DRAFT DRAFT DRAFT DRAFT Management System Description: Safeguards, Security, and Emergency Management KARL GOODWIN Management System Owner: Secondary Management System Owner: TY SANDERS Point of Contact: | EMERS Home Page | Issue Date: 06/30/2011 EMERS Revision: 1.7 1.0 Purpose The purpose of the Office of Environmental Management (EM) Safeguards, Security, and Emergency Management System is to assure that effective programs are in place for the protection of EM interests from loss, damage, or other harm, whether intentional or unintentional. This includes assets in the possession or control of EM Headquarters and the Site Offices, as well as third parties under various types of agreements with the Office of Environmental Management : management and operating (M&O) and non-M&O contracts, grants, cooperative agreements, Interagency Agreements, etc. 2.0 Responsibilities The table below represents roles and responsibilities specific to this Management System. For a detailed description of EMERS roles and responsibilities, please see the EMERS R2A2. Roles Assistant Secretary for Environmental Management (EM-1) Responsibilities EM-1 is responsible for management and implementation of Safeguards, Security, and Emergency Management (SS&EM) programs administered by EM. EM-1 serves as the Department of Energy (DOE) cognizant security authority for programs, operations, and facilities under the purview of EM to assure that effective programs are in place for the protection of EM interests from loss, damage, or other harm, whether intentional or unintentional. EM-1 accomplishes these responsibilities through further assignments within the organization described below. Principal Deputy Assistant Secretary (EM-2 ) EM Site Office Managers Deputy Assistant Secretary Utilizing specific authorities assigned from EM-1, EM-3 is the EM Line Manager responsible and accountable to EM-1 for the safety and protection of Federal and support contractor/laboratory employees assigned to EM-3. EM-2 assures SS&EM performance within previously established policy and clearly stated expectations within assigned organizational responsibilities (e.g., assigned Forrestal/Germantown [FORSTL/GTN] staff, all EM Site Offices). EM-2 assures that emergency management programs in the Office of Environmental Management , at all levels, are evaluated every three years as required by regulations (see Section 4.0, “Requirements”) EM-2 routinely communicates with EM-1 on all SS&EM matters and performance, and EM-2 develops and implements corrective actions, as appropriate. EM-2 serves as the champion for the EM Management System Owner (MSO) and thus recommends final policy to EM-1 on matters affecting SS&EM performance within the Office of Environmental Management . Utilizing specific authorities assigned from EM-3, EM Site Office Managers are the EM Line Managers responsible and accountable for the safety and protection of Federal and contractor employees, the environment, and the public at EM’s National Laboratory sites. EM Site Office Managers set contract SS&EM expectations and assure performance. EM Site Office Managers routinely communicate with EM-1, as well as EM-3, on all SS&EM matters and performance, and develop and implement corrective actions, as appropriate. Site Office Managers, in conjunction with EM-3, evaluate SS&EM performance under their respective management and operating contracts. The Deputy Assistant Secretary supports EM-2 and EM for Safety Security, and Quality Programs Site Office Managers by providing technical and subject matter oversight in SS&EM-related issues and other matters. This includes, but is not limited to, responsibility for determining eligibility for access to classified matter and/or special nuclear material, and implementing the Human Reliability Program for Federal and contractor employees at EM National Laboratory Sites. 3.0 Management System Operation 3.1 Overview The Office of Environmental Management implements SS&EM programs and activities to protect its assets, human and physical, utilizing the principles and functions of Integrated Safeguards and Security Management (ISSM). EM staff: 1. Ensure that applicable security and emergency management requirements are followed by EM personnel; 2. Ensure that appropriate security and emergency management requirements are placed into contracts; 3. Provide oversight of contractor work planning and controls; 4. Integrate continuous feedback and improvement mechanisms into their work; and 5. Perform the necessary oversight/assessments of both the Federal staff and contractors. This Management System addresses the training requirements for EM personnel in the relevant aspects of SS&EM and performance of SS&EM functions that are Federal responsibilities. Furthermore, this Management System serves to ensure that EM SS&EM requirements and methods of accomplishment are identified, communicated, and implemented by both EM staff and contractors. This includes the oversight, assessment, and evaluation of both Federal staff and contractor performance and reporting of SS&EM performance data to EM and other DOE entities. Effective implementation of this Management System will ensure the security and safety of EM staff, contractor personnel, and the public, and protection of the environment. The processes for addressing contractor SS&EM performance expectations are outlined in the [INTEGRATION ISSUE EM MSD: M&O Contracting.] 