All records reviews (e.g., training records and personnel security files) (10) Corrective action plan c. Conclusions d. Recommendations e. 
Attachments to the Report of Inquiry shall include the Memorandum of Appointment of the Inquiry Official, any signed statements of involved individuals, a copy of the lost/compromised or potentially compromised information or a description of same (as appropriate), completed DOE Form 5639.3, and a copy of the final ORPS occurrence report for the incident. 7. RECORDS RETENTION. Records pertaining to the Incidents of Security Concern shall be destroyed 5 years after the close of all associated actions. These records shall not be sent to Federal Records Centers. CHAPTER II LOSS, POTENTIAL COMPROMISE, OR UNAUTHORIZED DISCLOSURE OF CLASSIFIED INFORMATION 1. INSPECTION FOR LOST OR UNACCOUNTED-FOR CLASSIFIED MATTER. a. Upon learning that classified matter may be lost or unaccounted-for, an inspection of the area(s) where the matter was stored, handled, or processed shall be initiated. The inspection process must be completed within 48 hours. b. Custodians providing support to the holder shall be queried. When applicable, accountability records shall be audited for evidence of destruction, transmission, or other disposition. 2. INQUIRIES INTO THE LOSS, POTENTIAL COMPROMISE, OR UNAUTHORIZED DISCLOSURE OF CLASSIFIED INFORMATION. The following requirements are in addition to requirements contained in Chapter I of this Order. The inquiry will examine and report all the pertinent facts and circumstances related to the matter under inquiry, which will include but not necessarily be limited to the following: a. If the lost, potentially compromised, or compromised information is determined to be classified, the individuals who may have knowledge regarding the incident shall be interviewed. Upon conclusion of the interview, these individuals may also be requested to provide an official (signed?) written statement concerning their knowledge of or involvement in the incident. b. 
Complete DOE F 5639.2, "Reporting Unaccounted-for Documents," or a form comparable in content when classified information is lost or unaccounted-for. c. Determine the DOE Secretarial Officer with programmatic responsibility for the information or whether the information was originated by another Government agency or foreign government. d. Determine whether a loss/compromise occurred. If there was a loss, then determine the probability of compromise. The basis for such findings must be documented. e. If a preliminary inquiry or investigation determines that a loss/compromise has occurred or the circumstances of the incident cannot rule out the possibility of compromise, document the extent of the dissemination of the classified information. In coordination with the Office of Safeguards and Security, ensure that appropriate measures (e.g., sanitizing electronic media) are taken to mitigate the loss, potential compromise, or unauthorized disclosure. f. When an inquiry establishes credible information that a violation of U.S. law pertaining to the compromise of classified information to the media has occurred, the Department of Justice (DOJ) Eleven-point Criteria must be completed in coordination with the Office of Safeguards and Security. When completing the DOJ Eleven-point Criteria, all documentation and appropriate information must be provided to support affirmative responses to the 11 criteria (i.e., questions) listed below. In addition, each question must be answered affirmatively for DOJ to initiate a formal investigation into the compromise. However, a failure to affirmatively answer all criteria of the DOJ 11 points does not preclude DOE from pursuing criminal action for a compromise. (1) Could the date and identity of the article or articles disclosing the classified information be provided? (2) Could specific statements in the article that are considered classified be identified? Was the data properly classified? 
(3) Is the classified data that was disclosed accurate? If so, provide the name of the person competent to testify concerning the accuracy. (4) Did the data come from a specific document and, if so, what is the origin of the document and the name of the individual(s) responsible for the security of the classified data disclosed? (5) Could the extent and official dissemination of the data be determined? (6) Has it been determined that the data has not been officially released in the past? (7) Has it been determined that prior clearance for publication or release of the information was not granted by proper authorities? (8) Does review reveal that educated speculation on the matter cannot be made from material, background data, or portions thereof which have been published officially or have previously appeared in the press? (9) Could the data be made available for the purpose of prosecution? If so, include the name of the person competent to testify concerning the classification. (10) Has it been determined that declassification had not been accomplished prior to the publication or release of the data? (11) Will disclosure of the classified data have an adverse impact on the national defense? g. Estimate the known or probable damage to the national security that has resulted or may result for all reportable occurrences. h. If the inquiry determines that the facts of the incident rule out the possibility of compromise and the incident did not constitute a violation of U.S. laws, the Inquiry Official must still produce a formal Report of Inquiry. The DOE Form 5639.3, "Report of Security Incident/Infraction," or a form comparable in content, can be used for documenting such incidents, to include corrective action taken to prevent recurrence. A copy of the DOE Form 5639.3, or a form comparable in content, shall be forwarded by the cognizant DOE safeguards and security organization to the Office of Safeguards and Security. i. 
