Safeguards, Security, and Emergency Management

advertisement
DRAFT DRAFT DRAFT DRAFT
Management System Description:
Safeguards, Security, and Emergency Management
KARL GOODWIN
Management System Owner:
Secondary Management System Owner:
TY SANDERS
Point of Contact:
| EMERS Home Page |
Issue Date: 06/30/2011
EMERS Revision: 1.7
1.0 Purpose
The purpose of the Office of Environmental Management (EM) Safeguards, Security, and
Emergency Management System is to assure that effective programs are in place for the
protection of EM interests from loss, damage, or other harm, whether intentional or
unintentional. This includes assets in the possession or control of EM Headquarters and the Site
Offices, as well as third parties under various types of agreements with the Office of
Environmental Management : management and operating (M&O) and non-M&O contracts,
grants, cooperative agreements, Interagency Agreements, etc.
2.0 Responsibilities
The table below represents roles and responsibilities specific to this Management System. For a
detailed description of EMERS roles and responsibilities, please see the EMERS R2A2.
Roles
Assistant Secretary for
Environmental
Management (EM-1)
Responsibilities


EM-1 is responsible for management and implementation
of Safeguards, Security, and Emergency Management
(SS&EM) programs administered by EM.
EM-1 serves as the Department of Energy (DOE) cognizant
security authority for programs, operations, and facilities
under the purview of EM to assure that effective programs
are in place for the protection of EM interests from loss,
damage, or other harm, whether intentional or
unintentional. EM-1 accomplishes these responsibilities
through further assignments within the organization
described below.
Principal Deputy Assistant
Secretary (EM-2 )





EM Site Office Managers




Deputy Assistant Secretary

Utilizing specific authorities assigned from EM-1, EM-3 is
the EM Line Manager responsible and accountable to
EM-1 for the safety and protection of Federal and support
contractor/laboratory employees assigned to EM-3.
EM-2 assures SS&EM performance within previously
established policy and clearly stated expectations within
assigned organizational responsibilities (e.g., assigned
Forrestal/Germantown [FORSTL/GTN] staff, all EM Site
Offices).
EM-2 assures that emergency management programs in the
Office of Environmental Management , at all levels, are
evaluated every three years as required by regulations (see
Section 4.0, “Requirements”)
EM-2 routinely communicates with EM-1 on all SS&EM
matters and performance, and EM-2 develops and
implements corrective actions, as appropriate.
EM-2 serves as the champion for the EM Management
System Owner (MSO) and thus recommends final policy to
EM-1 on matters affecting SS&EM performance within the
Office of Environmental Management .
Utilizing specific authorities assigned from EM-3, EM Site
Office Managers are the EM Line Managers responsible
and accountable for the safety and protection of Federal
and contractor employees, the environment, and the public
at EM’s National Laboratory sites.
EM Site Office Managers set contract SS&EM
expectations and assure performance.
EM Site Office Managers routinely communicate with
EM-1, as well as EM-3, on all SS&EM matters and
performance, and develop and implement corrective
actions, as appropriate.
Site Office Managers, in conjunction with EM-3, evaluate
SS&EM performance under their respective management
and operating contracts.
The Deputy Assistant Secretary supports EM-2 and EM
for Safety Security, and
Quality Programs
Site Office Managers by providing technical and subject
matter oversight in SS&EM-related issues and other
matters. This includes, but is not limited to, responsibility
for determining eligibility for access to classified matter
and/or special nuclear material, and implementing the
Human Reliability Program for Federal and contractor
employees at EM National Laboratory Sites.
3.0 Management System Operation
3.1 Overview
The Office of Environmental Management implements SS&EM programs and
activities to protect its assets, human and physical, utilizing the principles and
functions of Integrated Safeguards and Security Management (ISSM). EM staff:
1. Ensure that applicable security and emergency management requirements
are followed by EM personnel;
2. Ensure that appropriate security and emergency management requirements
are placed into contracts;
3. Provide oversight of contractor work planning and controls;
4. Integrate continuous feedback and improvement mechanisms into their
work; and
5. Perform the necessary oversight/assessments of both the Federal staff and
contractors.
This Management System addresses the training requirements for EM personnel
in the relevant aspects of SS&EM and performance of SS&EM functions that are
Federal responsibilities. Furthermore, this Management System serves to ensure
that EM SS&EM requirements and methods of accomplishment are identified,
communicated, and implemented by both EM staff and contractors. This includes
the oversight, assessment, and evaluation of both Federal staff and contractor
performance and reporting of SS&EM performance data to EM and other DOE
entities. Effective implementation of this Management System will ensure the
security and safety of EM staff, contractor personnel, and the public, and
protection of the environment.
The processes for addressing contractor SS&EM performance expectations are
outlined in the [INTEGRATION ISSUE EM MSD: M&O Contracting.]
3.2 Key Functions/Services and Processes
3.2.1 EM Safeguards and Security
This component includes a variety of formal and informal
safeguards and security systems and processes for the protection
and management of all EM interests.
3.2.1.1 Program Management and Support
Each EM Site Office is considered a “Lead
Responsible Office” per DOE Directive (see
Section 4.0, “Requirements”). Accordingly, Site
Office Managers are responsible for:








Approving all safeguards and security plans;
Approving the Training Approval Program
Plan;
Ensuring that the appropriate Foreign,
Ownership or Influence (FOCI)
determinations are made prior to allowing
any classified work to occur;
Ensuring appropriate facility clearances are
granted and Facility Data and Approval
Records (FDARs) and Contract Security
Classification Specification (CEMS) forms
are completed;
Maintaining the Safeguards and Security
Information Management System (SSIMS);
Ensuring that safeguards and security
surveys are conducted at facilities under
their purview;
Ensuring that any deficiencies identified
during the surveys are corrected
appropriately; and
Approving/concurring on deviations to DOE
Directives.
3.2.1.2 Protective Force
The Site Office Manager ensures that all protective
force personnel employed to protect DOE interests
[DESCRIBE REQUIREMENT].
3.2.1.3 Physical Security
Site Office Managers are responsible for approving,
for the facility under their cognizance, any
vulnerability assessments conducted on the physical
security (not limited to barriers, locks, systems,
alarms), access controls, protective force operations,
performance testing, transportation security, and
badging.
3.2.1.4 Information Protection
Site Office Managers have the responsibility for the
activities in the Classification, Operations Security
(OPSEC), Technical Surveillance Counter
Measures (TEMM), Classified Matter Protection
and Control Program, and Integrated Safeguards
and Security (ISS) Programs for the protection of
classified matter, Unclassified Controlled Nuclear
Information and Official Use Only documents to
ensure that classified and sensitive activities
conducted at facilities under their purview are in
accordance with the Atomic Energy Act and its
implementing regulations (and related DOE
Directives) and the National Industrial Security
Policy. This necessitates the appointment of a DOE
employee as FOCI Program Manager, Technical
Surveillance Countermeasures Program Manager,
Facility Clearance Operations Manager, and a
Designated Accrediting Authority for classified
computer operations. These appointments could be
individuals on their staff, or individuals in the
Deputy Assistant Secretary for Safety Security, and
Quality Programs .
3.2.1.5 Cyber Security
Site Office Managers, with appropriate support
from the Deputy Assistant Secretary for Safety
Security, and Quality Programs, are responsible for
implementing all cyber security mandates and
guidance to ensure that cyber-generated and stored
information, and the systems housing them, are
adequately protected from unauthorized intrusion,
disruption, damage, and destruction.
3.2.1.6 Personnel Security
The Deputy Assistant Secretary for Safety Security,
and Quality Programs is responsible for
determining eligibility for access to classified
matter and/or special nuclear material, and to
implement the Human Reliability Program. The
clearance requests are for initial access
authorizations, extensions, transfers, upgrades,
downgrades, reinstatements, and reinvestigations.
To the extent consistent with the regulation (see
Section 4.0, “Requirements”), [DESCRIBE
WHICH SITES HAVE THIS AUTHORIZATION]
Managers retain the authority to suspend or decline
to grant an access authorization.
3.2.1.7 Unclassified Visits and Assignments by
Foreign Nationals
The EM Laboratory Directors are responsible for
the Unclassified Foreign Visits and Assignments
Program consistent with the related DOE Directive.
The Site Office Manager is responsible for assuring
that the facilities under their cognizance comply
with the appropriate requirements. This means
assuring that all unclassified foreign visits and
assignments are tracked in the Foreign Access
Central Tracking System (FACTS); indices checks
are favorably completed, security plans are
completed when required, the visa/passport
information are obtained and that the appropriate
subject matter experts review all visits and
assignments.
3.2.1.8 Nuclear Materials Control and
Accountability
If nuclear materials are managed by the contractor
under his or her cognizance, the Site Office
Manager is responsible for approving a Material
Control and Accountability Plan. This means
assuring that:


