doc_fn: draftord/473/m4731-1.html DocType: Draft ID: DOE M 473.1-1 Title: Manual for Physical Protection of Safeguards and Security Summary: Org: Date_Issue: 06/18/1997 Date_Close: VdkVgwKey: draftord-15 Directive: 473.1 Text: DATE: JUNE 17, 1997 REPLY TO: HOWARD LANDON, OFFICE OF ORGANIZATION AND MANAGEMENT, HR-62 TO: DIRECTIVES POINTS-OF-CONTACT AT DP, EH, EM, ER, NN, OPERATIONS OFFICES, AND FIELD OFFICES SUBJECT: DOE M 473.1-1, MANUAL FOR PHYSICAL PROTECTION OF SAFEGUARDS AND SECURITY INTERESTS The attached subject draft Manual, a revision of DOE M 5632.1C-1, is being forwarded for your review and comment. The requirements of this manual should have been implemented under the requirements of DOE Manual 5632.1C-1, dated 7-15-94. The changes in protection requirements in DOE M 473.1-1 are results from implementation experience with the DOE M 5632.1C-1, differing requirements of Departmental facilities brought about by adjustments in Departmental and National policy and by technical advances. Some of these changes include the removal of the Chapters on the Protection and Control of Classified Matter, Protection of Unclassified Irradiated Reactor Fuel in Transit, and the Acceptance and Validation Programs. In place of those removed, new Chapters on Protection of Classified Matter, the Radiological and Toxicological Sabotage Program and Security Design Criteria are inserted. The Department's Classified Information Systems Security Program was republished as DOE O 472.1, and the Acceptance and Validation Program was included in DOE O 470.1 Chapter III. The implementation of the graduated approach to protection facilitates a reduction in the technical considerations for the less sensitive systems while not increasing the more stringent requirements of systems of a more sensitive nature. Administrative changes have also been made. This Manual is composed of 14 Chapters that provide detailed requirements for protection of safeguards and security interests. Chapter I addresses five essential ingredients for a successful program; site specific characteristics; design basis threat; protection strategy; planning; and graduated protection. Chapter II through IV address protection and control of special nuclear material, protection requirements for classified matter, and radiological and toxicologic sabotage. Chapter V discusses Security Areas that are used to protect the safeguards and security interests discussed in Chapters II and III. Chapter XI is a collection of the security design criteria taken from DOE O 6430.1A that was canceled by DOE O 240.1, and which did not capture security requirements. The remaining chapters provide supporting information and requirements for effective implementation of safeguards and security programs. Comments on the Manual are due by July 18, 1997. Late comments will be held for consideration during the Manual's next annual review. MAJOR ISSUES and SUGGESTED COMMENTS should be designated as such when submitted. MAJOR ISSUES shall be limited to those instance where the Manual, in its entirety or its identified requirements, would have an adverse effect on DOE policy objectives, mission accomplishment, economy, efficiency, or other management concerns that would preclude its publication. COMMENT SUBMISSION FOR DOE Manual 473.1-1: Directives Points-of-Contact at Headquarters Elements: Submit comments to Marti Lydick, HR- 41, Room 8F-084 Forrestal; send to MARLENE.LYDICK@HQ.DOE.GOV; or send via e-mail. In addition, send a copy to Darryl Toms, Protection Program Operations, NN-512.1, Room E- 378, Germantown; send facsimile to (301) 903-8717; or send via e-mail to Daryl.Toms@hq.doe.gov. Directives Points-of-Contact at Field Elements: a. Submit consolidated comments to Marti Lydick, HR-41, Room 8F-084, Forrestal; send to MARLENE.LYDICK@HQ.DOE.GOV; or send via e-mail. In addition, send a copy to Darryl Toms, Protection Program Operations, NN-512.1, Room E-378, Germantown; send facsimile to (301) 903-8717; or send via e-mail. The package shall include as an attachment, the comments provided by contractor organizations. b. Operations Offices will send a copy of their comments to the Associate Deputy Secretary for Field Management, FM-1, Room 5A-115, Forrestal. Contractor Organizations: Submit comments directly to their appropriate Field Elements. Contacts: Questions concerning the processing of the Manual should be directed to Ms. Lydick, HR-41, at (202) 586-3278. Questions concerning the content of the Manual should be directed to Mr. Toms, NN-512.1, at (301) 903-7087. MANUAL FOR PHYSICAL PROTECTION OF SAFEGUARDS AND SECURITY INTERESTS 1. PURPOSE. This Manual provides detailed requirements to supplement DOE O 473.1, PHYSICAL PROTECTION OF SAFEGUARDS AND SECURITY INTERESTS, which establishes requirements and responsibilities for the protection of special nuclear material (SNM), nuclear weapons, vital equipment, classified matter, assets, and facilities. 2. SUMMARY. This Manual contains detailed requirements for protection of safeguards and security interests. a. Chapter I addresses five essential parts of a successful program: site-specific characteristics, design basis threat, strategy, planning, and graded protection. b. Chapters II and III address the protection of SNM and classified matter. c. Chapter IV addresses the protection of DOE facilities against radiological and toxicological sabotage. d. Chapter V discusses Security Areas that are used to protect the safeguards and security interests discussed in Chapters II and III. e. Chapter VI through XIII provide supporting information and requirements for protection elements that effectively implement safeguards and security programs. f. Chapter XIV is a collection of the security design criteria taken from DOE O 6430.1A, GENERAL DESIGN CRITERIA. DOE O 420.1 and O 430.1, canceled O 6430.1A but did not capture security requirements. 3. CANCELLATIONS: DOE Manual 5632.1C-1, MANUAL FOR THE PROTECTION AND CONTROL OF SAFEGUARDS AND SECURITY INTERESTS, dated 7-15-94, and the security requirements of canceled DOE O 6430.1A. 4. REFERENCES AND DEFINITIONS. a. See Attachment 1 for a list of references pertinent to the protection of safeguards and security interests. b. Definitions of terms commonly used in the Safeguards and Security Program are provided in the "Safeguards and Security Glossary of Terms," which is maintained and distributed by the Office of Safeguards and Security. 5. DEVIATIONS. Deviations to this Manual shall be approved through procedures established in DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM. 6. ASSISTANCE. Questions concerning this Manual should be directed to the Protection Operations Program Manager at 301-903-5693. 7. IMPLEMENTATION. Most requirements in this directive are the same as those contained in the superseded directives. Implementation plans for any requirements that cannot be implemented within 6 months of the effective date of this Manual or within existing resources shall be developed by Heads of Field Elements and submitted to the Office of Safeguards and Security. CONTENTS CHAPTER I, PROTECTION PLANNING 1. Site-Specific Characteristics . . . . . . . . . . . . . .I-1 2. Threat. . . . . . . . . . . . . . . . . . . . . . . . . .I-1 3. Protection Strategy.. . . . . . . . . . . . . . . . . . .I-1 4. Planning. . . . . . . . . . . . . . . . . . . . . . . . .I-2 5. Graded Protection. . . . . . . . . . . . . . . . . . . .I-3 6. Performance Assurance. . . . . . . . . . . . . . . . . .I-3 CHAPTER II, PROTECTION OF SPECIAL NUCLEAR MATERIAL AND VITAL EQUIPMENT 1. General . . . . . . . . . . . . . . . . . . . . . . . . II-1 2. Access. . . . . . . . . . . . . . . . . . . . . . . . . II-2 3. Protective Force Posts. . . . . . . . . . . . . . . . . II-2 4. Storage . . . . . . . . . . . . . . . . . . . . . . . . II-2 5. Category I Quantities of Special Nuclear Material.. . . II-4 6. Category II Quantities of Special Nuclear Material. . II-5 7. Category III Quantities of Special Nuclear Material . . II-5 8. Category IV Quantities of Special Nuclear Material. . . II-6 9. Vital Equipment . . . . . . . . . . . . . . . . . . . . II-7 Table II-1, Access Authorization Requirements . . . . . II-3 CHAPTER III, PROTECTION OF CLASSIFIED MATTER 1. General . . . . . . . . . . . . . . . . . . . . . . . .III-1 2 Storage Requirements. . . . . . . . . . . . . . . . . .III-2 3. Protecting Container Information. . . . . . . . . . . .III-6 CHAPTER IV, RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE PROTECTION 1. General . . . . . . . . . . . . . . . . . . . . . . . . IV-1 2. Protection Planning . . . . . . . . . . . . . . . . . . IV-1 3. Assessment of Risks . . . . . . . . . . . . . . . . . . IV-2 4. Protection of Radiological/Toxicological Sabotage TargetsIV-3 Table IV-1, Radiological and Toxicological Sabotage Consequence ValuesIV-4 CHAPTER V, SECURITY AREAS 1. General . . . . . . . . . . . . . . . . . . . . . . . . .V-1 2. Property Protection Area. . . . . . . . . . . . . . . . .V-4 3. Limited Area. . . . . . . . . . . . . . . . . . . . . . .V-5 4. Exclusion Area. . . . . . . . . . . . . . . . . . . . . .V-6 5. Protected Area. . . . . . . . . . . . . . . . . . . . . .V-7 6. Vital Area. . . . . . . . . . . . . . . . . . . . . . . .V-9 7. Material Access Area. . . . . . . . . . . . . . . . . . V-10 8. Other Security Areas. . . . . . . . . . . . . . . . . . V-12 CHAPTER VI, PROTECTION ELEMENT: INTRUSION DETECTION AND ASSESSMENT SYSTEMS 1. General . . . . . . . . . . . . . . . . . . . . . . . . VI-1 2. General Requirements. . . . . . . . . . . . . . . . . . VI-1 3. Interior Intrusion Detection System Requirements. . . . VI-3 4. Exterior Intrusion Detection System Requirements. . . . VI-4 5. Intrusion Detection System Alarm Annunciation at the Central and Secondary Alarm Station . . . . . . . . . . . . . . . . . . . . . . . . VI-5 6. Radio Frequency Alarm Systems . . . . . . . . . . . . . VI-6 7. Lighting Requirements . . . . . . . . . . . . . . . . . VI-8 8. Auxiliary Power Sources . . . . . . . . . . . . . . . . VI-9 9. Protection of Intrusion Detection Systems . . . . . . .VI-10 Table VI-1, Alarm System Protection Requirements . . .VI-14 CHAPTER VII, PROTECTION ELEMENT: ACCESS CONTROL AND ENTRY/EXIT INSPECTIONS 1. General . . . . . . . . . . . . . . . . . . . . . . . .VII-1 2. Automated Access Control Systems. . . . . . . . . . . .VII-2 3. Entry/Exit Inspections. . . . . . . . . . . . . . . . .VII-3 CHAPTER VIII, PROTECTION ELEMENT: BARRIERS AND LOCKS 1. Barriers. . . . . . . . . . . . . . . . . . . . . . . VIII-1 2. Locks.. . . . . . . . . . . . . . . . . . . . . . . . VIII-5 CHAPTER IX, PROTECTION ELEMENT: SECURE STORAGE 1. Vaults And Vault-Type Rooms . . . . . . . . . . . . . . IX-1 2. Security Containers . . . . . . . . . . . . . . . . . . IX-5 CHAPTER X, PROTECTION ELEMENT: COMMUNICATIONS 1. General . . . . . . . . . . . . . . . . . . . . . . . . .X-1 2. Duress Systems. . . . . . . . . . . . . . . . . . . . . .X-1 3. Radios. . . . . . . . . . . . . . . . . . . . . . . . . .X-1 4. Special Response Team Radio Communications. . . . . . . .X-2 CHAPTER XI, PROTECTION ELEMENT: MAINTENANCE 1. General . . . . . . . . . . . . . . . . . . . . . . . . XI-1 2. Corrective Maintenance. . . . . . . . . . . . . . . . . XI-1 3. Preventive Maintenance. . . . . . . . . . . . . . . . . XI-1 4. Maintenance Personnel Access Authorization. . . . . . . XI-2 5. Recordkeeping . . . . . . . . . . . . . . . . . . . . . XI-2 CHAPTER XII, PROTECTION ELEMENT: POSTING NOTICES 1. General . . . . . . . . . . . . . . . . . . . . . . . .XII-1 2. Trespassing . . . . . . . . . . . . . . . . . . . . . .XII-1 CHAPTER XIII, PROTECTION ELEMENT: SECURITY BADGES AND CREDENTIALS 1. Security Badges . . . . . . . . . . . . . . . . . . . XIII-1 2. Issuance, Use, Recovery, and Destruction of Security BadgesXIII-1 3. Types of Credentials. . . . . . . . . . . . . . . . . XIII-3 4. Issuance of Credentials . . . . . . . . . . . . . . . XIII-4 5. Accountability of Badges, Credentials, and Shields. . XIII-5 6. Storage of Security Badge Materials, Unissued Badges, Credentials, and ShieldsXIII-6 7. Terminating Security Badges, Credentials, and Shields XIII-6 CHAPTER XIV, SECURITY DESIGN CONSIDERATIONS 1. General . . . . . . . . . . . . . . . . . . . . . . . .XIV-1 2. Security Area Barriers. . . . . . . . . . . . . . . . .XIV-1 3. Intrusion Detection Systems . . . . . . . . . . . . . XIV-10 4. Access Control Systems and Entry/exit Inspections . . XIV-16 5. Barriers. . . . . . . . . . . . . . . . . . . . . . XIV-17 6. Physical Security Technical Surveillance Countermeasures Construction StandardsXIV-22 7. Secure Storage Architectural Requirements . . . . . . XIV-28 8. Communication Systems . . . . . . . . . . . . . . . . XIV-29 Attachment 1 - References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 CHAPTER I PROTECTION PLANNING 1. SITE-SPECIFIC CHARACTERISTICS. Protection programs shall be tailored to address specific site characteristics and requirements, current technology, ongoing programs, and operational needs and the measures necessary to achieve acceptable protection levels that reduce inherent risks on a cost-effective basis. 