Information Security: DOE M 470.4-4A, Information Security, establishes security requirements for the protection and control of information and matter required to be classified or controlled by statutes, regulations, or DOE directives. Common information security topics are addressed below.

Q: Why were many of the national requirements removed from the new DOE M 470.4-4A, Information Security?

A: Secretary Bodman's memo of September 10, 2007 required: "Departmental directives shall not duplicate or be inconsistent with applicable laws or regulations. To the extent possible, directives also should be written so that they are consistent with or incorporate widely accepted national standards." Requirements were removed to comply with this Secretarial initiative.

Q: How do I know which laws and regulations are applicable?

A: DOE M 470.4-7, Safeguards and Security Program References, lists applicable references for the DOE 470-Series Security Manuals. In addition, applicable references for DOE M 470.4-4A, Information Security, have been added to that Manual and its Contractor Requirements Document for easy reference. Further, the Office of Security Policy is developing a web application to maintain a current list of these references, provide a limited search feature and give a current web-based link to these national level policies/references. The Office of Health, Safety and Security (HSS) plans to place this application on its web site in 2009.

Q: Why should I have a new or updated document reviewed by a classifier if it only contains information that was marked as Unclassified, even though the information was extracted or copied from a classified document?

A: The review provides protection for the author as well as for the information. Whenever information is taken from a classified document and placed into another document, it obviously came from a classified subject area. If you are not an expert in that subject area, you may not realize that combining that particular piece of unclassified information with other unclassified information may result in a compilation: pieces of information that are unclassified when separate become classified when joined together. For example, a date and a location may not be classified when presented by themselves. However, if you add a third fact, such as a planned meeting topic, to the mix, the result may become classified.

Q: Why does the Department establish and require specifically-defined protection of Accountable Classified Removable Electronic Media (ACREM) when other U.S. Government agencies do not?

A: Based on several past incidents at the Department, and the potential for losing large quantities of classified information regarding nuclear weapons via one or a small number of electronic media, the Deputy Secretary of Energy established additional requirements for protecting and accounting for classified electronic media that contain the most sensitive information for which DOE is responsible.

Q: The Information Security manual states, "ACREM may be reproduced when any of the data that resides on a piece of ACREM is to be copied onto a piece of media that has already been placed into the formal accountability system, provided there are no other limitations. Permission is required from the DOE cognizant security authority before copying any of the data that resides on a piece of ACREM onto a piece of media that has not already been placed into the formal accountability system." This appears to be unnecessary and does not increase security or accountability for these assets; why am I required to place such media into accountability before copying any information onto it?

A: CREM is an acronym for Classified Removable Electronic Media, and ACREM is Accountable CREM. This particular requirement applies to certain cases that were identified after the CREM/ACREM requirements were established at the direction of the Deputy Secretary of Energy. Generally, ACREM is copied onto other ACREM. If, for example, unclassified information is copied from ACREM to non-ACREM, the DOE CSA's authority and approval are required and the receiving media is subject to accountability. To clarify the intent of this requirement, proposed Manual 470.4-4A, Information Security, contains the following replacement for this paragraph.

"When any of the data that reside on a piece of ACREM (source media, in this case) is moved to, or reproduced on, another piece of media, the receiving media immediately becomes (or remains) accountable because it must be assumed to contain that which made the source media accountable, until proven otherwise and approved by the DOE CSA."

Q: Why do I have to have Classified Matter Protection and Control (CMPC) training if I don't have responsibility for a safe or repository?

A: Training is required by various national directives, such as the National Industrial Security Program Operating Manual and 32 CFR Parts 2001 and 2004, Classified National Security Information Directive No. 1, the latter of which states, in part:

  1. General. Each department or agency shall establish and maintain a formal security education and training program which provides for initial and refresher training, and termination briefings. This subpart establishes security education and training standards for original classification authorities, declassification authorities, security managers, classification management officers, security specialists, and all other personnel whose duties significantly involve the creation or handling of classified information. These standards are not intended to be all-inclusive. The official responsible for the security education and training program may expand or modify the coverage provided in this part according to the agency's program and policy needs.

  2. Elements of initial coverage. All cleared agency personnel shall receive initial training on basic security policies, principles, practices, and criminal, civil, and administrative penalties. Such training must be provided in conjunction with the granting of a security clearance, and prior to granting access to classified information. The following areas should be considered for inclusion in initial briefings.
    1. Roles and responsibilities,
    2. Elements of classifying and declassifying information,
    3. Elements of safeguarding.