MC&A requirements are considered in all
phases of design of new facilities and
operations;
Nuclear material transactions, inventories,
and material balances are documented and
submitted to the Nuclear Materials
Management and Safeguards System
(NMMSS); and

Material balances held in the contractor’s
systems are reconciled with NMMSS in the
March and September reporting periods.
3.2.2 Emergency Management
This component is comprised of a series of more
rigorous processes designed to enhance EM
response capabilities, graded in approach, to
mitigate a variety of events or conditions that
jeopardize or may jeopardize the health and safety
of workers, the public, and the environment.
3.2.2.1 Operational Emergency
Program
Each DOE facility/site is required to
have an Operational Emergency
Program, which provides the
framework for response to all events
or conditions that involve the health
and safety of workers, the public,
and the environment. The objective
of the program is to achieve an
effective integration of emergency
planning and preparedness
requirements into an Emergency
Management Program that provides
response capabilities for all
emergencies, through
communication, coordination, and an
efficient and effective use of
resources. The Emergency
Management Program for a specific
facility/site shall be commensurate
with the hazards present at that
facility/site.
3.2.2.2 Hazards Survey
A Hazards Survey is used to identify
the generic emergency events or
conditions that define the scope of
the emergency management program
at a facility/site. It is a site-specific
qualitative examination of the events
or conditions which may require an
emergency response. The description
of the potential impacts of such
events or conditions contained in the
Hazards Survey determines the
planning and preparedness
requirements that apply.
3.2.2.3 Hazards Assessment
Hazards Assessment is conducted for
each DOE facility/site where
hazardous materials are present in
quantities exceeding the specified
threshold quantities. It is a
quantitative analysis that includes the
identification and characterization of
hazardous materials specific to a
facility/site, analyses of potential
accidents or events, and evaluation
of potential consequences. The
results of the Hazards Assessment
determine whether an Operational
Emergency Hazardous Materials
Program is required.
4.0 Requirements
4.1 Primary Responsibility
This Management System has primary responsibility for ("owns") the following requirements:
Document
Title
10 CFR 710
Criteria and Procedures for Determining
Eligibility for Access to Classified Matter or
Special Nuclear Material
10 CFR 1046
Physical Protection Of Security Interest
DEAR 952.2042
Security Requirements
Requirement Decision
Record
DEAR 952.20470
Classification/Declassification
DEAR 952.20473
Facility Clearance
DoD 5220.22-M
National Industrial Security Program
Operating Manual
DOE M 142.2-1
Manual For Implementation Of The Voluntary
Offer Safeguards Agreement And Additional
Protocol With The International Atomic
Energy Agency
DOE O 142.2A
Voluntary Offer Safeguards Agreement And
Additional Protocol With The International
Atomic Energy Agency
DOE O 142.3A
Unclassified Foreign Visits and Assignments
Program