2. THREAT. Physical protection afforded safeguards and security interests shall be based upon the "Design Basis Threat for the Department of Energy Programs and Facilities (U)." Consideration should also be given to site and regional threats and emergency situations, such as civil disturbances and disasters. 3. PROTECTION STRATEGY. a. Strategies for the physical protection of SNM and vital equipment shall incorporate the applicable requirements established in Chapter II. Protection strategies may be graded to address varying circumstances and may range from denial, to containment, to recapture/recovery and/or pursuit. (1) A denial strategy shall be used when unauthorized access presents an unacceptable risk for: (a) the theft of Category I SNM, (b) the initiation (or credible threat of initiation) of nuclear dispersal or detonation, or (c) the use of available nuclear materials for onsite assembly of an improvised nuclear device. (2) A containment strategy shall be used to prevent the unauthorized removal of Category II or greater SNM that can roll up to Category I. (3) Should denial and/or containment referenced in 3a(1) and (2) above fail, a recapture/recovery and/or pursuit strategy would then be required. Forces capable of rapid reaction are vital to the implementation of such recapture or recovery efforts. b. Strategies for the physical protection of classified matter shall incorporate the applicable requirements established in Chapter III. The strategy shall be based on efforts that will detect or deter unauthorized disclosure, modification, loss of availability, and removal from a site or facility of classified information or sensitive but unclassified information. c. Strategies for the physical protection of radiological/toxicological sabotage targets shall incorporate the applicable requirements established in Chapter IV. Protection strategies shall be designed to prevent radiological/toxicological sabotage acts that would pose significant dangers to the health and safety of employees, the public, or the environment. These strategies may be graded to address varying circumstances and may range from denial, to containment, and/or to consequence mitigation. d. Strategies for the physical protection of other safeguards and security interests shall be developed commensurate with the safeguard and security interest importance. (1) A strategy ranging from detection to deterrence shall be used for security interests whose loss, theft, compromise, and/or unauthorized use will seriously affect the national security and/or the health and safety of DOE and contractor employees, the public, the environment, or DOE programs. (2) A strategy of detection and deterrence shall be used for safeguard and security interests whose loss or theft will have a negative financial impact on the Department. (3) A strategy of denial shall be used to address the introduction of certain articles into DOE facilities that would impact the health and safety of DOE and contractor employees (e.g., hand-carried, mailed, and vehicle- transported explosives, firearms, and chemical and biological agents). 4. PLANNING. a. Site Safeguards and Security Plans. The details of site physical protection measures shall be addressed in the Site Safeguards and Security Plan (SSSP), as required by DOE O 470.1. b. Security Plans. At locations where an SSSP is not required due to the limited scope of safeguards and security interests, a security plan shall be developed to describe the protection program in place. 5. GRADED PROTECTION. a. Graded Protection. (1) Protection shall be applied in a graded manner. The level of effort and magnitude of resources expended for the protection of a security interest shall be commensurate with the security interest's importance or the impact of its loss, destruction, or misuse. The highest level of protection shall be given to security interests whose loss, theft, compromise, sabotage, and/or unauthorized use will have serious impact on the national security, financial security, and/or the health and safety of DOE and contractor employees, the public, the environment, or DOE programs. For example, use of a weapon of mass destruction by a terrorist(s) could have severe consequences necessitating the highest reasonably attainable level of security. (2) Protection of other interests shall be graded accordingly. Protection- related plans shall describe and document the rationale used for selecting the graded protection provided the various safeguards and security interests. Asset valuation, threat analysis, and vulnerability assessments shall be considered, along with the acceptable level of risk and any uncertainties, to determine if the risk is significant and what protection measures should be applied. Heads of DOE Elements shall provide a rational and cost-effective protection framework applying risk management as the underlying basis for making security-related decisions. b. A rational, cost-effective protection framework shall be provided applying risk management as the underlying basis for making security-related decisions. It should be recognized that risks will be accepted (i.e., that actions cannot be taken to reduce the potential for or consequences of all malevolent events to zero); however, an acceptable level of risk will be determined based on evaluation of a variety of facility-specific goals and considerations. c. Protection plans shall describe, justify, and document the graded protection provided various safeguards and security interests. 6. PERFORMANCE ASSURANCE. Safeguards and security systems shall be tested as required by DOE O 470.1 to ascertain effectiveness in providing countermeasures to address design basis threats. CHAPTER II PROTECTION OF SPECIAL NUCLEAR MATERIAL AND VITAL EQUIPMENT 1. GENERAL. This chapter outlines requirements for the protection of Categories I through IV quantities of SNM and vital equipment. The following requirements shall apply. a. A facility shall not receive, process, transmit, or store SNM until that facility has been approved as required by DOE O 470.1. b. Nuclear material production reactors and fuel shall be protected consistent with the category of SNM involved and/or the consequences of radiological sabotage. c. An integrated system of positive measures shall be developed and implemented for the protection of Category I SNM (nuclear weapons). d. Protection afforded SNM shall be graded according to the nuclear material safeguards category, as defined in Figure I-2 of DOE 5633.3B, CONTROL AND ACCOUNTABILITY OF NUCLEAR MATERIALS, and shall reflect the specific nature of SNM existing at each site. DOE 5633.3B shall be used to determine the potential to accumulate a Category I quantity of SNM by theft from more than one location (roll-up) within the same Protected Area. e. Factors such as ease of separability, accessibility, and concealment; quantity, chemical form, isotopic composition, purity, and containment; portability; protection strategies; radioactivity; and self-protecting features, shall be considered in determining physical protection for each category of SNM. f. When SNM is classified because of its configuration or content, or because it is part of a classified item, it shall receive the physical protection required by the highest level of classification of the configuration, content, item, or category of SNM involved. g. Protective force personnel shall be available and positioned to respond to a verified threat occurrence to contain, interrupt, and/or neutralize adversaries within the required response times. h. Intrusion detection shall be accomplished through a combination of intrusion sensors and tamper-indicating devices, material surveillance procedures, material accounting and tracking, and/or specialized nuclear measurement techniques. i. Delay mechanisms shall be employed to prevent removal or unauthorized use of Category I and II quantities of SNM. Delay mechanisms may include passive barriers (e.g., walls, ceilings, floors, windows, doors, security bars), activated barriers (e.g., sticky foam, pop-up barriers), and obscurants (e.g., cold smoke). j. Specific protection requirements, such as systems and protective personnel response capabilities necessary to satisfy identified protection needs, shall be documented. 2. ACCESS. Access controls shall be in place to ensure that only properly cleared and authorized personnel are permitted unescorted access to SNM and vital equipment. Access authorizations (security clearances) shall be accomplished according to DOE O 472.1B, PERSONNEL SECURITY ACTIVITIES. See Table II-1 of this Manual for SNM access authorization requirements. Access authorization requirements for vital equipment shall be comparable to Category I SNM. 3. PROTECTIVE FORCE POSTS. See DOE 5632.7A, PROTECTIVE FORCE PROGRAM, or DOE O 473.2, PROTECTIVE FORCE PROGRAM when implemented. 4. STORAGE. Each facility shall have controls for all categories of nuclear materials held in storage, consistent with the graded safeguards approach. (See Chapter IX of this Manual for elaboration). Controls for storage shall: a. be formally documented; b. ensure that only authorized personnel have access to the storage repositories (see Chapter I); c. prevent and/or detect unauthorized access; d. describe procedures used to authenticate material movements into or out of a repository; TABLE II-1 ACCESS AUTHORIZATION REQUIREMENTS Special Nuclear Material Category Minimum Level of Access Authorization Required Remarks I and II with credible roll-up to I Q Hands-on access or transportation of Category I quantities of SNM may require additional measures, such as Personnel Security Assurance Program participation and/or enhanced material surveillance procedures, to further reduce the probability of insider acts. II and III L Unless special circumstances determined by site vulnerability assessment, require Q access authorization to minimize risk. Document in Site Safeguards and Security Plan. IV None Unless special circumstances determined by site vulnerability assessment require access authorization to mitigate risk. Document in Site Safeguards and Security Plan. e. include procedures for investigating and reporting abnormal conditions; f. provide a record system to document ingress/egress to repositories; and g. define procedures for conducting inventories and daily administrative checks. 