Doc:DoD 5220.22-M Chapter 9

From FISMApedia
Jump to: navigation, search


Special Requirements

Section 1. RD and FRD

9-100 General
  This section was prepared by DOE according to reference (a) and is provided for information purposes only. It describes the requirements for classifying and safeguarding nuclear-related information that is designated RD or FRD. Such information is classified under reference (c) as opposed to other Government information that is classified by E.O. (National Security Information (NSI)).
9-101 Authority and Responsibilities

a. Reference (c) establishes policy for classifying and protecting RD and FRD information. Under section 141 of reference (c), DOE is responsible for controlling the dissemination and declassification of RD. Under section 142c and d of reference (c), DOE shares certain responsibilities regarding RD and FRD with the Department of Defense. Under section 142e of reference (c), DOE shares certain responsibilities regarding RD with the DNI. Under section 143 of reference (c), the Secretary of Defense is responsible for establishing personnel and other security procedures and standards that are in reasonable conformity to the standards established by DOE. The procedures and standards established by the Secretary of Defense are detailed in other sections of the Manual and are applicable to contractors under the security cognizance of the Department of Defense.
b. Specific policies and procedures for classifying and declassifying RD and FRD are set forth in 10 Code of Federal Regulations (CFR) Part 1045, Subparts A, B, and C (reference (q)).
c. The Secretary of Energy and the Chairman of the NRC retain authority over access to information that is under their respective cognizance as directed by reference (c). The Secretary of DOE or the Chairman of the NRC may inspect and monitor contractor programs or facilities that involve access to such information or may enter into written agreement with the Department of Defense to inspect and monitor these programs or facilities.
9-102 Unauthorized Disclosures
  Contractors shall report all unauthorized disclosures involving RD and FRD information to the CSA.
9-103 International Requirements
  Reference (c) provides for a program of international cooperation to promote common defense and security and to make available to cooperating nations the benefits of peaceful applications of atomic energy as widely as expanding technology and considerations of the common defense and security will permit. Under section 123 of reference (c), information controlled by reference (c) may be shared with another nation only under the terms of an agreement for cooperation. The disclosure by a contractor of RD and FRD shall not be permitted until an agreement is signed by the United States and participating governments and disclosure guidance and security arrangements are established. RD and FRD shall not be transmitted to a foreign national or regional defense organization unless such action is approved and undertaken under an agreement for cooperation between the United States and the cooperating entity and supporting statutory determinations as prescribed in reference (c).
9-104 Personnel Security Clearances
  Only DOE, NRC, Department of Defense, and NASA can grant access to RD and FRD. The minimum investigative requirements and standards for access to RD and FRD for contractors under the security cognizance of DOE are set forth below.
a. TOP SECRET RD – A favorable SSBI.
b. SECRET RD – A favorable SSBI.
d. TOP SECRET FRD – A favorable SSBI.
e. SECRET FRD – A favorable NACLC.
9-105 Classification

a. The Director, DOE, Office of Classification and Information Control, determines whether nuclear-related information is classified as RD under reference (q). DOE and the Department of Defense jointly determine what classified information is removed from the RD category to become FRD under section 14(a) of reference (q). These decisions are promulgated in classification guides issued under section 37(a) of reference (q).
b. Reference (q) describes the authorities and procedures for classifying RD and FRD information and documents. All contractors with access to RD and FRD shall designate specified employees as RD Classifiers. Only those contractor employees designated as RD classifiers may classify RD and FRD documents according to section 32(a)(2) of reference (q). Such employees must be trained on the procedures for classifying, declassifying, marking, and handling for RD and FRD information and documents according to section 35(a) of reference (q). RD classifiers shall use classification guides as the primary basis for classifying and declassifying documents containing RD and FRD information according to section 37(c) of reference (q). If such classification guidance is not available and the information in the document appears to meet the definition of RD, then the RD classifier shall, as an interim measure, mark the document as Confidential RD (or as Secret RD if the sensitivity of the information in the document so warrants) and promptly forward the document to the GCA. The GCA shall provide the contractor with the final determination based upon official published classification guidance. If the GCA cannot make such a determination, the GCA shall forward the document to DOE for a classification determination according to section 14(a) of reference (q).
c. Classifying information as RD and FRD is not limited to U.S. Government information. Contractors who develop an invention or discovery useful in the production or utilization of special nuclear material or nuclear energy shall file a fully descriptive report with DOE or the Commissioner of Patents as prescribed by Section 151c of reference (c). Documents thought to contain RD or FRD shall be marked temporarily as such. These documents shall be promptly referred to the GCA for a final determination based upon official published classification guidance. If the GCA cannot make such a determination, the GCA shall forward the document to DOE for a classification determination.
9-106 Declassification

