1998 Security Refresher Briefing Cover

Presented by the
University Research Security Office
Laboratory Management
University of California
1111 Franklin Street, Oakland, California 94607-5206


 

ABOUT YOUR SECURITY BRIEFING

Your security clearance involves many responsibilities. This includes the requirement to be aware of basic guidelines about classification of information and about security.

This refresher briefing gives you the basics you must know about these subjects and is being provided to you as a reference. By reading the information in the briefing, understanding it, and returning an electronic acknowledgment (see end of this briefing for instructions), you will meet both Department of Energy (DOE) and Department of Defense (DOD) requirements that you receive periodic security refresher briefings.

 

Willie Archie
University Research Security Officer
Laboratory Management Office
Robert Van Ness
Assistant Vice President
Laboratory Management Office


 

WHAT IS THE ANNUAL SECURITY REFRESHER BRIEFING?


 

CONTENTS

    1. *The Threat
    2. *The Threat from Foreign Intelligence Services
    3. The Threat from hackers and disgruntled insiders
    4. *The Threat from individuals engaged in industrial espionage
    5. Why is there a Security Clearance Backlog?
    6. What is the "Smith Amendment" and what impact will it have on our hiring practices?
    7. The Security Classification System
    8. Executive Order 12958
    9. Classification Under the Atomic Energy Act
    10. Properly marking classified documents
    11. Derivatively-classified documents
    12. What is the status of the perhaps "tens or hundreds of thousands" of classified documents (over 25 years old) expected to be declassified as a result of EO 13142 (which extended the deadline for declassification from last May until at least October 14, 2001)?
    13. *Employee reporting obligations
    14. *Is my voluntary participation in an alcohol or drug abuse rehabilitation program considered to be adverse information and reportable?
    15. Duties of the Escort
    16. *Importance of wearing your security badges
    17. Handcarrying classified materials
    18. *Using computers to process classified information
    19. *Protection of laptops
    20. *Summary/Wrap-up/Documentation


 

INTRODUCTION

The National Industrial Security Program Operating Manual (NISPOM) dated January 1995 prescribes requirements, restrictions, and other safeguards that are necessary to prevent unauthorized disclosure of classified information. This is the security bible.

Paragraph 3-107 of the NISPOM states, "The contractor shall provide all cleared employees with some form of security education and training at least annually. The refresher training shall reinforce the information provided during the initial security briefing and shall keep cleared employees informed of appropriate changes in security regulations. Contractors shall maintain records about the program offered and employee participation in them".

This year, as we have in the seven previous years, we are providing you the required refresher briefing in electronic form. We hope that you will find the briefing enlightening and thought-provoking. This is a "Collateral" (not SCI, or SAP) briefing. Individuals holding SCI or SAP require a more detailed and technical classified refresher briefing. Contact Special Security Office David Green at LLNL for more information on required classified briefings (925) 422-5085. For any person having difficulty accessing the internet, this briefing is also available in hardcopy at your request. Additional security briefing materials and security forms are available on the Internet.

If you have any questions about any of the subjects discussed in the briefing, please contact me by phone at (510) 987-9846 or by e-mail at willie.archie@ucop.edu.

*1. The Threat. The Threat today comes in a number of different forms and threatens different parts of our corporate mission. There is the traditional Threat from Foreign Intelligence Services (FIS) who are pursuing our classified and proprietary information. We also have the Threat from hackers and their malicious code and disgruntled insiders who perhaps desire to damage or compromise our information systems.

*2. The Threat from Foreign Intelligence Services. The technologies generating the most foreign interest in 1999 included information systems, sensors and lasers, electronics, aeronautics systems, and armaments and energetic materials. The majority of countries targeting our Institution have limited military capabilities and are seeking technological advancement. In 1997 this list of countries was 37; in 1998 the list had grown to 47; and in 1999 there were 56 countries associated with suspicious collection activities targeted at cleared contractors. Many of the Foreign Intelligence Services are now being primarily tasked to collect information that will allow their country to better compete on the world economic stage. This often means they are after both classified and unclassified information.

