Security Policy

Program Planning and Management: S&S program planning and management is integrated with other programs such as physical protection, protective force (PF), information security, personnel security, and nuclear material control & accountability (MC&A). The following FAQs will help in better understanding some of the common topics within program planning and management.

Q: Are contractor organizations permitted to retain or to store on behalf of federal site offices, the SF-312s (Classified Information Nondisclosure Agreement) signed by their employees?

A: The Information Security Oversight Office (ISOO) is responsible for requirements pertaining to the SF-312, which is a binding legal agreement between an individual who holds a security clearance and the federal government. ISOO's implementing requirements for the SF-312, which are found in Title 32, Code of Federal Regulations (CFR) Section 2003.20, state that a contractor may retain an SF-312 signed by its employee "during the time of employment." Upon the employee's termination, the contractor must deliver the SF-312 to the Government agency primarily responsible for the employee's classified work. Contractors may not hold or store the SF-312 after the termination of employment. The SF-312 is a scheduled federal record, and as such must be delivered promptly to the custody of the appropriate federal entity, which must store it in accordance with the requirements promulgated by the National Archives and Records Administration (NARA) for the storage of federal records. These requirements are published in 36 CFR 1228, Subparts I through K. Having the records stored by a contractor violates the provisions of 36 CFR 1228. Violations of this section of the CFR are felony offenses under Title 18 of the United States Code (USC) Section 2071, with a prescribed penalty of a $2000 fine, 3 years in prison, or both. DOE federal employees should contact the Records Management Division, Office of the Chief Information Officer, for assistance in meeting the statutory requirements governing the handling of federal records.

Q: How will the new Graded Security Protection Policy affect the publication of the draft DOE M 470.4-1, Program Planning and Management manual?

A: The draft revision of DOE M 470.4-1 was held in abeyance until DOE Order 470.3B, Graded Security Protection (GSP) Policy (8/12/08) was finalized. Now that the GSP has been signed, the provisions contained in that document are being reviewed and incorporated as necessary into the draft manual. It is not anticipated that the GSP will have a major impact on the policy requirements contained in the manual; however, some revisions to the planning sections will be necessary to reflect the GSP.

Q: How often must security surveys of non-possessing contractors be conducted?

A: A non-possessing facility is the term for a contractor that does not possess classified information or matter, or SNM, at the contractor's place of business and only accesses such security assets at other cleared facilities. Non-possessing facilities are not subject to a comprehensive initial survey under the facility clearance program, but must have an initial review to ensure that they meet all the applicable requirements other than those which pertain to the storage and handling of classified on the premises. Regular surveys of the contractor's business premises are not required. However, a documented review of the contractor's facilities must be performed by the DOE cognizant security authority at least every 5 years. In addition, the contractor is subject to the security plans of the facilities where its employees are afforded access to classified information or matter or SNM, and any offices or other spaces occupied by the contractor's employees at those facilities are subject to and must be included in all the survey activities conducted on those premises. Non-possessing contractors must also file the annual certifications and reports of changes required of all contractors holding facility clearances, and must have a separate security plan on file with the DOE cognizant security authority covering the non-possessing contractor's security responsibilities.

Q: What are the conditions necessary for something to be a survey finding under the Program Planning and Management directive? Must a finding be something that fails to meet the requirements of a DOE directive, or can it also be something that is not required by DOE directive, such as a violation of a local directive?

A: DOE M 470.4-1 chg 1, Program Planning and Management, defines a finding as "any validated program deficiency (failure to meet a performance or compliance requirement) regardless of source." A deficiency need not be based solely on a DOE directive in order to be the basis for a valid finding. A deficiency might also arise, for example, from a failure to comply with a statutory or other legal requirement, such as a violation of a provision of the United States Code, a regulatory provision of the Code of Federal Regulations, or an Executive Order; a failure to meet a requirement in a Site Safeguards and Security Plan or Site Security Plan; an investigation by the Government Accountability Office (GAO) or the Office of the Inspector General; or an inspection by the Office of Independent Oversight. It is also possible that a finding might have a basis in multiple sources, such as in cases where a provision in a DOE directive is based on a national-level requirement found in a law, regulation, or Executive Order; or where a requirement in a DOE directive has been incorporated in a locally-issued procedure or instruction. Regardless of the source, all identified findings and corrective actions taken must be tracked until closed.