If the inquiry determines that loss/compromise has occurred, the circumstances of the incident cannot rule out the possibility of compromise, and/or a violation of law appears to have occurred, the facts and circumstances related to the matter under inquiry shall be transmitted through a written official Report of Inquiry to the Office of Safeguards and Security. CHAPTER III DAMAGE ASSESSMENTS 1. Purpose. Damage assessments determine potential damage to national security when classified information is compromised or potentially compromised. Damage assessments are used by the Department of Justice when criminal prosecution is sought, by responsible managers to determine future courses of action within the program, and by security personnel for evaluating possible countermeasures and documenting actions to limit potential damage. 2. When Required. a. Whenever the inquiries disclose evidence that classified information has been compromised. b. Whenever a violation of law(s) appears to have occurred and a criminal prosecution is contemplated. c. Whenever the inquiries disclose evidence that classified information may have been compromised (i.e., the circumstances of the incident cannot confirm compromise; however, the possibility of compromise cannot be ruled out), the Secretarial Officer with programmatic responsibility for the potentially compromised classified information must determine whether a damage assessment is required. This determination shall be based on the circumstances of the loss/compromise and the sensitivity of the information. 3. Conduct of Damage Assessment. 
The Secretarial Officer with programmatic responsibility for the compromised or potentially-compromised classified information shall appoint a Federal employee responsible for conducting the damage assessment and appoint an assessment team consisting of an authorized classifier and appropriate technical experts (e.g., weapons design, nuclear policy, material production communications, intelligence, counterintelligence, etc.) to assist in assessing the value of the compromised information to foreign governments and/or hostile organizations. 4. Procedures. The following procedures shall be followed for all DOE damage assessments: a. The originator of the compromised information shall provide the cognizant DOE safeguards and security organization with a copy of the compromised or potentially-compromised information. The originator also shall provide a rationale/justification for the assigned classification, including a reference to the appropriate classification guides. b. The team performing the damage assessment shall prepare a draft assessment and coordinate it with the originator of the compromised or potentially-compromised information. c. The damage assessment shall then be approved by the Secretarial Officer with programmatic responsibility for the compromised or potentially-compromised information and, at a minimum, submitted to the Office of Safeguards and Security, the Office of Declassification, and the cognizant DOE safeguards and security organization responsible for the inquiry. 5. Content of a Damage Assessment Report. At a minimum, damage assessment reports shall contain the following: a. Identification of the source, date, and circumstances of the compromise or potential compromise. b. Classification of the specific information compromised or potentially compromised. c. Description of the specific information compromised or potentially compromised. d. 
An analysis and statement of the known or probable damage to the national security that has resulted or may result. e. An assessment of the possible advantage to foreign governments and/or hostile organizations resulting from the compromise or potential compromise. f. A recommendation to the Office of Declassification regarding whether (1) classification of the information should be continued; (2) specific information, or parts thereof, shall be modified to minimize or nullify the effects of the reported loss/compromise and the classification retained; and (3) downgrading, declassification, or upgrading is warranted. g. An assessment of whether countermeasures are appropriate and feasible to negate or minimize the effect of the compromise or potential compromise. h. An assessment of other appropriate corrective, administrative, disciplinary, or legal actions. i. Impact statement. 6. Combining Similar Documents. Damage assessments may be completed for a group of similar incidents, when such grouping is a logical method of meeting this requirement. A logical grouping includes a situation where multiple matters requiring a damage assessment are related to a programmatic area and would result in the same or similar damage to the national security or advantage to foreign governments and/or hostile organizations. 7. Cases Involving Other Government Agency Information. Whenever a compromise or potential compromise involves the classified information of another Government agency, the cognizant DOE safeguards and security organization responsible for the inquiry shall provide the circumstances and findings that affect the other government agency's information or interests to the Office of Safeguards and Security. The Office of Safeguards and Security shall coordinate with the other government agency, as appropriate. 8. Cases Involving Foreign Government Information. 