DOE O 142.5
Committee on Foreign Investment in the
United States
DOE O 150.1
Continuity Programs
DOE O 151.1C
Comprehensive Emergency Management
System
DOE M 200.1-1,
Chapter 9
(restricted
access)
Public Key Cryptography And Key
Management (Unclassified)
DOE P 205.1
Departmental Cyber Security Management
Policy
DOE M 205.1-3
Telecommunications Security Manual
(Official Use Only)
DOE N 206.4
Personal Identity Verification
DOE N 251.87
Extension of DOE N 470.4, Reciprocal
Recognition of Existing Personnel Security
Clearances/Access Authorizations
DOE N 251.90
Extension of DOE N 470.5
DOE O 410.2
Management of Nuclear Materials
DOE O 457.1
Nuclear Counterterrorism
DOE M 457.1-1
Control Of Improvised Nuclear Device
Information (Official Use Only)
DOE P 470.1A
Safeguards and Security Program
DOE O 470.3B
Graded Security Protection Policy
DOE M 470.44A, Change 1
Information Security Manual
DOE O 471.1B
Identification and Protection of Unclassified
Controlled Nuclear Information
DOE O 471.3,
Admin. Change
1
Identifying and Protecting Official Use Only
Information
DOE M 471.3-1,
Admin. Change
1
Manual for Identifying and Protecting Official
Use Only Information
DOE O 471.6
Information Security
DOE O 473.3
Protection Program Operations
DOE O 475.1
Counterintelligence Program
DOE O 475.2A
Identifying Classified Information
DOE O 5670.1A
Management And Control Of Foreign
Intelligence
DOE CG-SS-4,
Change 6
Classification and UNCI Guide for Safeguards
and Security Information (Official Use Only)
E.O. 13467
Reforming Processes Related to Suitability for
Government Employment, Fitness for
Contractor Employees, and Eligibility for
Access to Classified National Security
Information
[PROVIDE
DOCUMENT]
Office of Environmental Management (EM)
Program Cyber Security Plan (PCSP)
NISP
National Industrial Security Policy
NSD 42
National Policy for the Security of National
Security Telecommunications and Information
Systems
NSDD 298
National Operations Security Program
OMB M-04-25
FY 2004 Reporting Instructions for the
Federal Information Security Management Act
and Agency Privacy Management
OMB M 04-26
Personal Use Policies and "File Sharing"
Technology
P.L. 83-703 (68
stat. 919)
The Atomic Energy Act of 1954
4.2 Parsed Responsibility
This Management System is responsible for a part of the following high-level requirements:
Document
Title
OMB Circular A- Management of Federal Information Resources
130
— Appendix III, Security of Federal
Automated Information Resources
DOE O 206.1
Department of Energy Privacy Program —
Appendix A, Privacy Impact Assessments
and Appendix B, Response and Notification
Procedures for Data Breaches Involving
Personally Identifiable Information
OMB M-06-19
Reporting Incidents Involving Personally
Requirement Decision
Record
Identifiable Information and Incorporating the
Cost for Security in Agency Information
Technology Investments — Not specified
P.L. 107-347,
116 Stat. 289
E-Government Act of 2002 - Federal
Information Security Management Act
(FISMA) — FISMA specific portion (Title III
Information Security)
5.0 Subject Areas, Program Descriptions, and Guidance Documents
The following Subject Areas are maintained by this Management System:
[TBD]
6.0 References




