Q: When a contractor has contracts with several DOE offices at different locations, where should the security clearances for key management personnel (KMPs), who are cleared in connection with the facility clearance (FCL), be held? Can the clearances be held at any office which has a contractual interest in the individual?

A: Personnel security clearances for key management personnel of a contractor in this situation will normally be processed by the personnel security office that handles access authorizations for the DOE element which has the contract involving the highest classification level (Top Secret, Secret, Confidential) and category of information (Restricted Data, Formerly Restricted Data, National Security Information). In accordance with DOE M 470.4-1, chg 1 (Program Planning and Management), Part 2, Section I, Chapter 1, paragraph 1.e(4), that office is considered the cognizant security authority for the contractor. However, if all the contracts are at the same classification level and category, this paragraph allows for one office to be delegated by mutual agreement as the cognizant security authority for the contractor. In that case, the responsibility for holding the personnel security clearances of the KMPs would be included in the delegation and activities related to those clearances would be handled by the personnel security office which processes clearances for the cognizant security authority.

Q: I've heard that the Program Planning and Management Manual (DOE M 470.4-1) is being revised. Who is working on that revision and when will the new version be available for review?

A: HSS has initiated a major zero-based policy review effort to examine the content and format of the core safeguards and security directives in the 470.4 series. As part of that effort, the Program Planning and Management Manual is undergoing a comprehensive review by three working groups consisting of subject matter experts from throughout the DOE complex. Because of the complexity of this Manual, each group is looking at a single topical area.

  • The Program Planning group has been assigned to evaluate policies pertaining to such topics as safeguards and security program planning, site safeguards and security plans, resource planning, and vulnerability assessments.
  • The Implementation group has been evaluating topics related to FOCI determinations, facility clearances, safeguards and security training, security awareness programs, and control of classified visits.
  • The Evaluation and Feedback group is working on topics including performance assurance, surveys and self-assessments, and incidents of security concern.

When all of the groups have finished their reviews and initial drafts of their topical areas, the drafts will be combined and reviewed by an implementation-focused "red team." A review of the approach DOE uses for safeguards and security planning, which began in late 2007, delayed the final draft and review by the "red team." It is anticipated that the new planning document will be accepted in early July and work on the Manual will resume in mid-summer.

Q: Several DOE 470.4 series Manuals use the term "Departmental element." What does that term mean?

A: The term "Departmental Element" is a common-use term from the DOE directives system. DOE M 251.1-1B, Departmental Directives Program Manual defines Departmental Element: "First-tier organizations reporting directly to the Secretary, Deputy Secretary, or Under Secretaries. The National Nuclear Security Administration is a Departmental element. First-tier organizations at Headquarters include the Secretary, Deputy Secretary, Under Secretaries, and Secretarial Officers (Assistant Secretaries and staff Office Directors). First-tier organizations include managers of the field offices and Administrators of the Power Marketing Administrations." The latest list of Departmental Elements can be found at: http://www.directives.doe.gov/pdfs/reftools/org-list.pdf.

Q: Are there any resources available within DOE for people involved in developing and managing a security awareness program as required in DOE M 470.4-1?

A: Yes. The National Training Center (NTC) offers a four and one-half day introductory course, Safeguards and Security Awareness Coordinators' Training, for individuals who are involved in developing, implementing, and maintaining security awareness programs. More information on the course is available on the NTC website at http://www.ntc.doe.gov/docs/NTCCourseCatalog_Final.pdf. The Security Awareness Special Interest Group (SASIG) is an active networking group of Federal and contractor personnel involved with safeguards and security awareness programs. The members of SASIG work to promote safeguards and security awareness within the DOE, assist sites and facilities in carrying out the security awareness program requirements and share security awareness resources. Membership is open to anyone with a work-related interest in promoting security awareness, and there is no membership fee. More information about SASIG, including how to join the group, is available on the SASIG website at http://www.orau.gov/sasig/.

Q: What is expected of an organization which assumes security cognizance for another site? Are there specific duties and services that the organization with security cognizance has to provide?

