32 CFR 117.23 – Supplement to this rule: Security Requirements for Alternative Compensatory Control Measures (ACCM), Special Access Programs (SAPs), Sensitive Compartmented Information (SCI), Restricted Data (RD), Formerly
(a) General. Given the sensitive nature of Alternative Compensatory Control Measures (ACCM), SAPs, SCI, RD, FRD, TFNI, and NNPI, the security requirements prescribed in this section exceed baseline standards for this rule and must be applied, as applicable, through specific contract requirements.
(1) Compliance. The contractor will comply with the security measures reflected in this section and other documents specifically referenced, when applied by the GCA or designee as part of a contract. Acceptance of the contract security measures is a prerequisite to any negotiations leading to program participation and an area accreditation (e.g., an SCI facility or SAP facility accreditation).
(2) CSA-imposed higher standards. In some cases, security or sensitive factors of a CSA-created program may require security measures that exceed the standards of this section. In such cases, the CSA-imposed higher standards specifically detailed in the contract or conveyed through other applicable directives will be binding on USG and contractor participants. In cases of doubt over the specific provisions, the contractor should consult the program security officer and the contracting officer before taking any action or expending program-related funds. In cases of extreme emergencies requiring immediate attention, the action taken should protect the USG’s interest and the security of the program from loss or compromise.
(3) Waivers. Every effort will be made to avoid waivers to established standards unless they are in the best interest of the USG. In those cases where waivers are deemed necessary, a request will be submitted in accordance with the procedures established by the CSA.
(b) Intelligence information. National intelligence is under the jurisdiction and control of the DNI, who establishes security policy for the protection of national intelligence and intelligence sources, methods, and activities. In addition to the guidance in this rule, contractors will follow Intelligence Community directives, policy guidance, standards, and specifications for the protection of classified national intelligence and SCI.
(c) ACCM. Contractors may participate in ACCMs, or be directed to participate, only when such access and the associated security plan are identified in DD Form 254 or equivalent. Care must be taken to ensure identification of the security plan does not disclose ACCM-protected data.
(1) ACCM contracts. DoD contractors will implement the security requirements for ACCMs, when established by contract, in accordance with applicable statutes, E.O.s, CSA directives, instructions, manuals, regulations, standards, and memorandums.
(2) Non-DoD with ACCMs. Contractors performing on ACCM contracts issued by other than DoD GCAs will implement ACCM protection requirements imposed in their contracts.
(d) SAPs—(1) DoD SAP contracts. Contractors will implement the security requirements for SAPs codified in SAP-related policy, when established by contract. These documents include, but are not limited to, statutes, E.O.s, CSA directives, instructions, manuals, regulations, standards, memorandums, and other SAP security related policy documents.
(2) Non-DoD SAPs. Contractors performing on SAP contracts issued by non-DoD GCAs will implement SAP protection requirements imposed in their contracts. These requirements may be from, but are not limited to, statutes, E.O.s, CSA directives, instructions, manuals, regulations, standards, memorandums, and other SAP security related policy documents.
(e) RD, FRD, and TFNI—(1) General. This section describes some of the requirements for nuclear-related information designated RD, FRD, or TFNI in accordance with the AEA and 10 CFR part 1045. 10 CFR part 1045 contains the full requirements for classification and declassification of RD, FRD, and TFNI. Information on safeguarding of RD by access permittees is contained in 10 CFR part 1016. For RD that is NNPI, the additional provisions of paragraph (f) of this section apply.
(i) The DOE is the sole authority for establishing requirements for classifying, accessing, handling, securing, and protecting RD. The DOE and the DoD share authority for the requirements for FRD. The DOE and ODNI share authority for establishing requirements for TFNI.
(ii) RD, FRD, and TFNI categories are distinguished from the NSI category, which is governed in accordance with E.O. 13526.
(A) RD, FRD, and TFNI have unique marking requirements and are not subject to automatic declassification. In addition, RD and FRD have special restrictions regarding foreign release.
(B) It is necessary to differentiate between the handling of this information and NSI because of its direct relationship to our nation’s nuclear deterrent.