  3. Specialized security education and training. Original classification authorities, authorized classification authorities, individuals specifically designated as responsible for derivative classification, classification management officers, security managers, security specialists, and all other personnel whose duties significantly involve the creation or handling of classified information should receive more detailed training. This training should be provided before or concurrent with the date the employee assumes any of the positions listed above, but in any event no later than six months from that date.

Q: Why was non-standard storage removed from the Information Security Manual?

A: By definition, non-standard storage (NSS) differs from normal storage conditions and from the ability to meet typical requirements. Given this divergence from the norm, and the wide dissimilarities from one instance of NSS conditions to the next, policy was previously changed so that NSS was treated as a deviation rather than as an ordinary process. However, the current information security manual (DOE M 470.4-4A) contains sections on 1) Non-conforming Storage, to address classified matter that cannot be protected by the established standards and requirements due to its size, nature, operational necessity, or other factors; and 2) Permanent Burial, to address permanent placement of classified matter.

Q: Regarding the reproduction section of the Information Security manual, why not just recognize that all accountable CREM will be placed into accountability?

A: The associated requirement was written as a result of extensive discussions with individuals from various sites and programs regarding their local implementations. On some occasions it was asserted that some of the data from a piece of ACREM could be copied onto separate media in such a way that the new media would not contain information requiring it to be placed into accountability, and that the new media would therefore not need to be marked at the accreditation level of the system where the source ACREM resided. The expanded language in the Reproduction section is, in part, responsive to this scenario.

So, if someone creates a new piece of ACREM, he or she must place it into accountability before writing any information to it that would make the media accountable, or before placing it into an information system that is accredited for S/RD or higher. No CSA action is required in these cases. However, to EXTRACT a file (say, an unclassified document or appendix) from a piece of ACREM to media that will not be designated as ACREM, the process for doing so, and for ensuring that ACREM is not inadvertently created, requires Classification Officer and Designated Approving Authority involvement and CSA approval.

To clarify the intent of this topic, proposed Manual 470.4-4A, Information Security, contains the following: "When any of the data that reside on a piece of ACREM (source media, in this case) is moved to, or reproduced on, another piece of media, the receiving media immediately becomes (or remains) accountable because it must be assumed to contain that which made the source media accountable, until proven otherwise and approved by the DOE CSA."

Q: Does classified matter that is going to be destroyed have to be protected (but not stored) and controlled until it is finally destroyed?

A: Yes, classified matter must be protected and controlled until it is finally destroyed. For classified matter to be protected and controlled, it must either be "in use" (constantly attended by, or under the control of, a person possessing the proper security clearance and need-to-know) or securely stored in an approved secure storage repository (i.e., a vault, safe, or vault-type room).

Q: I am the ACREM Custodian. Do I have to destroy my ACREM, or can I delegate it to someone?

A: As ACREM Custodian, you would not have to destroy your ACREM personally unless local procedures require it. However, an individual who is authorized access to the ACREM must accompany the matter to the destruction site and witness the destruction, including inspecting the residue. To remove the ACREM from accountability, a copy of the destruction certificate certifying that the ACREM was destroyed must be presented to you as the ACREM Custodian. The certificate must include the name of the individual who validated the destruction.

Q: What is the NISPOM and how does it apply to DOE?

A: The National Industrial Security Program Operating Manual (NISPOM) is the implementing directive for the National Industrial Security Program (NISP), which was established by Executive Order 12829 to achieve common standards for protecting classified information held by contractors, licensees, and grantees of the Federal Government. National security requires that this information be safeguarded to a standard equivalent to its protection within the executive branch. The NISP is applicable to all executive branch departments and agencies. Under the Atomic Energy Act of 1954, as amended (AEA), DOE is responsible for controlling the protection, classification, dissemination, and declassification of Restricted Data and Formerly Restricted Data. Concurrently, under the NISPOM, the Secretary of Energy retains authority over information classified under the provisions of the Atomic Energy Act of 1954, as amended. Moreover, security cognizance over the Department remains with the Department of Energy. Thus, DOE retains responsibility for security administration regarding classified activities and contracts under its purview.

Q: Why must I remove my DOE/Site parking pass/DOE Badge from open view when I leave DOE property?