3.2 Key Functions/Services and Processes 3.2.1 EM Safeguards and Security This component includes a variety of formal and informal safeguards and security systems and processes for the protection and management of all EM interests. 3.2.1.1 Program Management and Support Each EM Site Office is considered a “Lead Responsible Office” per DOE Directive (see Section 4.0, “Requirements”). Accordingly, Site Office Managers are responsible for: Approving all safeguards and security plans; Approving the Training Approval Program Plan; Ensuring that the appropriate Foreign, Ownership or Influence (FOCI) determinations are made prior to allowing any classified work to occur; Ensuring appropriate facility clearances are granted and Facility Data and Approval Records (FDARs) and Contract Security Classification Specification (CEMS) forms are completed; Maintaining the Safeguards and Security Information Management System (SSIMS); Ensuring that safeguards and security surveys are conducted at facilities under their purview; Ensuring that any deficiencies identified during the surveys are corrected appropriately; and Approving/concurring on deviations to DOE Directives. 3.2.1.2 Protective Force The Site Office Manager ensures that all protective force personnel employed to protect DOE interests [DESCRIBE REQUIREMENT]. 3.2.1.3 Physical Security Site Office Managers are responsible for approving, for the facility under their cognizance, any vulnerability assessments conducted on the physical security (not limited to barriers, locks, systems, alarms), access controls, protective force operations, performance testing, transportation security, and badging. 3.2.1.4 Information Protection Site Office Managers have the responsibility for the activities in the Classification, Operations Security (OPSEC), Technical Surveillance Counter Measures (TEMM), Classified Matter Protection and Control Program, and Integrated Safeguards and Security (ISS) Programs for the protection of classified matter, Unclassified Controlled Nuclear Information and Official Use Only documents to ensure that classified and sensitive activities conducted at facilities under their purview are in accordance with the Atomic Energy Act and its implementing regulations (and related DOE Directives) and the National Industrial Security Policy. This necessitates the appointment of a DOE employee as FOCI Program Manager, Technical Surveillance Countermeasures Program Manager, Facility Clearance Operations Manager, and a Designated Accrediting Authority for classified computer operations. These appointments could be individuals on their staff, or individuals in the Deputy Assistant Secretary for Safety Security, and Quality Programs . 3.2.1.5 Cyber Security Site Office Managers, with appropriate support from the Deputy Assistant Secretary for Safety Security, and Quality Programs, are responsible for implementing all cyber security mandates and guidance to ensure that cyber-generated and stored information, and the systems housing them, are adequately protected from unauthorized intrusion, disruption, damage, and destruction. 3.2.1.6 Personnel Security The Deputy Assistant Secretary for Safety Security, and Quality Programs is responsible for determining eligibility for access to classified matter and/or special nuclear material, and to implement the Human Reliability Program. The clearance requests are for initial access authorizations, extensions, transfers, upgrades, downgrades, reinstatements, and reinvestigations. To the extent consistent with the regulation (see Section 4.0, “Requirements”), [DESCRIBE WHICH SITES HAVE THIS AUTHORIZATION] Managers retain the authority to suspend or decline to grant an access authorization. 3.2.1.7 Unclassified Visits and Assignments by Foreign Nationals The EM Laboratory Directors are responsible for the Unclassified Foreign Visits and Assignments Program consistent with the related DOE Directive. The Site Office Manager is responsible for assuring that the facilities under their cognizance comply with the appropriate requirements. This means assuring that all unclassified foreign visits and assignments are tracked in the Foreign Access Central Tracking System (FACTS); indices checks are favorably completed, security plans are completed when required, the visa/passport information are obtained and that the appropriate subject matter experts review all visits and assignments. 3.2.1.8 Nuclear Materials Control and Accountability If nuclear materials are managed by the contractor under his or her cognizance, the Site Office Manager is responsible for approving a Material Control and Accountability Plan. This means assuring that: MC&A requirements are considered in all phases of design of new facilities and operations; Nuclear material transactions, inventories, and material balances are documented and submitted to the Nuclear Materials Management and Safeguards System (NMMSS); and Material balances held in the contractor’s systems are reconciled with NMMSS in the March and September reporting periods. 