(iii) Some access requirements for RD and FRD exceed the requirements for NSI. Due to the unique national security implications of RD and FRD, and to facilitate maintaining consistency of codified requirement, they are not repeated in the baseline of this rule, but may be applied through specific contract requirements.
(iv) When RD is transclassified as TFNI, it is safeguarded as NSI. Such information will be labeled as TFNI. The label TFNI will be included on documents to indicate it is exempt from automatic declassification as specified in 10 CFR part 1045, the AEA, E.O. 13526, and 32 CFR part 2001.
(2) Unauthorized disclosures. Contractors will report all unauthorized disclosures involving RD, FRD and TFNI information to the CSA.
(3) International requirements. The AEA provides for a program of international cooperation to promote common defense and security and to make available to cooperating nations the benefits of peaceful applications of atomic energy as widely as expanding technology and considerations of the common defense and security will permit.
(i) Information controlled in accordance with the AEA, RD, and FRD may be shared with another nation only under the terms of an agreement for cooperation. The disclosure by a contractor of RD and FRD will not be permitted until an agreement is signed by the United States and participating governments, and disclosure guidance and security arrangements are established.
(ii) RD and FRD will not be transmitted to a foreign national or regional defense organization unless such action is approved and undertaken under an agreement for cooperation between the United States and the cooperating entity and supporting statutory determinations, as prescribed in the AEA.
(4) Personnel security clearance and access. Only the DOE, the NRC, the DoD, and the National Aeronautics and Space Agency can grant access to RD and FRD that is under their cognizance. Access to RD and FRD must be granted in accordance with the AEA. Baseline requirements for access to RD and FRD are codified in specific DoD, DOE, NRC, and the National Aeronautics and Space Agency directives and regulations. In addition, need-to-know and other restrictions on access apply.
(5) Classification and declassification. (i) All persons with access to RD and FRD must receive initial and periodic refresher training as required under § 1045.120 10 CFR. The training must include the following information:
(A) What information is potentially RD and FRD.
(B) Matter that potentially contains RD or FRD must be reviewed by an RD derivative classifier to determine whether it is RD or FRD.
(C) The DOE must review matter that potentially contains RD or TFNI for public release and DOE or DoD must review matter that potentially contains FRD for public release.
(D) RD derivative classification authority is required to classify or upgrade matter containing RD or FRD, or to downgrade the level of matter containing RD or FRD.
(E) Only a person trained in accordance with § 1045.120 10 CFR may classify matter containing TFNI.
(F) Matter containing RD, FRD, and TFNI is not automatically declassified and only DOE-authorized persons may downgrade the category or declassify matter marked as containing RD. Only DOE or DoD authorized persons may downgrade the category or declassify matter marked as containing FRD.
(G) How to submit a challenge if they believe RD, FRD, or TFNI information (e.g., a guide topic) or matter containing RD, FRD, or TFNI is not properly classified.
(H) Access requirements for matter marked as containing RD or FRD.
(ii) All persons with access to TFNI must receive initial and periodic refresher training as required under § 1045.120 10 CFR. This training may be combined with the training for access to RD and FRD. The training must include the following information:
(A) What information is potentially TFNI.
(B) Only a person with appropriate training may determine if matter contains TFNI.
(C) Marking requirements for matter containing TFNI.
(D) Matter containing TFNI is not automatically declassified and only DOE authorized persons may downgrade the category or declassify matter marked as containing TFNI.
(E) How to submit a challenge if they believe TFNI information (e.g., a guide topic) or matter containing TFNI is not properly classified.
(iii) Persons with access to RD, FRD, or TFNI must submit matter that potentially contains RD or FRD to an RD derivative classifier for review. If matter potentially contains TFNI, it must be submitted to a person trained to make TFNI determinations. Matter potentially containing RD, FRD, or TFNI must be reviewed, even if the potential RD, FRD, or TFNI is derived from the open literature. Prior to review, the matter must be marked as a working paper under 10 CFR 1045.140(c). If the matter is intended for pubic release and potentially contains RD or TFNI, it must be submitted to the DOE for review. If the matter is intended for public release and contains FRD, it must be submitted to the DOE or the DoD.