A: Your parking pass and badge reveal information about you. There are several reasons to remove parking passes from open view (and, similarly, to protect badges). These include considerations of personal safety as well as personal and organizational security. From a safety perspective, a parking pass hanging from a rear-view mirror can obstruct a driver's vision. Additionally, the parking pass or badge provides information about you that may be useful to a stranger who intends you harm, or to an adversary or competitor of your organization or the Federal Government. Significant concerns include turning you and/or your car and its contents into a target of opportunity (breaking into your vehicle to steal the pass, or creating a counterfeit pass or badge based on visual access to yours). Such release of relatively small amounts of information (e.g., parking passes, the individuals who possess them, and how they are used) may be combined with other public or unprotected information to permit an aggressor to defeat access control processes, disrupt missions/operations, or otherwise compromise important activities.

Q: What is the difference between the terms Electronic Storage Media (ESM) and Classified Removable Electronic Media (CREM), as used in DOE M 470.4-4, Information Security?

A: Electronic storage media (ESM) is the general term for all electronic storage media: it does not have to be classified or removable, whereas CREM must be both classified and removable. Additionally, the term ACREM is used for accountable classified removable electronic media. Given these definitions, ACREM is a subset of CREM, and CREM is a subset of ESM.

Q: When may I consider classified electronic storage media (ESM) to be unclassified?

A: Generally, DOE M 470.4-4A, Information Security, does not permit classified ESM to be removed from accountability, downgraded or declassified if the ESM provides any potential access to information that made/makes it accountable or classified at a specific level and/or category. The basic performance requirement is that no classified information is present or recoverable before any of these actions are permissible. The DOE Office of the Chief Information Officer promulgates policy indicating approved methods for accomplishing the sanitization, clearing and destruction of electronic media for use in determining the proper classification and accountability status of ESM.

Q: On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a memorandum establishing policy panels to increase feedback from the implementers of DOE policy. How will the Information Security policy panel be organized?

A: The Information Security Policy Panel (ISPP) is divided into three separate Policy Panels: Classified Matter Protection and Control (CMPC), Operations Security (OPSEC), and Technical Surveillance Countermeasures (TSCM). The policy panels are organized to provide expert opinion to the Office of Security Policy on policy implementation issues, legal and technology factors that affect information security policy and other relevant topics as they are identified. Temporary or permanent subcommittees may be formed as needed to provide specific input to issues raised, and participants or topics may span across more than one of the ISPP sub-elements as needed. HSS will attempt to leverage technology to conduct meaningful panels without the financial and administrative burden posed by many face-to-face meetings. Meetings may consist of teleconferences, videoconferences and in-person events.

Q: Does the Information Security manual apply to anything besides paper documents?

A: Yes, the Information Security manual applies to all classified information, in all forms. These forms include, but are not limited to, paper, electronic, parts, waste, and auditory (for example, spoken information). Although this manual provides requirements for all classified information, other DOE directives provide additional requirements for certain forms of classified information. Two prime examples are the requirements for protecting classified special nuclear material (SNM), which are found in DOE M 470.4-2, Physical Protection, and DOE M 470.4-6, Nuclear Material Control and Accountability, and the cyber security requirements (for classified information in electronic form) that are promulgated by the DOE Office of the Chief Information Officer (OCIO).

For information in electronic format, the Information Security manual provides the general requirements for protecting classified information, which apply regardless of form, and it also provides requirements for protecting the physical aspects of classified (cyber) information. Please note that the following examples do not include all relevant requirements; they are provided here only for illustration.

Examples of General Requirements:

  • Classified information and matter that is generated, received, transmitted, used, stored, reproduced, or destroyed must be protected and controlled.
  • Controls must be established to prevent, deter, and detect unauthorized access to classified matter.
  • Classified information may be disclosed only to individuals who have appropriate access authorization for the level and category of the information involved, all required formal access approval(s), and a legitimate need-to-know.

Examples of Physical Aspect Requirements:

  • All classified information systems media must be marked with the accreditation level of the information system unless an appropriate classification review has been conducted. All classified electronic storage media (ESM) must have the overall classification level and category (if RD or FRD) visible on the front and back.
  • Classified Removable Electronic Media (CREM) that contain Sigma 1, 2, 14, or 15; a combination of nuclear weapons design/test data; or Top Secret or Special Access Program (SAP) matter must be separated from and not commingled with other classified information/media.
  • Vaults or VTRs that are used to store ACREM must be configured to provide limited access to ACREM by only the ACREM custodian(s) or alternate ACREM custodian(s).

Q: Does the Information Security manual address verbal discussion of classified information?