CNSS Instruction No. 1253, Security Categorization and Control Selection for National
Security Systems
CNSS Policy No. 22, Information Assurance Risk Management Policy for National
Security Systems
NSTISSI No. 1000, National Information Assurance Certification and Accreditation
Process (NIACAP)
DOE CG-SS-6, Classification and UCNI Guide for Safeguards And Security Information
(Official Use Only)
DOE G 151.1-1A, Emergency Management Fundamentals and the Operational
Emergency Base Program
DOE G 151.1-2, Technical Planning Basis
DOE G 151.1-3, Programmatic Elements
DOE G 151.1-4, Response Elements
DOE G 151.1-5, Biosafety Facilities
DOE M 205.1-5, Administrative Change 2, Cyber Security Process Requirements
Manual
DOE M 205.1-6, Administrative Change 2, Media Sanitization Manual
DOE M 205.1-7, Administrative Change 2, Security Controls for Unclassified
Information Systems Manual
DOE M 205.1-8, Administrative Change 2, Cyber Security Incident Management Manual
DOE G 226.1-1, Safeguards and Security Oversight and Assessments Implementation
Guide
DOE G 241.1-1A, Guide to the Management of Scientific and Technical Information
DOE G 413.3-3, Safeguards and Security for Program and Project Management
DOE G 470.4-1, Asset Protection Analysis Guide
DOE G 471.3-1, Guide to Identifying Official Use Only Information
DOE G 473.2-1, Guide for Establishment of a Contingency Protective Force
DOE-STD-1171-2009, Safeguard and Security Functional Area Qualification Standard


























DOE-STD-1177-2004, Emergency Management Functional Area Qualification Standard
Executive Order 13526, Classified National Security Information
Memorandum from Daniel B. Poneman, Deputy Secretary, to Distribution, titled
"Unclassified Foreign National Visits and Assignments," dated 03/09/2010
Memorandum from Daniel B. Poneman, Deputy Secretary, to Heads of Departmental
Elements, title "Security Incident (Including Cyber) Congressional Notification
Protocol," dated 06/24/2011
National Response Plan
National Incident Management System (NIMS)
National Institute of Standards and Technology (NIST) Federal Information Processing
Standard (FIPS) 199, Standards for Security Categorization of Federal Information and
Information Systems
NIST FIPS 2000, Minimum Security Requirements for Federal Information and
Information Systems
NIST FIPS 201-1, Change Notice 1, Personal Identity Verification (PIV) of Federal
Employees and Contractors
NIST Special Publication (SP) 800-26, Security Self-Assessment Guide for Information
Technology Systems, was withdrawn on 02/2007 and superseded by NIST FIPS 200,
NIST SP 800-53, and NIST SP 800-53A.
NIST SP 800-30, Risk Management Guide for Information Technology Systems
NIST SP 800-34, Revision 1, Contingency Planning Guide for Information Technology
Systems
NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to
Federal Information Systems, A Security Life Cycle Approach
NIST SP 800-40, Version 2.0, Creating a Patch and Vulnerability Management Program
NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems
NIST SP 800-50, Building an Information Technology Security Awareness and Training
Program
NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information
Systems and Organizations
NIST SP 800-53A, Revision 1, Guide for Assessing the Security Controls in Federal
Information Systems and Organizations, Building Effective Security Assessment Plans
NIST SP 800-59, Guideline for Identifying an Information System as a National Security
System
NIST SP 800-60, Volume 1, Revision 1 , Guide for Mapping Types of Information and
Information Systems to Security Categories, Volume 1: Guide
NIST SP 800-60, Volume 2, Revision 1, Guide for Mapping Types of Information and
Information Systems to Security Categories, Volume 2: Appendices
NIST SP 800-61, Computer Security Incident Handling Guide
NIST SP 800-64, Revision 1, Security Consideration in the System Development Life
Cycle
NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment
Control Process
NIST SP 800-68, Guidance for Securing Microsoft Windows XP Systems for IT
Professionals: A NIST Security Configuration Checklist
NIST SP 800-73-2, Interfaces for Personal Identity Verification





NIST SP 800-76-1, Biometric Data Specification for Personal Identity Verification
Office of Management and Budget (OMB) M-06-15, Safeguarding Personally
Identifiable Information
Office of Environmental Management (EM) Security Program Management Plan
[INTEGRATION ISSUE EM MSD: Management and Operating (M&O) Contracting]
[INTEGRATION ISSUE EM MSD: Quality Assurance and Oversight]
| EMERS Home Page |
Send a question or comment to the EMERS Help Desk.
Filename: /EMERS/content/DRAFT/MSD/SSEM/AUTHOR/SSEC_MS
Last Major EMERS Revision: DRAFT
Download