(iv) Only RD derivative classifiers may classify matter containing RD or FRD. RD derivative classifiers must receive initial training and refresher training every two years as required under 10 CFR 1045.120. The training must include the content for persons with access to RD and FRD, along with the following:
(A) The use of classification guides, classification bulletins, and portion-marked source documents to classify matter containing RD and FRD.
(B) What to do if applicable classification guidance is not available.
(C) Limitations on an RD derivative classifier’s authority to remove RD or FRD portions from matter.
(D) Marking requirements for matter containing RD and FRD.
(v) Only persons with appropriate training may review matter to determine if it contains TFNI. Training must be completed prior to making determinations and every two years after. The training must include the content for persons with access to TFNI and the following:
(A) The markings applied to matter containing TFNI.
(B) Limitations on their authority to remove TFNI portions from matter.
(C) Only DOE authorized persons may determine that classified matter no longer contains TFNI.
(D) Only DOE-authorized persons may declassify matter marked as containing TFNI.
(E) The DOE must review matter that potentially contains TFNI for public release.
(vi) RD derivative classifiers must use approved classification guides, classification bulletins, or portion-marked source documents as the basis for classifying matter containing RD and FRD.
(vii) Persons trained to make TFNI determinations must use approved TFNI guidelines, classification guides, classification bulletins, or portion-marked source documents as the basis for classifying or upgrade matter containing TFNI.
(6) Marking matter containing RD, FRD, and TFNI. The front page of matter containing RD or FRD must have the highest classification level of the information on the top and bottom of the first page, the RD or FRD admonishment, the subject or title marking, and the classification authority block. Matter containing TFNI must include the TFNI identifier on each page unless the matter also contains RD or FRD, in which case the RD or FRD takes precedence.
(i) Documents classified as RD or FRD must also include a Classification Authority Block with the RD derivative classifier’s name and position, title, or unique identifier and the classification guide or source document (by title and date) used to classify the document. No declassification date or event may be placed on a document containing RD, FRD, or TFNI. If a document containing RD, FRD, or TFNI also contains NSI, “N/A to RD/FRD/TFNI” (as appropriate) must be placed on the “Declassify On:” line.
(ii) Each interior page of matter containing RD or FRD must be clearly marked at the top and bottom with the overall classification level and category of the matter or the overall classification level and category of the page, whichever is preferred. The abbreviations “RD” or “FRD” may be used in conjunction with the matter classification (e.g., SECRET//RD, CONFIDENTIAL//FRD).
Table 1 to Paragraph (
Document containing | Admonishment that must be included on the front page of the document |
---|---|
RD | “RESTRICTED DATA This document contains RESTRICTED DATA as defined in the Atomic Energy Act of 1954. Unauthorized disclosure is subject to administrative and criminal sanctions.” |
FRD | “FORMERLY RESTRICTED DATA Unauthorized disclosure subject to administrative and criminal sanctions. Handle as Restricted Data in foreign dissemination. Section 144b, AEA 1954.” |
(iii) Documents classified as RD or FRD must also include a Classification Authority Block with the RD derivative classifier’s name and position, title, or unique identifier and the classification guide or source document (by title and date) used to classify the document.
(iv) Other than the required subject or title markings, portion marking is permitted, but not required, for matter containing RD or FRD. Each agency that generates matter containing RD or FRD determines the policy for portion-marking matter generated within the agency. If matter containing RD or FRD is portion-marked, each portion containing RD or FRD must be marked with the level and category of the information in the portion (e.g., SRD, CFRD, S//RD, C//FRD).
(v) Additional information and requirements are in 10 CFR 1045.140. Requests for additional information about the classification and declassification of RD, FRD, and TFNI can be directed to Agency RD Management Officials or the DOE Office of Classification at outreach@hq.doe.gov or at (301) 903-7567.