The most frequently reported Method of Operation is the request for scientific and technical information. This often comes in the form of an email message. The requestor may indicate they are from a foreign university or research institute or a graduate student who needs assistance with their thesis. He/she may indicate they have noted from our web page that we have competencies in a certain area and they desire additional information related to a business opportunity for us, or they are asking for sensitive or export-controlled information or copies of technical articles that appeared in trade journals and periodicals.

For more information on the threat topic go to:

http://www.defenselink.mil/news/Aug2001/n08172001_200108172.html

*3. The Threat from hackers and disgruntled insiders. As you all are aware, we are also concerned about the threat from individuals who would do undesirable things to the information residing on our information systems. It seems every week there is a new virus or Trojan horse coming into our lives via the Internet. You can do your part by:

  • ensuring your computer has current anti-virus signatures loaded on it
  • paying attention to the periodic warnings about malicious code provided by the computer center folks
  • understanding that there are virus "hoaxes" out there and not "passing them to everyone on your distribution list" (pass them instead to the computer center folks or your security officer)
  • creating strong passwords
  • not disclosing remote login numbers and procedures to personnel who do not have a need to know
  • granting access privileges only to those personnel who have a need to know
  • remembering that you leave tracks when you surf the web, converse in chat rooms, or post to user groups.

*4. The Threat from individuals engaged in industrial espionage. Even though we are a not-for-profit institution, we still must be mindful about protecting any sensitive business information that we may possess - ours or that of others in our keeping. Information passed over the "frame relay" will be encrypted, but when you pass information over the Internet, it is susceptible to interception by someone other than the intended recipient. Sensitive proprietary information stored on a laptop could be worth 100 times what the laptop itself is worth if stolen. If you generate sensitive company information (e.g., proposals, salary information, labor rates, network configurations, countermeasures to intruders, private personnel information, strategic plans, etc.), please think about physical protection for the information, how you are marking it to indicate it is sensitive and needs special protection, and access controls you are placing on the information.

5. Why is there a Security Clearance Backlog? This is a question that is asked every year. The Defense Security Service is still behind on processing clearances. Although the DSS software is now capable of moving 2500 cases per day through their system, this is now causing a large backlog at the adjudicator's desk (the person who looks at the investigation report and decides if the person will get a clearance).

In September 1999, DSS contracted with two private sector entities to augment DSS investigative capabilities. This year, DSS has contracted investigations out to three other vendors. The DSS has done a number of things to improve the issuance time for a final clearance but we still have at least a year to go before they will be back to the pace they were on before they implemented the Case Control Management System (CCMS). The CCMS, since its implementation on October 29, 1998, has experienced significant operational problems with numerous software fixes.

The Clearance backlog in the Department of Energy is not as bad as that in the DOD system. Processing of a DOD Top Secret clearance averages one year to thirteen months. An equivalent DOE "Q" clearance averages seven to nine months.

6. What is the "Smith Amendment" and what impact will it have on our hiring practices? The Senator Bob Smith (from New Hampshire) Amendment to the FY2001 DoD Appropriations bill sets new limitations on personnel who are eligible for a security clearance. It says that the following people are ineligible for a security clearance:

  • Someone who has been convicted in any court of the U.S. of a crime and sentenced to imprisonment for a term exceeding one year
  • An unlawful user of, or someone who is addicted to, a controlled substance
  • Someone who is mentally incompetent, or who has been determined by a mental health professional to be mentally incompetent
  • Someone who has been discharged or dismissed from the Armed Forces under dishonorable conditions

Since these are absolute disqualifying conditions, for certain UC positions requiring DOD clearances, these disqualifying conditions might be asked of a candidate prior to employment or appointment.