3.2.2 Emergency Management This component is comprised of a series of more rigorous processes designed to enhance EM response capabilities, graded in approach, to mitigate a variety of events or conditions that jeopardize or may jeopardize the health and safety of workers, the public, and the environment. 3.2.2.1 Operational Emergency Program Each DOE facility/site is required to have an Operational Emergency Program, which provides the framework for response to all events or conditions that involve the health and safety of workers, the public, and the environment. The objective of the program is to achieve an effective integration of emergency planning and preparedness requirements into an Emergency Management Program that provides response capabilities for all emergencies, through communication, coordination, and an efficient and effective use of resources. The Emergency Management Program for a specific facility/site shall be commensurate with the hazards present at that facility/site. 3.2.2.2 Hazards Survey A Hazards Survey is used to identify the generic emergency events or conditions that define the scope of the emergency management program at a facility/site. It is a site-specific qualitative examination of the events or conditions which may require an emergency response. The description of the potential impacts of such events or conditions contained in the Hazards Survey determines the planning and preparedness requirements that apply. 3.2.2.3 Hazards Assessment Hazards Assessment is conducted for each DOE facility/site where hazardous materials are present in quantities exceeding the specified threshold quantities. It is a quantitative analysis that includes the identification and characterization of hazardous materials specific to a facility/site, analyses of potential accidents or events, and evaluation of potential consequences. The results of the Hazards Assessment determine whether an Operational Emergency Hazardous Materials Program is required. 4.0 Requirements 4.1 Primary Responsibility This Management System has primary responsibility for ("owns") the following requirements: Document Title 10 CFR 710 Criteria and Procedures for Determining Eligibility for Access to Classified Matter or Special Nuclear Material 10 CFR 1046 Physical Protection Of Security Interest DEAR 952.2042 Security Requirements Requirement Decision Record DEAR 952.20470 Classification/Declassification DEAR 952.20473 Facility Clearance DoD 5220.22-M National Industrial Security Program Operating Manual DOE M 142.2-1 Manual For Implementation Of The Voluntary Offer Safeguards Agreement And Additional Protocol With The International Atomic Energy Agency DOE O 142.2A Voluntary Offer Safeguards Agreement And Additional Protocol With The International Atomic Energy Agency DOE O 142.3A Unclassified Foreign Visits and Assignments Program DOE O 142.5 Committee on Foreign Investment in the United States DOE O 150.1 Continuity Programs DOE O 151.1C Comprehensive Emergency Management System DOE M 200.1-1, Chapter 9 (restricted access) Public Key Cryptography And Key Management (Unclassified) DOE P 205.1 Departmental Cyber Security Management Policy DOE M 205.1-3 Telecommunications Security Manual (Official Use Only) DOE N 206.4 Personal Identity Verification DOE N 251.87 Extension of DOE N 470.4, Reciprocal Recognition of Existing Personnel Security Clearances/Access Authorizations DOE N 251.90 Extension of DOE N 470.5 DOE O 410.2 Management of Nuclear Materials DOE O 457.1 Nuclear Counterterrorism DOE M 457.1-1 Control Of Improvised Nuclear Device Information (Official Use Only) DOE P 470.1A Safeguards and Security Program DOE O 470.3B Graded Security Protection Policy DOE M 470.44A, Change 1 Information Security Manual DOE O 471.1B Identification and Protection of Unclassified Controlled Nuclear Information DOE O 471.3, Admin. Change 1 Identifying and Protecting Official Use Only Information DOE M 471.3-1, Admin. Change 1 Manual for Identifying and Protecting Official Use Only Information DOE O 471.6 Information Security DOE O 473.3 Protection Program Operations DOE O 475.1 Counterintelligence Program DOE O 475.2A Identifying Classified Information DOE O 5670.1A Management And Control Of Foreign Intelligence DOE CG-SS-4, Change 6 Classification and UNCI Guide for Safeguards and Security Information (Official Use Only) E.O. 13467 Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information [PROVIDE DOCUMENT] Office of Environmental Management (EM) Program Cyber Security Plan (PCSP) NISP National Industrial Security Policy NSD 42 National Policy for the Security of National Security Telecommunications and Information Systems NSDD 298 National Operations Security Program OMB M-04-25 FY 2004 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management OMB M 04-26 Personal Use Policies and "File