ML18101A003: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)
 
(2 intermediate revisions by the same user not shown)
Line 2:
| number = ML18101A003 (unchanged)
| issue date = 04/11/2018 (unchanged)
| title = 04/11/2018 Insider Threat Program and Security Executive Agent Directive 3 for NRC-Licensed Facilities (old revision) → Insider Threat Program and Security Executive Agent Directive 3 for NRC-Licensed Facilities (latest revision)
| author name = Duvigneaud D D (old revision) → Duvigneaud D (latest revision)
| author affiliation = NRC/NMSS/DFCSE/PORB (unchanged)
| addressee name = (unchanged; empty)
Line 9:
| docket = (unchanged; empty)
| license number = (unchanged; empty)
| contact person = Duvigneaud D D (old revision) → Duvigneaud D (latest revision)
| package number = ML18100B106 (unchanged)
| document type = Meeting Briefing Package/Handouts, Slides and Viewgraphs (unchanged)
Line 16:

=Text= (unchanged)
{{#Wiki_filter:}} (old revision: empty; the latest revision's text follows)
{{#Wiki_filter:Insider Threat Program and Security Executive Agent Directive 3 for NRC-Licensed Facilities
Office of Nuclear Security and Incident Response, Office of Administration, Office of Nuclear Reactor Regulation, Office of Nuclear Material Safety and Safeguards
 
===Introductions===
* Darryl Parsons, Branch Chief, Information Security Branch, Division of Security Operations, Office of Nuclear Security and Incident Response, Darryl.Parsons@nrc.gov

===Agenda===
* Overview of SEAD 3 and Insider Threat Programs
* Next Steps
* Questions and Answers
 
===Information on SEAD 3 and Insider Threat Programs===

===Insider Threat Program===
* Executive Order 13587 was adopted by the National Industrial Security Program to cover all contractors and licensees who have exposure to classified information. https://www.gpo.gov/fdsys/granule/CFR-2012-title3-vol1/CFR-2012-title3-vol1-eo13587
* The National Industrial Security Program Operating Manual (NISPOM) Change 2, incorporated in May 2016, covers the implementation of an Insider Threat Program (ITP). http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf
 
===Non-Possessing Facility Security Clearance===
* Any facility which has cleared individuals (those with personnel security clearances) and is not authorized to possess classified information is considered a non-possessing facility.
* The majority of the NRC's contractors and licensees within the scope of these requirements are non-possessing entities.
 
===Possessing Facility Security Clearance===
* The NRC issues possessing facility clearances and associated personnel security clearances to licensees and licensee contractors that meet the requirements of 10 CFR Part 95, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data, and 10 CFR Part 25, Access Authorization, and possess a demonstrable need to store classified information at their facility.
* A small number of facilities have possessing facility clearances issued by the NRC.
* These facilities handle and process classified information in order to perform their licensed activities.
 
===NISPOM ITP for Non-Possessing Licensees: Four Minimum Requirements===
* SENIOR OFFICIAL: Appointment by the licensee of an ITP Senior Official who is a U.S. citizen and a senior official of the company.
  - This can be the Facility Security Officer (FSO) as defined by the NISPOM.
* ANNUAL SELF-REVIEW: Annual self-review or self inspection of the ITP.
* ITP TRAINING: Insider Threat training for program management and cleared individual awareness.
* REPORTING: Report any indication of an insider threat to the NRC.
 
===NISPOM ITP for Possessing Licensees: Five Minimum Requirements===
* SENIOR OFFICIAL: Appointment by the licensee of an ITP Senior Official who is a U.S. citizen and a senior official of the company.
  - This can be the Facility Security Officer (FSO) as defined by the NISPOM.
* ANNUAL SELF-REVIEW: Annual self-review or self inspection of the ITP.
* ITP TRAINING: Insider threat training for program management and cleared individual awareness.
* REPORTING: Report any indication of an insider threat to the NRC.
* USER ACTIVITY MONITORING: Provide User Activity Monitoring on any classified IT system.
 
===Implementation of NISPOM ITP===
* The NRC staff are recommending to the Commission that we pursue a license commitment by incorporating the requirements into the Standard Practice Procedures Plan (SPPP) in accordance with 10 CFR Part 95.
* Implementation of the ITP requirements is planned upon Commission direction. The staff are seeking input from licensees throughout this process.
* By modifying the SPPP, which is already committed to in each license, the licensee makes the ITP requirements a license commitment without having to do an amendment to the license itself.
 
===Security Executive Agent Directive (SEAD) 3===
* In December 2016, the Office of the Director of National Intelligence (ODNI) issued SEAD 3, Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position, to executive branch agencies and covered individuals; these individuals include NRC employees, contractors, licensees, licensee contractors, and other individuals, such as members of the Nuclear Energy Institute, to whom the NRC has granted a national security clearance.
* SEAD 3 defines covered individuals as:
  - certain persons who perform work on behalf of the executive branch and have been granted access to classified information or hold sensitive positions;
  - certain persons who perform work on behalf of a State, local, Tribal, or private sector entity and have been granted access to classified information or hold sensitive positions; and
  - certain persons working in or for the legislative or judicial branches who have been granted access to classified information, where the investigation or determination has been conducted by the executive branch.
* SEAD 3 was to be implemented on June 12, 2017. The NRC requested an extension to these requirements until June 12, 2018. Implementation will occur after Commission review.
* SEAD 3 requires reporting of 19 new data elements consistent with the Standard Form-86, Questionnaire for National Security Positions, which applicants and clearance holders complete during the initial and periodic reinvestigation processes, respectively. However, SEAD 3 now requires these elements to be reported prior to participation in such activities or otherwise as soon as possible following the start of their involvement.
* Most notably, SEAD 3 requires covered individuals to obtain prior agency approval before conducting unofficial foreign travel.
* The staff benchmarked 10 other Federal agencies to understand the different implementation approaches across the Government.
  - The staff's benchmarking concluded that other Federal agencies apply SEAD 3 to all cleared staff and contractors, and in some cases to others deemed to be in sensitive positions.
  - Generally, other Federal agencies require pre-travel approval for travel to countries that are not on an agency-developed approved-destination country list.
  - Additionally, some other Federal agencies disapprove travel to destination countries on an agency-developed threat country list.
  - No agencies are allowing covered individuals to travel without pre-travel approval except as noted in SEAD 3, such as travel to U.S. territories or short-notice emergent travel.
 