Whenever a compromise or potential compromise involves the classified information of a foreign government, the cognizant DOE safeguards and security organization responsible for the inquiry shall provide the circumstances and findings that affect the foreign government's information or interests to the Office of Safeguards and Security. The foreign government, however, shall not normally be advised of any DOE security system vulnerability(ies) that allowed or contributed to the compromise or potential compromise. The Office of Safeguards and Security shall coordinate with the foreign government, as appropriate. 9. Joint Damage Assessment with Another Government Agency. Whenever a compromise or possible compromise involves the classified information or interests of more than one government agency, the following conditions apply: a. Another government agency has the inherent responsibility to conduct the damage assessment on their compromised or potentially compromised information. b. Whenever a compromise or potential compromise involves the classified information of DOE and another government agency and if more than one damage assessment is performed, the DOE Element responsible for the DOE damage assessment shall provide the damage assessment to the Office of Safeguards and Security. The Office of Safeguards and Security will coordinate with the other government agency. c. When a joint damage assessment is to be made, the Office of Safeguards and Security will coordinate assignment of responsibility between DOE and the other government agency. d. Whenever a compromise or potential compromise of DOE classified information is the result of actions taken by foreign nationals, by foreign government officials, or by U.S. nationals in the employ of international organizations, the Office of Safeguards and Security shall ensure, through appropriate intergovernmental liaison channels, that information pertinent to the assessment is obtained. e. 
Whenever a compromise or potential compromise of Sensitive Compartmented Information has occurred, the Director of Energy Intelligence shall consult with the designated representative of the Director of Central Intelligence and other appropriate officials with responsibility for the information involved. CHAPTER IV CORRECTIVE ACTIONS 1. GENERAL. a. Whenever possible, the responsibility for an Incident of Security Concern shall be fixed upon an individual rather than upon a position or office. When individual responsibility cannot be established and the facts show that a responsible official allowed conditions to exist that led to an Incident of Security Concern, responsibility shall be fixed upon such an individual. b. Whenever a violation appears to have occurred and a criminal prosecution is contemplated against the individual, disciplinary actions will be coordinated with the Office of Safeguards and Security, which will coordinate with appropriate investigative or prosecuting officials to avoid prejudice to any criminal investigation or prosecution. Additionally, the cognizant DOE safeguards and security organization responsible for the inquiry shall apprise the legal counsel of the Departmental Element (i.e., Office of the General Counsel or Chief Counsel Office) where the individual(s) responsible is assigned or employed. c. Whenever an Incident of Concern involves gross negligence or a willful violation, the DOE access authorization granted the person(s) believed or determined responsible will be administratively suspended, in accordance with DOE Order 472.1B, until the completion of the inquiry/investigation. d. When the Incident of Security Concern was caused by a shortfall(s) of the safeguards and security program, the cause, including contributing factors, for the Incident of Security Concern will be identified and measures taken to correct deficiencies or prevent recurrence. e. 