5. CATEGORY I QUANTITIES OF SPECIAL NUCLEAR MATERIAL. a. In-Process. Material shall be used or processed within Material Access Areas. DOE 5633.3B, Page III-3, Paragraph 3b(1), requires a material surveillance program to detect unauthorized material flows and transfers. Any location within a Material Access Area that contains unattended Category I quantities of SNM in use or process shall be equipped with an intrusion detection system or other effective means of detection approved by the cognizant local DOE authority for safeguards and security. b. Storage. Material shall be stored within a Material Access Area. (1) When not in process or when unattended, material falling under Attractiveness Level A shall be stored in a vault. Storage facilities for Category I SNM Attractiveness Level A, constructed after 7-14-94, shall be underground or below-grade construction. (2) Material falling under Attractiveness Level B shall be stored in a vault or provided enhanced protection that exceeds vault-type room storage [e.g., collocated with protective force response station and/or activated barrier(s)]. (3) Material falling under Attractiveness Level C shall, as a minimum, be stored in a vault-type room. c. In-Transit. Protection requirements for material in transit shall be as follows. (1) Domestic offsite shipments of Category I quantities of SNM shall be made by the Transportation Safeguards System, managed by the Albuquerque Operations Office. (2) Packages or containers containing SNM shall be sealed with tamper- indicating devices. (3) Protection measures for movements of material between Protected Areas at the same site, or between Protected Areas and staging areas at the same site, shall be under direct surveillance by the number of Security Police Officers necessary to protect against threats as established in the "Design Basis Threat for Department of Energy Programs and Facilities (U)," and documented in the SSSP. 6. CATEGORY II QUANTITIES OF SPECIAL NUCLEAR MATERIAL. a. In-Process. Material shall be used or stored only within a Protected Area. DOE 5633.3B, Page III-3, Paragraph 3b(1) requires a material surveillance program to detect unauthorized material flows and transfers. Any location within a Protected Area that contains unattended Category II quantities of SNM in use or process shall be equipped with intrusion detection systems or other effective means of detection approved by the cognizant local DOE authority for safeguards and security. b. Storage. When not in process or when unattended, material shall be stored in a vault or vault-type room located within a Protected Area. c. In-Transit. Shipments shall conform to the shipment requirements for Category I quantities of SNM. (See Paragraph 5c above.) 7. CATEGORY III QUANTITIES OF SPECIAL NUCLEAR MATERIAL. a. In-Process. Material shall be processed within a Security Area that provides, at a minimum, the protection of a Limited Area. b. Storage. When not in process or when unattended, material shall be stored, at a minimum, within a Limited Area and secured within a locked security container or locked room. The container or locked room containing the matter shall be under the protection of an intrusion detection system or protective patrol at intervals not to exceed 8 hours. c. In-Transit. (1) Domestic offsite shipments of classified configurations of Category III quantities of SNM may be made by the Transportation Safeguards System. (2) Methods of shipping unclassified configurations: (a) Truck or Train. Truck or train shipments shall meet the following requirements. 1 Government-owned or exclusive-use truck, commercial carrier, or rail may be used to ship Category III quantities of SNM. 2 A detailed inspection of the transport vehicle shall be conducted before loading and shipment. Cargo compartments shall be locked and sealed while en route. 3 Personnel assigned to escort shipments shall maintain periodic communication with a control station operator who can request appropriate local law enforcement agency response, if needed. 4 Shipments shall be made without intermediate stops except for emergency reasons, driver relief, meals, refueling, or transfer of cargo. (b) Air Shipment. Air shipments of Category III quantities of SNM may take place if not otherwise prohibited by statute or otherwise limited by implementing instructions. The shipments shall be under the direct observation of the authorized escorts during all land movements and loading and unloading operations. (3) Movements of Category III quantities of SNM between Security Areas at the same site shall be according to the appropriate locally-developed security plan. 8. CATEGORY IV QUANTITIES OF SPECIAL NUCLEAR MATERIAL. a. In-Process. Material shall be processed according to procedures approved by the cognizant local DOE authority for safeguards and security. b. Storage. When not in process or when unattended, material shall be stored according to the procedures approved by the cognizant local authority for safeguards and security. c. In-Transit. (1) Domestic offsite shipments of classified configurations of Category IV quantities of SNM may be made by means of the Transportation Safeguards System, under procedures approved by the Albuquerque Operations Office as deemed appropriate, and by agreements between the Manager, Albuquerque Operations Office, and the respective Heads of Field Elements. (2) Shipments of unclassified configurations of material may be made by truck, rail, or water, in commercial, for-hire, or leased vehicles. If not otherwise prohibited by state or federal laws, Category IV quantities of SNM may also be shipped by air. (a) Shipments (except laboratory analysis samples or reference materials) shall be arranged with a capability to trace and identify, within 24 hours of request, the precise location where a shipment went astray, in the event that it fails to arrive at the destination at the prescribed time. (b) Shipper shall be required to give the consignee an estimated time of arrival before dispatch, and follow up with a written confirmation not later than 48 hours after dispatch. (c) Consignee shall promptly notify the shipper by telephone and written confirmation upon determination that a shipment has not arrived by the scheduled time. 9. VITAL EQUIPMENT. SSSPs shall define applicable threats and measures to protect vital equipment from hostile actions. CHAPTER III PROTECTION OF CLASSIFIED MATTER 1. GENERAL. DOE Order 471.2, INFORMATION SECURITY PROGRAM, of 9-26-95, establishes the Information Security Program for the control of classified and sensitive information in use. The protection of classified SNM shall be in accordance with Chapter II of this Manual if the SNM categories and attractiveness levels dictate more stringent requirements; otherwise the provisions of this chapter apply. a. Classification levels shall be used to determine the degree of protection and control required for classified matter. b. Classified information, regardless of its form, shall be afforded a level of protection against loss or compromise commensurate with its level of classification. c. Classified matter shall be stored in a manner to allow detection and deterrence of unauthorized access. d. When possible, classified matter shall be processed, handled, and stored in security areas providing control measures equal to or greater than those present in Limited Areas. When classified matter is not processed, handled, and/or stored within Limited Areas or above, additional control measures shall be required. Control measures shall include technical, physical, personnel, and/or administrative measures. e. Facilities, buildings, rooms, structures, etc., shall be afforded the protection measures necessary to prevent unauthorized persons from gaining access to classified matter. (1) Measures shall be in place to prevent persons from viewing or hearing classified information. (2) Conference rooms and areas specifically designated for classified discussions shall follow Technical Surveillance Countermeasures Program requirements. f. Sensitive Compartmented Information Facilities shall be afforded physical protection in accordance with the Director of Central Intelligence Directives 1/21 (see Attachment 1). Any unresolved issues pertaining to this subject shall be referred to the Director of Safeguards and Security for coordination. 2. STORAGE REQUIREMENTS. a. Restrictions on Use of Secure Storage Repositories. (1) Funds, firearms, medical items, controlled substances, precious metals, or other items susceptible to theft shall not be stored in the same secure storage repository used to store classified matter. (2) Secure storage repositories shall not bear any external classification or other type markings that would indicate the level of classified matter authorized to be stored within the container. For identification purposes, each security container shall externally bear an assigned number. b. Requirements. Security containers required for the storage of classified matter shall conform to the GSA standards and specifications and applicable requirements of Chapter IX of this Manual. Classified matter that is not under the personal control of an authorized person shall be stored as prescribed below. NOTE: Inspections by the protective force shall consist of examination of the exposed surfaces of the container, vault, vault-type-room and steel filing cabinets to determine if there has been any force entry and to ensure that the container is locked. (1) Top Secret Matter. Top Secret matter may be stored in one of the following ways: (a) In a locked, General Services Administration (GSA)-approved security container with one of the following supplemental controls: 1 Under intrusion detection alarm protection with protective force response within 15 minutes of annunciation of the alarm. 2 Protective force, with inspections on a 2-hour basis. 