(7) Declassification. (i) No date or event for automatic declassification ever applies to RD, FRD, or TFNI documents, even if they contain classified NSI. RD, FRD, or TFNI documents remain classified until a positive action by a designated DOE official (for RD, FRD, or TFNI) or an appropriate DoD official (for FRD) is taken to declassify them.
(ii) RD derivative classifiers may remove RD or FRD from portion-marked source matter if the resulting matter is not for public release. RD derivative classifiers cannot declassify matter marked as containing RD, FRD, and TFNI. Matter that potentially contains RD or TFNI must be sent to designated individuals in the DOE and those containing FRD must be sent to designated individuals in the DoD for declassification or removal of the RD, FRD, or TFNI prior to public release.
(iii) Matter containing TFNI is excluded from the automatic declassification provisions of E.O. 13526 until the TFNI designation is properly removed by the DOE. When the DOE determines that a TFNI designation may be removed, any remaining classified information must be referred to the appropriate agency.
(iv) Any matter marked as or that potentially contains RD, FRD, or TFNI within a document intended for public release that contains RD or FRD subject area indicators must be reviewed by the appropriate DOE organization.
(8) Challenges to RD, FRD, and TFNI. A contractor employee who believes RD, FRD, or TFNI is classified improperly or unnecessarily may challenge that classification following the procedures established by the GCA. They may also send challenges directly to the Director, Office of Classification, AU-60/Germantown Building; U.S. Department of Energy; 1000 Independence Avenue SW, Washington, DC 20585, at any time. Under no circumstance is an employee subject to retribution for challenging the classification status of RD, FRD, or TFNI.
(9) Commingling. Commingling of RD, FRD, and TFNI with NSI in the same document should be avoided to the greatest degree possible. When mixing this information cannot be avoided, the marking requirements in 10 CFR part 1045, section 140(f) and declassification requirements of 10 CFR part 1045, section 155 apply.
(10) Protection of RD and FRD. Most of the protection requirements for RD and FRD are similar to NSI and are based on the classification level. However, there are some protection requirements for certain RD information that may be applied through specific contract requirements by the GCA. These range from distribution limitations through the limitation of access to specifically authorized individuals to specific storage requirements, including the requirement for IDSs, and additional accountability records.
(i) Any DOE contractor that violates a classified information security requirement may be subject to a civil penalty under the provisions of 10 CFR part 824.
(ii) Certification is required for individuals authorized access to specific Sigma categories, as appropriate. Address questions regarding these requirements to DOE’s National Nuclear Security Administration, Office of Defense Programs.
(iii) Storage and distribution requirements are determined by the classification level, category, and Sigma category. Sigma designation is not a requirement for all RD documents. Storage and distribution requirements will be dependent only on classification level and category.
(11) Accountability. In addition to TOP SECRET information, some SECRET RD information is considered accountable (e.g., specific Sigma 14 matter). Each nuclear weapon data control point will keep a record of transactions involving Secret nuclear weapon data documents under its jurisdiction including origination, receipt, transmission, current custodian, reproduction, change of classification, declassification, and destruction.
(12) Cybersecurity. Classified databases, systems, and networks containing RD and FRD are protected under the requirements developed and distributed by the DOE Office of the Chief Information Officer.
(f) NNPI. NNPI is information associated with the Naval Nuclear Propulsion Program and is governed by Office of the Chief of Naval Operations Instruction (OPNAVINST) N9210.3, “Safeguarding of Naval Nuclear Propulsion Information” (available at: https://www.secnav.navy.mil/doni/Directives/09000%20General%20Ship%20Design%20and%20Support/09-200%20Propulsion%20Plants%20Support/N9210.3%20(Unclas%20Portion).pdf). Naval Reactors, a joint DOE/Department of Navy organization established under 50 U.S.C. § 2406 and 2511, is responsible for the protection of this information. All contracts which grant access to NNPI must require compliance with the specific safeguarding requirements contained in OPNAVINST N9210.3. All waivers or deviations involving security requirements protecting NNPI require Naval Reactors’ concurrence. Classified NNPI may not be processed on any contractor information system unless approved by the cognizant authorizing authority with concurrence from Naval Reactors.