7. The Security Classification System. Security classification by a nation’s government is based on the government’s responsibility for the survival of the nation and its people. In the United States, information is classified either by Presidential authority, currently Executive Order 12958, or by statute, the Atomic Energy Act of 1954, as amended (Atomic Energy Act). The first Executive Order dealing with classification was EO 8381 issued on March 22, 1940 by President Franklin Roosevelt. In this EO, there were three levels of classification - Secret, Confidential, and Restricted. On February 1, 1950, President Truman issued the second EO (10104) dealing with protecting classified information. This EO added a fourth level - Top Secret. On September 24, 1951, he issued his second EO (10290) that simply dropped any citation of a specific statutory authority.

In November 1953, President Eisenhower replaced EO 10290 with EO 10501. It eliminated the "Restricted" level. Note the British and other allies have kept their "Restricted" classification level. This EO was the ruling authority for 20 years until President Nixon's EO 11652 issued on March 8, 1972. This Executive Order was a result of an interagency committee study initially headed by William H. Rehnquist - the current Chief Justice of the U.S. Supreme Court. Executive Order 12065 replaced EO 11652 on December 1, 1978. For the first time, this EO talked about "Derivative Classification". The next Executive Order was 12356 issued by President Reagan on April 6, 1982. On April 17, 1995, President Clinton issued the current EO 12958. This EO required that Executive Branch Agencies review their classified holdings and declassify as many as possible to support the Administration's "Openness in Government" initiative.

8. Executive Order 12958. EO 12958 took effect in FY 1996. Since that time, Executive Branch Agencies have declassified 720 million pages of classified information. The government declassified 127 million pages in FY 1999 alone. The number of "original classification authorities" decreased by 57, to 3,846. Steve Garfinkel, Director of the Information Security Oversight Office (ISOO), believes this is about as low as the Government can go. The CIA accounted for 44 percent of all classification decisions last year; DoD, 27 percent; NRO, 24 percent; Justice, 2 percent; State, 2 percent; and all others, 1 percent.

What can one do to help with this problem? Do not overclassify and place classified portions of documents in appendices whenever possible. The Executive Order tells us, "If there is significant doubt about the need to classify information, it shall not be classified". Too often, we take the easy road and just classify everything that is generated. Take the time to think about your classification decisions and ask the security staff to assist you in properly marking a classified document.

DCID 1/7 directs us to "prepare reports and products at the lowest classification level commensurate with expected damage that could be caused by unauthorized disclosure. When necessary, the material should be prepared in other formats (e.g., tear-line form, attachments) to permit broader dissemination or release of information." They practice what they preach in that the body of DCID 1/7 is unclassified but it has a Confidential supplement. For more on how the Executive Order is being implemented, see http://www.fas.org/sgp/isoo/isoo99.html

9. Classification Under the Atomic Energy Act. The devastating power of the atomic bomb, its dramatic role in ending the war, and the secrecy surrounding its development had a major impact on Congress and the American public. Postwar discussions on the control of the U.S. atomic energy program produced consensus that some special statutory control over atomic energy was necessary. The Atomic Energy Act of 1946 was the first and, other than its successor, the Atomic Energy Act of 1954, the only U.S. statute to establish a program to restrict the dissemination of information. In the final version of the Atomic Energy Act of 1946, Congress established a special category of information called “Restricted Data.” Restricted Data was defined to encompass “all data concerning the manufacture or utilization of atomic weapons, the production of fissionable material, or the use of fissionable material in the production of power.” The Atomic Energy Act authorized the AEC to control the dissemination of RD, specifying as a prerequisite for access to this information that an individual must have a security clearance. The controls imposed by Congress on the dissemination of RD were unusually rigorous. Two particularly unique and significant aspects of RD warrant emphasis. First, a positive action is not required to put information into the RD category. If information falls within the Act’s definition of RD, it is in this category from the moment of its origination; that is, it is “born classified.” A second unique aspect of RD is that information does not have to be owned or controlled by the government to be classified as RD. Private individuals or organizations may originate RD, which then becomes controlled by the Atomic Energy Act. 
The circumstance could even arise in which an individual could originate RD and then not be allowed to possess it because of lack of security clearance or “need to know.” The Atomic Energy Act does not forbid an individual from generating RD, but, once RD is generated, the Act prohibits its communication to persons not authorized to receive it.