3 The security container be equipped with a lock meeting Federal Specification FF-L-2740 only if the container is located in a Limited, Exclusion, Protected, or Material Access Area. 4 Within a Limited Area or above, random protective force patrols at least once every 8 hours during nonworking hours. Facilities with large numbers of security containers shall patrol at least 25 percent of the containers once every 24 hours. (b) In a vault approved by the cognizant DOE element. The vault shall be designed and constructed of masonry units or steel-lined construction and equipped with GSA-approved vault door. (A GSA-approved modular vault meeting Federal Specification FFV-2737 may be used in lieu of the above.) The vault shall be equipped with intrusion detection protection with protective force response within 15 minutes of alarm annunciation. (c) In a vault-type room approved by the cognizant DOE element. The vault-type-room shall be under intrusion detection alarm protection with protective force response within 15 minutes of alarm annunciation. The vault-type room shall be located within a Limited, Exclusion, Protected, or Material Access Area. (2) Secret Matter. Secret matter shall be stored in a manner authorized for Top Secret matter or in one of the following ways: NOTE: Secret matter not stored in security areas providing control measures equal to or greater than those present in Limited Areas shall be maintained in an accountability system as required in DOE O 471.2. (a) In a locked GSA-approved security container. (b) In a vault approved by the cognizant DOE element; the vault shall be designed and constructed of masonry units or steel-lined construction and equipped with GSA vault door. (A GSA- approved modular vault meeting Federal Specification FFV-2737 may be used in lieu of the above.) (c) Steel filing cabinets not meeting GSA requirements (such containers approved for use prior to 7-15-94 may continue to be used until there is a need for replacement) shall be equipped with an automatic unit locking mechanism and three-position, dial-type, built-in combination lock. In addition, one of the following supplementary controls is required; 1 Within a Security Area providing, as a minimum, the protection level of a Limited Area or above. 2 Under intrusion detection alarm protection with protective force response within 30 minutes of alarm annunciation; or 3 Inspections of the container every four hours by protective force. (d) In a vault-type room approved by the cognizant DOE element with one of the following supplemental controls: 1 within a Security Area providing as a minimum the protection level of a Limited Area or above; 2 under intrusion detection alarm protection with protective force response within 30 minutes of alarm annunciation; or, 3 under inspection every 4 hours by protective force. (3) Confidential Matter. Confidential matter shall be stored in a manner authorized for Secret matter, except that supplemental controls are notrequired. c. Nonstandard Methods of Storage. Within the minimum protection level of a Limited Area, nonstandard methods of storage may be applied for Top Secret, Secret, and Confidential material whose size, weight, construction, or other characteristics preclude storage as discussed in the subparagraphs above. (1) Local safeguards and security authorities shall base their protection measures upon the results of documented vulnerability analyses. These vulnerability analyses shall address the nature of the matter to be protected (e.g., size, weight, composition, radioactivity, and importance to an adversary and/or the Department) in relation to the threat. Additionally, vulnerability analyses must consider the portability of the classified matter, ease of concealment, time needed to gain access, ease of gaining access, protective force response time, and the potential consequences of gaining unauthorized access. (2) Measures (e.g., barriers, locks, intrusion detection systems, and protective force) tailored to address the specific nonstandard condition, as determined by local safeguards and security authority shall be implemented to provide protection to deter unauthorized access to classified matter. (3) Measures to be implemented for each nonstandard condition shall be documented in the applicable security plan and approved by the cognizant DOE security office. (4) For protective force to be employed as a specified supplemental protection measure, due consideration should be given to ensuring the interval for those inspections is less than the time required for an adversary to gain undetected access to the classified matter and/or remove the classified matter and escape detection. d. Protective Force Personnel. (1) If an unattended secure storage repository containing classified matter is found open, the repository shall be secured by designated protective personnel and a custodian notified immediately. The contents shall be checked no later than the next workday. If there is an indication of a violation or compromise, the contents shall be checked immediately by a custodian, being careful not to destroy fingerprints or other physical evidence. The violation or compromise shall be reported and inquiries conducted as required by DOE O 471.2 and DOE O 470.1, SAFEGUARDS AND SECURITY PROGRAM. (2) Protective personnel, private security firms, or local law enforcement personnel shall respond to intrusion detection alarms, as documented in approved security plans. e. Alternate Storage Locations. (1) With prior written DOE approval, a bank safe deposit box/vault may be used to store Secret or Confidential matter, provided that the lock and keys to the box/vault are changed prior to such use and the customer's key is furnished only to persons authorized access to the contents. (2) Federal Records Centers, approved as outlined in DOE O 470.1, may be used to store classified information. 3. PROTECTING CONTAINER INFORMATION. a. Protection of Security Containers and Combinations. The outside of the security container shall not be marked to indicate that the contents are Top Secret, Secret, or Confidential. Security containers, vaults, and vault-type rooms used to protect safeguards and security interests shall be kept locked when not under direct supervision of an authorized individual. Combinations shall be protected at the classification level and category of the matter being protected. A minimum number of authorized persons (i.e., personnel having access authorization for the information kept in that container) shall have the combination to the storage container or access to the information stored within the security container. (1) To ensure proper protection of the combination, part 2 of SF700 shall be marked with the highest classification level and category (indicate if National Security Information, Restricted Data or Formerly Restricted Data) of the information being stored within the secure storage container. Classifier information is not required to be affixed to part 2 of the SF700. (2) To comply with classification guidance, part 2A should be marked onlywith the highest classification level of the combination. The category is notmarked on this part of the form. Classifier information is not required to be affixed to part 2 of the SF700. (3) All persons who know the container's combination must be listed on the SF700. If needed, a continuation page may be used. b. Changing Combinations. Combinations shall be changed by an appropriately cleared, authorized individual. Combinations shall be changed at the earliest practical time following: (1) initial receipt of a GSA-approved security container or lock; (2) reassignment, transfer, or termination of employment of any person who knows the combination, or when the DOE access authorization granted to any such person is downgraded to a level lower than the category of matter stored, or when the DOE access authorization has been administratively terminated, suspended, or revoked; (3) compromise or suspected compromise of a security container or its combination, or discovery of a security container unlocked and unattended. c. Selection of Combination Settings. Combination numbers shall be selected at random, avoiding simple ascending or descending series such as 10-20-30 or 50- 40-30. Care shall also be exercised to avoid selecting combinations of numbers that are easily associated with the person(s) selecting the combination (e.g., birth dates, anniversaries, social security numbers, or telephone extensions). d. Security Repository Information. Applicable requirements concerning security repositories are provided below. (1) Security Container Information. An SF-700, "Security Container Information," shall be completed for all security containers, rooms, vaults, and other approved locations for the storage of classified matter. (a) Part 1 of the SF-700 shall be affixed to the security container to ensure high visibility. On rooms or vaults, Part 1 of the SF-700 shall be affixed to the inside of the door containing the combination lock. On security containers, it shall be placed on the inside (back front) of the locking drawer or on the front of the locking drawer, at the user's discretion. (b) Part 2 and 2a of each completed copy of SF 700 shall be classified at the highest level of classification of the information authorized for storage in the repository. (2) Security Container Check Sheets. An integral part of the security check system shall be ensuring that classified matter has been properly stored and that security containers, vaults, or vault-type rooms have been secured. SF-702, "Security Container Checklist," shall be used to record the end-of- day security checks. (a) The SF-702 shall be used to record the names and times of the persons who have opened, closed, or checked a particular container, room, or vault holding classified information. (b) The SF-702 shall be used in all situations requiring the use of a security container check sheet and shall be affixed to the container or entrance to a room or vault. (3) Activity Security Checklist. SF-701, "Activity Security Checklist," provides a systematic means of checking end-of-day activities for a particular work area, allowing for employee accountability in the event that irregularities are discovered. The checklist identifies such activities as checking security containers, desks, and wastebaskets for classified matter and ensuring that windows and doors are locked, ribbons for classified typewriters and automated data processing equipment have been secured, and security alarms have been activated. Use of the SF-701 is optional except in situations requiring detailed end-of-day security inspections, when its use is mandatory. (4) Records. Completed SF-701s and SF-702s shall be maintained according to General Record Schedule 18. CHAPTER IV RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE PROTECTION 1. GENERAL. Safeguards and security planning shall include protection of the health and safety of employees, the public, and the environment against potential adverse impacts of radiological and toxicological sabotage. Protection shall be provided in a graded manner, consistent with the level of hazards present. The following requirements shall apply. a. Facilities representing a "significant" radiological/toxicological sabotage threat shall document in the SSSP the sabotage assessment process and the facility program for protection against such a threat. b. A facility may be considered to present a "significant" potential radiological/toxicological sabotage threat when any of the following materials are present at the facility: (1) SNM that is respirable or that can be assimilated into the human body; (2) quantities of radioactive materials sufficient to achieve a critical mass; (3) radioactive materials in excess of quantities listed in Title 10 Code of Federal Regulations (CFR) 30.72; (4) hazardous chemicals in quantities greater than 10,000 lbs (or 4,540 Kgs); (5) extremely hazardous substances in quantities greater than "Threshold Planning Quantities" (TPQ) listed in SARA Title III, found at 40 CFR 255, Appendices A and B. 2. PROTECTION PLANNING. a. Safety analysis reports completed for accident scenarios, emergency event classification, vulnerability analysis reports (VARs), protection actions, and consequence assessments, as well as other pertinent information that can be used to assess risks and/or consequences of sabotage release scenarios, shall be considered in the radiological/toxicological sabotage analysis. Paragraph 4 of this chapter should be considered in formulating the radiological/toxicological sabotage targets. b. The methodology for completing a radiological/toxicological sabotage assessment shall parallel that used for completing the vulnerability analysis for theft/diversion of SNM, and shall be integrated into the site VAR(s). c. Consequence values, as shown in Table IV-1, shall consider how acts of radiological and toxicological sabotage would affect the public, employees, and the environment. d. Radiological/toxicological sabotage analysis completed after the date of this Manual shall consider a wide variety of factors, such as materials, locations, site- specific features, and existing security and safety features. The analysis shall include the development and analysis of a spectrum of scenarios leading to radiological/toxicological releases. 