a. DOE determines whether RD information may be declassified under section 14(b) of reference (q). DOE, jointly with the Department of Defense, determines whether FRD information may be declassified under section 14(d) of reference (q).
b. Documents marked as containing RD and FRD information remain classified until a positive action by an authorized Government official is taken to declassify them; no date or event for automatic declassification ever applies to RD and FRD documents.
9-107 Challenges to RD/FRD Classification
  Any contractor employee who believes that an RD/FRD document is classified improperly or unnecessarily may challenge that classification following the procedures established by the GCA.
9-108 Marking
  Documents containing RD and FRD information shall be marked as indicated below:
a. Front of the Document. In addition to the overall classification level of the document at the top and bottom of the page, the following notices must appear on the front of the document, as appropriate:
If the document contains RD information:
This document contains RESTRICTED DATA as defined in the Atomic Energy Act of 1954. Unauthorized disclosure subject to administrative and criminal sanctions.

If the document contains FRD information:
Unauthorized disclosure subject to administrative and criminal sanctions. Handle as Restricted Data in foreign dissemination. Section 144b, AEA 1954.

A document containing RD or FRD information also must be marked to identify: (1) the classification guide or source document (by title and date) used to classify the document and (2) the identity of the RD classifier unless the classifier is the same as the document originator or signer:
Derived from: (Classification guide or source document – title and date)
RD Classifier: (Name and position or title)
b. Interior Page. Each RD or FRD document must also be clearly marked at the top and bottom of each interior page with the overall classification level and category of the document or the classification level and category of the page, whichever is preferred. The abbreviations RD and FRD may be used in conjunction with the classification level (e.g., SECRET RD or SECRET FRD).
c. Other Caveats. Any other caveats indicated on the source document shall be carried forward.

Section 2. DOD Critical Nuclear Weapon Design Information (CNWDI)

9-200 General
  This section contains the special requirements for protection of CNWDI.
9-201 Background
  CNWDI is a DoD category of TOP SECRET RD or SECRET RD that reveals the theory of operation or design of the components of a thermonuclear or fission bomb, warhead, demolition munition, or test device. Specifically excluded is information concerning arming, fuzing, and firing systems; limited life components; and total contained quantities of fissionable, fusionable, and high explosive materials by type. Among these excluded items are the components that DoD personnel set, maintain, operate, test or replace. The sensitivity of DoD CNWDI is such that access shall be granted to the absolute minimum number of employees who require it for the accomplishment of assigned responsibilities on a classified contract. Because of the importance of such information, special requirements have been established for its control. DoD Directive 5210.2 (reference (r)) establishes these controls in DoD.
9-202 Briefings
  Prior to having access to DoD CNWDI, employees shall be briefed on its sensitivity by the FSO or his or her alternate. (The FSO will be initially briefed by a Government representative.) The briefing shall include the definition of DoD CNWDI, a reminder of the extreme sensitivity of the information, and an explanation of the individual's continuing responsibility for properly safeguarding DoD CNWDI, and for ensuring that dissemination is strictly limited to other personnel who have been authorized for access and have a need-to-know for the particular information. The briefing shall also be tailored to cover any special local requirements. Upon termination of access to DoD CNWDI, the employee shall be given an oral debriefing.
9-203 Markings
  In addition to any other required markings, CNWDI material shall be clearly marked, "Critical Nuclear Weapon Design Information-DoD Directive 5210.2 Applies." As a minimum, CNWDI documents shall show such markings on the cover or first page. Portions of documents that contain CNWDI shall be marked with an (N) or (CNWDI) following the classification of the portion; for example, TS(RD)(N) or TS(RD)(CNWDI).
9-204 Subcontractors
  Contractors shall not disclose CNWDI to subcontractors without the prior written approval of the GCA. This approval may be included in a Contract Security Classification Specification, other contract-related document, or by separate correspondence.
9-205 Transmission Outside the Facility
  Transmission outside the contractor's facility is authorized only to the GCA, or to a subcontractor as described in paragraph 9-204 above. Any other transmission must be approved by the GCA. Prior to transmission to another cleared facility, the contractor shall verify from the CSA that the facility has been authorized access to CNWDI. When CNWDI is transmitted to another facility, the inner wrapping shall be addressed to the personal attention of the FSO or his or her alternate, and in addition to any other prescribed markings, the inner wrapping shall be marked: "Critical Nuclear Weapon Design Information-DoD Directive 5210.2 Applies." Similarly, transmissions addressed to the GCA or other U.S. Government agency shall bear on the inner wrapper the marking "Critical Nuclear Weapon Design Information-DoD Directive 5210.2 Applies."
9-206 Records
  Contractors shall annotate CNWDI access in the CSA-designated database for all employees who have been authorized access to CNWDI.
9-207 Weapon Data
  That portion of RD or FRD that concerns the design, manufacture, or utilization (including theory, development, storage, characteristics, performance, and effects) of atomic weapons or atomic weapon components and nuclear explosive devices is called Weapon Data and it has special protection provisions. Weapon Data is divided into Sigma categories the protection of which is prescribed by DOE Order 5610.2 (reference (s)). However, certain Weapon Data has been re-categorized as CNWDI and is protected as described in this section.