A: An organization which is listed as the cognizant security authority for another location is expected to be able to perform specific security functions on behalf of the client location. Those security duties and services include but may not be limited to surveys to determine security requirements, review and storage of safeguards and security plans and other documents, oversight activities, FOCI considerations, registration of a facility clearance, personnel security clearance activities, and SSIMS entries. In accordance with DOE M 470.4-1 and the requirements of the NISPOM, the security authority must possess a facility security clearance at the same level or higher as an office over which it exercises responsibility. This means that the cognizant security organization must be surveyed and registered in SSIMS, and must set up a limited area and classified processing capabilities. The organization must meet the requirements and be capable of undertaking the security activities itself; there is no provision for establishing a Memorandum of Agreement or other vehicle as a "paper" designation to allow the security activities to be performed by another organization on behalf of the organization with security cognizance.

Q: Some forms that DOE uses in connection with various activities (such as the Visit Request form and the Security Acknowledgement and Termination Statements) are really outdated. Are there any plans to revise these forms and bring them up to date?

A: As the zero-based policy review proceeds, some review of the forms used in connection with specific activities is being conducted. The Security Acknowledgment and Termination Statements, which are used primarily in connection with the DOE personnel security program but which also have security awareness applications, are currently being revised to reflect changes to the DOE personnel security program (new drug testing requirements, revised personnel security and foreign travel reporting requirements), and to reflect current requirements pertaining to prepublication review of materials prepared by individuals who hold or previously held a DOE security clearance. Since questions have been raised concerning the Visit Request form, used in the classified visits program, we will review this form and update it as necessary. Questions pertaining to other forms which are referenced in the security directives may be addressed to HS-71.

Q: I have a question regarding the Outside Director (OD) for a company under a Security Control Agreement. Can the OD do consultant work for one of the foreign owners after he has been approved by the Office of Security? DOE M 470.4-1 Part 2, Section H, Chapter IV, FOCI Mitigation Action Plans, 3.,c.,(2) Security Control Agreement, (b) 1: "Appointment of one or more outside directors who must meet the eligibility requirements set forth in paragraph 3.b(1)(b), above." This reference reads: "Be completely disinterested individuals with no prior involvement with the cleared U.S. organization, its foreign-owned tier parent(s), or any of its foreign-owned affiliate(s)." This reference, as stated, applies to "before" approval, but what about after approval? Is this a conflict of interest? We have been told that one of our ODs has been doing consulting work for one of the parents in his company.

A: Based on the situation you've described, it appears there may be a conflict of interest here. As you have stated above, the Manual requires that when setting up the Security Control Agreement one of the stipulations for the Outside Director (OD) is that he/she must, "Be completely disinterested individuals with no prior involvement with the cleared U.S. organization, its foreign-owned tier parent(s), or any of its foreign-owned affiliate(s)." If the OD is getting paid to do work for a foreign parent, he/she is no longer a "completely disinterested individual." I think the term completely disinterested is the key to the requirement. "No prior involvement" is one characteristic of being completely disinterested. However, I don't believe it is the sole characteristic. The key to being disinterested is that the person must be unbiased by personal interest. If the OD is hired by the foreign parent, he/she is no longer disinterested.

Q: What is meant by the term cognizant security authority used in the DOE 470.4 series? Can this authority be further delegated? Does this need to be a formal appointment?

A: As used in the Manuals in this series, the term "cognizant security authority" refers to DOE and NNSA Federal and contractor employees who have been granted the authority to commit security resources or direct the allocation of security personnel or approve security implementation plans and procedures in the accomplishment of specific work activities. "DOE cognizant security authority" is used when intended to apply specifically to a Federal authority. When specifically requiring a contractor to fulfill the role, the phrase "contractor cognizant security authority" is used, and when neither DOE nor contractor is specified, the authority may be assigned to either. Further delegation is typically acceptable by definition (Federal/Contractor constraints maintained) since DOE and contractor line management designate their cognizant security authorities. Any exceptions to this will be specified in the corresponding sections of the manuals. Likewise, formal appointment is not required, although delegations of authority must be documented in the appropriate safeguards and security management plan. Whether the cognizant security authority role can be delegated or requires formal appointment for any particular action is determined on a Program/site-specific basis according to applicable contracts, directives, and/or security plans. Under DOE O 470.4A, the Under Secretary for Science, the Under Secretary for Energy, and the Associate Administrator for Defense Nuclear Security are designated as the DOE cognizant security authorities for their organizations and may delegate this authority as necessary to carry out the associated responsibilities.