3. ASSESSMENT OF RISKS. The DOE Design Basis Threat, regional threat assessments, and when available, local threat descriptions, shall be the basis for the site/facility vulnerability assessment and for which the protection program is designed. The threat, targets, and protection strategies shall be documented in the SSSP. a. The radiological/toxicological sabotage assessment shall consider the complete spectrum of available resources in identifying and developing preventive, response, and mitigation options. (1) Within the limits of the DOE Design Basis Threat, every combination of insider and outsider threat shall be analyzed to determine which threats apply to specific site facilities. (2) For the facility and target involved, the protection strategies pertaining to denial and mitigation and the title of the responsible office for each plan or procedure in which the strategies are described shall be documented. (3) Documentation shall describe procedures for the mitigation of a radiological/toxicological sabotage event, and risk acceptance shall be documented. b. Hazardous materials shall be identified. Threshold quantities of hazardous materials shall be screened to eliminate those facilities whose vulnerability to sabotage is limited by the lack of sufficient inventory. Note that this evaluation should be based on a maximum level of hazardous materials that are expected or that may be present at the facility. 4. PROTECTION OF RADIOLOGICAL/TOXICOLOGICAL SABOTAGE TARGETS. a. The analysis of all radiological/toxicological sabotage target assessments shall be included in the SSSP Vulnerability Analysis Report (VAR). (1) All SNM identified as theft targets under the provisions of Chapter II of this Manual shall also be identified as potential radiological/toxicological sabotage targets and afforded a radiological/toxicological sabotage analysis. (2) If the radiological/toxicological sabotage targets are not subject to the SNM theft protection requirements of Chapter II, an evaluation will be made to determine if the potential targets are afforded protection equal to or greater than similar material in the commercial or private sector. If the targets are afforded this level of protection, no further analysis is required. (3) A radiological/toxicological sabotage analysis must be performed for those radiological/toxicological sabotage targets not subject to (1) or (2) above, not found in the commercial or private sector, and not afforded a protection level equal to or greater than that provided for in the commercial or private sector. b. The following prevention and mitigation options shall be implemented in a graded manner, based on the results of the radiological/toxicological sabotage analysis: (1) safeguards and security features to prevent or detect adversary actions (i.e., access and materials controls, surveillance, additional barriers/alarms, and entry/exit inspections); (2) additional controls or equipment that would prevent the sabotage release scenario (i.e., providing automatic shutdown if components fail, adding backup systems, or establishing Protected/Vital Areas); and (3) event-mitigating actions, such as establishing shelters, emergency notifications/evacuations, reducing and/or removing inventory quantities, or changing storage locations. TABLE IV-1 RADIOLOGICAL AND TOXICOLOGICAL SABOTAGE CONSEQUENCE VALUES Consequence Value Impact Effects on the Public, Employees, and the Environment from Acts of Radiological or Toxicological Sabotage 1.0 Catastrophic On- and off-site fatalities and injuries, long-term denial of facility (greater than 2 years) due to damage or radiation contamination, and off-site denial of food, water, or habitat due to contamination for more than 1 year. 0.8 High Off-site injuries and on-site fatalities and injuries, on- site facility denial for 1 to 2 years, and off-site denial of food, water, or habitat due to contamination for less than 1 year. 0.5 Moderate On-site injury (no off-site injury), on-site facility denial for 6 months to 1 year, and denial of food, water, or habitat due to contamination for less than 6 months. 0.2 Low On-site injury, on-site facility denial for less than 1 month, and no impact on food, water supply or habitat. CHAPTER V SECURITY AREAS 1. GENERAL. The local DOE safeguards and security authority may determine the application of the Security Area requirements for Property Protection Areas. The following applies to Security Areas. a. Access shall be controlled to limit entry to appropriately cleared and/or authorized individuals. (1) Any person allowed to enter a Security Area who does not possess an access authorization at the appropriate level shall be escorted at all times by a cleared and knowledgeable individual. (2) Local authorities shall establish escort-to-visitor ratios in a graded manner for each of these Security Areas. b. Access control requirements may be layered as appropriate for the situation. At succeeding boundaries, access controls may be more stringent. c. A personnel identification system (e.g., security badge system) shall be used to control access. d. Automated access control systems may be used as approved by the cognizant local DOE authority for safeguards and security. (1) Automated access controls, when used for access to any security area, except property protection areas designated by the local authority, shall require the minimum of the verification of a valid DOE Standard Badge and personal identification number. (2) When remote automated access control systems are used for access to security areas, each barrier penetration shall provide the same degree of penetration resistance as the barrier itself. Anti-tailgating means and procedures must be implemented. (3) Both central and secondary alarm stations shall be used to monitor automated access control systems used to protect Category I SNM, Category II SNM capable of roll-up to Category I, and Top Secret matter. (4) Automated access control system events (e.g., annunciation of a door alarm, tamper alarm, or anti-passback indication feature, or the occurrence of an unauthorized entry attempt) shall be treated in the same manner as an intrusion alarm for the area being protected. e. Means shall be provided to deter unauthorized intrusion into Security Areas. Such means include the use of intrusion detection sensors and alarm systems, barriers, random patrols, and/or visual observation. The protection program shall include suitable means to assess alarms. Intrusion detection and assessment systems used for the protection of Category I SNM, Category II SNM capable of roll-up to Category I, and Top Secret matter shall be monitored in both central and secondary alarm stations. See Paragraph 1, Page VI-1 for amplified requirements. f. Entrance/exit inspections, as required, shall be made by protective personnel or with detection equipment designed to detect prohibited articles. (See subparagraph (2) below.) Inspections of personnel, hand-carried items, packages and mail, and/or vehicles shall provide reasonable assurance that prohibited articles are not introduced and that safeguards and security interests are not removed from the area without authorization. (1) Inspections. Inspection procedures, requirements, and frequencies shall be developed based on a graded approach and included in the appropriate security plan. Where random entry or exit inspections are permissible, the inspection shall be conducted on a percentage basis, determined by the local cognizant DOE authority for safeguards and security, using techniques that ensure randomness. (2) Prohibited Articles. The following articles are prohibited from all Security Areas: any explosives or other dangerous weapon, instrument, or material likely to produce substantial injury or damage to persons or property (Reference: Title 10 CFR Part 860, and Title 41 CFR Part 101-19.3); any controlled substances (e.g., illegal drugs and associated paraphernalia, but not prescription medicine); hazardous chemicals; and any other items prohibited by law. The local cognizant DOE authority for safeguards and security may authorize the introduction of explosives and weapons used to conduct official Government business. (3) Controlled Articles. The following privately owned articles are not permitted in a Limited, Exclusion, Protected, or Material Access Area without prior authorization of the local cognizant DOE authority for safeguards and security: (a) recording equipment (audio, video, optical, or data); (b) electronic equipment with a data exchange port capable of being connected to automated information system equipment; (c) cellular telephones; (d) radio frequency transmitting equipment; and (e) computers and associated media. (4) Concentric Security Areas. When a Security Area other than a Material Access Area is within a larger Security Area, additional entry/exit inspections are not required at the inner Security Area perimeter if inspections conducted at the outer Security Area boundary are at the same level as required for the inner Security Area boundary. Entry and exit inspections shall be conducted at Material Access Area boundaries regardless of outer boundary inspections. g. Clearly defined physical barriers, such as fences, walls, and doors, shall be used to define the boundary of a Security Area. Barriers shall meet the following requirements, as well as supplementary requirements defined in Chapter VII, Paragraph 1, of this Manual. (1) Barriers shall direct the flow of personnel and vehicles through designated entry control portals. (2) Barriers and entry control portals, supplemented by other systems such as patrols or surveillance, shall be used to deter and detect introduction of prohibited articles or removal of safeguards and security interests. (3) Barriers shall be used to deter and/or prevent penetration by motorized vehicles where vehicular access could significantly enhance the likelihood of a successful malevolent act, associated with Protected Areas and high level security areas. (4) Barriers shall be capable of controlling, impeding, or denying access to a Security Area. h. Emergency personnel and vehicles may be authorized immediate entry to security areas when escorted by properly cleared and authorized personnel. Personnel and vehicles shall be subject to exit inspections upon completion of the emergency situation. i. Signs shall be posted to convey information on the Atomic Weapons and Special Nuclear Rewards Act; prohibited articles; the inspection of vehicles, packages, or persons either entering or exiting; notification of video surveillance equipment; and trespassing, if applicable. Signs prohibiting trespassing shall be posted around the perimeter and at each entrance to a Security Area except when one Security Area is located within a larger posted Security Area. See Chapter XII for further details. j. Visitor logs are required at Protected Areas, Material Access Areas, and Exclusion Areas. Requirements for other Security Areas, if any, and procedures for visitor logs at Security Areas shall be developed and approved by the cognizant local DOE authority for safeguards and security. DOE F 1240.1, "Foreign Visitors Security Register," and DOE F 5630.6, "Visitors Security Register," shall be used. Logs shall be retained in accordance with DOE O 200.1, INFORMATION MANAGEMENT PROGRAM, and General Records Schedule 18. 