Section 3. Intelligence Information

9-300 Background
  This section was prepared by CIA in accordance with reference (a) and is provided for information purposes only. It contains general information on safeguarding intelligence information. Intelligence information is under the jurisdiction and control of the DNI, who establishes security policy for the protection of intelligence information, sources, methods, and analytical processes.
9-301 Definitions
  The following definitions pertain to intelligence information:
a. Counterintelligence (CI). Information collection, analysis and operations conducted to identify and neutralize espionage, other foreign intelligence or covert actions, the intelligence-related capabilities and activities of terrorists, and operations against U.S. personnel or political, economic and policy processes.
b. Classified Intelligence Information. Information identified as SCI included in SAPs for intelligence, and collateral classified intelligence information under the purview of the DNI.
c. Foreign Intelligence. Information relating to the capabilities, intentions, and activities of foreign powers, organizations, or persons, but not including counterintelligence information except for information on international terrorist activities.
d. Intelligence Community (IC). Those U.S. Government organizations and activities identified as members of the IC in reference (h).
e. Senior Officials of the Intelligence Community (SOICs). SOICs are the heads of departments and agencies with organizations in the IC or the heads of IC organizations responsible for protecting classified intelligence information and intelligence sources and methods from unauthorized disclosure consistent with DNI policy.
f. Senior Intelligence Officer (SIO). The SIO is the highest ranking military or civilian individual charges with direct foreign intelligence missions, functions, or responsibilities within an element of the IC.
g. SCI. SCI is classified intelligence information concerning or derived from sensitive sources, methods, or analytical processes, which is required to be handled exclusively within formal access control systems established by the DNI.
h. SCI Facility (SCIF). A SCIF is an area, room, group of rooms, or installation accredited by the proper authority to store, use, discuss and/or process SCI.
9-302 Key Concepts
  This section provides general guidance on the intended purpose of several security tenets that form a critical baseline for the protection of intelligence information.
a. Apply Need-to-Know. Authorized holders (individuals or information systems) of classified intelligence information shall determine if prospective recipients (individuals or information systems) have the requisite clearances and accesses, and require knowledge of specific classified intelligence information in order to perform or assist in a lawful and authorized governmental function. To effectively implement this concept, IC departments, agencies, and bureaus must work cooperatively with customers to understand their requirements and ensure that they receive all applicable classified intelligence information while minimizing the risk of unauthorized disclosure. IC organizations shall provide intelligence at multiple security levels appropriate to the security authorizations of intended customers. Customers, in turn, shall be responsible for verifying need-to-know for this information for individuals of information systems within their organizations.
b. Protect SCI. In order to protect information regarding particularly fragile intelligence sources and methods, SCI has been established as the SAP for the DNI. SCI must be protected in specific SCI control systems and shall be clearly defined and identified. The DNI has the sole authority to create or to discontinue SAPs, including SCI access control systems pertaining to intelligence sources and methods and classified intelligence activities (including special activities, but not including military operational, strategic, and tactical programs).
c. Educate the Work Force. SOICs shall establish formal security awareness training and education programs to ensure complete, common, and consistent understanding and application of security principles. Individuals shall be advised of their security responsibilities before receiving access to classified intelligence information and information systems. Annual refresher training is required to review security principles and responsibilities and to emphasize new security policies and practices developed from the preceding year.
d. Promote Security Reciprocity. To facilitate security reciprocity across the IC and industry, SOICs shall accept from other IC departments, agencies, and bureaus access eligibility determinations and accreditations of information systems and facilities except when an agency has documented information indicating that an employee, contractor, information system, or a facility does not meet DCID standards. Any exceptions to access eligibility determinations and accreditations of information systems and facilities must be noted in certifications to other agencies.
e. Promote Institutional Collaboration. Security elements of the IC shall work with intelligence production, counterintelligence, and law enforcement partners to identify and implement integrated responses to threats. Proactive collaboration among programs should synergize efforts to protect the U.S. population, national security assets, and classified intelligence information.
f. Manage Risk. IC departments, agencies and bureaus shall employ a risk management/risk analysis process to cost-effectively minimize the potential for loss of classified intelligence information or assets and the consequences should such loss occur. This methodology shall involve techniques to counter threats, reduce vulnerabilities, and implement security countermeasures.
g. Minimize Insider Threat. All personnel who have access to classified intelligence information shall be thoroughly vetted, fully trained in their security responsibilities, appropriately supervised, and provided a secure work environment. CI and security management shall maintain aggressive programs to deter, detect, and support the apprehension and prosecution of those cleared personnel who endanger national security interests.
9-303 Control Markings Authorized for Intelligence Information