The Atomic Energy Act of 1946 was replaced on August 30, 1954, by the Atomic Energy Act of 1954. Major changes from the 1946 Act included an increased emphasis on wider dissemination of atomic energy information, to make more of it accessible to U.S. industry and to the world. Access to more atomic information by U.S. industry was necessary for the development of nuclear reactors for commercial production of electric power. This information was provided to the rest of the world as a consequence of President Eisenhower’s Atoms For Peace initiative, presented in a speech to the United Nations on December 8, 1953, and the President’s desire to provide certain RD concerning industrial applications of atomic energy to “friendly” nations.

With the passage of the Atomic Energy Act of 1954, the United States had changed a basic assumption on atomic energy information control. Whereas in the 1946 Act the assumption was that helping countries to build nuclear reactors helped them to build atomic weapons, the 1954 Act supported assistance to other nations to build reactors and relied on the use of safeguards to prevent diversion for military purposes. Thus, a consequence of the 1954 Atomic Energy Act was an acceptance that nations with nuclear reactors would gain the capability to produce nuclear weapons.

The 1954 Act also encouraged wider dissemination of classified atomic energy information to commercial enterprises by establishing different kinds of personnel clearances that depended upon the classification of the information that an individual could receive. Full clearances (access to any classified data) continued to require “Q” clearances, but under the 1954 Act the Commission established “L” clearances whose holder could have access to Confidential atomic energy information (also termed, at that time, “gray areas” of information).

The cumulative effect of the above-mentioned changes in the Atomic Energy Act was substantial. However, the Atomic Energy Act of 1954 neither significantly changed the definition of RD nor relinquished the AEC’s statutory control of RD.

FRD (Formerly Restricted Data)
The 1954 Act allowed the removal of certain weapons-related information from the RD category and specified that this information could be placed in a new category (subsequently designated as FRD):

The Commission shall remove from the Restricted Data category such data as the Commission and the Department of Defense jointly determine relates primarily to the military utilization of atomic weapons and which the Commission and the Department of Defense jointly determine can be adequately safeguarded as defense information: Provided, however, that no such data so removed from the Restricted Data category shall be transmitted or otherwise made available to any nation or regional defense organization, while such data remains defense information, except pursuant to an agreement for cooperation entered into in accordance with Section 2164(a) of this title.

"Defense information" was defined by the Act to mean "any information in any category determined by any Government agency authorized to classify information respecting, relating to, or affecting the national defense." This new FRD category of atomic energy information dealt mainly with military utilization of nuclear weapons, not their design and development. FRD could be made accessible to military personnel on the basis of their military security clearances; special security clearances required for access to atomic energy information were not required.

* The current counterpart of "defense information" is National Security Information as defined by Executive Order 12356.

The 1954 Act provided that RD placed in the FRD category may also be published (presumably after being declassified):

In the case of Restricted Data which the Commission and the Department of Defense jointly determine to relate primarily to the military utilization of atomic weapons, the determination that such data may be published without constituting an unreasonable risk to the common defense and security shall be made by the Commission and the Department of Defense jointly, and if the Commission and the Department of Defense do not agree, the determination shall be made by the President.

Note that the test for declassification of FRD is "unreasonable risk" as contrasted to "undue risk" for declassification of RD. The same "unreasonable risk" test is used in the sections of the 1954 Act dealing with international cooperation. Restricted Data may, if special conditions have been met, be shared with other nations if such sharing "will not constitute an unreasonable risk to the common defense and security." Yet another test is described with regard to access to RD by employees of the AEC (now the Department of Energy and the Nuclear Regulatory Commission) and its contractors. For such access a determination must be made that such access "will not endanger the common defense and security."