2. PROPERTY PROTECTION AREA. A Property Protection Area is a Security Area established by local authority to protect DOE property. A Property Protection Area may be established to protect against damage, destruction, or theft of Government-owned property, and for public access. Measures taken shall be adequate to give reasonable assurance of protection and may include physical barriers, access control systems, protective personnel, intrusion detection systems, and locks and keys. Protective measures taken shall be determined by local authorities and shall provide appropriate, graded protection as follows. a. Access controls may be implemented to protect DOE property and facilities. When access to a Property Protection Area is controlled by an automated access control system, the system shall verify the validity of the DOE standard badge (i.e., that the badge serial number read by the system matches the serial number assigned to the badge holder). b. Signs prohibiting trespassing, where necessary, shall be posted around the perimeter and at each entrance to the Property Protection Area in accordance with Title 10 CFR Part 860, Trespassing on Administration Property, and Title 41 CFR Part 101-19.3, Federal Property Management Regulation. See Chapter XII. c. Vehicles and hand-carried items entering or exiting are subject to inspection to deter and/or detect unauthorized introduction of contraband and removal of Government assets. d. Physical barriers may be used to protect property and facilities. e. Property Protection Area security measures may range from facilities open to public access to that of a Protected Area, at the discretion of the local authority and as implemented in the SSSP. 3. LIMITED AREA. A Limited Area is a Security Area defined by physical barriers, used to protect classified matter and/or Category III quantities of SNM, where protective personnel or other internal controls can prevent access by unauthorized persons to classified matter or SNM. a. Requirements. A Limited Area shall have barriers identifying its boundaries and encompassing the designated space, access controls to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area, and random entrance/exit contraband inspections. Limited Area access requirements shall be administered as follows. (1) Individuals permitted unescorted access shall have access authorization and need-to-know consistent with the matter under protection within the area. (2) When access to a Limited Area is authorized for a person without appropriate access authorization or need-to-know, measures shall be taken to prevent compromise of classified matter. (3) Access to safeguards and security interests within a Limited Area, when not in approved storage, shall be controlled by the custodian(s) or authorized user(s). b. Personnel and Vehicle Access Control. Validation of the identity and access authorization of persons allowed access shall be administered by protective personnel (e.g., protective force or other appropriately authorized personnel) and/or automated systems and shall be accomplished at the Limited Area entrance(s). Access control requirements shall be as follows. (1) Privately-owned Government employee and contractor vehicles shall be prohibited from a Limited Area. (2) Government-owned or Government-leased vehicles shall be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when escorted by properly cleared, authorized personnel. Emergency service vehicles (e.g., ambulances, fire trucks, and police vehicles), may be granted immediate access when escorted by properly cleared and authorized personnel. The local safeguards and security authority shall implement procedures for search and access of service and delivery vehicles on official business; however, escort by properly cleared and authorized personnel is required. Entry of service and delivery vehicles shall be kept to an operational minimum. (3) Where access to a Limited Area is controlled by an automated access control system, the system shall verify the following: valid access authorization, valid Personal Identification Number, and valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder). 4. EXCLUSION AREA. An Exclusion Area is a Security Area defined by physical barriers and subject to access control, where mere presence in the area would result in access to classified matter. a. Requirements. An Exclusion Area shall have barriers identifying its boundaries and encompassing the designated space and access controls and entrance/exit inspections to provide reasonable assurance that only authorized personnel are allowed to enter and exit the area. Exclusion Area requirements shall be administered as follows. (1) An Exclusion Area shall meet all requirements for a Limited Area. An analysis should be conducted to determine if a valid biometric template is required to protect Top Secret classified matter and Restricted data. (2) Access requirements are as follows. (a) Individuals allowed unescorted access shall have access authorizations and need-to-know consistent with the matter to which they would have access by mere virtue of their presence in the area. (b) When access to an Exclusion Area is authorized for a person without appropriate access authorization and need-to-know, measures shall be taken to prevent compromise of classified matter while the individual is in the area. b. Personnel and Vehicle Access Control. Validation of the identity and access authorization of persons allowed access shall be accomplished at the Exclusion Area entrance(s) and shall be administered by protective personnel and/or automated systems. (1) Private vehicles shall be prohibited from Exclusion Areas. (2) Government-owned or Government-leased vehicles shall be admitted only when on official business and when operated by properly cleared and authorized drivers. Emergency service vehicles (e.g., ambulances, fire trucks, and police vehicles) may be granted immediate access when escorted by properly cleared and authorized personnel. The local safeguards and security authority shall implement procedures for search and access of service and delivery vehicles on official business; however, escort by properly cleared and authorized personnel is required. Entry of service and delivery vehicles shall be kept to an operational minimum. (3) Where access to an Exclusion Area is controlled by an automated access control system, the system shall verify the following: valid access authorization, valid Personal Identification Number, and valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder). 5. PROTECTED AREA. A Protected Area is a Security Area encompassed by physical barriers, surrounded by perimeter intrusion detection and assessment systems, and equipped with access controls to protect Category II quantities of SNM and/or to provide a concentric security zone surrounding a separately defined Material Access Area or Vital Area. a. Requirements. The requirements for a Protected Area shall be as follows. (1) Entrance inspections of personnel, vehicles, and hand-carried items shall be conducted to deter and detect the unauthorized introduction of contraband. Specific inspection procedures and SNM/metal detection levels and limitations shall be established and documented. (2) Exit inspections of personnel, vehicles, and hand-carried items shall be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures and SNM/metal detection levels and limitations shall be established and documented. When the Protected Area encompasses a Material Access Area, and no Category II or greater quantity of SNM is contained outside the Material Access Area, then no exit inspection is required. (a) A physical or electronic inspection shall be separately conducted of vehicles, personnel, packages, and all other containers at all routine exit points for Protected Areas that contain Category I quantities (or lesser quantities with credible roll-up to a Category I quantity). (b) Exit inspection procedures and detection levels for SNM and shielding shall be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections shall be capable of detecting shielded SNM (e.g., by using a combination of SNM and metal detectors) and shall meet requirements for metal and SNM detection as determined by the Manager, Operations Office. (d) Procedures used shall ensure that unalarmed portals shall have the means to detect SNM. (3) Exits shall be alarmed or controlled at all times. (4) Protected Area perimeter intrusion detection and assessment systems shall be monitored in a continuously manned central alarm station. (5) Protective force response time to an intrusion detection shall be less than the delay time that can be demonstrated from alarm activationuntil intruders could complete adverse actions. b. Personnel and Vehicle Access Control. Validation of the identity and access authorization of persons authorized access shall be administered by armed protective force personnel and/or an automated access control system as determined by local safeguards and security authorities. Access control requirements shall be as follows. (1) Private vehicles shall be prohibited from a Protected Area. (2) Government-owned or Government-leased vehicles shall be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when escorted by properly cleared, authorized personnel. Service and delivery vehicles shall be admitted only when on authorized business and when driven or escorted by properly cleared, authorized personnel. Entry of service and delivery vehicles shall be kept to an operational minimum. (3) Where access to a Protected Area is controlled by an automated access control system, the system shall verify the following: valid access authorization, valid Personal Identification Number, and valid DOE standard badge (i.e., the badge serial number read by the system matches the serial number assigned to the badge holder). 