a. “DISSEMINATION AND EXTRACTION OF INFORMATION CONROLLED BY ORIGINATOR” (ORCON). Information bearing this marking may be disseminated within the headquarters and specified subordinate elements of the recipient organizations, including their contractors within government facilities. This information may also be incorporated in whole or in part into other briefings or products, provided the briefing or product is presented or distributed only to original recipients of the information and marked accordingly. Dissemination beyond headquarters and specified subordinate elements or to agencies other than the original recipients requires advanced permission from the originator.
b. “FOR OFFICIAL USE ONLY” (FOUO). Intelligence information used to control dissemination of UNCLASSIFIED official government information until approved for public release by the originator. May be used only with UNCLASSIFIED on page markings.
c. “CAUTION-PROPRIETARY INFORMATION INVOLVED” (PROPIN). Marking used to identify information provided by a commercial firm or private source under an express or implied understanding that the information will be protected as a proprietary trade secret or proprietary data believed to have actual or potential value. This information may not be disseminated outside the Federal Government in any form without the express permission of the originator of the proprietary information. Dissemination to contractors is precluded irrespective of their status to, or within, the U.S. Government without the authorization of the originator of the information.
d. “NOT RELEASABLE TO FOREIGN NATIONALS” (NOFORN). NOFORN is classified information that may not be released in any form to foreign governments, foreign nationals, foreign organizations, or non-U.S. citizens without permission of the originator. It cannot be used with REL TO [country codes] or EYES ONLY on page markings. When a document contains both NOFORN and REL TO (see below) or NOFORN and EYES ONLY portions, NOFORN takes precedence for the markings at the top and bottom of the page.
e. “AUTHORIZED FOR RELEASE TO (REL TO) (name of country (ies)/international organization)”. This marking is used to identify Intelligence Information that an originator has predetermined to be releasable or has released, through established foreign disclosure procedures and channels, to the foreign/international organization indicated.
9-304 Limitation on Dissemination of Classified Intelligence Information
  A contractor is not authorized to further disclose or release classified intelligence information (including release to a subcontractor) without prior written authorization of the releasing agency.
9-305 Safeguarding Classified Intelligence Information
  All classified intelligence information in the contractor’s possession shall be safeguarded and controlled according to the provisions of this manual for classified information of the same classification level, with any additional requirements and instructions received from the GCA, and with any specific restrictive markings or limitations that appear on the documents themselves.
9-306 Inquiries
  All inquiries concerning source, acquisition, use, control, or restrictions pertaining to classified intelligence information shall be directed to the providing agency.

Section 4. Communications Security (COMSEC)

9-400 General
  This section was prepared by NSA. The procedures in this section pertaining to COMSEC information shall apply to contractors when the contractor requires the use of COMSEC systems in the performance of a contract; the contractor is required to install, maintain, or operate COMSEC equipment for the U.S. Government; or the contractor is required to accomplish research, development, or production of COMSEC systems, COMSEC equipment, or related COMSEC material.
9-401 Instructions
  Specific requirements for the management and safeguarding of COMSEC material in industry are established in the COMSEC material control and operating procedures provided to the custodian of each industrial COMSEC account by the agency Central Office of Record (COR) responsible for establishing the account. Such procedures that are above the baseline requirements detailed in the other sections of this manual shall be contractually mandated.
9-402 Clearance and Access Requirements