A root cause analysis of why the incident occurred must be conducted to ensure that appropriate corrective action plans can be developed. Development of a root cause analysis requires the use of an appropriate methodology and a qualified team. 2. WORKFORCE DISCIPLINE a. For DOE employees, disciplinary or corrective action shall be determined by the Heads of Departmental Elements in coordination with the Office of Personnel. Any disciplinary or adverse action involving a DOE employee shall be according to DOE 3750.1, WORK FORCE DISCIPLINE. b. For contractor employees, disciplinary or corrective action shall be determined by appropriate management officials according to the contractor's personnel policies and procedures. c. For military personnel and employees of other Government agencies assigned to DOE or DOE contractors, DOE or its contractors shall take corrective action and submit a report of infraction to the military organization or Government agency to which the employee is permanently assigned for whatever disciplinary action that the cognizant agency or organization deems necessary. 3. DETERMINING CORRECTIVE ACTIONS. The following aggravating or mitigating factors shall be taken into account when determining corrective actions. a. The four types of non-compliance are inadvertent, negligent, gross negligence, and willful. See Attachment 2 for definitions. b. To establish a uniform approach of corrective actions for each of the types of non-compliance, consequences must be scaled to the level of intent and resultant damage caused by the non-compliance. Based on the preponderance of evidence discovered during a preliminary inquiry or investigation (as appropriate), consequences more or less severe may be instituted. c. The following information shall be used to determine corrective actions: (1) Breach. (a) Nature. (b) Seriousness. (c) Consequences. (d) Effect. (2) Rehabilitative potential of corrective action. (3) Consistency of corrective action. d. 
Mitigating factors are favorable elements that tend toward the imposition of less severe corrective action. Included are the following: (1) The possibility of genuine misunderstanding. (2) Enticements or provocations. (3) Culpability of others. (4) Mitigating circumstances. (5) Record of employee's cooperativeness. e. Aggravating factors are unfavorable elements that tend to show a need for more severe action than is usually taken. Included are: (1) Past breaches. (2) Series of breaches. (3) Nature of other breaches. (4) Recency of other breaches. (5) Employee willfulness. f. Proposed corrective actions are determined on the basis of all information available at the time of action and are specifically stated on a DOE F 5639.3. g. The table provided in Attachment 4 identifies corrective actions to be taken based on the nature of the incident and the frequency of occurrences. 4. SECURITY INFRACTIONS. a. Report of Security Infraction. DOE F 5639.3, "Report of Security Incident/Infraction," or a similar form shall be used to document infractions. A copy of the report shall be kept in the employee's DOE personnel security file. b. Records of Security Infractions. The facility security officer reporting the security infraction and the cognizant DOE safeguards and security organization shall maintain records of each infraction. ATTACHMENT 1 CONTRACTOR REQUIREMENTS DOCUMENT INCIDENTS OF SECURITY CONCERN This contractor requirements document is issued to aid in the identification of requirements applicable to contractors. All requirements contained in Order 470.XX apply to contractors. The requirements in this Order shall flow down to all subcontractors. ATTACHMENT 2 DEFINITIONS 1. Compromise. Disclosure or release of classified information to an uncleared individual. 2. Gross negligence. In this situation, a person acts in a way that shows recklessness or willful disregard for the protection of classified information. 
Gross negligence requires more than just neglect of ordinary care towards classified information or just inadvertence. For example, a person may circumvent prescribed procedures with full knowledge of the security requirements and associated penalties but does so for personal convenience with little concern for the potential loss, compromise, or unauthorized disclosure of classified information. Although there may be no intent to lose, compromise, or disclose classified information to an unauthorized person, a reasonable person would recognize that the act or omission has a high probability for such results. This type of non-compliance constitutes a violation of 18 U.S.C. 793 (f).
3. Inadvertent. This is when a person is carefully following the prescribed procedures as understood by the individual, and yet classified information is mishandled. This type of non-compliant situation arises without any kind of risk/benefit analysis and is generally the result of ignorance of requirements, or a systemic or procedural failure.
4. Incident of Security Concern. Incidents which are of concern to the DOE Safeguards and Security program because they involve inadvertent or deliberate failures to follow Departmental safeguards and security regulations and directives and/or alleged or suspected violations of U.S. laws or their implementing regulations. Examples of Incidents of Security Concern include: the loss, potential compromise, or unauthorized disclosure of classified information; substance abuse; criminal racketeering or other organized criminal activity; waste, fraud, or abuse; theft, loss, or damage of Government property or information; the discovery or possession of contraband articles; civil disorder; sabotage, terrorism, or vandalism affecting facilities or properties owned by or contracted to the Department.