6. VITAL AREA. A Vital Area is a Security Area located within a Protected Area used for the protection of vital equipment. All vital equipment shall be contained within a Vital Area. a. Requirements. In addition to protection strategies at a Protected Area, the following requirements shall be met. (1) Area boundaries shall conform to the layered protection concept, with a separate Vital Area perimeter located within a separate and distinct Protected Area. (2) The perimeter of each Vital Area shall be monitored to deter and detect unauthorized entry attempts. (3) Vital equipment shall be protected with an intrusion detection system. (4) Exits shall be alarmed or controlled at all times. (5) Protective force response time to an intrusion detection shall be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. b. Personnel and Vehicle Access Control. The local safeguards and security authority shall implement procedures for personnel and official vehicles for Vital Area access. The procedure shall require the validation of the identity and access authorization of persons authorized access and shall be administered by protective personnel or an automated access control system. Access control requirements shall be as follows. (1) Private vehicles shall be prohibited from a Vital Area. (2) Government-owned or Government-leased vehicles shall be admitted only when on official business and only when operated by properly cleared and authorized drivers, or when escorted by properly cleared and authorized personnel. Service and delivery vehicles shall be admitted only when on authorized business and when driven by or escorted by properly cleared and authorized personnel. (3) Where access to a Vital Area is controlled by an automated access control system, the system shall verify the following: valid access authorization, valid Personal Identification Number, and valid DOE standard badge (i.e., that the badge serial number read by the system matches the serial number assigned to the badge holder). 7. MATERIAL ACCESS AREA. A Material Access Area is a Security Area defined by physical barriers and subject to access control, used for the protection of Category I quantities of SNM or Category II quantities of SNM with credible roll-up to a Category I quantity. A Material Access Area shall be contained within a Protected Area and shall have separately defined physical barriers constructed to provide sufficient delay time to control, impede, or deter unauthorized access. Area boundaries shall conform to the layered protection concept, with a separate Material Access Area perimeter located within a separate and distinct Protected Area. Material Access Area barriers shall direct the flow of personnel and vehicles through designated portals. a. Requirements. Inspections shall provide reasonable assurance against the unauthorized introduction of prohibited articles or removal of SNM by force, stealth, or deceit. (1) Entrance inspections of personnel, vehicles, and hand-carried items shall be conducted to deter and detect the unauthorized introduction of prohibited articles. (2) Exit inspections of personnel, vehicles, and hand-carried items shall be conducted to deter and detect the unauthorized removal of SNM. Specific inspection procedures and SNM/metal detection levels and limitations shall be established and documented. (a) A physical or electronic inspection shall be separately conducted of vehicles, personnel, packages, and all other containers at all routine exit points for Material Access Areas that contain Category I quantities (or lesser quantities with credible roll-up to a Category I quantity). (b) Exit inspection procedures and detection levels for SNM and shielding shall be established consistent with the material type, form, quantity, attractiveness level, size, configuration, portability, and credible diversion amounts of SNM contained within the area. (c) Exit inspections shall be capable of detecting shielded SNM (e.g., using a combination of SNM and metal detectors) and shall meet requirements for metal and SNM determined by the Manager, Operations Office. (d) Procedures used shall ensure that unalarmed portals have the means to detect SNM. (3) Protective force response time to an intrusion detection shall be less than the delay time that can be demonstrated from alarm activation until intruders could complete adverse actions. (4) Exits and all openings larger than 96 square inches (619.20 square centimeters) shall be alarmed with intrusion detection sensors or controlled at all times. (See Chapter VIII, Paragraph 1.g.(2).) (5) Material in process or stored within an unattended Material Access Area or within a vault or vault type room within the Material Access Area shall be protected by intrusion detection sensors. (6) Intrusion detection sensors and assessment systems shall be monitored in a continuously manned central alarm station. b. Personnel and Vehicle Access Control. Validation of the identity, access authorization, and authority to enter for persons allowed access shall be accomplished at Material Access Area entrances. Access control shall be administered by armed protective force personnel and/or automated access control systems as determined by local safeguards and security authorities. (1) Private vehicles shall be excluded from a Material Access Area. (2) Government-owned or Government-leased vehicles shall be admitted to Material Access Areas only when on official business. Drivers must have the proper access authorization or be escorted by authorized personnel with the proper access authorization. (3) Exit detection levels for SNM and shielding shall be established consistent with the form, quantity, attractiveness level, and credible diversion amounts/attempts of SNM contained within the area. (4) Where access to a Material Access Area is controlled by an automated access control system, the system shall verify the following: valid access authorization, valid Personal Identification Number, valid DOE standard badge (i.e., that the badge serial number read by the system matches the serial number assigned to the badge holder), and valid biometric template. 8. OTHER SECURITY AREAS. Other security areas shall be administered as follows and as outlined in pertinent DOE directives. a. Sensitive Compartmented Information Facilities. The Department of Energy follows requirements in Director of Central Intelligence Directive 1/21 for the construction of Sensitive Compartmented Information Facilities. b. Central Alarm Station. A central alarm station shall be used in protection of Category I and II quantities of SNM. A central alarm station shall meet the requirements of a hardened post and shall be located, as a minimum, within a Limited Area. Requirements are as follows. (1) An access control system shall be used to restrict admittance to persons who require access in the performance of official duties. (2) A central alarm station shall be attended constantly by appropriately trained security personnel who possess access authorizations commensurate with the most sensitive asset that is under the protection of the central alarm station. c. Secondary Alarm Stations. Facilities with Category I or II quantities of SNM shall have a secondary alarm station. Used as an alternative alarm annunciation point to the central alarm station, the secondary alarm station shall be maintained at a location continuously manned, such that a response can be initiated if the central alarm station cannot perform its intended function. Secondary alarm stations shall meet the operational requirements of central alarm stations with the exception of hardening and location within a Limited Area. The secondary alarm station need not be fully redundant to the central alarm station, but shall be capable of providing effective control response to safeguards and security incidents. d. Local Law Enforcement Agency or Private Alarm Station. If response by local law enforcement agency/protective personnel to alarm activity is required for facility approval, the response shall meet the specifications for Grade AA as contained in Underwriters Laboratories Standard 611, "Central-Station Burglar- Alarm Systems." e. Secure Communications Centers and Automated Information System Centers. (1) Centers handling classified messages or information shall be located, as a minimum, within a Limited Area. (2) Separate access controls and barriers shall be established to restrict admittance to persons employed therein or who require access in the performance of official duties. (3) Access authorizations, consistent with the highest level and category of classified information handled, shall be required for all persons assigned to or having any unescorted access to these centers. A list of persons authorized such access shall be maintained within the center, and a record of all visitors entering the facility shall be maintained. CHAPTER VI PROTECTION ELEMENT: INTRUSION DETECTION AND ASSESSMENT SYSTEMS 1. GENERAL. Intrusion detection systems shall be installed to provide reasonable assurance that breaches of security boundaries are detected and alarms are generated at a continuously manned alarm annunciation point. Intrusion detection systems shall be provided for Protected Areas (as required in Chapter V, Paragraph 5), for Vital Areas, (as required in Chapter V, Paragraph 6), and for Material Access Areas and SNM (as discussed in Chapter V, Paragraph 7, and Paragraphs 2, 3, and 4 below). Intrusion detection systems shall be provided for protection of classified matter as described in Chapter III, pragraph 2b. Intrusion detection systems shall also be provided for vaults, vault-type rooms, Sensitive Compartmented Information Facilities, Classified Automated Information System facilities, and Secure Communications Centers. For other applications, the impact of loss or destruction of property and facilities shall be considered when assessing the need for intrusion detection systems. 2. GENERAL REQUIREMENTS. Specifications for intrusion detection systems shall be as follows. a. A means for timely detection of intrusion shall be provided by the use of intrusion detection systems and/or protective force fixed posts and/or mobile patrols. Timely assessment of intrusion detection system alarms shall be provided by electronic systems and/or patrols. Electronic assessment systems shall be fixed in place. When used for detection, patrols shall be conducted at random intervals, at a documented frequency. b. Intrusion detection systems shall provide operable coverage in all environmental conditions common to that area and under all common types of lighting conditions. c. Visual observation by protective personnel on patrol or in fixed posts may complement intrusion detection systems and increase the probability of early detection. d. There shall be an effective method by which to assess all intrusion detection system alarms (e.g., intrusion, false, nuisance, system failure, and tamper), and radio frequency (RF) jamming. e. Response capability to intrusion detection system alarms shall be provided to protect DOE safeguards and security interests. The response capability may be provided by assigned protective personnel or by the local law enforcement agency, as applicable. Response times shall be appropriate for the protection strategy employed at the site. f. Intrusion detection systems shall employ multiple detection layers for Category I and II SNM targets. Complementary sensor selection is required when multiple types of sensors are deployed. g. Intrusion detection systems shall be designed, installed, operated, and maintained to ensure that the number of false and nuisance alarms does not reduce the system effectiveness. System effectiveness metrics results shall be recorded. h. Intrusion detection systems and their associated components, such as sensors, multiplexers, power supply cabinets, processors, junction boxes, and alarm access panels that service Protected Areas, Material Access Areas, or Vital Areas, shall resist tampering and provide an alarm to indicate tampering. i. Intrusion detection systems shall be monitored continuously by personnel assigned to assess alarms and intrusion