a. Before a COMSEC account can be established and a contractor may receive or possess COMSEC material accountable to a COR, individuals occupying the positions of FSO, COMSEC custodian, and alternate COMSEC custodian must have a final PCL appropriate for the material to be held in the account. COMSEC custodians and alternate COMSEC custodians having access to TOP SECRET keying material marked as containing CRYPTOGRAPHIC (CRYPTO) information must have a final security clearance based upon an SSBI current within five years. This requirement does not apply to contractors using only data transfer devices and seed key.
b. Before disclosure of COMSEC information to a contractor, GCAs must first verify with the CSA that appropriate COMSEC procedures are in place at the contractor facility. If procedures are not in place, the GCA shall provide a written request and justification to the CSA to establish COMSEC procedures and a COMSEC account, if appropriate, at the facility and to conduct the initial COMSEC briefings for the FSO and custodians.
c. Access to COMSEC information by a contractor requires a final FCL and a government-issued final PCL at the appropriate level; however, an Interim TOP SECRET FCL or PCL is valid for access to COMSEC at the SECRET and CONFIDENTIAL levels.
d. If a COMSEC account will be required, the Contract Security Classification Specification shall contain a statement regarding the establishment of a COMSEC account as appropriate.
9-403 Establishing a COMSEC Account

a. When COMSEC material which is accountable to a COR is to be provided, acquired or produced under a contract, the contracting officer shall inform the contractor that a COMSEC account must be established. The contractor shall forward the names of U.S. citizen employees who will serve as the COMSEC Custodian and Alternate COMSEC Custodian to the CSA. The CSA shall forward the names of the FSO, COMSEC Custodian, and Alternate Custodian to the appropriate COR, with a copy to the GCA, indicating that the persons have been cleared and COMSEC has been briefed.
b. The COR will then establish the COMSEC account and notify the CSA that the account has been established.
c. An individual may be appointed as the COMSEC custodian for more than one account only when approved by each COR concerned.
9-404 COMSEC Briefing and Debriefing Requirements

a. All contractor employees who require access to classified COMSEC information in the performance of their duties shall be briefed before access is granted. Depending on the nature of COMSEC access required, either a COMSEC briefing or a Cryptographic Access Briefing will be given. The FSO, the COMSEC Custodian, and the Alternate Custodian shall be briefed by a government representative or their designee. Other contractor employees shall be briefed by the FSO, the COMSEC Custodian, the Alternate Custodian, or other individual designated by the FSO. The purpose of the briefing is to ensure that the contractor understands:
(1) The unique nature of COMSEC information and its unusual sensitivity,
(2) The special security requirements for the handling and protection of COMSEC information, and
(3) The penalties prescribed in Title 18, U.S.C., §§ 793, 794, and 798 (reference (t)) for willful disclosure of COMSEC information.
b. COMSEC debriefings are not required.
c. The contractor shall maintain a record of all COMSEC briefings.
9-405 CRYPTO Access Briefing and Debriefing Requirements

a. U.S. classified CRYPTO information is defined as:
(1) TOP SECRET and SECRET, CRYPTO, key and authenticators that are designated CRYPTO, and
(2) CRYPTO media that embody, describe, or implement classified CRYPTO logic; this includes full maintenance manuals, CRYPTO descriptions, drawings of a CRYPTO logic, specifications describing a CRYPTO logic, CRYPTO computer software, or any other media which may be specifically identified.
b. U.S. classified CRYPTO information does not include seed key and CCI.
c. A contractor’s employee may be granted access to U.S. classified CRYPTO information only if the employee:
(1) Is a U.S. citizen;
(2) Has a final government-issued security clearance appropriate to the classification of the U.S. CRYPTO information to be accessed;
(3) Has a valid need-to-know to perform duties for, or on behalf of, the U.S. Government;
(4) Receives a security briefing appropriate to the U.S. classified CRYPTO information to be accessed;
(5) Acknowledges the granting of access by executing Section I of Secretary of Defense Form (SD) 572, Cryptographic Access Certification and Termination; and
(6) Where so directed by a U.S. Government Department or Agency head, acknowledges the possibility of being subject to a non-lifestyle, CI-scope polygraph examination that shall be administered in accordance with department or agency directives and applicable law.
d. An employee granted access to CRYPTO information shall be debriefed and execute Section II of the SD 572 not later than 90 days from the date access is no longer required.
e. The contractor shall maintain the SD 572 for a minimum of three years following the debriefing.
f. CRYPTO access briefings fully meet the requirements of paragraph 9-407 of this manual for COMSEC briefings.
9-406 Destruction and Disposition of COMSEC Material
  The COR shall provide directions to the contractor when accountable COMSEC material is to be destroyed. These directions may be provided in superseding editions of publications or by specific instructions.
9-407 Subcontracting COMSEC Work
  Subcontracts requiring the disclosure of classified COMSEC information shall be awarded only upon the written approval of the GCA.
9-408 Unsolicited Proposals
  Any unsolicited proposal for a COMSEC system, equipment, development, or study that may be submitted by a contractor to a government agency shall be forwarded to the Deputy Director, Information Systems Security, NSA, Fort George G. Meade, MD 20755-6000, for review and appropriate follow-up action.