Q: Why does the Office of Security Policy (HS-70), Office of Health, Safety and Security, need a copy of our approved S&S deviations?

A: HS-70 is responsible for establishing the requirements and responsibilities found in S&S directives, including the requirements for the deviations process. HS-70 must be aware of deviations from these provisions for the following reasons: 1) to assure that the deviations process is being implemented correctly; e.g., that a deviation is not labeled a "variance" because of its easier requirements, when, in fact, it is a waiver or an exception; 2) to assure that the provision is one from which a deviation is allowed; e.g., that it is not a statutory, regulatory, Executive order, or Presidential directive requirement from which no deviation is allowed without further process; and 3) to evaluate the portion of the directive from which a deviation is requested to determine if the directive needs to be revised or canceled.

Q: Former policy addressed recurring classified visits by local FBI personnel; however, current policy does not. Why was this language removed? Can we establish local procedures to allow such recurring classified visits?

A: Current policy for the Classified Visits provisions is found in DOE M 470.4-1, Section L. Under this section "continuing visitor access approval" is now required when it is known that an individual's classified visits will be frequent. DOE M 470.4-1, Section L, paragraph 2.a.(3) reads: "Line management must establish local procedures for the control of classified visits. Procedures must ensure... (3) Continuing visitor access approval is necessary for individuals who frequently visit DOE facilities. However, the locally approved access approval cannot exceed a period of 1 year or the final day of a contract, whichever is less. The approval may be renewed annually (at least every 12 months)." This provision would apply to recurring visits by local FBI personnel.

Q: Can local implementation be more restrictive than DOE S&S policy?

A: The S&S directives establish the minimum requirements. Local implementation may be more restrictive, but any action beyond what is required may have to be justified by a cost/benefit analysis to satisfy financial requirements.

Q: Can a DOE Site/Office receive a deviation from an Executive Order or a regulation?

A: If there is a process for deviating from the requirements of a higher directive, that process must be followed. The deviations process in DOE M 470.4-1 covers only deviations from a DOE S&S policy requirement. When the S&S requirement is also an Executive or regulatory requirement from which a deviation is not authorized, the DOE M 470.4-1 process can be used in a limited manner only. A deviation may be considered from a DOE-originated requirement that is intended to implement a general requirement of a national-level directive, so long as the modified implementation achieves the full implementation of the national-level requirement. A deviation from an Executive or regulatory requirement can only be considered under the specific processes, if any, included in the Executive or regulatory language.

Q: When the Office of Health, Safety and Security was established, the Office of Security no longer existed organizationally. Who should I contact to complete actions required in the DOE 470.4 directive series since there is no longer a position identified as the Director of Security?

A: The Office of Security Director's responsibilities, with the establishment of the Office of Health, Safety and Security, fall under the Chief Health, Safety and Security Officer, Glenn S. Podonsky, and the Deputy Chief for Operations, Michael A. Kilpatrick.

Q: If there is a change in policy, will official documentation be sent through the proper channels and forwarded to all NNSA and DOE sites?

A: Any changes to DOE S&S policy will be made through the DOE Directives System, which is established by DOE P 251.1A, Departmental Directives Program Policy, DOE O 251.1, Departmental Directives Program, and DOE M 251.1-1B, Departmental Directives Program Manual. Notifications can be received when actions are taken on DOE directives of interest by signing up for E-Mail Notification in the middle of the Directives Home Page. The web address is http://directives.doe.gov/alertmain.html. You may also want to let your Directives Point of Contact (DPC) know of your interest in particular directives. The DPC list is found on the Directives Home Page under "References" (bottom of the left side). The web address is http://www.directives.doe.gov/pdfs/doegeninfo/final/dpclist.pdf.

NNSA has statutory authority to establish NNSA-specific policy (including changes to DOE policy), unless disapproved by the Secretary. If you have questions concerning the process for changes in policy by NNSA, you may wish to contact NNSA. NNSA Policy Letter (NAP)-1 describes the process, and it is available on the NNSA website http://hq.na.gov/default.aspx?L=ITEM&ITEM=2375&CA=30&OT=86&PI=2317.

