Headquarters Information Security Program
Office of Headquarters Security Operations
HSO SPOTLIGHT No. 017-2008 Accountable Classified Removable Electronic Media (ACREM)
| What is the issue: |
Performance testing ACREM check
out and transfer process |
| Why do we need this?: |
To ensure ACREM transfers are properly
conducted in accordance with current CMPC policy |
| Who is impacted?: |
ACREM Custodians, Alternate Custodians,
Emergency Custodians, and ACREM Users |
| What does the HSO need to do?: |
Disseminate this
information to your ACREM Custodians, Alternate
Custodians, Emergency Custodians, and ACREM Users
|
The Office of Independent Oversight, within the Office
of Health, Safety and Security (HSS), conducted a
recent security inspection of DOE Headquarters. The
inspection evaluated the performance of responsible
Headquarters Elements across the spectrum of protection
related topical areas including Classified Matter
Protection and Control (CMPC). One item noted was
the need to reemphasize the requirement that the ACREM
check out and transfer process between ACREM custodians,
alternate ACREM custodians, and users is performance
tested.
DOE M 470-4.4, "Information Security," Section
A, Paragraph 4.c.(1)(b) states, "A formal and documented
ACREM check out and transfer process must be implemented
to record all ACREM transfers between ACREM custodians,
alternate ACREM custodians and users. This process
must be performance tested to ensure its effectiveness
and must include:
- Return of ACREM checked out from its normal storage
location to its normal storage location at the close
of the work shift;
- Personal responsibility for the ACREM by the individual
who checked it out (has it formally transferred
to his/her control) until it is formally returned
to its approved storage repository;
- Training for all affected employees regarding
ACREM procedures.”
Effective immediately, the following ACREM Performance
Testing Procedures will be implemented:
1. ACREM performance testing of ACREM custodians,
alternate custodians and ACREM users will be conducted
every six months by any of the following personnel:
- assigned organizational HSO; or
- Other knowledgeable person appointed by the
HSO; or
- a representative from the Headquarters Survey
Program.
2. At a minimum, the ACREM performance testing will
consist of the following:
- Review of ACREM training records to ensure all
ACREM custodial personnel and ACREM users have
received ACREM training
- Physically locate/validate that the ACREM log
accurately records who has control of a random
sampling of ACREM at any given time
- Interview randomly selected ACREM custodians
and users regarding their knowledge of the proper
transfer, use, handling, and storage of ACREM.
Some examples of questions that might be asked
are:
- Who is your ACREM Custodian and alternate
custodian?
- Can you store ACREM in your safe overnight?
- Describe the process you use when reproducing
ACREM.
- When is permission required from the Cognizant
Security Authority (CSA) to reproduce ACREM?
- What are the requirements for annotating the
SF 700 when using a security container with
an XO-series lock for storing ACREM?
3. ACREM Performance Testing records shall be maintained
by the individual conducting the performance testing.
A copy of the performance testing record must also
be forwarded to the assigned organizational HSO to
be maintained with his or her HSO records.
The Headquarters Facilities Master Security Plan,
Section 21, "Storing and Handling Classified Electronic
Media" will be revised in the future to reflect
this ACREM Performance Testing requirement.
If you have any questions regarding this HSO Spotlight,
please contact the Information Security Program at
(301) 903-9990.
This page was last updated on
January 17, 2012
|
 |
