
Upload: phamcong

Post on 20-Jun-2018



UCNI / OUO Information Protection Requirements for CNS Suppliers

UCN-26608 (03-18)

Subcontract contains: [ ] UCNI [ ] OUO [ ] Both

Protection of UCNI / OUO Information

SELLER shall be responsible for protecting all Unclassified Controlled Nuclear Information (UCNI) and Official Use Only (OUO) Information, and materials in connection with the performance of the work under this Purchase Order and in accordance with the CNS UCNI/OUO Information Protection Program requirements outlined in this appendix. SELLER shall protect against sabotage, espionage, loss, and theft of UCNI/OUO information and/or materials in SELLER’s possession. UCNI/OUO information will be protected in accordance with the U.S. Department of Energy/National Nuclear Security Administration (DOE/NNSA) Classification Program and the CNS UCNI/OUO Information Protection Program outlined in this Appendix.

Definitions

Access authorization

An administrative determination that an individual is eligible for access to sensitive matter.

Automated Information System (AIS)

An assembly of computer equipment, facilities, personnel, software, and procedures configured for sorting, calculating, computing, summarizing, storing, and retrieving data and information.

AIS Equipment

All computer equipment, peripherals, software, data, networks, and facilities.

AIS security incident

A failure to comply with AIS security requirements, which results in attempted, suspected, or actual compromise of Controlled Unclassified Information.

AIS Security Plan

A document that describes the protection of sensitive AIS against unauthorized disclosure, modification, or destruction of the system or data, and denial of service to process data, including physical, personnel, administrative, telecommunications, hardware, and software security features.

AIS storage media

A means used by AIS systems to convey or store information.

Computer Security Officer (CSO)

SELLER person(s) responsible for the implementation of their AIS Security Plan.

Controlled Unclassified Information (CUI)

Currently within the Department of Energy (DOE) and The National Nuclear Security Administration (NNSA), the term Controlled Unclassified Information (CUI) has dual meanings. One, it’s an overarching term used to refer to unclassified information that is identified and marked as sensitive (e.g. UCNI, OUO, and PII). Secondly, the term is also used to describe information that will eventually be identified and safeguarded under 32 CFR 2002, which mandates a U.S. Government-wide uniform program to identify and protect sensitive, but unclassified information. However, at this time DOE/NNSA has not established policies for identifying and protecting CUI in accordance with the new published CFR, and a timetable for implementation within DOE/NNSA has not been established. Therefore, the DOE Office of Classification has directed all contractor and federal employees to continue to identify and protect UCNI, OUO and PII in accordance with already established DOE Orders and federal regulations.


Export Controlled Information (ECI)

ECI is scientific and technical information or commodities that are controlled by the Department of Commerce, Department of Energy, Department of State, Nuclear Regulatory Commission, and the Atomic Energy Act of 1954. The goal of the federal export laws laid out by these agencies is to control the unauthorized release of technology and commodities to foreign entities (foreign companies, foreign persons, foreign governments).

FIPS – Federal Information Processing Standards.

Standards and guidelines issued by the National Institute of Standards and Technology (NIST) as Federal Information Processing Standards (FIPS) for use government-wide. The FIPS requirements applicable to this appendix are those of FIPS 140-2.

Incident of Security Concern

A knowing, willful, or negligent action contrary to the requirements for information security.

Information Security (INFOSEC)

A system of administrative policies and procedures for identifying, controlling, and protecting from unauthorized disclosure, information for which protection has been authorized.

Information Security Point of Contact (POC)

SELLER person(s) responsible for the implementation of requirements to avoid unauthorized disclosure of information.

Label

The marking of an item of information to reflect the sensitive information (e.g., UCNI, OUO, etc.).

Need-to-Know

A determination by an authorized person having responsibility for sensitive information that a prospective recipient requires access to information in order to perform official, approved, authorized tasks or services.

Official Use Only (OUO)

Unclassified sensitive information which may be exempt from public release under the Freedom of Information Act (FOIA).

Security Plan

A document that describes the protection of the facility and/or its assets.

Unclassified

The designation for information, a document, or material that has been determined not to be classified or that has been declassified by proper authority. The information is not publicly releasable unless authorized by the BUYER. The information, document, or material may require additional protection if designated as Controlled Unclassified Information.

Unclassified Controlled Nuclear Information (UCNI)

Certain unclassified government information prohibited from unauthorized dissemination as defined by the Atomic Energy Act of 1954, as amended.

SELLER Responsibilities

• Complete the requisite briefing and certification (for the UCNI/OUO Information Protection) provided by the CNS UCNI/OUO Information Protection POC, or designee;

• Ensure UCNI/OUO information is granted only to persons with a need to know and is not released without review for release restrictions;

• Ensure UCNI/OUO information is never released to foreign nationals;


• Ensure that UCNI/OUO information is not placed on the SELLER’s computing equipment without prior certification by CNS Cyber Security;

• Notify the CNS Plant Shift Superintendent at Y-12 (865-574-7172) or the CNS Pantex Operations Center (806-477-5000) of any security breaches immediately;

• Be responsible for recognizing the sensitivity of information before it is used, processed, or stored on a CNS Cyber Security approved information system;

• Certify to the BUYER that any UCNI/OUO documents, materials, or information storage media (disk drives, thumb drives, hard drives) in SELLER’S possession or in the possession of any person under the SELLER’S control in connection with the performance of this subcontract are destroyed using approved destruction devices or are returned to the BUYER in conformance with CNS specifications upon completion of the Purchase Order.

• Flow these requirements down to all lower-tier subcontractors and/or suppliers. Ensure lower-tier subcontractors and/or suppliers are approved by the BUYER prior to providing electronic or hard copy UCNI or OUO information.

Requirements

Briefing/Training requirements

SELLER personnel responsible for safeguarding, handling, possessing, or processing UCNI or OUO information must first successfully complete the UCNI/OUO Information Protection briefing/training provided by a CNS UCNI/OUO Information Protection POC, or designee. SELLER’s lower-tier subcontractors and/or suppliers are also required to complete the same requisite briefing/training given by the CNS UCNI/OUO Information Protection POC, or delegate prior to being provided access to UCNI/OUO Information. The SELLER shall be responsible for coordinating any additional personnel for briefing/training. The SELLER will provide the BUYER with briefing/training records of all individuals trained including lower-tier subcontractors and/or suppliers. The SELLER shall be responsible for the control of the UCNI/OUO documents and media and is not relieved of this obligation for documents provided to others. The UCNI/OUO briefing/training is required to be administered biennially (i.e., within 24 months of initial training). SELLER must maintain current UCNI/OUO Information Protection training records for all SELLER personnel responsible for safeguarding, handling, possessing, or processing UCNI/OUO Information. Additional briefing/training or instructions may be directed by the BUYER at the BUYER’s discretion.

Access to UCNI / OUO Information

Access to UCNI/OUO Information shall be provided only to those authorized for routine access. Routine access refers to the normal exchange of UCNI/OUO information during the conduct of official DOE/NNSA business. An authorized individual, who may be the originator or possessor of UCNI/OUO, may grant routine access to UCNI/OUO information to another person eligible for routine access to UCNI/OUO information by giving that person UCNI/OUO documents and providing assurance that the requirements below are met:

• Individual has completed the required briefing/training provided by a CNS UCNI/OUO Information Protection POC, or designee.

• Must be a citizen of the United States. Non-U.S. citizens (i.e., foreign nationals) are not allowed any access, casual or otherwise, to UCNI/OUO information or media. Verification of U.S. Citizenship must be determined, and a copy of the document retained by the SELLER, by one of the following:

1. Birth Certificate (certified copy with raised and/or colored official seal - issued by government/municipality [not issued by hospital])


2. Certificate of Naturalization (Immigration and Naturalization Service (INS) Form N-550 or N-570),

3. Certificate of U.S. Citizenship (INS Form N-560 or N-561),

4. Report of Birth Abroad of a citizen of the United States of America (Form FS-240), or

5. U.S. Passport (active with picture that still looks like the person).

• Access limited to need-to-know. A person must possess a “need to know” for the specific UCNI/OUO information in the performance of official duties. (Curiosity is not a need-to-know. Supervision of an individual is not a need-to-know.) Need-to-know is granted by the authorized holder of the information or material.

UCNI/OUO Information Work Area and/or Computer Equipment Approval

UCNI/OUO information must be controlled at all times to preclude unauthorized access. If SELLER must establish a UCNI/OUO work area at the SELLER’s location, notification must be submitted by the SELLER to the BUYER detailing the UCNI/OUO information protection measures to be used, as outlined in this Appendix. If SELLER desires to use Automated Information Systems (AIS) to process UCNI/OUO information electronically, an AIS Certification Request must be submitted to the BUYER (CNS Cyber Security). Certification is documented via an AIS Security Plan that describes the protection of sensitive AIS against unauthorized disclosure, modification, or destruction of the system or data, and denial of service to process data, including physical, personnel, administrative, telecommunications, hardware, and software security features. It is the responsibility of the SELLER to know and provide the degree of protection required for the type of information being processed. An AIS Security Plan shall be prepared for each system that processes UCNI/OUO information, and it serves as the formal security record of the system. Once the SELLER requests a UCNI/OUO information work area approval and/or AIS certification, the BUYER will contact the SELLER to ensure appropriate protection measures are in place and will schedule a certification inspection 10 days prior to need. Therefore, it is imperative that the SELLER submit the certification request and associated security plan as early as possible to allow sufficient time to schedule a certification inspection prior to need. Certification must be approved by the BUYER prior to use or electronic processing of UCNI/OUO information at the SELLER location. Modifications to the SELLER’S protection measures and/or AIS Security Plan must be approved by the BUYER prior to implementation.

The BUYER and/or Customer will perform regular and unannounced assessments relative to approved information, computer, and physical security plans. BUYER approval is required prior to commencing construction, modification, or declaration of a UCNI/OUO information work area or equipment.

Physical Security Requirements

UCNI/OUO information documents shall be kept in a secure place at all times to preclude unauthorized viewing and disclosure. Only locations that meet the following physical security requirements will be approved by the BUYER to store and/or process UCNI/OUO information. SELLER must ensure the following physical security measures are met:

• Must have internal building security (i.e., access control to the facility, area, or room in which UCNI/OUO information is stored or processed, such as by-name badge reader control, controlled key locks, etc.)

• Access control system must be controlled by the information security point of contact to ensure only individuals with appropriate need to know and U.S. citizenship are allowed access.


• Windows must not allow viewing from outside into the room when processing UCNI/OUO information. This can be accomplished by using opaque coverings, closed blinds, etc. Windows must remain locked from the inside.

• Telephones (landline, VOIP, or cell) are allowed within the room, HOWEVER,

o ECI and OUO – May only use a LANDLINE phone

o UCNI – Requires a Secure phone (OMNI or STE)

• Areas may be used for other subcontractor tasks when all UCNI/OUO matter is locked in separate lockable containers. If the perimeter of the area is access controlled because the entire area is a UCNI/OUO area, it may not be used by others.

• Network drops

o Corporate Network drops and outside networked computers within the room are allowed for noncertified equipment only.

o Standalone network drops within the room may be unprotected. Certified network drops outside the UCNI/OUO Open Storage Area must be in conduit (any type which may be sealed and which provides obvious evidence of tampering). Lines of certified networks must be on physically separate lines. VLAN capability is allowed.

• Personal Workstations

For personal computer workstations, the primary security feature is physical access control for the information. Access to the computer may be further restricted by the hardware and software controls as follows:

o In offices with lockable doors and resistant to surreptitious entry, no hardware security devices are required as long as the room is locked when unattended. Alternative options will be considered by CNS Cyber Security and must be documented in the AIS Security Plan.

o In open offices and where there is not a common need-to-know of all information, appropriate protective measures (e.g., chassis locks, keyboard locks, monitor shields, or approved hardware password devices) are required as directed by the BUYER.

• Locations of monitors, printers, and other output devices

o The monitor, printer, and any other output device of an AIS processing UCNI/OUO information shall be positioned to prevent casual viewing by unauthorized personnel.

Automated Information System (AIS) Requirements

Work involving UCNI/OUO information provided by the BUYER, and deliverables or working materials provided by the SELLER in support of the Purchase Order, shall be performed on BUYER-certified AIS resources unless otherwise directed in writing by CNS Cyber Security, and shall operate in compliance with a BUYER (CNS Cyber Security)-approved AIS Security Plan. SELLER must meet the specific cyber security requirements below and in Attachments A-E, as applicable. SELLER shall submit a request for a certification inspection by the BUYER in accordance with the guidance above.

• Computer Media and Encryption Requirements

1. Computer media containing UCNI/OUO information at the SELLER’s facility and at lower-tier subcontractors’ facilities shall be dedicated to this work. Lower-tier subcontractor facilities and AIS must be approved by the BUYER prior to the SELLER releasing UCNI/OUO information. UCNI/OUO information requires removable media, including boot drives and the drives on which data is contained. In cases where UCNI/OUO information is contained on removable media (e.g., removable hard drives), a machine may be used for other purposes; however, all media must be removable, including boot drives.


2. System hardware components shall be marked to indicate the most restrictive category of information processed, as directed by the BUYER (CNS Cyber Security).

3. All media must be encrypted by BUYER-approved FIPS 140-2 Level 1 or higher encryption methods.

4. If required, the SELLER shall install encryption software in compliance with BUYER (Cyber Security) instructions.

An AIS processing UCNI/OUO information shall be re-certified by the BUYER (CNS Cyber Security) every three (3) years or when changes occur that affect the security posture of the system. A configuration modification of hardware, system software, or layered products may be cause for recertification of a system. The BUYER (CNS Cyber Security) must approve modifications that change the security posture of a system prior to implementation. This includes new computing systems or networks to be connected to existing approved networks. They shall be documented and approved by the BUYER (CNS Cyber Security) before connection and use.

1. Owners of data are responsible for recognizing the sensitivity of information before it is used, processed, or stored on an information system and for ensuring the system is certified for the information.

2. Protect UCNI/OUO information to which they have access or custody in accordance with security requirements identified in this document, and Y19-401, Automated Information System (AIS) Security Handbook.

SELLER UCNI/OUO Information Protection Point(s) of Contact

• UCNI/OUO Information Protection Point of Contact (POC)

The SELLER shall identify to the BUYER a qualified individual who is a citizen of the United States, and an alternate, to serve as the principal Point of Contact (POC) between the BUYER and the SELLER regarding UCNI/OUO information protection. The responsibilities of the position include but are not necessarily limited to:

1. Representing the SELLER/lower-tier subcontractors and/or suppliers concerning UCNI/OUO Information Protection issues.

2. Ensuring implementation of, and compliance with, all UCNI/OUO information protection requirements.

3. Reporting security-related incidents to the BUYER (at Y-12 Plant Shift Superintendent’s Office - 865-574-7172 or Pantex Operations Center – 806-477-5000 during off hours) and participating in the inquiry of security incidents.

4. Determining UCNI/OUO Information Protection briefing/training needs and ensuring briefing/training is conducted in a timely manner.

5. Disseminating periodic UCNI/OUO information protection awareness material to employees who have responsibilities that include protection and control of UCNI/OUO information.

6. Attending meetings and briefing/training sessions as requested by the BUYER.

• Computer Security Point of Contact (POC)

The SELLER shall identify to the BUYER a qualified individual and alternate to serve as the principal point of contact between the BUYER and the SELLER regarding computer security. The SELLER Computer Security POC is responsible for:

1. Ensuring the implementation of, and compliance with, the AIS Security Plan.

2. Representing the SELLER/lower-tier subcontractor and/or supplier for computer security issues.

3. Coordinating general AIS security briefings/trainings.


4. Reporting AIS-related security incidents to the BUYER (at Y-12 Plant Shift Superintendent’s Office - 865-574-7172 or Pantex Operations Center – 806-477-5000 during off hours) and participating in the inquiry of cyber security incidents.

5. Coordinating the certification of computer systems processing UCNI/OUO information with the BUYER (CNS Cyber Security).

6. Ensuring that the AIS system described by the AIS Security Plan has been certified prior to use.

7. Taking immediate action to resolve AIS security deficiencies.

Document Requirements

The SELLER shall be responsible for control of documents issued to them by the BUYER. Further issuance of documents to lower-tier subcontractors and/or suppliers does not relieve the SELLER of this responsibility.

• Document Classification

No BUYER or SELLER information associated with CNS is released without review and approval by the BUYER (CNS Classification Office) for release restrictions. Only the BUYER or a BUYER-trained and certified individual will classify and mark documents. SELLER shall protect at the highest level marked on any documents contained in the Purchase Order Documents. Information should be marked and protected as Official Use Only or Unclassified Controlled Nuclear Information (if highest-level) pending a classification review by a SELLER Derivative Classifier/UCNI Reviewing Official. When a document must be sent outside the originating organization for review, the document must be transmitted as described in the detailed instructions of this Appendix, and the front of the document must be marked “Protect as UCNI Pending Review”; see the section titled “Responsibilities of Originator or Possessor of Matter, Review Requirements” in the detailed instructions below for specific details.

• Reproduction

1. Reproduction of UCNI/OUO information shall not be performed by the SELLER without prior approval of reproduction equipment by the BUYER, CNS Information Protection POC, Cyber Security POC or designee.

Transmission of UCNI/OUO Information

All transmission of UCNI/OUO matter shall be by means that preclude unauthorized disclosure or dissemination.

• Electronic Transmission of UCNI/OUO Information

1. No transmissions via computer of UCNI/OUO information will be allowed unless formally pre-approved by the BUYER.

2. Electronic media transmissions shall be encrypted using BUYER approved FIPS 140-2 Level 1 or higher encryption modules.

• Telephone Transmissions

1. All voice transmissions of UCNI information shall be over BUYER-approved secure telephone units or approved encrypted communication links. Applications used across the Internet, or distribution of sensitive information over the Internet, are not permitted unless protected by encryption (i.e., Entrust or BUYER-approved encryption methods), and then only after certification by the BUYER.

2. All voice transmissions of OUO information shall be made over physical landlines and shall not utilize Voice Over IP (VOIP), cellular phone transmissions, or cordless phones.

• Fax Transmission of UCNI/OUO Information


1. No fax transmissions of UCNI are allowed.

2. Fax transmissions of OUO information should be protected by encryption when possible. Unencrypted fax transmissions are permissible only when:

o It is preceded by a telephone call to the recipient so that he or she can control the document when it is received or respond to the sender that the facsimile was not received as expected, and

o The sender is assured by the recipient that the facsimile is, and will be, only in the possession of an individual who has the proper need-to-know and is a U.S. citizen. Although not required, it is encouraged that the sender obtains a positive response from the recipient that the fax was received as expected.

• Document Transmission Within an Approved Facility

1. A single opaque envelope, wrapper or coversheet may be used.

2. Internal mail systems must use a sealed opaque envelope marked TO BE OPENED BY ADDRESSEE ONLY.

3. An authorized individual may hand carry the matter as long as he/she can control access.

• Document Transmission Outside an Approved Facility

1. Documents marked as UCNI or OUO shall be packaged in a single, opaque envelope or wrapping. The envelope shall be sealed and marked TO BE OPENED BY ADDRESSEE ONLY.

2. Any of the following U.S. mail methods may be used:

o First Class, Express, Certified, or Registered Mail.

o Any commercial carrier using a signature service may be used.

3. An authorized individual may hand carry the matter as long as he/she can control access.

Destruction of UCNI / OUO Information

UCNI/OUO documents generated as part of daily work that require disposal may be destroyed using an approved cross-cut shredder that produces strips no more than ¼ inch wide and 2 inches long. Documents that cannot be destroyed using approved shredders (e.g., media, mylar, etc.) must be returned to the BUYER.

Return of UCNI / OUO Information for Destruction

A SELLER awarded a contract shall return UCNI/OUO electronic data and all media used to process UCNI/OUO information supplied by the BUYER or generated by the SELLER or lower-tier subcontractors and/or suppliers to the BUYER at the termination of the Purchase Order or upon termination of the certification of the computer. AIS equipment will be sanitized of all UCNI/OUO information by the BUYER before connecting to a network or computer system of a lower category or before equipment is removed from service. The SELLER and the BUYER will retain an accountability of media and contents. When lower-tier subcontractors and suppliers have completed their work, the associated data media and materials shall be forwarded to the SELLER. The SELLER will return all media involved in handling UCNI/OUO information to the BUYER for accountability and destruction. At the termination of the Purchase Order, the SELLER shall provide written notification to the BUYER stating that all UCNI/OUO information was destroyed and/or returned to the BUYER.


Infractions and Incidents

Failure to comply with requirements specified herein may result in an Incident of Security Concern (IOSC). The SELLER is responsible for SELLER costs incurred because of IOSCs due to SELLER error. Any person who violates applicable civil law under Atomic Energy Act provisions is subject to civil penalties or may face criminal prosecution.

Notifications of security breaches or deviations from expectations shall be reported to the BUYER or Y-12 Plant Shift Superintendent (PSS) at 865-574-7172 or Pantex Operations Center at 806-477-5000. The SELLER shall cooperate with the Y-12 or Pantex Incident of Security Concerns (IOSC) organization in the conduct of an inquiry of an incident.

All computer security incidents involving UCNI/OUO information or AIS resources shall be reported immediately to the BUYER (or PSS/Pantex Operations Center), including:

1. Fraudulent action involving AIS.

2. Processing of information without an approved Security Plan.

3. Leaving a session active while not properly protected (e.g., unattended, unsupervised).

4. Unauthorized testing of a certified AIS.

5. Printer ribbons, cards, diskettes, hardcopy output, and/or magnetic media left unattended (not properly physically protected).

6. Disclosure of sensitive information (e.g., failure to protect data files properly).

7. Hackers/crackers or other unauthorized access attempts.

8. Using CNS UCNI/OUO information on unapproved/uncertified AIS.

9. Connecting certified AIS to an unapproved network.

Applicable Regulatory Requirements

1. 10 CFR 1017, Identification and Protection of Unclassified Controlled Nuclear Information.

2. DOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information.

3. DOE O 471.3, Identifying and Protecting Official Use Only Information.

4. DOE M 471.3-1, Manual for Identifying and Protecting Official Use Only Information.

Applicable Procedures and Policies

1. Y19-401, Automated Information System (AIS) Security Handbook (OUO).

2. Y15-404, Acceptable Use of Information Technology Equipment.

3. MUN08-00051-01, Rev. 1.0.03, Unclassified Master Information System Security Plan (Unclassified-ISSP) (OUO).

4. Y30-205, Exporting Compliance for Foreign National Transactions: Commodities, Hardware, Software, and Information.

Detailed Instructions for the Identification and Protection of UCNI/OUO Information

Description of UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION (UCNI)

This attachment provides those requirements that are unique to identifying and protecting Unclassified Controlled Nuclear Information (UCNI).

UCNI is unclassified but sensitive Government information concerning nuclear material, weapons, and components whose dissemination is controlled under Sect. 148 of the Atomic Energy Act, 10 CFR Part 1017, and DOE O 471.1B, Identification and Protection of Unclassified Controlled Nuclear Information.

UCNI is exempt from public release; therefore, whenever any matter determined to contain UCNI by a reviewing official (RO) is requested under statute or Executive Order, the CNS Privacy and Freedom of Information Act officer must be notified and will coordinate this request with the DOE/National Nuclear Security Administration (NNSA).

All documents or media potentially containing UCNI must be submitted to an UCNI RO or the CNS Classification Office for review.

UCNI Review Determination

Only individuals designated as authorized ROs by the CNS Classification Officer can determine that a CNS document contains UCNI. The CNS Classification Office maintains a list of authorized UCNI ROs on the Classification Office Web site.

An UCNI RO with knowledge of information contained in matter (or as appointed by the CNS Classification Officer) is authorized to determine whether matter contains UCNI. An UCNI RO authorizes UCNI markings to be applied to or removed from matter. The UCNI RO’s authority may not be re-delegated to anyone or exercised by a person acting for or in the absence of the RO.

Responsibilities of Originator or Possessor of Matter

Review Requirements

Before initiating a task, it is recommended that a Derivative Classifier/Reviewing Official (DC/RO) be consulted to ensure appropriate classification and protection of information. If the SELLER’s organization will be generating and processing a large quantity of UCNI/OUO information, it is highly recommended that the organization have at least one DOE-trained DC/RO within the organization. Details on how to become a DOE DC/RO can be obtained through the CNS Classification Office.

Before information is finalized, a classification and/or UCNI RO review should take place. Until a final determination is made, the matter is protected as containing UCNI.

When a document must be sent outside the originating organization for review, the document must be transmitted as described in these detailed instructions and the front of the document marked with “Protect as UCNI Pending Review.”

Organization is defined as the SELLER’s company and the project staff (Y-12, Pantex or UPF). In cases where the SELLER’s organization has a lower tier they are collaborating with, the SELLER serves as the project staff and the company serves as the lower tier. When documents are transmitted between companies within the SELLER’s organization, they must be appropriately marked and protected. Documents that may contain UCNI, were created from UCNI sources, or are generated on UCNI-certified equipment must bear the “Protect as UCNI Pending Review” stamp when transferred between companies within the organization.

To obtain the UCNI Reviewing Official review and have the documents marked as final, the SELLER will submit the necessary document(s) to the STR. The STR will then obtain the necessary review and transmit the final documents back to the SELLER for replacement of the draft document. This submittal must be completed by using iron-key thumb drives, a CNS email account on a Government Furnished Equipment (GFE) laptop or computer or by submitting a hard copy or iron-key thumb drive via FedEx, U.S. mail or hand carried to the STR.

Review Requirement Exceptions

• Review is not required when matter is being sent for destruction; however, any matter being destroyed that is not marked as containing UCNI, but the originator or possessor believes may contain UCNI, must be protected and destroyed in accordance with the UCNI destruction procedures contained in this chapter.

• Any document that was permanently filed prior to May 22, 1985, is not required to be reviewed for UCNI while in the files or when retrieved from the files for reference, inventory, or similar purposes as long as the document will be returned to the files and is not accessible by unauthorized individuals. However, if a document is removed from the files for dissemination, it must first be reviewed by an appropriate reviewing official.

Physical Protection

In Use

An authorized individual must maintain physical control over any matter marked as containing UCNI to prevent unauthorized access to the information.

In Storage

A document or material marked as containing UCNI must be stored to preclude unauthorized disclosure. When not in use, documents or material containing UCNI must be stored in locked receptacles (e.g., file cabinet, desk drawer), or if in secured areas or facilities, in a manner that would prevent inadvertent access by an unauthorized individual.

Reproduction

Matter marked as containing UCNI may be reproduced without permission of the originator to the minimum extent necessary consistent with the need to carry out official duties. The reproduced matter must be marked and protected in the same manner as the original matter. Copy machine malfunctions must be cleared and all paper paths checked for papers containing UCNI. The user must ensure no UCNI sheets remain in the machine (e.g., after duplexing). Running three blank sheets through the copier can easily accomplish this. Excess paper containing UCNI must be destroyed, as described below.

Destruction

Documents. Matter marked as containing UCNI must be destroyed by using a classified shredder or a cross-cut shredder that produces strips no more than 1/4 in. wide and 2 in. long or by any other means that provides a similar level of destruction approved by the Information Security manager and Classification Office. Methods for destroying documents that cannot be destroyed in approved shredders (e.g., films, disks, and flash memory drives) must be approved by the Information Security manager and Classification Office. Any new purchase of a shredder must meet the requirements mentioned above. Existing strip-cut shredders may continue to be used until such shredders are no longer operable. Disposal of documents containing UCNI must be consistent with the requirements for records disposition contained in DOE O 243.1, Records Management Program.

Material. Material containing UCNI must be destroyed by removing the properties that make the material UCNI. Methods for the destruction of UCNI material must be approved by the Information Security manager, Classification Office, and CSA. The material must be reviewed by a reviewing official after destruction to ensure that all UCNI has been removed prior to disposing of the material.

UCNI Access Requirements

Routine Access

Routine access refers to the normal exchange of UCNI during the conduct of official business and allows for further dissemination of UCNI if the requirements below are met.

Authorized Individual. The Reviewing Official who determines that a document or material contains UCNI is the initial Authorized Individual for that document or material. An Authorized Individual, for UCNI in his or her possession or control, may determine that another person is an Authorized Individual who may be granted access to the UCNI, subject to limitations in paragraph B of this section, and who may further disseminate the UCNI under the provisions of this section.

Requirements for Routine Access. To be eligible for routine access to UCNI, the person must have a need to know the UCNI in order to perform official duties or other Government-authorized activities and must be:

U.S. Citizen—who is:

o an employee of any branch of the Federal Government, including the U.S. Armed Forces;

o an employee or representative of a state, local, or Indian tribal government;

o a member of an emergency response organization;

o an employee of a Government contractor or a consultant, including those contractors or consultants who need access to bid on a Government contract;

o a member of Congress or a staff member of a congressional committee or of an individual member of Congress;

o a Governor of a State, his/her designated representative, or a State government official;

o a member of a DOE advisory committee; or,

o a member of an entity that has entered into a formal agreement with the Government, such as a Cooperative Research and Development Agreement or similar arrangement.

Other than a U.S. citizen—a person who is not a U.S. citizen but who is:

o a Federal Government employee or a member of the U.S. Armed Forces;

o an employee of a Federal Government contractor or subcontractor;

o a Federal Government consultant;

o a member of a DOE advisory committee;

o a member of an entity that has entered into a formal agreement with the Government, such as a Cooperative Research and Development Agreement or similar arrangement;

o an employee or representative of a state, local, or Indian tribal government; or

o a member of an emergency response organization when responding to an emergency.

Disclosure to a Foreign National must have the Export Compliance Office or the Technical Information Office’s specific authorization.

Other Than a U.S. Citizen and Otherwise Not Eligible for Routine Access—a person who is not a U.S. citizen but who needs to know the UCNI in conjunction with an activity approved by the DOE Program Secretarial Officer or NNSA Deputy or Associate Administrator with cognizance over the UCNI.

The authorized individual who desires to release UCNI to a person for the reasons listed in this paragraph must coordinate such release with the DOE Secretarial Officer or NNSA Deputy Administrator or Chief with cognizance over the information. Disclosure to a Foreign National must also have the Export Compliance Office or the Technical Information Office’s specific authorization.

Dissemination Limitations. An authorized individual may disseminate UCNI only to a person who is eligible for routine access to UCNI (see paragraph 2 above) or a person granted limited access to UCNI.

Limited Access

A person who is not eligible for routine access to specific UCNI under Section B above may request limited access to such UCNI by sending a written request to the DOE Program Secretarial Officer or NNSA Deputy or Associate Administrator with cognizance over the information. The written request must include the following:

o the name, current residence or business address, birthplace, birth date, and country of citizenship of the person submitting the request;

o a description of the specific UCNI for which limited access is being requested;

o a description of the purpose for which the UCNI is needed; and,

o certification by the requester that he or she:

  o understands and will follow these regulations; and

  o understands that he or she is subject to the civil and criminal penalties.

The decision whether to grant the request for limited access is based on the following criteria:

o the sensitivity of the UCNI for which limited access is being requested;

o the approving official’s evaluation of the likelihood that the requester will disseminate the UCNI to unauthorized individuals; and,

o the approving official’s evaluation of the likelihood that the requester will use the UCNI for illegal purposes.

Within 30 days of receipt of the request for limited access, the appropriate DOE Program Secretarial Officer or NNSA Deputy or Associate Administrator must notify the requester if limited access is granted or denied, or if the determination cannot be made within 30 days, of the date when the determination will be made.

A person granted limited access to specific UCNI is not an Authorized Individual and may not further disseminate the UCNI to anyone. Disclosure to a Foreign National must also have the Technical Information Office’s (TIO) specific authorization. CNS employees must submit all requests for Limited Access to the CNS Information Security manager for coordination with the NNSA Production Office (NPO).

An individual who has been granted limited access to UCNI must protect the information as follows:

• must not disseminate to other personnel,

• must protect it in use or storage to prevent unauthorized access,

• may not reproduce, and

• when no longer needed, must return it to the sender in an opaque envelope that is sealed and marked “To be Opened by Addressee Only” via a commercial carrier that uses a signature service. Any of the following U.S. Postal Service (USPS) methods may be used when other USPS or commercial carrier options are not available: express, certified, or registered mail, or USPS first class.

Each individual granted limited access to UCNI must be notified of applicable regulations concerning UCNI before dissemination of UCNI. Attaching an UCNI cover sheet (SF-1008 UCN at Y-12 and a Yellow Cover Sheet at Pantex) to the front of the matter containing UCNI that is being transmitted to an individual constitutes notification of the regulations while at Y-12 or Pantex. See Exhibit 4-3 for examples of Y-12 and Pantex’s UCNI cover sheets.

UCNI Marking Requirements

UCNI with Other Markings

Unclassified Matter. Appropriate markings must be applied to any unclassified matter that contains or reveals UCNI regardless of any other unclassified control markings [e.g., Official Use Only (OUO)] that are also on the matter.

Classified Matter. UCNI markings must not be applied to classified matter that contains UCNI unless such matter has been portion marked to indicate the classification level. In such cases, the acronym “UCNI” must be used to indicate those unclassified portions containing UCNI.

Documents or Material that Contain UCNI

Document Titles. The use of titles or subjects that contain UCNI is discouraged; however, if it is unavoidable, the acronym “(UCNI)” must be placed at the end of the title or subject.

Front Marking. When an UCNI RO determines that unclassified matter contains UCNI, the RO marks or authorizes the front of the matter to be marked as follows:

Page Marking. The marking “UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION” or “UCNI” must be placed as follows:

• on the bottom of the front and back of the matter and

• on the bottom of each interior page of the matter or, if more convenient, on the bottom of only those interior pages that contain UCNI.

See Exhibit 4-1 for an example of UCNI markings.

Attachments. If the message itself is not UCNI, but an attachment contains UCNI, the message must indicate that the attachment is UCNI. The attachment must have all required UCNI markings.

Removal of Markings. The removal of these markings may be authorized only by (1) the Classification Officer or delegate, or (2) a Denying Official.

Special Format Matter

Special formats of unclassified matter (e.g., photographs, viewgraphs, films, electronic storage media (ESM), audio tapes, videotapes, or slides) must be marked to the extent practical as described above. Regardless of the precise markings used, special-format unclassified matter that contains UCNI must be marked so that both a person in physical possession of the matter (e.g., markings on a viewgraph frame or a film reel and its container) and a person with access to the information in or on the matter (e.g., markings on the projected image of a slide or a warning on a film leader) are made aware that it contains UCNI. When space is limited, as on a 35-mm slide, the “UCNI” marking will suffice.

Transmittal Documents

A document that transmits matter marked as containing UCNI and does not itself contain UCNI must be marked on the front as follows:

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

NOT FOR PUBLIC DISSEMINATION

Unauthorized dissemination subject to civil and criminal sanctions under Section 148 of the Atomic Energy Act of 1954, as amended (42 U.S.C. 2168).

Reviewing Official: Name:
Organization:
Date:
Guidance Used:

Matter transmitted contains Unclassified Controlled Nuclear Information. When separated from enclosures, this transmittal document does not contain UCNI.

An UCNI document that transmits matter marked as containing classified matter and does not itself contain classified information, but does contain UCNI information, must be marked with the highest classification level being transmitted on the top and bottom of the front page of the transmittal and with the appropriate warning notice on the front page of the transmittal. An example is as follows:

Matter transmitted contains (level and category of classified matter). When separated from enclosures, this transmittal document contains UCNI.

The UCNI transmittal document transmitting a classified document must meet all the UCNI marking and protection requirements.

Information In Electronic Format

An e-mail message, electronic database, spreadsheet, information system, etc., sent inside the CNS Border Network that is known to contain UCNI must include “Unclassified Controlled Nuclear Information” or “UCNI” in the subject line or the first line of the text. If it is suspected, but not confirmed, that an e-mail contains UCNI, the user may include the text “Protect as UCNI Pending Review” in the subject line or the first line of text to allow for proper protection of information. If the email is going outside the CNS Border Network it MUST BE encrypted. E-mail messages known to contain UCNI that are addressed outside the CNS Border Network must be properly marked as a final document in accordance with Section F.2.

Attachments. If the message itself is not UCNI, but an attachment contains UCNI, the message must indicate that the attachment is UCNI. The attachment must have all required UCNI markings.

NOTE: Printed e-mail messages known to contain UCNI must be properly marked in accordance with this Manual. E-mails identified as “Protect as UCNI Pending Review” must be reviewed for UCNI prior to sending outside the site or ad hoc working group.

All UCNI messages going outside the CNS Border Network must be reviewed and encrypted. Failure to encrypt UCNI e-mail going outside the CNS Border Network will result in an incident of security concern. Additionally, UCNI messages sent outside the Border Network to offsite subcontractor facilities must only be sent to those subcontractors that possess certified accredited AIS systems approved for processing UCNI in accordance with Y19-401.

UCNI may be processed or produced on any AIS system which is certified for classified information or which complies with the guidelines of Office of Management and Budget Circular No. A-71, “Security of Federal Automated Information Systems” or which has been approved for such use in accordance with the provisions of applicable DOE directives. For further information, contact Cyber Security.

All removable media containing UCNI taken or used external to either the Pantex Plant or Y-12 NSC, except as approved, and all portable/mobile devices taken or used external to either site must be protected using approved encryption.

Approved encryption includes all encryption meeting FIPS 140-2 Level 1 or higher, or other CNS Authorizing Official-approved encryption software. Entrust is the approved encryption standard for CNS e-mail. Pointsec is the approved encryption standard for CNS laptops. Other software (e.g., PGP, SecureZip, etc.) meeting FIPS 140-2 Level 1 encryption standards may be obtained through the CNS Information Solutions and Services organization for use where use of Entrust is not possible.

Unclassified Matter That No Longer Contains UCNI

An RO or a denying official may determine that unclassified matter marked as containing UCNI no longer contains UCNI. In such a case, the official must ensure that all UCNI markings are removed or crossed out and that the front of the matter is marked as follows:

DOES NOT CONTAIN UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

Reviewing/Denying Official: (Name/Organization) Date: _

If the matter is determined no longer to be UCNI, it must be reviewed for other controlled information, such as OUO, unless other such markings already appear on the document.

An RO may determine that unclassified, unmarked matter does not contain UCNI. No markings are required in such a case; however, for documentation purposes, the RO may mark or may authorize the front of the matter to be marked with the same marking shown above.

Transmission

Outside a Facility

Matter marked as containing UCNI must be packaged to conceal the presence of the UCNI from someone who is not authorized access. A single, opaque envelope or wrapping is sufficient for this purpose. The address of the recipient and the sender must be indicated on the outside of the envelope or wrapping along with the words “TO BE OPENED BY ADDRESSEE ONLY.” Use USPS First Class, Express, Certified or Registered Mail. Any commercial carrier may be used. An authorized individual or a person granted special access may hand carry the matter as long as he/she can control access to the matter being transmitted.

Authorized individuals (i.e., those who have a need to access controlled information in the performance of their official duties) may hand carry UCNI outside a facility as long as matter identified as containing UCNI is packaged in an opaque envelope or wrapping, sealed, marked with the recipient’s address and a return address, and marked with the words “TO BE OPENED BY ADDRESSEE ONLY” prior to removal from the site.

Transmission

Inside a Facility

A standard Plant Mail envelope marked with the words “TO BE OPENED BY ADDRESSEE ONLY” may be used. An authorized individual or a person granted access to UCNI may hand carry the matter as long as he/she can control access to the matter being transmitted to preclude unauthorized disclosure or dissemination.

Telecommunication

Encryption algorithms that comply with all applicable Federal laws, regulations, and standards for the protection of UCNI must be used when transmitting it over a telecommunications circuit (including the telephone, facsimile, radio, Internet).

Approved encryption includes all encryption meeting FIPS 140-2 Level 1 or higher, or other CNS Authorizing Official-approved encryption software. Entrust is the approved encryption standard for CNS e-mail. Pointsec is the approved encryption standard for CNS laptops. Other software (e.g., PGP, SecureZip, etc.) meeting FIPS 140-2 Level 1 encryption standards may be obtained through the CNS Information Solutions and Services organization for use where use of Entrust is not possible.

Voice and Fax. For voice and fax transmission, an OMNI Secure Telephone or other secure telephone must be used.

E-mail. An e-mail message that contains UCNI must be marked as stated in F.6 of this chapter. If the message is sent inside the CNS Border Network (i.e., to a @cns.doe.gov or @npo.doe.gov e-mail address), encryption is not required but is considered a best business practice.

Any e-mail containing UCNI being sent outside the CNS Border Network must be encrypted.

Failure to encrypt UCNI e-mail going outside the CNS Border Network will result in an incident of security concern.
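The e-mail rules stated in this section and in "Information In Electronic Format" above (a UCNI marking in the subject line or first line of text, "Protect as UCNI Pending Review" only acceptable inside the site, mandatory encryption outside the CNS Border Network, an attachment's UCNI status stated in the message) can be expressed as an outbound gate check. The following Python is an added example written for this page, not CNS code or part of UCN-26608; the `encrypted` and `attachment_is_ucni` flags are assumed to come from a mail gateway.

```python
"""Outbound e-mail gate modelling the UCNI e-mail rules in UCN-26608.
Added example, not CNS code. Rules modelled:
  * a message known to contain UCNI carries "Unclassified Controlled Nuclear
    Information" or "UCNI" in the Subject line or the first line of the text;
  * "Protect as UCNI Pending Review" is acceptable inside the CNS Border
    Network, but mail going outside must be reviewed and marked final;
  * inside the Border Network (@cns.doe.gov / @npo.doe.gov) encryption is
    optional; outside it, an unencrypted UCNI message is an incident of
    security concern;
  * a message whose attachment is UCNI must say so in the message itself.
The Message fields `encrypted` and `attachment_is_ucni` are assumed gateway
flags; the document does not define them.
"""
import re
from dataclasses import dataclass
from email.utils import getaddresses

# Domains the document names as inside the CNS Border Network.
BORDER_DOMAINS = {"cns.doe.gov", "npo.doe.gov"}

PENDING_MARK = re.compile(r"protect as ucni pending review", re.I)
FINAL_MARK = re.compile(r"unclassified controlled nuclear information|\bucni\b", re.I)


@dataclass
class Message:
    to: str                           # raw To: header, possibly several recipients
    subject: str
    body: str
    encrypted: bool = False           # assumed gateway flag: message is encrypted
    attachment_is_ucni: bool = False  # assumed gateway flag: an attachment is marked UCNI


def recipient_domains(to_header: str) -> set:
    """Lower-cased domain part of every address in a To: header."""
    return {addr.rsplit("@", 1)[1].lower()
            for _, addr in getaddresses([to_header]) if "@" in addr}


def leaves_border_network(msg: Message) -> bool:
    """True if any recipient is outside the CNS Border Network."""
    return any(dom not in BORDER_DOMAINS for dom in recipient_domains(msg.to))


def marking_state(msg: Message) -> str:
    """'pending', 'final' or 'none', judged from the Subject and first body line only."""
    lines = msg.body.strip().splitlines()
    text = msg.subject + "\n" + (lines[0] if lines else "")
    if PENDING_MARK.search(text):
        return "pending"          # checked first: the pending text itself contains "UCNI"
    if FINAL_MARK.search(text):
        return "final"
    return "none"


def check_outbound(msg: Message) -> list:
    """Return the rule violations found; an empty list means the message may go."""
    findings = []
    state = marking_state(msg)
    outside = leaves_border_network(msg)

    if msg.attachment_is_ucni and state == "none":
        findings.append("attachment is UCNI but the message does not indicate it")

    bears_ucni = state != "none" or msg.attachment_is_ucni
    if outside and state == "pending":
        findings.append("'Protect as UCNI Pending Review' marking is not permitted outside "
                        "the CNS Border Network: obtain RO review and mark as final")
    if outside and bears_ucni and not msg.encrypted:
        findings.append("unencrypted UCNI e-mail addressed outside the CNS Border Network: "
                        "incident of security concern")
    return findings


def disposition(msg: Message) -> str:
    """'SEND' when no finding applies, otherwise 'HOLD' for the sender to correct."""
    return "SEND" if not check_outbound(msg) else "HOLD"


if __name__ == "__main__":
    # Constructed sample: UCNI-marked mail to a supplier address, sent unencrypted.
    sample = Message(to="eng@supplier.example", subject="UCNI: test results", body="See attached.")
    for finding in check_outbound(sample):
        print("HOLD:", finding)
```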

UCNI Cover Sheets

The custodian of an UCNI document is responsible for ensuring that the recipient is knowledgeable of UCNI requirements. An UCNI cover sheet attached to the front of the document is a fast and cost-effective method of meeting this requirement, unless specific training is required. See Exhibit 4-3 for an example of an UCNI cover sheet.

UCNI cover sheets do not take the place of any markings required on the document. UCNI cover sheets are available from your subcontract technical representative (STR).

EXHIBIT 4-1. EXAMPLE OF DOCUMENT MARKINGS (Page 1 of 1)

XXX.Rev 0    DOCUMENT TITLE    May 2018

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION
NOT FOR PUBLIC DISSEMINATION

Unauthorized dissemination subject to civil and criminal sanctions under Section 148 of the Atomic Energy Act of 1954, as amended (42 U.S.C. 2168).

Reviewing Official: _
Name: _
Organization: _
Date: _
Guidance Used: _

EXHIBIT 4-2. EXAMPLE OF UCNI E-MAIL MARKINGS

(p.1 of 2)

To: John Doe
From: Happy Sender
Subject: Marking UCNI e-mails with no attachments

This email contains UCNI. This is an EXAMPLE of an email that is UCNI itself. It must be marked at the bottom of the document and must have the UCNI review stamp.

Thank you,
Happy Sender
CMPC Office

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION
NOT FOR PUBLIC DISSEMINATION

Unauthorized dissemination subject to civil and criminal sanctions under Section 148 of the Atomic Energy Act of 1954, as amended (42 U.S.C. 2168).

Reviewing Official: _
Name: _
Organization: _
Date: _
Guidance Used: _

EXHIBIT 4-2. EXAMPLE OF UCNI EMAIL MARKINGS

(p.1 of 2)

To: John Doe
From: Happy Sender
Subject: Attachment contains UCNI: Marking of email with an UCNI attachment

Attachment contains UCNI.

This is an EXAMPLE of an email that is Unclassified, but has an UCNI attachment.

Thank you,
Happy Sender
CMPC Office

THIS IS THE ATTACHMENT

The attachment will be marked at the bottom either as UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION or UCNI. In addition, it must have the UCNI review stamp.

Also, when sending an UCNI email or an email with an UCNI attachment outside the CNS Border Network, it MUST be encrypted.

Following is the proper way of marking.

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION

UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION
NOT FOR PUBLIC DISSEMINATION

Unauthorized dissemination subject to civil and criminal sanctions under Section 148 of the Atomic Energy Act of 1954, as amended (42 U.S.C. 2168).

Reviewing Official: _
Name: _
Organization: _
Date: _
Guidance Used: _

EXHIBIT 4-3. Y-12 UCNI COVER SHEET

EXHIBIT 4-3. Pantex UCNI COVER SHEET

Description of OFFICIAL USE ONLY (OUO) Information

This chapter covers the requirements that are unique to Official Use Only (OUO) information. OUO is unclassified information that may be exempt from mandatory disclosure under the Freedom of Information Act (FOIA) on a case-by-case basis. It consists of information that, if disclosed to a person who does not need it in performance of official duties, may be prejudicial to the public interest, a person, or a concern or may assist an individual or enterprise to benefit improperly.

All employees and subcontractors have a responsibility to protect the confidentiality of personal and other sensitive information from unauthorized disclosures and intentional or negligent misuse. This includes any information that may be maintained in hard copy or electronic records and on computer equipment and storage media that may be subject to the Privacy Act or the FOIA exemptions.

Personally Identifiable Information (PII)

PII is defined in the Office of Management & Budget (OMB) directives as “any information about an individual maintained by an agency, including but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their social security numbers, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual.” In some cases PII overlaps Privacy Act Information. All information of this nature is categorized as OUO Exemption 6, Personal Privacy, and should not be removed from DOE facilities without the written authorization of the employee or the employee's supervisor.

Examples of what is PII:

Social Security Numbers (SSN)

Place of birth associated with an individual

Date of birth associated with an individual

Mother’s maiden name associated with an individual

Biometric record associated with an individual
• Fingerprint
• Iris scan
• DNA

Medical history information associated with an individual
• Previous diseases
• Metric information
  • Weight
  • Height
  • Blood Pressure

Criminal history associated with an individual


Employment history associated with an individual. Performance elements and standards (or work expectations) are PII when they are so intertwined with performance appraisals that their disclosure would reveal an individual’s performance appraisal.
• Ratings
• Disciplinary actions

Financial information associated with an individual
• Credit card numbers
• Bank account numbers

Security clearance history or related info (not including actual clearances held)

Examples of what is not PII:

Phone numbers (work, home, cell)

Street addresses (home, work, other)

E-mail addresses (work or personal)

Digital pictures

Birthday cards

Birthday e-mails

Present and past grade and step information

Medical information pertaining to work status (X is out sick today)

Medical information included in a health or safety report (X broke his arm when...)

Resumes (unless they include an SSN)

Job titles for employment history, resume, or written biography

Present and past annual salary rates (including performance awards or bonuses, incentive awards, merit pay amount, meritorious or distinguished executive ranks, and allowances and differentials)

Present and past position titles and occupational series

Position descriptions

Written biographies (like the ones used in pamphlets of speakers)

Alma mater or degree level

Personal information stored by individuals on their personal workstation or laptop (unless it includes an SSN)

Protection of PII

Documents containing PII must be stored in a manner that applies strict need-to-know criteria. Under no circumstances should PII be accessible to unauthorized individuals. Storage of PII on local electronic storage media, including desktop and laptop hard drives and all removable media, should be reduced to the minimum necessary level and must be encrypted. Unnecessary PII files should be deleted. PII data should be relocated to internal network-based storage whenever possible.


Under no circumstances should PII other than for oneself be stored on a private computer or personally owned electronic storage media.
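One way to act on the minimization rule above is to inventory local storage for Social Security numbers before deciding what to encrypt, relocate to network storage, or delete. The following Python script is an added example written for this page, not CNS tooling: the file paths and contents are constructed, the SSN plausibility rules are the Social Security Administration's published issuance limits, and the report deliberately lists line numbers rather than the numbers themselves so that the scan output is not a new copy of the PII it finds.

```python
import re

# Constructed sample of what a scan of a workstation's local storage might see
# (path -> file contents).  Every path and value here is made up for the example.
SAMPLE_FILES = {
    "C:/Users/jdoe/Desktop/roster.csv": "name,ssn\nA. Person,123-45-6789\nB. Person,219-09-9999\n",
    "C:/Users/jdoe/Documents/notes.txt": "Call 865-574-7172 about the order. Ticket 000-12-3456 is a test value.",
    "C:/Users/jdoe/Documents/readme.txt": "Nothing sensitive here.",
}

# Three, two and four digit groups joined by dashes, not embedded in a longer run
# of digits (so a 3-3-4 phone number or a long account number does not match).
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def is_plausible_ssn(area, group, serial):
    """Drop values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    """Return (line_number, ssn) pairs for every plausible SSN in the text."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if is_plausible_ssn(*m.groups()):
                hits.append((line_no, m.group(0)))
    return hits


def scan_files(files):
    """Map each file holding at least one plausible SSN to the line numbers involved.

    The report carries line numbers, not the SSNs themselves, so the scan output
    is not itself a new PII-bearing file.
    """
    report = {}
    for path, text in files.items():
        lines = [line_no for line_no, _ssn in find_ssns(text)]
        if lines:
            report[path] = lines
    return report


if __name__ == "__main__":
    for path, lines in scan_files(SAMPLE_FILES).items():
        print(f"{path}: SSN(s) on line(s) {lines} -> encrypt, move to network storage, or delete")
```

Run it against a real directory by replacing SAMPLE_FILES with a walk that reads text files; the phone number and the 000-area value in the sample show why the plausibility filter matters for keeping the hit list actionable.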

A Privacy Impact Assessment (PIA) is required for unclassified information systems per DOE O 206.1, Department of Energy Privacy Program. For any information system that will contain (collect and/or maintain), or is planned to contain, any information about individuals, a full PIA is required. Unclassified information system owners must perform a PIA prior to submitting a security plan for initial accreditation for production use. Owners of existing systems containing information about individuals who did not perform a PIA by April 30, 2010, must perform a PIA prior to submitting a security plan for re-accreditation.

The collection and use of Social Security numbers not required by statute, regulation, or an intended DOE/NNSA purpose is prohibited in future information systems and software applications, and shall be eliminated where they are presently used as soon as practical, but prior to submitting a security plan for initial or reaccreditation, or prior to application software certification for production use.

Requirement for Reporting Compromised or Potentially Compromised PII

Any security incident involving the suspected or confirmed compromise (i.e., unauthorized release of any kind) of PII must be reported to the PSS Office @ 865-574-7172 or Pantex Operations Center @ 806-477-5000 immediately upon discovery (i.e., within 10 minutes of discovering the incident). The PSS Office or Pantex Operations Center will report to the CNS Classification Officer and the NNSA Production Office Cyber Security Office Manager (CSOM) immediately upon notification. (If the CSOM is unavailable, the PSS Office or Pantex Operations Center shall report directly to the DOE Incident Advisory Reporting Center at [email protected] or at 702-942-2611.)

When reporting security incidents possibly involving PII, there should be sufficient reason to believe that a security breach has occurred and that PII is likely to have been involved. Otherwise, the incident should be reported following normal IOSC procedures for reporting all security incidents.

Privacy Act Information

The Privacy Act of 1974 (5 U.S.C. Sect 552(a)) requires the protection of certain types of information maintained on individuals.

The types of data that are protected by the Privacy Act include, but are not limited to:

Promotions,

Disciplinary actions,

Appraisal and development records,

Payroll and leave records,

Reports of financial interest,

Supervisor-maintained personnel records,

Personnel medical information,

Equal opportunity complaints,

Labor standards complaints and grievances,

Personnel security files,

Security investigations,

Personnel records of former contract employees, and

Emergency locator records.

Violations

DOE and contractor employees who handle records must adhere to rules of conduct and ensure administrative, technical, and physical safeguards are in place to protect information from unwarranted disclosure or access by unauthorized persons. Penalties of up to $5,000 per incident are imposed on individuals who violate certain sections of the law, such as willfully and knowingly obtaining privacy information under false pretenses or willfully and knowingly disclosing privacy information unlawfully to third parties without the consent of the individual.

Export Controlled Information (ECI)

ECI is scientific and technical information for processes or commodities that are controlled by the Department of Commerce, Department of Energy, Department of State, Nuclear Regulatory Commission, and the Atomic Energy Act of 1954. The goal of the federal export laws laid out by these agencies is to control the unauthorized release of technology and commodities to foreign entities (foreign companies, foreign persons, and foreign governments).

An Export Controlled document may contain (1) unclassified information that reveals technological information that would aid someone in the development, production, or use of a technology or commodity; that has not been readily released in the public domain; and is not intended for public release by the sponsor; or (2) information relating to military end-use technology, explosives technology, missile or satellite technology, nuclear reactor or special nuclear material technology, or nuclear/chemical/biological weapons or sensor technology. All ECI (Export Controlled documents) must be marked appropriately as OUO-ECI, Exemption 3, Statutory Exemption, and should be marked in accordance with Section F of this chapter. ECI is OUO, and OUO documents are to be marked OUO when they are authored.

Unless specifically authorized by the Export Compliance Office and in accordance with Section A of Chapter 2, foreign nationals are not allowed access to ECI.

All information thought to contain ECI must be reviewed for ECI. The CNS Export Compliance Office has final determination authority.

The CNS Export Compliance Office is available to assist with all determinations.

Following is a list of the Federal Export Control Regulations that particularly apply to CNS:

Assistance to Foreign Atomic Energy Activities, DOE (10 CFR 810)
Technology controls apply to activities involving nuclear reactors and other nuclear fuel cycle facilities for the following: fluoride and nitrate conversion; isotope separation (enrichment); the chemical, physical, or metallurgical processing, fabricating, or alloying of special nuclear material; production of heavy water, zirconium (hafnium-free or low-hafnium), nuclear-grade graphite, or reactor-grade beryllium; production of reactor-grade uranium dioxide from yellowcake; and certain uranium milling activities.


Nuclear Regulatory Commission (10 CFR 110)
Materials include Special Nuclear Materials, Source Material, Byproduct Material, Deuterium, Nuclear grade graphite for nuclear end use, and Production and utilization facilities. Equipment controls include Nuclear reactors and especially designed or prepared equipment and components for nuclear reactors.

The Atomic Energy Act of 1954, as amended
Provides the Department of Energy unique authority to perform a broad range of activities related to nuclear weapons. DOE has invoked Sections 91.c (restricts the release of non-nuclear parts of atomic weapons or the utilization of facilities whose disclosure would contribute significantly to another nation’s atomic weapon capability) and 148 (prohibition against the dissemination of certain unclassified information).

International Traffic in Arms Regulations, DOS (22 CFR 120-130)
All military items, including explosives; contains the U.S. Munitions List.

Export Administration Regulations, U.S. Department of Commerce
Dual Use Items: controls all items and technology over which no other agency has jurisdiction. Controls are based on technology, end-user, location, and use.

Unless specifically authorized, foreign nationals are not allowed access to ECI.

ECI is OUO, and the following should be on the front of each document. ECI is Exemption 3.

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number(s) and category:
Department of Energy review required before public release.
Name/Org:
Date Reviewed:
Guidance (if applicable):


The marking OFFICIAL USE ONLY - EXPORT CONTROLLED or OUO - ECI must be placed as follows:

• On the bottom of the front of the matter and

• On the bottom of each interior page of the matter or, if more convenient, on the bottom of only the interior pages that actually contain OUO (markings must be clearly visible).


If information is ECI, it should be added to the page bottom marking as follows:

• General ECI (all ECI except ITAR controlled): OFFICIAL USE ONLY - EXPORT CONTROLLED or OUO - EXPORT CONTROLLED

• U.S. State Department Controlled (ITAR) ECI: OUO - EXPORT CONTROLLED INFORMATION - ITAR Category ## or OUO-ECI- ITAR Cat. ##

where ## represents the specific ITAR category.

Identifying Information as OUO

To be identified as OUO, information must meet the following criteria:

• be unclassified;

• have the potential to damage governmental, commercial, or private interests if disseminated to persons who do not have a need to know; and

• fall under at least one of the seven FOIA exemptions (exemptions 3 through 9; information falling under exemption 1 can never be OUO because it covers information classified by Executive Order. Information under exemption 2 has been drastically narrowed and is no longer considered OUO).
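The marking rules above (the page-bottom forms for plain OUO, general ECI and ITAR-controlled ECI, the front-marking block with its exemption number, reviewer and date, and the criterion that only FOIA exemptions 3 through 9 qualify) can be checked mechanically before a document leaves a reviewer's hands. The following Python script is an added example for this page, not CNS's own review tooling: the three-page sample document, the reviewer name, the date and the ITAR category number are constructed for illustration, and the exemption category names are free text because the document lists only a few of them.

```python
import re

# Page-bottom markings the text allows, compared after upper-casing and
# collapsing whitespace.
PLAIN_MARKINGS = {"OFFICIAL USE ONLY", "OUO"}
ECI_MARKINGS = {"OFFICIAL USE ONLY - EXPORT CONTROLLED", "OUO - EXPORT CONTROLLED", "OUO-ECI"}
ITAR_RE = re.compile(
    r"^OUO\s*-\s*(?:EXPORT CONTROLLED INFORMATION|ECI)\s*-\s*ITAR\s+(?:CATEGORY|CAT\.?)\s+(\d{1,2})$"
)
# Front-marking fields; filled-in values follow the label on the same line.
EXEMPTION_RE = re.compile(r"EXEMPTION NUMBER\(S\) AND CATEGORY:[ \t]*(\d)?[ \t]*,?[ \t]*(.*)")
NAME_RE = re.compile(r"^NAME/ORG:[ \t]*(\S.*)?$", re.M)
DATE_RE = re.compile(r"^DATE REVIEWED:[ \t]*(\S.*)?$", re.M)

# Marking classes that satisfy each document kind: an ECI document may carry the
# ITAR-specific marking, but a plain OUO marking does not identify ECI.
ACCEPTABLE = {"OUO": {"OUO", "ECI", "ITAR"}, "ECI": {"ECI", "ITAR"}, "ITAR": {"ITAR"}}


def normalize(line):
    return " ".join(line.upper().split())


def classify_marking(line):
    """Return ('ITAR', category), ('ECI', None), ('OUO', None) or (None, None)."""
    text = normalize(line)
    m = ITAR_RE.match(text)
    if m:
        return "ITAR", int(m.group(1))
    if text in ECI_MARKINGS:
        return "ECI", None
    if text in PLAIN_MARKINGS:
        return "OUO", None
    return None, None


def bottom_line(page):
    lines = [ln for ln in page.splitlines() if ln.strip()]
    return lines[-1] if lines else ""


def check_front_marking(front_page):
    """Check the front-marking block: exemption 3-9 with a category, reviewer, date."""
    text = front_page.upper()
    findings = []
    m = EXEMPTION_RE.search(text)
    if not m or not m.group(1):
        findings.append("front: FOIA exemption number missing")
    else:
        number = int(m.group(1))
        if number not in range(3, 10):  # exemption 1 is classified matter; DOE treats nothing as OUO under 2
            findings.append(f"front: exemption {number} cannot be OUO (only 3 through 9 qualify)")
        if not m.group(2).strip():
            findings.append("front: exemption category name missing")
    nm = NAME_RE.search(text)
    if not nm or not nm.group(1):
        findings.append("front: reviewer Name/Org missing")
    dm = DATE_RE.search(text)
    if not dm or not dm.group(1):
        findings.append("front: Date Reviewed missing")
    return findings


def check_page_markings(pages, ouo_pages, kind):
    """The front page and every page listed (1-based) as containing OUO must end with an acceptable marking."""
    findings = []
    for number, page in enumerate(pages, start=1):
        if number != 1 and number not in ouo_pages:
            continue  # interior pages without OUO need no marking
        marking = normalize(bottom_line(page))
        cls, _category = classify_marking(marking)
        if cls is None:
            findings.append(f"page {number}: no OUO marking at bottom")
        elif cls not in ACCEPTABLE[kind]:
            findings.append(f"page {number}: marking '{marking}' does not identify {kind}")
    return findings


def check_document(pages, ouo_pages, kind="OUO"):
    return check_front_marking(pages[0]) + check_page_markings(pages, ouo_pages, kind)


FRONT_BLOCK = """\
OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number(s) and category: {exemption}
Department of Energy review required before public release.
Name/Org: {name}
Date Reviewed: {date}
Guidance (if applicable):
"""


def sample_document(exemption, name, date, bottom):
    """Constructed three-page document: front page, an interior page with OUO, a page without."""
    front = "Example report title\n\n" + FRONT_BLOCK.format(exemption=exemption, name=name, date=date)
    front += "\nBody text.\n" + bottom + "\n"
    return [front, "Interior page with OUO content.\n" + bottom + "\n", "Interior page with nothing controlled.\n"]


if __name__ == "__main__":
    doc = sample_document("3, Statutory Exemption", "J. Reviewer / Example Org", "2018-03-01", "OUO-ECI- ITAR Cat. 11")
    print(check_document(doc, {2}, "ITAR") or "document markings comply")
```

The checker takes the document kind (OUO, ECI or ITAR) as an input rather than inferring it, because whether matter is export controlled is a determination of the Export Compliance Office, not something a script can read off the text.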

Determination That Matter Contains OUO

Determination Responsibilities

Unclassified matter originated within the DOE/NNSA, produced in or for that office, or under the control of that office may contain OUO information. Any employee from an office with cognizance over such information may determine if the matter contains OUO information. The document originator may serve as the reviewer.

It is possible that the DOE/NNSA secretarial offices or the director of NNSA Defense Nuclear Security Office may determine that information under his/her cognizance should be identified as OUO. If this occurs, the responsible office may develop, approve, and issue specific guidance that identifies matter containing OUO.



Determination Process

The employee first considers whether the information has the potential to damage governmental, commercial, or private interests if disseminated to persons who do not need the information to perform their jobs or other DOE/NNSA-authorized activities.

If the information is considered to have the potential for such damage, then the employee consults such guidance as may have been provided by DOE/NNSA secretarial offices or the director of NNSA Defense Nuclear Security Office, who may determine that information under his/her cognizance should be identified as OUO. If the specific guidance determines that information in question is identified as OUO, then the employee determines that the document contains OUO information.

If the information is considered to have the potential for such damage but no guidance is issued by the DOE/NNSA secretarial offices or the director of NNSA Defense Nuclear Security Office, then the employee considers whether the information falls under at least one of FOIA exemptions 3 through 9. If the employee believes that the information falls under one of the FOIA exemptions, then the employee may determine that the document contains OUO information.

If the employee finds no basis for identifying the information as OUO and does not believe the information falls under one of the FOIA exemptions, then the employee must not mark the document as containing OUO information.

OUO Exemptions

For information to be considered OUO, it must fall within the scope of one of the FOIA exemptions from public release and be otherwise uncontrolled. The nine exemptions from public release are listed in Exhibit 5-2. Certain kinds of information within DOE/NNSA that are exempt from public release under FOIA are identified and protected under their own formal information control systems. Within DOE, the Atomic Energy Act, which is the basis for the formal control of Restricted Data (RD), Formerly Restricted Data (FRD), and UCNI, is an Exemption 3 statute; but RD and FRD are classified and UCNI is already subject to a formal control system, and therefore they are not also designated as OUO.

Recently, a Supreme Court ruling narrowed the scope of Exemption 2 and “Circumvention of Statute” is no longer an OUO determination. The more restrictive Exemption 2 now only applies to the “Internal personnel rules and practices” of an agency. DOE has determined no information will be considered as OUO under Exemption 2.

Physical Protection Requirements

Protection in Use

Precautions must be taken to prevent access to documents marked as containing OUO by persons who are not authorized access to OUO in order to perform their jobs (e.g., do not read OUO documents in public). OUO documents may be posted on interior bulletin boards, walls, or doorways where the need-to-know criterion is established for all individuals obtaining visual access.

Protection of PII

See Section above.

Protection in Storage

OUO matter must be stored to preclude unauthorized disclosure. Storage of such matter with other unclassified matter in unlocked receptacles, such as file cabinets, desks, or bookcases, is adequate when internal building security is provided during non-duty hours. When such internal building security is not provided, locked rooms or buildings provide adequate after-hours protection. If rooms or buildings are not locked or otherwise controlled, OUO matter must be stored in locked receptacles, such as file cabinets, desks, or bookcases. In cases where unauthorized disclosure may occur due to after-hours maintenance activities (e.g., janitorial work), the OUO matter must be protected from view.

Requirement for Removal of Hardcopy PII from CNS Owned/Leased/Rented Space

All employees and subcontractors have a responsibility to protect the confidentiality of personal and other sensitive information from unauthorized disclosures and intentional or negligent misuse. This includes any information that may be maintained in hard copy that may be subject to the Privacy Act or the exemptions of the Freedom of Information Act. PII is categorized as Official Use Only Exemption 6, Personal Privacy, and should not be removed from either site (Pantex or Y-12) or from Pantex or Y-12 leased/rented space without prior authorization from the employee or employee’s supervisor.

Off-Site Physical Protection

OUO taken to off-site areas must be kept under positive physical control so that persons without a need to know cannot obtain access.

In an area that is neither controlled nor guarded, OUO must be stored in a locked container (e.g., a locked file cabinet, desk, bookcase, or briefcase) or in a locked room to which only individuals authorized for access to OUO have access.


Reproduction

Documents marked as containing OUO may be reproduced without the permission of the originator to the minimum extent necessary to carry out official activities. Copies must be marked and protected in the same manner as originals. Copy machine malfunctions must be cleared and all paper paths checked for papers containing OUO information. Excess paper containing OUO information must be destroyed as described below.


Destruction

Documents marked as containing OUO must be destroyed by using a strip-cut shredder that produces strips no more than ¼-inch wide or by any other means that provides a similar level of destruction that has been approved by the Information Security manager.

Marking

OUO with Other Markings

Appropriate markings must be applied to unclassified matter that contains OUO.

OUO markings must be applied to an unclassified document that contains OUO information regardless of any other unclassified control marking [e.g., Unclassified Controlled Nuclear Information (UCNI)]. Such marking clearly indicates that OUO applies if the matter is subsequently downgraded from the UCNI designation.

OUO markings must not be applied to classified matter that contains OUO unless such matter has been portion marked to indicate the classification level. In such cases the designation “OUO” must be used to indicate those unclassified portions containing OUO.

Obsolete Marking

From July 18, 1949, to October 22, 1951, the Atomic Energy Commission used the term “Official Use Only” to designate some classified information. If “Official Use Only” matter dated during this time period is found, protect it as Confidential National Security Information until a proper classification determination is made. See Y19-203 for instructions on protection requirements.

Front Marking

Any unclassified matter that has been reviewed and determined to contain OUO information must be marked on the front of the matter as shown below. The front marking includes the applicable FOIA exemption number and related category name (e.g., Exemption 7 – Law Enforcement) and the name and organization of the employee making the determination, and identifies the guidance used, if the determination was based on guidance.

NOTE: New documents generated on or after May 27, 2008, that contain PII or Privacy Act information must be marked as OUO, Exemption 6, unless otherwise authorized by the Information Security organization. Documents in existence prior to that date that contain PII or Privacy Act information in storage do not require the OUO marking unless they are distributed out of the holding office. Those documents containing PII or Privacy Act information that are not currently marked, or are marked as Privacy Act, Business Sensitive, etc., must be marked OUO when the documents are sent outside the holding office to anyone other than the individual to whom they belong.


The employee making the determination ensures that the following marking is placed on the front of each document containing OUO.

OFFICIAL USE ONLY
May be exempt from public release under the Freedom of Information Act (5 U.S.C. 552), exemption number(s) and category:
Department of Energy review required before public release.
Name/Org:
Date Reviewed:
Guidance (if applicable):

Page Marking

The marking “OFFICIAL USE ONLY” or “OUO” must be placed as follows:

• on the bottom of the front of the matter and

• on the bottom of each interior page of the matter or, if more convenient, on the bottom of only the interior pages that actually contain OUO (markings must be clearly visible).

Note: For general ECI documents, page markings are the same as stated above; however, the page marking should denote that the material is ECI by using the following: “OFFICIAL USE ONLY - EXPORT CONTROLLED,” or “OUO-ECI” (see Section A of this chapter, Export Controlled Information).

Cooperative Research and Development

Cooperative Research and Development Agreement (CRADA) information (protected) is data produced in the performance of the agreement that would have been proprietary information had it been obtained from a nonfederal entity. The National Competitiveness Technology Transfer Act of 1989 created a statutorily exempt category of information under CRADAs. This provision permits withholding such information from public dissemination for a period of up to five years. Freedom of Information Act (FOIA) requests are included in this exemption.

Special CRADA Access Requirements

Unless specifically authorized in accordance with Section A of this chapter, foreign nationals are not allowed access to CRADA information.


CRADA Document Markings

Any unclassified matter that has been reviewed and determined to contain protected CRADA information must be marked on the front of the matter as follows:

PROTECTED CRADA INFORMATION
This product contains Protected CRADA Information, which was produced on (date) under CRADA No. (number) and is not to be further disclosed for a period of five years from the date it was produced except as expressly provided for in the CRADA.

The marking “OUO PROTECTED CRADA INFORMATION” must be placed as follows:

• on the bottom of the face of the matter and

• on the bottom of each interior page of the document or, if more convenient, on the bottom of only the interior pages that actually contain protected CRADA information (markings must be clearly visible).

E-Mail Message

The first line of an e-mail message containing OUO information must contain the abbreviation “OUO” before the beginning of the text.

If the message body of the e-mail is not OUO but it contains an attachment that is OUO, the message body must indicate that the attachment is OUO. The attachment must have all required OUO markings.

Marking Special Format Documents

Special formats of matter [e.g., photographs, viewgraphs, films, electronic storage media (ESM), audio tapes, videotapes, DVDs, or CD-ROMs] must be marked to the extent possible as described above.

All markings must clearly indicate that the matter contains OUO.

Restricted Access Files

Matter located in a restricted access file (e.g., personal office files) does not need to be reviewed and marked while in the file or when retrieved from the file as long as it will be returned to the file and is not accessible by individuals who are not authorized access to the OUO information.

However, if the matter is to be removed and not returned to the file or if copies will be made, then a review to determine if the matter contains OUO must be completed and the matter must be marked (if appropriate). NOTE: Documents that are moved from one restricted access file location to another for storage purposes do not need to be reviewed. Documents that are removed for criminal, civil, or administrative law enforcement or prosecution purposes need not be reviewed or marked where parallel controls to this order are in place.


Transmittal Documents

A document that transmits matter marked as containing OUO and does not itself contain OUO must be marked on the front page to call attention to the presence of OUO. Following is an example:

Document transmitted contains OUO information. When separated from attachment, this document is not OUO.

Transmission

Authorized individuals (i.e., those who have a need to access controlled information in the performance of their official duties) may hand carry UCNI/OUO outside a facility as long as matter identified as containing UCNI/OUO is packaged in an opaque envelope or wrapping, sealed, marked with the recipient’s address and a return address, and marked with the words “TO BE OPENED BY ADDRESSEE ONLY” prior to removal from the site.

By Mail Outside a Facility

Use a sealed, opaque envelope or wrapping and mark the envelope or wrapping with the recipient’s address, a return address, and the words “TO BE OPENED BY ADDRESSEE ONLY.” Use U.S. Postal Service (USPS) First Class, Express, Certified, or Registered Mail. In addition, any commercial carrier may be used.

By Mail Within a Facility

Use a sealed, opaque envelope with the recipient’s address and the words “TO BE OPENED BY ADDRESSEE ONLY” on the front.

Fax

Documents containing OUO should be protected by Entrust encryption whenever possible. However, if such encryption capabilities are not available and transmission by mail is not a feasible alternative, then regular facsimile machines may be used to transmit the document. An unencrypted facsimile transmission must be preceded by a telephone call to the recipient so that he or she can control the document when it is received.

E-Mail, Portable/Mobile Devices and Removable Media

FIPS 140-2 Level 1 or higher encryption is required for e-mail and e-mail attachments containing OUO being sent outside the CNS Border Network. Encryption is not required if the e-mail transmission remains inside the CNS Border Network. Inside the CNS Border Network is defined as within the NNSA Production Office (NPO), Y-12, and Pantex.
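The e-mail rules in this document (the first line of an OUO message must begin with “OUO”; a body that is not OUO but carries an OUO attachment must say so, and the attachment must bear its own markings; OUO or UCNI mail leaving the CNS Border Network must be encrypted, as Exhibit 4-2 also states for UCNI) can be enforced as an outbound-mail check before a message is released. The Python script below is an added example, not CNS code or an Entrust feature: the border-network domains and every address are placeholders constructed for the example, the attachment is recognized as controlled when one of its lines starts with a page marking, and the `will_encrypt` flag stands in for whatever the mail gateway knows about encryption being applied.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Placeholder domains standing in for the CNS Border Network (NPO, Y-12, Pantex).
# These are assumptions for the example, not the real domains.
BORDER_NETWORK_DOMAINS = {"npo.example", "y12.example", "pantex.example"}

# Page-bottom / front markings that identify a controlled attachment; a marking
# counts when a line of the attachment starts with it (e.g. "OUO-ECI- ITAR Cat. 11").
CONTROLLED_MARKINGS = (
    "OFFICIAL USE ONLY", "OUO",
    "UNCLASSIFIED CONTROLLED NUCLEAR INFORMATION", "UCNI",
)

FINDINGS = {
    "BODY_NOT_MARKED": "body carries OUO marked text but its first line does not begin with 'OUO'",
    "ATTACHMENT_NOT_ANNOUNCED": "an attachment is marked OUO/UCNI but the body does not say so",
    "ATTACHMENT_NOT_MARKED": "body announces a controlled attachment but no attachment carries a marking",
    "ENCRYPTION_REQUIRED": "controlled content addressed outside the CNS Border Network must be FIPS 140-2 encrypted",
}


def build_message(to, subject, body, attachment=None, attachment_name="doc.txt"):
    """Construct a sample message; sender, recipients and contents are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@y12.example"
    msg["To"] = to
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        msg.add_attachment(attachment, filename=attachment_name)  # text/plain attachment
    return msg


def first_line(text):
    """First non-blank line, upper-cased for case-insensitive marking checks."""
    for line in text.splitlines():
        if line.strip():
            return line.strip().upper()
    return ""


def has_external_recipient(msg):
    """True if any To/Cc/Bcc address is outside the border-network domains."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    for _name, addr in getaddresses([str(h) for h in headers]):
        if addr.rpartition("@")[2].lower() not in BORDER_NETWORK_DOMAINS:
            return True
    return False


def marked_attachments(msg):
    """Filenames of attachments whose text carries an OUO or UCNI marking."""
    names = []
    for part in msg.iter_attachments():
        content = part.get_content()
        text = content.decode("utf-8", "ignore") if isinstance(content, bytes) else content
        lines = [ln.strip().upper() for ln in text.splitlines()]
        if any(ln.startswith(m) for ln in lines for m in CONTROLLED_MARKINGS):
            names.append(part.get_filename())
    return names


def check_controlled_email(msg, will_encrypt):
    """Return finding codes for the message; an empty list means it complies."""
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    lead = first_line(body)
    body_marked = lead.startswith("OUO")                   # rule: "OUO" before the text begins
    body_has_ouo_text = "OFFICIAL USE ONLY" in body.upper()  # marked text pasted into the body
    attachments = marked_attachments(msg)
    lead_mentions_controlled = "OUO" in lead or "UCNI" in lead
    announces_attachment = "ATTACHMENT" in lead and lead_mentions_controlled

    findings = []
    if body_has_ouo_text and not body_marked:
        findings.append("BODY_NOT_MARKED")
    if attachments and not lead_mentions_controlled:
        findings.append("ATTACHMENT_NOT_ANNOUNCED")
    if announces_attachment and not attachments:
        findings.append("ATTACHMENT_NOT_MARKED")
    controlled = body_marked or body_has_ouo_text or bool(attachments) or announces_attachment
    if controlled and has_external_recipient(msg) and not will_encrypt:
        findings.append("ENCRYPTION_REQUIRED")
    return findings


if __name__ == "__main__":
    msg = build_message("vendor@supplier.example", "Notes", "OUO\nMeeting notes from the review.")
    for code in check_controlled_email(msg, will_encrypt=False):
        print(f"{code}: {FINDINGS[code]}")
```

The check treats the sender's own markings as the signal, which is the only thing a gateway can observe; it cannot decide whether unmarked text is OUO, so the first rule only fires when marked text is present without the required first-line abbreviation.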


An automated information system (AIS) or AIS network must provide methods (e.g., authentication, file access controls, passwords) to prevent access to OUO information stored on the system by persons who do not require the information to perform their jobs or other DOE-authorized activities. For further information, contact CNS Cyber Security.

All portable/mobile devices taken or used external to either the Pantex or Y-12 Site must be protected using approved encryption.

Approved encryption includes all encryption meeting FIPS 140-2 Level 1 or higher, or other CNS Authorizing Office-approved encryption software. Entrust is the approved encryption standard for CNS e-mail. Pointsec is the approved encryption standard for CNS laptops. Other software (e.g., PGP, SecureZip, etc.) meeting FIPS 140-2 Level 1 encryption standards may be obtained through the Information Technology department for use where use of Entrust is not possible. If transmitting OUO via an alternate approved encryption method that is password protected, passwords should be transmitted to the receiving party through a different method than the one used to transmit the OUO.

When encryption and password protection are not feasible options for transmitting OUO information on removable media, the media may be transmitted using the following U.S. mail methods: First Class, Express, Certified, or Registered mail. This transmission method is not approved for media containing PII or Privacy Act Information. See Section G.1 of this chapter for specific information on packaging and addressing OUO information for transmission via mail service.

Requirement for Electronic Removal of PII from either Y-12 or Pantex or CNS Leased/Rented Spaces

Use of Encryption. Encryption must be used for electronic PII that is removed from CNS owned/rented/leased space. The use of FIPS 140-2 Level 1 or higher encryption must be implemented to protect all PII on laptops and on removable media, such as CD ROMs or thumb drives. At either site (Pantex or Y-12), the approved encryption product for laptop computers is Pointsec (a product of Pointsec Mobile Technologies, Inc.). For removable media, the approved encryption product is Entrust (a product of Entrust, Inc.).

• All laptop computers used by CNS employees and subcontractors which contain PII are not allowed to leave the perimeter of either site (Pantex or Y-12) or the interior of leased/rented facilities without the prior successful installation of Pointsec or an approved alternative (see below). Laptop owners are responsible for initially identifying machines containing PII. It is the intent of CNS IS&S to place Pointsec on all laptop computers used by staff members for business purposes.

• All users of these laptops should be instructed to use this capability to protect all PII.

• Additionally, all DOE/NNSA staff, CNS employees, subcontractors, business partners, or others who remotely access CNS computing assets containing PII, including laptop users, are required to also use Cisco Virtual Private Network (VPN) software, and obtain an RSA SecurID authentication token for system access. Blackberry access uses a different, but equally secure, encryption method utilizing the 256-bit advanced encryption standard (256-AES).


• PII may not be transmitted via email to a commercial provider email account (e.g., AOL, Yahoo, etc.)

• All removable media containing PII used by CNS employees, subcontractors, and business partners are not allowed to leave the perimeter of either site (Pantex or Y-12) or the interior of CNS leased/rented facilities without the prior successful encryption of the data via use of Entrust or an approved alternative.

• Information regarding employee/subcontractor receipt and installation of Pointsec and/or Entrust can be obtained by contacting the CNS Computer Helpline at 865-574-4000.

• Use of any alternative FIPS 140-2 compliant encryption product or methodology must be approved in advance by the CNS Cyber Security manager who will coordinate review with the NPO as appropriate.

Phone

OUO information transmitted over voice circuits should be protected by encryption whenever possible. However, if such encryption capabilities are not available and transmission by other encrypted means is not a feasible alternative, then regular voice circuits may be used. Cell or cordless phone transmissions are prohibited.

Hand Carry Within a Facility

Documents containing OUO may be hand carried between or within a facility as long as the person carrying the document(s) can control the document being transported to preclude unauthorized disclosure or dissemination.

Processing on Automated Information Systems

An automated information system (AIS) or AIS network must provide methods (e.g., authentication, file access controls, passwords) to prevent access to OUO information stored on the system by persons who do not require the information to perform their jobs or other DOE-authorized activities.


EXHIBIT 5-2. OUO EXEMPTIONS (Page 1 of 3)

This exhibit notes the OUO exemptions that can be used for CNS projects. It shows only the exemption and its summary information. For more detailed information, refer to the Freedom of Information Act Guide, published by the Department of Justice (http://www.usdoj.gov/oip/foi-act.htm).

| Exemption number | Exemption | Description |
|---|---|---|
| 1 | National Security Information | Is classified by Executive Order and is never OUO information. |
| 2 | Circumvention of Statute | Due to a Supreme Court ruling the scope of Exemption 2 has been significantly narrowed and “Circumvention of Statute” is no longer a valid OUO determination. The updated exemption is “Internal Personnel Rules and Practices.” |
| 2 | Internal Personnel Rules and Practices | This more restrictive Exemption 2 exempts from mandatory disclosure records “related solely to the internal personnel rules and practices of an agency.” Information under Exemption 2 has been drastically narrowed and is no longer considered OUO. |
| 3 | Statutory Exemption | Concerns information specifically exempted from disclosure by statute, provided that such statute (1) requires that the matter be withheld from the public in such a manner as to leave no discretion on the issue or (2) establishes particular criteria for withholding or refers to particular types of matter to be withheld. Examples are the Federal Technology Transfer Act and Export Controlled Information. Basing an OUO determination on an Exemption 3 statute is very complex and requires interpretations of statutory language and case law to ensure that the statute qualifies as an Exemption 3 statute and that the document falls within the statute’s scope. Therefore, use of Exemption 3 should be limited to those cases where appropriate statute-specific guidance is available. |


EXHIBIT 5-2 (Page 2 of 3)

| Exemption number | Exemption | Description |
|---|---|---|
| 4 | Commercial or Proprietary Information | Concerns trade secrets and commercial or financial information that is obtained from a person and that is privileged or confidential. Examples are (1) bids, contracts, or proposals, and other related information received in confidence and (2) sensitive information included in personal statements given in the course of inspections, investigations, or audits that are received in confidence. Exemption 4 protects the interests of both government and persons submitting information to the government. This exemption encourages commercial entities to voluntarily submit useful commercial or financial information to the government and provides the government with some assurance that the submitted information is reliable. It may appear that there is some overlap between Exemptions 4 and 5. Briefly, Exemption 4 applies to information generated by a company and provided to the government, while Exemption 5 applies to government-generated information. |
| 5 | Privileged Information | Concerns inter-agency or intra-agency memoranda or letters that would not be available by law to a party other than an agency in litigation with the agency. Three primary privileges are (1) deliberative process privilege, (2) attorney work-product privilege, and (3) attorney-client privilege. Examples are (1) letters, memos, papers, reports, and other documents that contain advice, opinions, or recommendations on new or revised government decisions and policies; (2) evaluations of contractors and their products and services by DOE personnel; and (3) information that is exchanged among DOE personnel and within and among agencies in preparation of anticipated administrative proceedings by an agency or litigations before any federal or state court and information that qualifies for attorney-client privilege. |


EXHIBIT 5-2 (Page 3 of 3)

| Exemption number | Exemption | Description |
|---|---|---|
| 6 | Personal Privacy | Personal information such as information identified in PII and Privacy Act sections. Examples are social security number, date of birth, marital status, personnel disciplinary action, and evaluations for employment. |
| 7 | Law Enforcement | Concerns records or information compiled for law enforcement purposes. Some examples of Exemption 7 include (1) statements of witnesses and other material developed during the course of an investigation; (2) identity of individuals or firms being investigated; and (3) information concerning homemade weapons that could assist a criminal element and might result in harm to individuals, property, or national interest. "Exemption 7, Law Enforcement" would be appropriate to use for DOE security-related information formerly protected under Exemption 2, and can be used for many aspects of information we desire to protect, in order to protect “the life or physical safety of any individual”. |
| 8 | Financial Institutions | Concerns information contained in or related to examination, operating, or condition reports prepared by, on behalf of, or for the use of an agency responsible for the regulation or supervision of financial institutions. This exemption is normally not applicable at CNS. Consultation with the Office of Legal Counsel should be exercised. |
| 9 | Wells and Mines | Concerns geological and geophysical information and data, including maps. This exemption is rarely used at CNS but protects technical and scientific information about wells. |