5. Infraction. Any action contrary to Departmental safeguards and security regulations and directives, implementing procedures, Executive Order, or a national directive that does not constitute a violation.
6. Investigation. A review by representatives of the Office of Safeguards and Security of the circumstances surrounding a suspected or alleged violation to develop all pertinent information and to determine whether a violation has occurred.
7. Negligent. This situation is caused when a) a person may be attempting to follow procedures in good faith, but through carelessness or neglect mishandles classified information; b) a person circumvents prescribed procedures with full knowledge of the security requirements and associated penalties but does so with a good faith expectation of an overriding programmatic gain without expectation of any loss, compromise, or unauthorized disclosure of classified information. In the latter situation, the non-compliant situation arises with some degree of risk/benefit analysis, and the person assumes the risk without management's knowledge or approval. This type of non-compliance represents an infraction, which is any knowing, willful, or negligent action contrary to the requirements of applicable DOE orders or regulations that does not constitute a violation or result in the actual compromise or the unauthorized disclosure of classified information. Normally this type of non-compliance is elevated above an infraction when it results in the actual compromise or the unauthorized disclosure of classified information.
8. Non-compliance. The actual or anticipated state of affairs that arises when an activity is conducted in a manner that violates legal, regulatory, or policy requirements.
9. Preliminary inquiry. A review by field elements of the circumstances surrounding a suspected or alleged security infraction, violation, or loss involving classified information or special nuclear material to develop all pertinent information and to determine whether an infraction, a violation, or a loss has occurred.
10. Unauthorized Disclosure. A communication or physical transfer of classified information to an unauthorized recipient.
11. Violation. Any action or intent that constitutes a violation of U.S. law or its implementing regulations.
12. Willful. When a person with full knowledge of the security requirements and associated penalties disregards or circumvents prescribed procedures with intent to remove classified information from its proper place of custody or to conceal the loss, theft, abstraction, or destruction of classified information.

_________________________
(Classification)

UNITED STATES DEPARTMENT OF ENERGY
OFFICE OF SAFEGUARDS AND SECURITY
Security Incident Notification Report

Date/Time of Incident Discovery:____________________________________________
Classification Level: TOP SECRET SECRET CONFIDENTIAL
Category of Information Involved: RD FRD NSI
Applicable Identifier (s): WD WFO SAP FGI OGA
Facility/Location of Incident:______________________________________________________________
Form(s) of the Information Involved: Magnetic Media Internet E-Mail Visual Facsimile Hard Copy Discussion Multimedia Other _______________________________
Brief Description of the Incident:
Point of Contact:_______________________________________________________________________
Name Telephone No. Secure Fax No.

Transmit this report via the Information Security Incident Hotline at (301) 903-8116.
______________________
(Classification)

SECURITY INFRACTIONS AND VIOLATIONS GUIDELINES

| Occurrence | 1st Occurrence | 2nd Occurrence | 3rd or More Occurrence |
|---|---|---|---|
| Inadvertent - No Loss, Damage, Compromise | Oral admonishment to mandatory training | Mandatory training to infraction | Infraction to administrative suspension of access authorization |
| Inadvertent - Loss, Damage, Compromise | Mandatory training | Infraction to administrative suspension of access authorization | Written reprimand to consideration of termination of access authorization |
| Negligence - No Loss, Damage, Compromise | Mandatory training to infraction | Infraction to written reprimand | Written reprimand to administrative suspension of access authorization |
| Negligence - Loss, Damage, Compromise | Infraction to written reprimand | Written reprimand to administrative suspension of access authorization | Written reprimand to consideration of termination of access authorization |
| Gross Negligence - No Loss, Damage, Compromise | Until completion of investigation, administrative suspension of access authorization is required. Then, infraction to written reprimand | Until completion of investigation, administrative suspension of access authorization is required. Then written reprimand to consideration of termination of access authorization. | Until completion of investigation, administrative suspension of access authorization is required. Then written reprimand to consideration of termination of access authorization. |