ML24228A174

Management Directive 12.9, NRC Operations Security Program
ML24228A174
Person / Time
Issue date: 10/04/2024
From: Mirela Gavrilas
NRC/EDO
To:
Shared Package
ML24228A172 List:
References
MD 12.9



U.S. NUCLEAR REGULATORY COMMISSION MANAGEMENT DIRECTIVE (MD)

For updates or revisions to policies contained in this MD that were issued after the MD was signed, please see the Yellow Announcement to Management Directive index (YA-to-MD index).

MD 12.9 NRC OPERATIONS SECURITY PROGRAM
DT-24-18
Volume 12: Security
Approved By: Mirela Gavrilas, Executive Director for Operations
Date Approved: October 4, 2024
Cert. Date: N/A, for the latest version of any NRC directive or handbook, see the online MD Catalog.
Issuing Office: Office of Administration, Division of Facility and Security
Contact Name: Michael England

EXECUTIVE SUMMARY

Management Directive (MD) 12.9, NRC Operations Security Program, is a new MD and is written to

Describe the agency's new operations security program, consistent with the regulations set forth and prescribed by National Security Presidential Memorandum-28 (NSPM-28), The National Operations Security Program.

Outline the roles and responsibilities of agency offices in implementing the U.S. Nuclear Regulatory Commission's Operations Security program.

TABLE OF CONTENTS

I. POLICY ...... 2
II. OBJECTIVES ...... 2
III. ORGANIZATIONAL RESPONSIBILITIES AND DELEGATIONS OF AUTHORITY ...... 3
A. Executive Director for Operations ...... 3
B. Director, Office of Public Affairs (OPA) ...... 3
C. Director, Office of Administration (ADM) ...... 3
D. Office of the Chief Human Capital Officer (OCHCO) ...... 4
E. Office of the General Counsel (OGC) ...... 4
F. Office Directors and Regional Administrators ...... 4
G. Director, Division of Acquisition Management, ADM ...... 5
H. OPSEC Program Manager and Alternate Program Manager ...... 5
I. HQ/ADM OPSEC Program Coordinator/Alternate ...... 6


J. Regional OPSEC Coordinators/Alternates ...... 6
IV. APPLICABILITY ...... 7
V. DEFINITION ...... 7
VI. DIRECTIVE HANDBOOK ...... 7
VII. REFERENCES ...... 7

I. POLICY

A. In January 2022, the U.S. Nuclear Regulatory Commission (NRC) established its Operations Security (OPSEC) Program as prescribed by National Security Presidential Memorandum (NSPM) 28, The National Operations Security Program (NOP). The establishment of the NRC OPSEC program was announced to the agency on December 23, 2021.

B. The NOP is led by the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence (ODNI). NSPM-28 mandates that each Executive department and agency assigned or supporting national security missions with classified or sensitive activities shall establish a formal OPSEC program.

II. OBJECTIVES

Protect United States Government (USG) data, physical and electronic, against the constantly evolving threats posed by competitors and adversaries.

Assess, identify, and facilitate mitigation of OPSEC conditions in accordance with NSPM-28 and the NOP.

Ensure that all NRC staff understand and are familiar with the OPSEC process. The OPSEC process includes the following six steps:

Analyze Threat, Identify Critical Information, Analyze Vulnerabilities, Assess Risk, Apply Countermeasures, Assess Effectiveness.


III. ORGANIZATIONAL RESPONSIBILITIES AND DELEGATIONS OF AUTHORITY

A. Executive Director for Operations (EDO)

1. Oversees the NRC OPSEC Program in accordance with NSPM-28.
2. Delegates to the Director, Office of Administration, the role of Operations Security Senior Official, along with the primary responsibility for the NRC OPSEC Program (ML21328A016).

B. Director, Office of Public Affairs (OPA)

Ensures that the OPSEC Process is incorporated into public affairs activities.

C. Director, Office of Administration (ADM)

1. Serves as the Operations Security Senior Official and has primary responsibility for the NRC OPSEC Program.
2. As the Operations Security Senior Official, performs the following:

(a) Manages the overall NRC OPSEC Program by providing advice, guidance, and assistance to senior management regarding OPSEC program development, including marketing, awareness, training, compliance, and assessment.

(b) Appoints the OPSEC Program Manager and Alternate OPSEC Program Manager. The OPSEC Program Manager is responsible for developing, organizing, and administering the OPSEC Program. In addition, the OPSEC Program Manager oversees the integration, coordination, and synchronization of subordinate OPSEC programs.

(c) Ensures that the OPSEC Program Manager and Alternate Program Manager complete the required training in (i) The fundamentals of operations security, security, counterintelligence awareness, protection of CUI, unauthorized disclosures, insider threat, and cybersecurity, to include applicable legal issues; (ii) Risk management principles; (iii) Developing and maintaining an OPSEC program; and (iv) Integrating OPSEC into the planning, execution, and assessment of their organization's operations, processes, and activities.

(v) Participates and represents the NRC on the Department of Homeland Security (DHS) OPSEC Working Group.


(vi) Establishes procedures and facilitates NRC interagency and intra-agency coordination for OPSEC.

(d) Monitors and inspects NRC compliance with OPSEC Training and Awareness Standards outlined in this management directive (MD), applicable NCSC directives, and the Interagency OPSEC Support Staff (IOSS) guidelines.

(e) Establishes NRC OPSEC reporting requirements and prepares the NRC Annual OPSEC Review for submission to NCSC (Enclosure 6).

(f) Actively promotes the OPSEC concept through available media (i.e., posters) and other information sources, and in conjunction with training programs.

(g) Maintains the OPSEC SharePoint sub-site on the ADM SharePoint site:

https://usnrc.sharepoint.com/sites/adm-hub/SitePages/NRC-Operations-Security-(OPSEC).aspx.

(h) Reviews and recommends any updates to the NRC OPSEC policy, procedures, and practices.

D. Office of the Chief Human Capital Officer (OCHCO)

Ensures that an initial OPSEC orientation is incorporated into the onboarding procedures for new employees and those persons detailed from other services within 30 days of onboarding as required by NOP PMO-ADVISORY-2022-001, National Operations Security Program Training Standards.

E. Office of the General Counsel (OGC)

Addresses questions and conflicts that may arise between the OPSEC Program and NRC statutory requirements.

F. Office Directors and Regional Administrators

1. Designate an OPSEC Coordinator and alternate OPSEC Coordinator and provide their names to ADM/DFS.
2. Ensure that the OPSEC Coordinator and alternate Coordinator complete the required training in (a) The fundamentals of operations security, security, counterintelligence awareness, protection of controlled unclassified information, unauthorized disclosures, insider threat, and cybersecurity, to include applicable legal issues; (b) Risk management principles; (c) Developing and maintaining an OPSEC program; and


(d) Integrating OPSEC into the planning, execution, and assessment of their organization's operations, processes, and activities.

3. Ensure compliance with the provisions of DH 12.9 by incorporating sound OPSEC principles into all operational planning and activities.
4. Ensure that Enterprise Architecture and Configuration Management activities incorporate the OPSEC procedures and processes.

G. Director, Division of Acquisition Management (AMD), ADM

Ensures that all acquisition activities apply the OPSEC procedures and processes.

H. OPSEC Program Manager and Alternate Program Manager

1. Complete the required OPSEC training courses within 3 months of being assigned the role of OPSEC Program Manager. The OPSEC training courses are as follows:

(a) OPSEC and Public Release Course 1500, (b) OPSEC and the Internet Course 3500, (c) OPSEC Analysis Course 2830, and (d) OPSEC Program Manager Course 2390.

2. Review organizational OPSEC programs and plans to ensure compliance with NSPM-28 and MD 12.1.
3. Include OPSEC as an item to be reviewed during the annual security assessments and confirm the following:

(a) Office/region OPSEC Coordinator/Alternate is appointed in writing.

(b) Office/region has an OPSEC plan.

(c) Office/region has a Critical Information List (CIL).

(d) Office/region OPSEC Coordinator/Alternate has completed the required OPSEC training.

4. Maintain a list of all office/regional OPSEC Coordinator/Alternate names and contact information.
5. Submit an annual report of OPSEC activities to the OPSEC Senior Agency Official by November 30.


I. HQ/ADM OPSEC Program Coordinator/Alternate

1. Complete the required OPSEC training courses (see III.G.2) within 3 months of being assigned HQ OPSEC Coordinator duties. If training can't be completed within the 3-month window, a memo must be submitted to the OPSEC Program Manager stating the reason and verifying the upcoming scheduled training. Prepare the Annual Summary Report of OPSEC Activities for the Office of Administration. The format for this report will be determined and distributed by the OPSEC Program Manager as provided by the NOP.
2. Assist in compiling OPSEC support service requests from all regional OPSEC coordinators for external OPSEC services (e.g., training, survey, program development) to the OPSEC Program Manager, annually by September 1.
3. Conduct an annual self-assessment of the OPSEC Program (contact Program Manager for example).

J. Regional OPSEC Coordinators/Alternates

1. Ensure compliance with the provisions of this MD by incorporating sound OPSEC principles into all operational planning and activities to include the development and maintenance of a unit OPSEC plan and unit Critical Information List.
2. Complete the required OPSEC training courses (see III.G.2) within 3 months of being assigned regional OPSEC Coordinator duties. If training can't be completed within the 3-month window, a memo must be submitted to the OPSEC Program Manager stating the reason and verifying the upcoming scheduled training.
3. Ensure regional staff compliance with annual OPSEC Awareness Training requirement.
4. Conduct an annual self-assessment of the OPSEC Program.
5. Prepare an Annual Summary Report of OPSEC Activities and forward it to the OPSEC Program Manager no later than September 1. The format for this report is contained in OPSEC Binder.
6. Submit requests for external OPSEC support services (e.g., training, survey, program development) to the cognizant OPSEC Coordinator.
7. Actively promote the OPSEC concept to the local office through available information sources and in conjunction with training programs.
8. Conduct random spot checks, including trash/recycle bin checks, to ensure proper disposal of CUI (previously known as SBI, OUO, or PII information), and unobtrusively observe office chatter on phones and in public spaces for any OPSEC concerns. These spot checks should be conducted monthly, at a minimum.


IV. APPLICABILITY

The provisions of this MD apply to and must be followed by all NRC employees and contractors who have knowledge of NRC activities, operations, capabilities, and intentions.

NRC personnel are actively encouraged to share the concepts in Handbook 12.9 with visitors and their family members as they can contribute to and be an integral part of the overall NRC OPSEC effort by judicious application of OPSEC principles.

V. DEFINITION

Counterintelligence: Efforts made to prevent foreign intelligence services or other malevolent actors from obtaining information that may be harmful to U.S. national interests.

Operational Planning: Systematic and proven process by which potential adversaries can be denied information about capabilities and intentions by identifying, controlling, and protecting generally unclassified evidence of the planning and execution of sensitive activities.

VI. DIRECTIVE HANDBOOK

Handbook 12.9 contains guidelines and procedures regarding the NRC OPSEC Program.

The Defensive Counterintelligence Program Guide provides additional information regarding the implementing procedures for the agency's limited-scope OPSEC program and is available here, for internal use only.

VII. REFERENCES

Code of Federal Regulations

10 CFR Part 70, "Domestic Licensing of Special Nuclear Material."

10 CFR Part 95, "Facility Security Clearance and Safeguarding of National Security Information and Restricted Data."

Nuclear Regulatory Commission Documents

Commission Papers

SECY-09-0166, Counterintelligence Programs for Licensees and Certificate Holders Who Possess Classified Uranium Enrichment Technologies, dated November 5, 2009 (ML091320379).

SECY-10-0158, Staff Options for a Potential Counterintelligence Program for Licensees who Possess Uranium Enrichment Technologies and U.S. Nuclear Regulatory Commission Staff, dated December 7, 2010 (ML103280305).


Staff Requirements Memorandum (SRM) SECY-10-0158, Staff Options for a Potential Counterintelligence Program for Licensees Who Possess Uranium Enrichment Technologies and U.S. Nuclear Regulatory Commission Staff, dated February 1, 2011 (ML110320666).

Defensive Counterintelligence Program Guide, at https://adamsxt.nrc.gov/navigator/AdamsXT/content/downloadContent.faces?objectStoreName=MainLibrary&vsId=%7b47893275-F2AC-C22C-A56D-843EC4400000%7d&ForceBrowserDownloadMgrPrompt=false.

Management Directives

5.13, NRC International Activities, Practices, and Procedures.

12.1, NRC Facility Security Program.

12.2, NRC Classified Information Security Program.

12.3, NRC Personnel Security Program.

Memorandum to Jennifer Golder, Director, Office of Administration, from Darrell Roberts, Acting Executive Director for Operations, Delegation of Authority [Designation as NRC's Operations Security Senior Official] (Dec. 28, 2021) (ML21328A016).

OPSEC Program SharePoint site, at https://usnrc.sharepoint.com/sites/adm-hub/SitePages/NRC-Operations-Security-(OPSEC).aspx.

National Security Presidential Memorandum (NSPM) 28, The National Operations Security Program (NOP).

NOP PMO-ADVISORY-2022-001, National Operations Security Program Training Standards.

Nuclear Energy Institute

NEI 08-11, Information Security Program Guidelines for Protection of Classified Material at Uranium Enrichment Facilities (ML091320373).

NEI 13-04, Counterintelligence Program for Uranium Enrichment Facilities (ML13199A286).

United States Code

Atomic Energy Act of 1954, as amended (42 U.S.C. 2011 et seq.).

U.S. NUCLEAR REGULATORY COMMISSION DIRECTIVE HANDBOOK (DH)

For updates or revisions to policies contained in this MD that were issued after the MD was signed, please see the Yellow Announcement to Management Directive index (YA-to-MD index).

DH 12.9 NRC OPERATIONS SECURITY PROGRAM
DT-24-18
Volume 12: Security
Approved By: Mirela Gavrilas, Executive Director for Operations
Date Approved: October 4, 2024
Cert. Date: N/A, for the latest version of any NRC directive or handbook, see the online MD Catalog.
Issuing Office: Office of Administration, Division of Facilities and Security
Contact Name: Michael England

EXECUTIVE SUMMARY

Management Directive (MD) 12.9, NRC Operations Security Program, is a new MD and is written to

Describe the agency's new operations security program, consistent with the regulations set forth and prescribed by National Security Presidential Memorandum-28 (NSPM-28), The National Operations Security Program.

Outline the roles and responsibilities of agency offices in implementing the U.S. Nuclear Regulatory Commission's Operations Security program.

TABLE OF CONTENTS

I. OPERATIONS SECURITY (OPSEC) ...... 2
A. Background ...... 2
B. Purpose ...... 2
C. Authority ...... 3
D. Threat ...... 3
E. OPSEC Definition ...... 3
F. OPSEC Process ...... 3
II. OPSEC PLANNING ...... 5
III. OPSEC TRAINING AND EDUCATION ...... 6
IV. OPSEC EVALUATION ...... 7
V. COMPETING ACTIVITIES ...... 7


VI. OPSEC RESOURCES ...... 8
A. OPSEC SharePoint Site ...... 8
B. National Counterintelligence and Security Center (NCSC) Operations Security ...... 8
C. Center for Development of Security Excellence (CDSE) ...... 9

I. OPERATIONS SECURITY (OPSEC)

A. Background

1. In January 2022, the United States Nuclear Regulatory Commission (NRC) established its Operations Security (OPSEC) program as prescribed by National Security Presidential Memorandum-28 (NSPM-28), The National Operations Security Program (NOP). The establishment of the NRC OPSEC program was announced to the agency through a Yellow Announcement on December 23, 2021.
2. The external implementation of the OPSEC Program is the responsibility of the Office of Nuclear Security and Incident Response (NSIR), the Office of Nuclear Material Safety and Safeguards (NMSS), and the Office of Nuclear Reactor Regulation (NRR). The Sensitive Unclassified Non-Safeguards Information (SUNSI) and the Safeguards Information (SGI) Program are currently being leveraged to protect critical information in use by licensees.

B. Purpose

The purpose of the OPSEC Program is to protect both physical and digital U.S. Government (USG) data against the constantly evolving threats posed by competitors and adversaries. As part of this program, the National Counterintelligence and Security Center (NCSC) in the Office of the Director of National Intelligence (ODNI) leads efforts to engage with, and assess, individual agencies to identify and facilitate mitigation in accordance with NSPM-28, NOP. This handbook describes the policies, procedures, and responsibilities for the NRC OPSEC Program. OPSEC does not replace other security disciplines; rather, it enhances them. The OPSEC process includes the following steps:

1. Analyze Threat,
2. Identify Critical Information,
3. Analyze Vulnerabilities,
4. Assess Risk,
5. Apply Countermeasures, and
6. Assess Effectiveness.


C. Authority

The NOP, NSPM-28, updates the National Security Decision Directive 298 issued in 1988. The National Operations Security Program (NOP) is led by the NCSC. NSPM-28 mandates that each Executive department and agency assigned or supporting national security missions with classified or sensitive activities shall establish a formal OPSEC program.

D. Threat

The NRC mission is to protect public health and safety related to the use of nuclear energy. Due to key agency functions, including overseeing reactor safety and security, licensing radioactive materials, and managing the storage, security, recycling, and disposal of spent fuel, the NRC may attract potential adversaries. Those adversaries may include other nation states, foreign governments, economic competitors, criminals, terrorists, hackers, and even insiders. Each of these adversaries has some capability to observe and monitor NRC activities and operations, and to assess vulnerabilities using the information gained through collection activities.

E. OPSEC Definition

OPSEC is the systematic process that helps to deny a potential adversary access to critical information about the NRC's capabilities and intentions. This process identifies, controls, and protects generally unclassified information associated with the planning and execution of both sensitive and non-sensitive activities and operations.

F. OPSEC Process

The OPSEC Process consists of six steps. It is a methodology designed to guide the user through a series of steps to identify unclassified critical information and OPSEC indicators, and to develop countermeasures to mitigate vulnerabilities inherent to the critical information. The six steps are as follows:

1. Analyze Threat: An adversary with the intent and capabilities to compromise the mission or sensitive activities. A threat is an adversary who has both the capability and the intent to take any actions detrimental to the success of NRC activities or operations. If either the capability or intent is not present the threat is not considered credible.
2. Identify Critical Information:

(a) The information about the intentions and capabilities that an adversary can exploit to compromise or interrupt the agency mission. Although some critical information might be classified and afforded adequate protection, unclassified information is not afforded the same protection. It is this unclassified information, or indicators thereof that, when considered in aggregate, may provide an adversary with clues to other more critical data. Indicators are data derived from open (unprotected) sources or detectable actions. These indicators may be prevalent in daily routines, such as administrative, operational, and logistical activities.

(b) Knowing who the adversaries are, and what information they require to meet their objective(s), is essential in determining what information is critical. In any given situation, there is likely to be more than one adversary, and each may be interested in different types of information. The adversaries' ability to collect information using the following full range of intelligence disciplines must be considered:

(i) Human Intelligence (HUMINT),

(ii) Signals Intelligence (SIGINT),

(iii) Imagery Intelligence (IMINT),

(iv) Measurement and Signature Intelligence (MASINT),

(v) Acoustic Intelligence (ACINT),

(vi) Telemetry Intelligence (TELINT), and

(vii) Open-Source Intelligence (OSINT).

(c) Knowing the adversary's ability to process and analyze this information, and their intention and capability to pose a credible threat, is also necessary. If an adversary lacks any element(s) regarding either intent or capability, the threat is eliminated. For example, a group that desires information contained in encrypted radio transmissions, but does not have the capability to obtain it, is not a threat, while a group that wants to know specific information about a nuclear plant, which might be observable from areas accessible to the public, and can observe it, is a threat.

(d) The objective of threat analysis is to know as much as possible about each adversary and the strategies and options available to them for targeting the unit and its operations. It is also important to analyze the adversarial threat within the context of the actual operation and, to the extent possible, determine what the adversary's capabilities will be for the specific time and location of the NRC operation. Threat analysis is done in coordination with the local FBI, or other appropriate law enforcement, as required.

3. Analyze Vulnerabilities: Vulnerabilities are weaknesses that an adversary can exploit to get your critical information. Some of the vulnerabilities faced by individuals and organizations are

(a) Use of email, texting, social media, and other online resources;

(b) Access to physical mail, trash, and recyclables;

(c) Predictable patterns, procedures, and activities;

(d) Lack of awareness of threats and vulnerabilities; and

(e) Increased connectivity on insecure devices.

4. Assess Risk: Risk is the likelihood that an adversary will get critical information. This involves a bit of math: it is the probability that an adversary will compromise critical information or exploit a vulnerability, and the potential impact of the adversary's success. Risk assessment is used to determine the probability that an adversary will gain knowledge of critical information and the overall impact if the adversary is successful.
5. Apply Countermeasures: Countermeasures are anything that effectively mitigates or decreases an adversary's ability to exploit vulnerabilities, and they are typically applied to the vulnerabilities. These include educating staff on threats and vulnerabilities, using traditional security precautions (physical, personal, cyber, training, education, awareness, etc.), and enforcing policies. This could be as simple as using privacy settings on a social media account or as complex as developing a national awareness campaign on phishing scams. The result will assist in denying adversaries critical information. In mathematical terms, a risk formula looks like this:

Risk = Threat x Vulnerability x Impact

6. Assess Effectiveness: Determine if what is being done is working or if changes need to be made. Review the vulnerabilities that are remaining after the countermeasures have been applied.
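A worked pass through the six steps as a small risk register, added here and not part of the handbook. The sample adversaries, critical-information items, countermeasures, the 0-5 rating scale and the rule that turns capability and intent into one threat rating are all assumptions; only Risk = Threat x Vulnerability x Impact and the "no capability or no intent means no credible threat" rule come from the handbook.

```python
"""Worked OPSEC risk register for the handbook's six-step process (added example).
Sample data below is constructed; the 0-5 scale and the threat rule combining
capability and intent are assumptions. Only Risk = Threat x Vulnerability x
Impact comes from the handbook."""
from dataclasses import dataclass


@dataclass
class Adversary:
    """Step 1, Analyze Threat: credible only with BOTH capability and intent."""
    name: str
    capability: int  # 0-5
    intent: int      # 0-5

    def threat(self) -> int:
        # Handbook rule: missing capability or intent means no credible threat.
        # Otherwise the rounded-up mean of the two ratings (an assumption).
        if self.capability == 0 or self.intent == 0:
            return 0
        return (self.capability + self.intent + 1) // 2


@dataclass
class CriticalInfo:
    """Step 2, Identify Critical Information: one Critical Information List entry."""
    item: str
    indicator: str       # unclassified indicator that could reveal it (step 2a)
    vulnerability: int   # step 3, Analyze Vulnerabilities, 1-5
    impact: int          # consequence if compromised, 1-5
    adversaries: list    # adversaries interested in this item (step 2b)


@dataclass
class Countermeasure:
    """Step 5, Apply Countermeasures: lowers vulnerability of the items it covers."""
    name: str
    covers: set
    reduction: int


def risk(threat: int, vulnerability: int, impact: int) -> int:
    """Handbook formula: Risk = Threat x Vulnerability x Impact."""
    return threat * vulnerability * impact


def assess(cil, adversaries, countermeasures=()):
    """Step 4, Assess Risk: score each CIL item against its most credible adversary.

    Returns {item: (threat, residual_vulnerability, impact, risk)}. Countermeasures
    reduce vulnerability but never below 1, so a residual always remains for step 6.
    """
    by_name = {a.name: a for a in adversaries}
    results = {}
    for ci in cil:
        threat = max((by_name[n].threat() for n in ci.adversaries), default=0)
        vuln = ci.vulnerability
        for cm in countermeasures:
            if ci.item in cm.covers:
                vuln -= cm.reduction
        vuln = max(vuln, 1)
        results[ci.item] = (threat, vuln, ci.impact, risk(threat, vuln, ci.impact))
    return results


def prioritize(results):
    """Items by residual risk, highest first: where the next countermeasure goes."""
    return sorted(results, key=lambda item: results[item][3], reverse=True)


def effectiveness(before, after):
    """Step 6, Assess Effectiveness: fraction of total risk removed."""
    total_before = sum(r[3] for r in before.values())
    total_after = sum(r[3] for r in after.values())
    return 0.0 if total_before == 0 else (total_before - total_after) / total_before


# Constructed sample data (hypothetical; not from the directive).
ADVERSARIES = [
    Adversary("nation-state collector", capability=5, intent=4),
    Adversary("activist group", capability=2, intent=5),
    Adversary("curious hobbyist", capability=3, intent=0),  # no intent: not credible
]
CIL = [
    CriticalInfo("unannounced inspection schedule",
                 "predictable travel bookings on a widely shared calendar",
                 4, 4, ["nation-state collector", "activist group"]),
    CriticalInfo("pre-decisional licensing review status",
                 "draft documents discarded in open recycle bins", 3, 3, ["activist group"]),
    CriticalInfo("security system upgrade timeline",
                 "contractor badging visible in social media posts", 2, 5, ["curious hobbyist"]),
]
COUNTERMEASURES = [
    Countermeasure("restrict calendar visibility", {"unannounced inspection schedule"}, 2),
    Countermeasure("CUI shred bins plus monthly spot checks",
                   {"pre-decisional licensing review status"}, 1),
]
```

Running `assess(CIL, ADVERSARIES)` and then `assess(CIL, ADVERSARIES, COUNTERMEASURES)` gives the before and after registers; the hobbyist item scores zero risk because the handbook treats an adversary without intent as no threat at all, however exposed the indicator is.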

II. OPSEC Planning

OPSEC considerations must be integral to all operational planning. Therefore, the Program Manager must ensure that sound OPSEC principles are incorporated early into the planning and coordination process. Those principles will be codified in a written OPSEC Plan or OPSEC Annex to an Operational Plan. OPSEC planning is a continuous process. During all phases of a security operation, feedback on the success or failure of OPSEC countermeasures should be evaluated based on the effectiveness of each countermeasure, resulting in any modifications to the OPSEC plan. There are two types of OPSEC Plans:

A. Organizational Plans: Outline the broad OPSEC Program objectives for the organization. A sample format for Organizational OPSEC Plans is as follows:

1. References: Examples are this handbook and other OPSEC references as applicable.
2. Purpose: To establish an OPSEC Program.
3. Scope: Concise statement of the program.
4. Policy: Statement of NRC Policy on protection of sensitive information.


5. Process/Procedures: The six-step OPSEC Process.
6. Responsibilities: Designation of the OPSEC Manager and Coordinator.
7. OPSEC Evaluation: How OPSEC will be evaluated in the organization (i.e., OPSEC Surveys, OPSEC Assessments, and OPSEC Managers Inspection).
8. Program Goals: List specific benchmarks for the organizational OPSEC Program (i.e., establish an OPSEC Working Group, accomplish annual OPSEC Refresher Training, ensure that an OPSEC Annex to all Operations Plans is published).

B. Activity Plans: These are the OPSEC Plans that are applicable to individual operations, projects, or activities undertaken by the organization. They may be published as standalone plans or as annexes to the Plans/Orders for a specific operation. The format for such plans should include the Statement of Purpose (Director of National Intelligence intent) and the six-step OPSEC process: assess the threat, identify critical information, assess vulnerabilities, assess risk, apply countermeasures, and address effectiveness (communications/control measures and logistics required to implement effective countermeasures).

III. OPSEC Training and Education

OPSEC Training and Education is a continuous requirement. There are three levels of OPSEC training.

A. Introductory Training: This mandatory training is conducted as part of initial employee orientation. It consists of an introduction to basic OPSEC Principles (OPSEC Fundamentals), the broad threat directed against the NRC, and the six-step OPSEC Process.

B. Annual Awareness/Refresher Training: This mandatory training is conducted annually and serves as an OPSEC refresher for all personnel. It is conducted, coordinated, or both, by the OPSEC coordinator and normally consists of, at a minimum, a review of the current threat for operations, insider threat awareness, a review of the six-step OPSEC Process, and appropriate discussion of the practical application of countermeasures within the organizational operational framework. The refresher training is currently combined with the Defensive Counter-Intelligence training module.

C. OPSEC Management and Coordinator Training: This training may take many forms. It is designed for those staff members that are assigned OPSEC Coordinator responsibilities or are routinely involved in OPSEC Planning, Program Management, or both. The training is available from the NOP at the NCSC for OPSEC training and education.

Programs of instruction include an OPSEC Analysis Course, OPSEC Program Management Course, Public Release Decisions Course, and internet-based Capabilities Course. These courses are offered through online training. A full course catalogue is available on the NCSC web site at https://www.dni.gov/index.php/ncsc-what-we-do/operations-security.


IV. OPSEC Evaluation

There are several methods to evaluate organizational OPSEC Programs.

A. OPSEC Survey

1. An OPSEC survey is a thorough examination of an office, region, or a specific operation or program to determine exploitable vulnerabilities of critical information and to recommend countermeasures. It is not an inspection; it is a fact-finding rather than fault-finding operation. The survey is conducted both onsite and offsite by a team of subject matter experts and includes collecting information directly and indirectly from a wide range of sources, making observations, and interviewing personnel.
2. An office or region OPSEC Coordinator can request an OPSEC Survey through the OPSEC Program Manager. When an OPSEC Survey is completed, a report will be prepared for the requesting office or region. Lessons learned are encouraged to be shared with other members of the OPSEC program.

B. Communications Security (COMSEC) Monitoring: COMSEC monitoring provides the means to detect unauthorized disclosures of classified and other forms of sensitive Government information on non-secure telecommunication circuits and systems. Only a properly authorized entity (e.g., the FBI) may monitor these communications.

Awareness of active COMSEC monitoring of Government telecommunication systems is an essential element of deterrence.

C. OPSEC Self-Assessment: This is a self-evaluation effort that is conducted by the organization's OPSEC Coordinator on an annual basis. The organization's OPSEC activities for a 1-year period, including training, are reviewed to determine compliance with the NRC OPSEC program guidance and national level guidelines. The effectiveness of the overall OPSEC effort is assessed and areas for improvement are identified (contact the OPSEC Program Manager for answers to questions or to relay concerns).

D. Program Level Evaluations: In accordance with the NRC Facilities Security Program, the Security Management and Operations Branch conducts physical security inspections at NRC Headquarters, regional offices, and the Technical Training Center (TTC). Within the regional offices and TTC, these inspections are conducted annually. These inspections include OPSEC as a functional area for examination. In most cases the inspection team will coordinate the OPSEC portion of the evaluation with the Regional OPSEC Coordinator.

V. Competing Activities

Several potential competing activities, including statutory policies and requirements, exist that may conflict with the OPSEC goal of protecting information. Examples of potentially conflicting actions or requirements include routine press/media releases, information sharing agreements (sensitive information, CUI, OUO), foreign military sales, treaty provisions, the Freedom of Information Act, and cost-benefit analyses (of protective measures). Each of these legitimate requirements presents some degree of risk for the release of sensitive information. Staff must exercise appropriate caution in determining what information can and should be protected, while satisfying both statutory requirements and the basic principles of a free and open Government. This judgment requires a delicate balance and, often, compromises must be made. Such compromises are inherent in the Risk Management process. To preclude potential abuse of the OPSEC Program, Managers and Coordinators should ensure that

A. OPSEC Countermeasures implemented are commensurate with the value of the information being protected.

B. Countermeasures do not restrict appropriate entities from performing their oversight responsibilities relating to fiscal responsibility, waste, fraud and abuse, and compliance with open Government statutory requirements.

C. Questions that arise pertaining to a conflict between OPSEC and statutory requirements should be addressed to the Office of the General Counsel (OGC) through the OPSEC Program Manager.

VI. OPSEC Resources

A. OPSEC SharePoint Site

The OPSEC SharePoint site (https://usnrc.sharepoint.com/sites/adm-hub/SitePages/NRC-Operations-Security-(OPSEC).aspx) is designed to help OPSEC Coordinators develop and enhance their office or regional OPSEC Program. This site has OPSEC guidance and templates, samples, and training material that covers a wide range of OPSEC topics, and is not publicly available.

B. National Counterintelligence and Security Center (NCSC) Operations Security

1. The NCSC (https://www.dni.gov/index.php/ncsc-what-we-do/operations-security) website allows users to download OPSEC awareness products (posters/videos/bulletins), enroll in NCSC training courses, and to access other OPSEC resources.
2. The mission of the NCSC NOP is to act as a consultant to other U.S. Government departments or agencies by providing technical guidance and assistance that will result in self-sufficient OPSEC Programs for the protection of U.S. operations. NOP staff assesses OPSEC programs, assists in OPSEC program development, conducts surveys and assessments, and provides OPSEC training.


C. Center for Development of Security Excellence (CDSE)

The Center for Development of Security Excellence (CDSE) provides a basic working knowledge of OPSEC and how it applies to NRC staff. The CDSE offers the course OPSEC Awareness for Military Members, DOD Employees and Contractors GS130.16 (https://www.cdse.edu/Training/eLearning/GS130/), which focuses on the history of OPSEC and the OPSEC process as described in National Security Decision Directive 298.