A: Yes, the Information Security manual addresses the auditory form of classified information in Section A, Paragraph 2, which states, in part:

  • Classified information and matter that is generated, received, transmitted, used, stored, reproduced, or destroyed must be protected and controlled.
  • Buildings and rooms containing classified matter must be provided the security measures necessary to deter unauthorized persons from gaining access to classified matter; specifically, security measures that prevent unauthorized visual and/or aural access.
  • Classified information may be disclosed only to individuals who have appropriate access authorization for the level and category of the information involved, all required formal access approval(s), and a legitimate need-to-know.

Q: What is an "Ad Hoc Working Group" as used in the Information Security Manual?

A: An Ad Hoc Working Group (AHWG), in the context of the manual, is a formally defined (documented by or in accordance with line management) group of individuals participating in a specific activity, project or group of activities in which all members have been determined to have the appropriate access authorization, any required formal access approvals, and need-to-know. The AHWG must have the ability to limit access to on-line activities to only those members of the AHWG and use that ability when transmitting classified information which is not marked as a final document. Limiting access to on-line information is essentially a cyber security issue. Questions regarding requirements and guidance for such access limitations should be directed to the DOE Office of the Chief Information Officer.

This terminology was developed primarily to allow a defined group of individuals the ability to work together on draft documents without requiring any individual document to be marked as a final document just because control of the document changed from one person to another in the same working group. Each AHWG is required to be formally defined to increase the assurance that all marking and other requirements are met and that individuals are accountable for classified matter entrusted to them.

Q: What were the major changes for the Information Security manual when DOE M 470.4-4 Change 1 was published?

A: The manual was changed to reflect input from various field/program activities and updates to CMPC requirements. These changes were designed to allow more efficient application and management of program resources and to provide increased flexibility in implementation of departmental security requirements, bounded by required performance levels. Changes include:

  • Requirements for protection, handling and accountability of Classified Removable Electronic Media (CREM) were changed to eliminate unnecessary resource burdens while maintaining protection and accountability by:
    • modifying the number of allowable custodians/alternate custodians based on site-specific procedures, operational need and associated risk;
    • providing for appropriate temporary storage of ACREM when necessary;
    • modifying required inventory frequency, depending on risk and other site-specific factors.
  • The current Confidential Foreign Government Information-Modified Handling Authorized (C/FGI-MOD) coversheet was replaced with an updated version.
  • Marking requirements for automated information system hard copy output were clarified.
  • A new intelligence dissemination marking, Releasable by Information Disclosure Official (RELIDO), was added.
  • Office names were changed to conform with DOE organizational changes (e.g., Office of Security to Office of Health, Safety and Security).

Q: The Operations Security section of the Information Security manual refers to Critical Program Information (CPI). Is this just a form of Official Use Only information?

A: Critical Information is not a subset of OUO or FOUO. Qualifying for either marking is not a prerequisite for information to be Critical in this context. CPI has its basis in National Security Decision Directive (NSDD) 298, National Operations Security Program. This information includes specific facts about friendly intentions, capabilities, and activities vitally needed by adversaries for them to plan and act effectively and guarantee failure or unacceptable consequences for friendly mission accomplishment. Further, this information may be OUO, UCNI and/or classified and still meet the CPI threshold.

Q: If a document is received from another agency (e.g., DOD) and the classification markings do not meet current requirements, is the receiving organization required to re-mark the document? (Implicit in the question is that the document has been properly classified, just the marking is in question).

A: As long as the classification level and category are correctly marked on the document, DOE is not required to re-mark other agency documents. If it is necessary to completely and correctly mark a document from another agency, the other agency should be contacted regarding the marking, or the document should be returned to that agency for correct markings. There may be cases where the corrections are minor or the other agency has a waiver from the requirement in question. Contacting the sender would be necessary to determine whether or not they have a waiver, or how to make the appropriate corrections to the document.

Q: Where on NSI-only documents should we put the new "Derivative Declassifier Review Required Prior to Declassification" stamp?

A: According to the Office of Classification, there is no requirement for the exact placement of the marking. However, for clarity, it is suggested that it be placed on the first page of the document, near the classification stamp that carries the "Declassify On" line. That way it serves as a reminder that the document is not automatically declassified, as that line may seem to indicate. The marking should be legible and should stand out apart from both the classifier stamp and any other text.

This page was last updated on November 06, 2009
U.S. Department of Energy | 1000 Independence Ave., SW | Washington, DC 20585