Access to/Marking Classified Documents in accordance with Atomic Energy Act. The following chart illustrates the access authorized by clearance level:

Access    RD          FRD         NSI
Q         TS, S, C    TS, S, C    TS, S, C
L         C           S, C        S, C

Legend:
RD = Restricted Data; FRD = Formerly Restricted Data; NSI = National Security Information
Q = Top Secret; TS = Top Secret; S = Secret; C = Confidential; L = Secret

An active access authorization alone does not grant access to information. It is the information holder’s responsibility to ask the question—“Do you have the need to know?” DOE defines “need to know” as follows:

…a determination by persons having responsibility for classified information or matter, that a proposed recipient’s access to such classified information or matter is necessary in the performance of official or contractual duties of employment under the cognizance of the Department of Energy.

MARKING:

Marking documents is a finite process. This is the age of change, so document marking is part of the process – particularly in the areas of bringing DoD and DOE onto a common ground.

DOE Manual 471.2B defines specific marking requirements for:

  • Originally Classified Documents
  • Derivatively Classified Documents
  • Special Documents, such as:
  • Classification extensions
  • Foreign Government information
  • Atomic Energy information
  • Transmittals
  • Non-documents (maps, hardware, software, film, objects, etc.)

LEVEL--the highest classification level contained in the document is placed at top center and bottom center of each page of the document.

CATEGORY--RD, FRD or NSI. If any page of the document contains RD or FRD this must be included at the top and bottom of each page with the level (i.e., Secret/RD). The lower left corner of the cover page and title page (if any) and first page must be marked with the Restricted Data, or Formerly Restricted Data Stamp. If it is not identified as RD or FRD, the document is assumed to be NSI (National Security Information). NSI documents must be portion marked by paragraph after reviews by a DERIVATIVE CLASSIFIER.

ORIGINATOR IDENTIFICATION—the first page of a document must show the name and address of the organization responsible for preparation and the date of preparation.

DERIVED FROM—identifies the source used as the basis for classification.

For NSI documents: “Classified by” includes the name and position title of the classifier. “Derived From” includes the identity of the classification source. “Declassify On” is a specific date/event upon which the document may be declassified; or 10 years from the date of original decision; or a declassification exemption code.

For RD and FRD documents: DOE M 475.1-1 requires a “Derivative Classifier” line with name and position title of the classifier of the document, classification source or guide, and date.

Letters of Transmittal

When attached to classified matter, the first page of transmittal documents must be conspicuously marked with the highest classification level of any information transmitted by it; and must also contain the appropriate instructions indicating its level of classification when separated from the classified attachments.

Marking Information Other than Documents

For marking special types of material, such as computer hardware and software, objects, charts, maps, drawings, photographs, film, and recordings, please contact the Classified Document Control Center (CDCC) or the Classified Matter Protection and Control Program Manager located at Department of Energy (National Nuclear Security Administration) at (925) 422-2242 for precise instructions.

Your responsibility…

If you believe that information in your possession is inappropriately classified (or unclassified), you are expected to bring your concerns to the attention of a DOE Classification Officer at the CDCC phone number above.

There are many other caveats for marking contents: such as multiple sources for classification; reports; binders; subjects; unclassified pages within a classified document. This is why it is essential to contact the CDCC for current rules.

10. Properly Marking Classified Documents Subject to EO 12958.
Classified documents must be marked to ensure the reader understands:

  • The magnitude of the damage to national security that could occur if the information were disclosed to unauthorized personnel (OVERALL MARKINGS)
  • The highest level of information within a section, part, or paragraph (PORTION MARKINGS)
  • Who is the original classifier (CLASSIFIED BY)
  • The authority under which we classified the information (DERIVED FROM)
  • The reason (from section 1.5a-g of EO 12958) the information is classified (REASON)
  • How long the document should remain classified. (DECLASSIFY ON)

The “Classified By” and “Reason” lines are normally only on originally classified documents.

11. Derivatively-classified documents. Industry creates only derivatively-classified documents. A derivatively-classified document must have at least two lines - the "Derived From" line and the "Declassify On" line but you may include the "Reason" line also.

The purpose of the "Derived From" line is to link the derivative classification applied to the material and the source document or classification guide under which it was classified.

In some cases, you may have extracted information to go in your report from more than one source document or you may have used more than one Security Classification Guide (SCG) for security guidance. In this case, you would put "Multiple Sources" in the "Derived From" line and maintain a record that supports the classification for the duration of the contract. This record may be a bibliography in the document itself or a listing maintained with the record copy of the document.