Sharing" Technology P.L. 83-703 (68 stat. 919) The Atomic Energy Act of 1954 4.2 Parsed Responsibility This Management System is responsible for a part of the following high-level requirements: Document Title OMB Circular A- Management of Federal Information Resources 130 — Appendix III, Security of Federal Automated Information Resources DOE O 206.1 Department of Energy Privacy Program — Appendix A, Privacy Impact Assessments and Appendix B, Response and Notification Procedures for Data Breaches Involving Personally Identifiable Information OMB M-06-19 Reporting Incidents Involving Personally Requirement Decision Record Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments — Not specified P.L. 107-347, 116 Stat. 289 E-Government Act of 2002 - Federal Information Security Management Act (FISMA) — FISMA specific portion (Title III Information Security) 5.0 Subject Areas, Program Descriptions, and Guidance Documents The following Subject Areas are maintained by this Management System: [TBD] 6.0 References CNSS Instruction No. 1253, Security Categorization and Control Selection for National Security Systems CNSS Policy No. 22, Information Assurance Risk Management Policy for National Security Systems NSTISSI No. 1000, National Information Assurance Certification and Accreditation Process (NIACAP) DOE CG-SS-6, Classification and UCNI Guide for Safeguards And Security Information (Official Use Only) DOE G 151.1-1A, Emergency Management Fundamentals and the Operational Emergency Base Program DOE G 151.1-2, Technical Planning Basis DOE G 151.1-3, Programmatic Elements DOE G 151.1-4, Response Elements DOE G 151.1-5, Biosafety Facilities DOE M 205.1-5, Administrative Change 2, Cyber Security Process Requirements Manual DOE M 205.1-6, Administrative Change 2, Media Sanitization Manual DOE M 205.1-7, Administrative Change 2, Security Controls for Unclassified Information Systems Manual DOE M 205.1-8, Administrative Change 2, Cyber Security Incident Management Manual DOE G 226.1-1, Safeguards and Security Oversight and Assessments Implementation Guide DOE G 241.1-1A, Guide to the Management of Scientific and Technical Information DOE G 413.3-3, Safeguards and Security for Program and Project Management DOE G 470.4-1, Asset Protection Analysis Guide DOE G 471.3-1, Guide to Identifying Official Use Only Information DOE G 473.2-1, Guide for Establishment of a Contingency Protective Force DOE-STD-1171-2009, Safeguard and Security Functional Area Qualification Standard DOE-STD-1177-2004, Emergency Management Functional Area Qualification Standard Executive Order 13526, Classified National Security Information Memorandum from Daniel B. Poneman, Deputy Secretary, to Distribution, titled "Unclassified Foreign National Visits and Assignments," dated 03/09/2010 Memorandum from Daniel B. Poneman, Deputy Secretary, to Heads of Departmental Elements, title "Security Incident (Including Cyber) Congressional Notification Protocol," dated 06/24/2011 National Response Plan National Incident Management System (NIMS) National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems NIST FIPS 2000, Minimum Security Requirements for Federal Information and Information Systems NIST FIPS 201-1, Change Notice 1, Personal Identity Verification (PIV) of Federal Employees and Contractors NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information Technology Systems, was withdrawn on 02/2007 and superseded by NIST FIPS 200, NIST SP 800-53, and NIST SP 800-53A. NIST SP 800-30, Risk Management Guide for Information Technology Systems NIST SP 800-34, Revision 1, Contingency Planning Guide for Information Technology Systems NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems, A Security Life Cycle Approach NIST SP 800-40, Version 2.0, Creating a Patch and Vulnerability Management Program NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems NIST SP 800-50, Building an Information Technology Security Awareness and Training Program NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans NIST SP 800-59, Guideline for Identifying an Information System as a National Security System NIST SP 800-60, Volume 1, Revision 1 , Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1: Guide NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2: Appendices NIST SP 800-61, Computer Security Incident Handling Guide NIST SP 800-64, Revision 1, Security Consideration in the System Development Life Cycle NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT Professionals: A NIST Security Configuration Checklist NIST SP 800-73-2, Interfaces for Personal Identity Verification NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification Office of Management and Budget (OMB) M-06-15, Safeguarding Personally Identifiable Information Office of Environmental Management (EM) Security Program Management Plan [INTEGRATION ISSUE EM MSD: Management and Operating (M&O) Contracting] [INTEGRATION ISSUE EM MSD: Quality Assurance and Oversight] | EMERS Home Page | Send a question or comment to the EMERS Help Desk. Filename: /EMERS/content/DRAFT/MSD/SSEM/AUTHOR/SSEC_MS Last Major EMERS Revision: DRAFT