activities. Monitoring personnel shall initiate the appropriate responses. j. Compensatory measures shall be provided during times when the intrusion detection system is not in operation or not operating effectively. RF devices used to protect Category I SNM are considered temporary compensatory measures that require deviation approval. k. Systems installed after 9/14/94, used in the protection of Category I quantities of SNM, shall employ redundant, independently routed communication paths to avoid a single point failure. If the communication path is in a "loop" configuration, it must feature reverse polling to meet this requirement. The redundant pathways shall begin at a data collection point and be conveyed and reported independently to a physically separated central alarm station and secondary alarm station. The use of two RF alarm communication devices to protect Category I SNM, one as the primary path and the other as secondary path, does not satisfy the DOE requirement for redundant communications paths. Several intrusion detection sensors may be connected to a common data collection point. l. Records shall be kept on each alarm. The alarm record shall contain, as a minimum: date and time of the alarm; cause of the alarm or a probable cause if definite cause cannot be established; and the identity of the recorder or the operator on duty. The record shall be reviewed, analysis performed, and corrective measures taken as applicable. m. Alarm monitoring systems shall annunciate system and system component failure, including RF systems alarms, in the alarm station(s). For the protection of Category I and II quantities of SNM, alarms shall be annunciated in both the central and secondary alarm stations. Systems shall indicate the type and location of the alarm source. n. In existing intrusion detection systems where dedicated telephone cable pairs are used to connect the intrusion detection system to the alarm station and/or annunciating point, cable pairs shall not be routed through telephone switching equipment. o. The system shall have a means of providing the system operator, response force, or maintenance personnel the location of the alarm. p. RF alarm communication devices shall use approved Digital Encryption System (DES) encryption or other National Security Agency-approved encryption techniques. q. RF alarm communication devices, including those RF devices used as compensatory measures to protect Category I SNM, shall meet all requirements of this Manual and shall be analyzed to determine if they provide adequate protection in terms of target identification, threat definition, and overall effectiveness of the physical protection system. r. Systems and system components shall be functionally tested in accordance with established procedures at a documented frequency . Chapter III of DOE 470.1 contains the performance assurance program requirements for systems protecting Category I and II SNM. The testing program for all other security interests shall be developed by the local safeguards and security authority. s. Public vehicle parking and drive areas shall be maintained at the explosive threat quantity distance from Protected Area perimeter intrusion detection and assessment systems. 3. INTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. The approved interior intrusion detection systems shall be documented in the SSSP. a. The probability of detection for each safeguards and security physical protection system shall be established and documented. b. Balanced magnetic switches shall initiate an alarm upon attempted substitution of an external magnetic field when the switch is in the normally secured position and whenever the leading edge of the door is moved 1 inch (2.5 centimeters) or more from the door jam. c. Volumetric detectors shall detect an individual moving at a rate of 1 foot per second, or faster, within the total field-of-view of the sensor and its plane of detection. 4. EXTERIOR INTRUSION DETECTION SYSTEM REQUIREMENTS. Approved exterior intrusion detection systems shall be documented in the SSSP. Requirements for Protected Areas, Material Access Areas, and Vital Areas are as follows. a. The perimeter intrusion detection system shall be capable of detecting an individual (weighing 35 kilograms or more) crossing the detection zone walking, crawling, jumping, running, or rolling (at speeds between 0.15 and 5 meters per second), or climbing the fence, if applicable, at any point in the detection zone with a detection probability of 90 percent, at a 95 percent confidence level. (1) Testing shall be conducted at the time of initial perimeter intrusion detection system installation and at least annually thereafter to validate this detection probability and confidence level. (2) If operational testing or effectiveness testing indicates degradation of the intrusion detection system or portion thereof, then that portion of the intrusion detection system shall be revalidated. When calculating detection probability for multiple sensor systems, detection is assumed if any of the sensors detect the intrusion. b. Intrusion detection systems shall cover the entire perimeter of a detection area, including the tops of buildings situated in the detection area. c. All openings in barriers, unattended gates and/or portals, and culverts and sewers that have openings larger than 96 square inches (619.20 square centimeters) where the smallest dimension is larger than 6 inches (15.24 centimeters) shall have detection capabilities at least as effective as the rest of the intrusion detection system, except when protected by access delay systems providing delay comparable to tunneling or wall penetration. The intrusion detection system shall be operational when the opening is not attended. d. Intrusion detection systems in adjacent detection zones shall overlap sufficiently to eliminate areas of no detection between detection zones. The length of alarm zones shall be consistent with the characteristics of the sensors used in that zone. e. Perimeter intrusion detection systems shall be designed, installed, and maintained so as to deny adversaries a means to circumvent the detection system. f. The isolation zone between fences shall be at least 20 feet (6 meters) wide. g. The isolation zone between fences shall be clear of fabricated or natural objects that would interfere with detection equipment or the effectiveness of the assessment. h. Wires, piping, poles, and similar objects that could be used to assist an intruder traversing the isolation zone or that could assist in the undetected ingress or egress of an adversary or matter shall be protected by the detection and assessment system or constructed in a manner that deters their use. i. The detection zone of each intrusion detection system sensor (where applicable) shall not provide a pathway (e.g., dips, obstructions) that an individual might use to avoid detection. j. The detection zone of each intrusion detection system shall be kept free of snow, ice, grass, weeds, debris, and any other item that degrades intrusion detection system effectiveness. When the above action cannot be accomplished in a timely manner, and when degradation of detection capabilities exists, compensatory measures shall be taken to provide timely detection. 5. INTRUSION DETECTION SYSTEM ALARM ANNUNCIATION AT THE CENTRAL AND SECONDARY ALARM STATION. a. Alarms for the protection of Category I and II SNM and Top Secret matter shall be distinguished at the central alarm station from alarms protecting other security interests. Annunciation of these alarms shall take priority over the alarms for other security interests. b. Facilities not protecting Category I and II SNM and Top Secret matter and using commercial alarm station monitoring services shall have its sensors connected by direct, continuously supervised, leased line, or by such other means as to distinguish its alarms from all alarms for other customers that are monitored by the monitoring service. c. Alarms shall annunciate audibly and visually to both the central and secondary alarm stations. d. Action to acknowledge alarms shall be straightforward and easily performed. Reporting and acknowledgment of a multiple alarm scenario must address alarm priorities to ensure system credibility/reliability is not diminished. e. Intrusion detection system status indicators shall be provided to indicate when the system is not in working order and to indicate tampering with any essential system component, including analyzing all RF alarm communication physical protection devices for state-of-health (SOH) and for their capability to detect intentional and non-intentional jamming attempts. f. Where applicable, the alarm control system shall have the capability to call the central alarm station and secondary alarm station operators' attention to a closed- circuit television camera (CCTV) alarm-associated video recorder/monitor. The picture quality shall allow the operator to recognize and discriminate between human and animal presence in the camera field-of-view. g. Video recorders, when used, shall be actuated by alarm signals and shall operate automatically. The response shall be sufficiently rapid to record an actual intrusion. h. When CCTV is used as the principal means for assessing alarms and for determining response level, CCTV cameras shall have tamper-protection and loss-of-video alarm annunciation. Fixed CCTV shall be used when cameras are the principle means of alarm assessment. Movable pan-tilt-or-zoom lens cameras may be used for surveillance and as back-up to fixed primary assessment cameras. i. If remote CCTV assessment of a perimeter intrusion detection system is used, the coverage shall be complete, with no gaps between zones and no areas that cannot be assessed because of shadows or objects blocking the camera field. When such conditions are temporary, compensatory measures shall be put into effect. 6. RADIO FREQUENCY ALARM SYSTEMS. When RF alarm communications are used, the RF link that replaces the direct hardwire link between the sensor and the central alarm station display panels shall maintain a high level of security. RF alarm communications systems used for the protection of Category I SNM shall be limited to emergencies and temporary situations. (The requirements of this paragraph do not apply to mobile and SNM presence alarm monitoring systems.) Emergency and temporary use of RF alarm communications shall not exceed 120 days per application. a. RF Alarm Communications. To ensure protection requirements, RF alarm communication systems, as a minimum, shall meet all of the following requirements. (1) Approved Digital Encryption Standard (DES) encryption or other National Security Agency approved encryption techniques shall be provided. (2) The RF alarm communication system shall only be used as a redundant or alternate path with hardwire being the primary method. Using two RF frequencies to protect Category I, one as the primary and the other as secondary path, does not satisfy the DOE requirement for redundant communications paths. Compensatory measures will be required. It may be adequate to use exposed, supervised hardwire along with RF as a redundant communication path for temporary applications. (3) The SOH interval shall be determined by analyzing the entire physical protection system for the particular application. The SOH must be less than the adversary task time minus the assessment time plus the response time: [SOH >