The "Declassify On" line will reflect an event or a date that is no more than 10 years from origin of the document. For example, "Declassify On: Cessation of Desert Storm Operations". But, we know some information is so sensitive that it must remain classified for longer than 10 years. EO 12958 recognizes this and says, "An original classification authority may extend the duration of classification or reclassify specific information for successive periods not to exceed 10 years at a time if such action is consistent with the standards and procedures established under this order". This is when the "Exemption Categories 1-8" are used. When an X1-8 follows the "Declassify On" line, it means that document will probably remain classified for at least 20 years.

12. What is the status of the perhaps "tens or hundreds of thousands" of classified documents (over 25 years old) expected to be declassified as a result of EO 13142 (which extended the deadline for declassification from last May until at least October 14, 2001)? EO 12958 tasked all Executive Branch Agencies to review all of their holdings over 25 years old and to declassify them or seek exemption before April 17, 2000. This effort has not gone as well as hoped. EO 13142 extended the deadline for most documents to next October. For documents in which "two or more Agencies have an equity" and documents "pertaining to intelligence sources and methods", the new deadline is now April 17, 2003.

13. Employee Reporting obligations. Cleared individuals have a responsibility to report any suspicious contacts to the security office. This includes:

  • Efforts by any individual, regardless of nationality, to obtain illegal or unauthorized access to classified information or an attempt to compromise you in any way
  • All contacts with known or suspected intelligence officers from any country
  • Any contact which suggests you may be the target of an attempted exploitation by the intelligence services of another country

In addition to reporting suspicious contacts to the University Research Security Officer, you are also required to report:

  • A change in your name
  • A marriage or divorce
  • A change in your citizenship

If you enter into a business relationship with a foreign national, a foreign company, or a foreign country or one of its Agencies, then you have become a "Representative of a Foreign Interest" or RFI. You must report this to the University Research Security Officer. For instance, if you pump gas for British Petroleum on the weekend - you are an RFI and this must be reported. Does this mean you will lose your security clearance? Not necessarily and in the above case, probably not - each case is examined independently.

*14. Is my voluntary participation in an alcohol or drug abuse rehabilitation program considered to be adverse information and reportable?

  • Self-enrollment in a rehabilitation program is not necessarily reportable. However, alcohol and drug abuse, or observation of behavior which is indicative of alcohol or drug abuse is reportable.
  • Mandatory enrollment in the University's Employment Assistance Program is reportable.
  • Refusal to accept rehabilitation assistance when offered is reportable.
  • Incomplete or unsuccessful participation in a rehabilitation program is reportable.
  • Keep in mind that an adverse information report is not the sole basis for suspension or revocation of a clearance.

15. Security Escorts. Sometimes it is necessary to bring an uncleared person into a secure area. Although not probable, the uncleared person could be a threat to sensitive and/or classified information and is required to be escorted. Most of the time, the escort will be from the Laboratory's Security Office. However, if you are the escort, what are your responsibilities?

  • Make sure the occupants of the area to be entered understand that you are about to bring an uncleared person into their area
  • Notify the occupants BEFORE you bring the person in so the area can be sanitized, things can be put away, doors can be closed, etc. to preclude the person obtaining visual access to classified information or overhearing a classified conversation
  • Accompany the person everywhere he/she needs to go
  • Ensure the visitor removes no classified information or materials from the area
  • Make sure the visitor does not tamper with any security equipment unless they are there for that purpose
  • Ensure the visitor does not access any Information System (IS) unless it has been coordinated with the Security Staff and/or the computer support staff
  • Do not answer any curious questions about what is going on in the spaces
  • Ensure that upon leaving, the visitor is not lagging behind you and that you have close control over their movement
  • Ensure the occupants know when you have escorted the uncleared person out of the spaces
  • Report any anomalies to the security staff

*16. Importance of wearing your security badges. It is important that you wear your badge when at a DOE Facility (LLNL, LANL, etc.).