Q: On December 3, 2007, the DOE Chief Health, Safety and Security Officer signed out a memorandum establishing policy panels to increase feedback from the implementers of DOE policy. How will the PPM policy panel be organized?

A: The PPM panel will be a new policy panel, as there has not been a quality panel in this topical area. Because so many possible topics fall under the broad topic of "program planning and management" (safeguards and security planning, surveys and assessments, facility clearances and FOCI, awareness and training, etc.), it will probably be necessary to organize sub-panels or interest groups within the larger panel. One organization which may serve as a model is the existing Security Awareness Special Interest Group (SASIG). The steering committee for that group also serves as the quality panel for security awareness, and it is planned that this group will continue to fill its traditional policy assistance role. HS-70 will provide additional information as we continue to develop this new topical policy panel.

Q: The terms "critical system element" and "essential element" are used in many contexts in DOE M 470.4-1, Safeguards and Security Program Planning and Management. When these terms are used in the context of vulnerability analyses and performance assurance program evaluations, what is the difference between them, or are they interchangeable?

A: The connection between planning and the performance assurance program is important to understand. As we plan, we have the opportunity to identify protection system elements that are of greatest importance to the overall success of the site/facility protection system. If additional testing of these elements, beyond that required for topical compliance, would provide additional assurance that these elements will perform as expected, these additional tests are incorporated into a formal Performance Assurance Program Plan. The terms "critical system element" and "essential element" used in DOE Manual 470.4-1 Chg. 1, Safeguards and Security Protection Program Planning and Management, to establish requirements governing this process are broadly synonymous. HSS believes that, to eliminate confusion, it is acceptable to use a single term, "critical element," when discussing system elements identified during vulnerability analyses that are then required to be tested under the performance assurance program. The use of this term will be incorporated into the re-write of DOE M 470.4-1 to replace the two existing terms.

Q: There are all kinds of testing of security system elements required to meet compliance requirements under Protective Force, physical protection, and other programs. Isn't the testing required by the Performance Assurance Program (PAP) redundant?

A: The PAP has been established specifically to provide for additional testing above compliance-level requirements. The purpose of testing done under the PAP is to demonstrate effective performance of protection measures that have been determined to fall into the category of "critical elements" as described above. Tests conducted under the PAP are intended to ensure that all identified essential elements are performing as represented in safeguards and security plans and in any supporting analyses for those plans. The intent is to demonstrate that the elements identified as "critical elements", separately and together, do in fact provide the required levels of performance.

Q: Why should DOE field activities be required to conduct comprehensive periodic surveys of their security activities and those of their contractors, if they and their contractors are already subject to testing, special surveys, self-assessments of specific activities, and reviews or inspections by other DOE elements?

A: The periodic survey provides an opportunity for local DOE management to form a comprehensive view of a site's entire security posture and to understand the mutual dependencies among the various components of its protection program. The survey is designed to identify areas of redundancy which will allow better use of resources, identify conflicts between components that may lead to weaknesses not readily apparent when only one of the components is considered, and identify areas in which correction of identified problems in one component creates unexpected performance issues in another component. While reports of special inspections and reviews may be useful in developing the comprehensive periodic survey and evaluating the survey results, taken individually they do not provide the "big picture" overview of a site's security posture which allows identification of a program's overall strengths and weaknesses and produces results which can correct and improve the program as a whole. Even when "continuous" or "rolling" special surveys are conducted to spread the survey activity more uniformly over a survey period, a comprehensive review and analysis of these "point-in-time" data points should be made to complete each required survey period to provide a truly integrated review of site protection.

Q: In processing a request for a facility clearance (FCL), must personnel security clearances be in place for company officials designated as key management personnel (KMPs) before the FCL is granted?

A: Certain company officials must be in process or possess active security clearances in order for a company to be eligible for an FCL involving classified information or matter or special nuclear material (SNM). These company officials include the owners, officers, directors, partners, regents, trustees, or executive personnel (i.e., those individuals considered to be KMPs). The clearances held by these individuals may be pre-existing from another classified contract, or the individuals may be submitted for security clearances concurrently with the processing of the FCL.


This page was last updated on November 06, 2009