Please wear your badge at all times while within a restricted Government Facility to make it a safer work place for everyone.

*17. Handcarrying classified materials. Sometimes mailing or faxing a document is not sufficient to meet time or other constraints and you are designated (must be in writing) as a courier to handcarry the classified document to its destination. The following are some basic rules to remember if you are a courier:

  • If you have an early morning flight, you cannot take the materials home with you the night before
  • The materials must be double-wrapped with the recipient's name on the inside wrapper
  • You must obtain a receipt for the package when you turn it over to the recipient
  • If you must stay overnight at your destination, you must store the materials at a cleared contractor facility or at a government facility - you cannot keep it in your hotel room
  • Your trip itinerary should be directly to the storage facility - do not go out to dinner or stop by the hotel first
  • If you return with your package, ensure you take it directly back to the specified facility for storage - do not keep it at your home overnight
  • If you left the package at your destination, give the receipt to the security staff upon your return

*18. Using computers to process classified information. This is our biggest security challenge. As information technology has changed, the Government has tried to keep up, as evidenced by the new Chapter eight (AIS) to the NISPOM and a new DCID 6/3 for SCIF IS operations. The first things you need to understand are the three attributes of information: Confidentiality, Integrity, and Availability.

Confidentiality - this is something we are used to - safeguarding the information - ensuring that only individuals with a "need-to-know" get to see the information in question. The "Level of Concern" for Confidentiality is characterized as either High, Medium, or Basic. If you are processing any kind of Intelligence information, then your Level of Concern for Confidentiality is always "High".

Integrity - this is protection against unauthorized modification or destruction of information. It is easy to see that the Level of Concern for the Integrity of threat data files is High, since an F-15, F/A-18, or F-16 pilot dies when his radar warning receiver or jammer does not work properly because the threat data has been modified. On the other hand, the concern for Integrity may be Basic or Medium for other classified information we are processing.

Availability - this is the timely, reliable access to data and information services for the authorized user. Availability pertains to both the information itself and the information systems or networks. If we are providing real-time support to tactical programs, our Level of Concern for Availability may be High. If we are simply accomplishing research for which there is a great tolerance for delay, our Level of Concern may be Basic.

*19. Protection of laptops. Since we are purchasing and using more and more laptop computers, we must remember that with the mobility of the machines comes a threat. Please protect your laptop when you are on the road. Unscrupulous individuals are interested not only in your hardware but also in the information you store on that laptop. The article below emphasizes why any sensitive information on your laptop should be encrypted or stored on removable media.

http://www.computerworld.com/cwi/story/0,1199,NAV47_STO54791,00.html

*20. Summary/Wrap-up/Documentation. This completes your annual security refresher briefing for 2001. We discussed that the Threat is very much alive and is especially threatening to our information systems. We talked about the continuing problem with the security clearance backlog and the possible impact of the new "Smith Amendment". We know from this briefing that the policies for protection of classified information originate from Executive Orders - the latest being 12958 - and from the Atomic Energy Act - the latest being the Atomic Energy Act of 1954. We learned there is a new NISPOM Chapter 8 that dictates the implementation of a number of technical countermeasures depending on the "Protection Level" of the system or network. We were reminded of the threat to the information we store on our laptops. We were told that as Program Managers, we need to periodically review our classified holdings to ensure they are kept to a minimum. We reviewed the rules for handcarrying documents and escorting an uncleared visitor. We were told about our reporting responsibilities as cleared personnel. We were also reminded of the reason we should wear our badges at all times while within restricted Government Facilities.


ACKNOWLEDGEMENT

    Please email Willie Archie to acknowledge that you have read this version of the University of California 2001 Security Refresher Briefing. Include the following statement in the body of your message:

    I acknowledge receipt of the University of California 2001 Security Refresher Briefing in compliance with U.S. Department of Energy and U.S. Department of Defense security requirements.

    It is important to include your name after the above statement.

    We will be contacting you if your email statement is not received by November 30, 2001.

    Thank you.

    willie.archie@ucop.edu