===SEAD 3, Element 1: Unofficial Foreign Travel Reporting===
Pre-travel reporting:
* Complete itinerary
* Dates of travel
* Mode of transportation and identification of carriers
* Passport data
* Names and association (business, friend, relative, etc.) of foreign national traveling companions
* Planned contacts with foreign governments, companies, or citizens during foreign travel and reason for contact (business, friend, relative, etc.)
* Name, address, telephone number, and relationship of emergency point of contact

Post-travel reporting:
* Unplanned contacts with foreign governments, companies, or citizens during foreign travel and reason for contact
* Unusual or suspicious occurrences during travel, including those of possible security or counterintelligence significance
* Any foreign legal or customs incidents encountered
 
===SEAD 3, Other 18 Reporting Elements===
* Unofficial contact with a known or suspected foreign intelligence entity
* Adoption of non-U.S. citizen children (new)
* Continuing association with a known foreign national(s) or foreign national roommate(s)
* Attempted elicitation, exploitation, blackmail, coercion, or enticement to obtain classified information or other information specifically prohibited by law from disclosure (new)
* Involvement in foreign business
* Foreign bank accounts (new)
* Media contacts
* Ownership of foreign property (new)
* Foreign citizenship (new)
* Arrests
* Application for a foreign passport or identity card for travel (new)
* Financial issues and anomalies
* Possession of a foreign passport or identity card for travel (new)
* Cohabitant(s)
* Use of a foreign passport or identity card for travel
* Marriage
* Alcohol- and drug-related treatment
* Voting in a foreign election (new)

(new): New to the Part 25 requirements but similar to requirements already in Standard Form 86; the timeframe for reporting has changed.
 
===Current Reporting Requirements under 10 CFR Part 25===
* Arrests/charges/detentions
* Enrollment in a drug or alcohol treatment program
* Involvement in civil court actions
* Change in marital status (including legal separation)
* Change of name
* Change in cohabitation
* Outside employment that creates a conflict of interest
* Foreign national contacts, including business or personal contacts
* Any travel to foreign countries for which the U.S. Department of State has issued a travel warning
* Changes in financial status (debt collection, bankruptcy, foreclosure, federally guaranteed loans, tax liens, or failure to file or pay Federal or State taxes)
* Treatment for emotional, mental, or personality disorders (except marriage, grief, or family counseling not related to violence by you, or strictly related to adjustments from service in a military combat environment)
* Travel to a foreign country where a passport other than a U.S. passport is used to enter or leave the country
* While on travel, any arrests and detentions, issues with customs or law enforcement, or concerns that you were being followed or monitored while on official or unofficial foreign travel
 
===Implementation of SEAD 3===
The staff's proposed implementation of SEAD 3 is consistent with the staff's proposed implementation of the NISPOM ITP as previously discussed:
* The NRC staff are recommending to the Commission that we pursue a license commitment by incorporating the requirements into the Standard Practice Procedures Plan in accordance with 10 CFR Part 95.
* Implementation of the SEAD 3 requirements will follow Commission review. The staff are seeking input from licensees throughout this process.
* By modifying the SPPP, which is already committed to in each license, the licensee makes the requirements a license commitment without having to do an amendment to the license itself.
 
===Proposed SPPP Language and Discussion===

NISPOM ITP suggested language for SPPP for possessing facilities:
Procedures have been developed which establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with the latest change to the Department of Defense (DoD) 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) insider threat program requirements. These procedures include at a minimum: (1) appointment of an insider threat program senior official (ITPSO); (2) training for employees covered under the program; (3) annual self-inspections of the insider threat program; (4) timely reporting for any potential or actual insider threat; and (5) user activity monitoring on any classified information system.

NISPOM ITP suggested language for SPPP for non-possessing facilities:
Procedures have been developed which establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with the latest change to the Department of Defense (DoD) 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) insider threat program requirements. These procedures include at a minimum: (1) appointment of an insider threat program senior official (ITPSO); (2) training for employees covered under the program; (3) annual self-inspections of the insider threat program; and (4) timely reporting for any potential or actual insider threat.

SEAD 3 suggested language for SPPP for both possessing and non-possessing facilities:
Procedures have been developed for individuals who have access to classified information which establish and maintain standardized reporting requirements in accordance with the 19 elements as required by the Office of the Director of National Intelligence (ODNI) Security Executive Agent Directive 3, Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position, dated December 14, 2016.

===Example of What the Staff Will Be Looking for During SPPP Reviews===
Reviewer's Checklist for Non-Possessors' SPPP:
* Does the licensee commit to having procedures that establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with Department of Defense (DoD) 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) insider threat program requirements?
* Do the licensee's insider threat program procedures commit to addressing the appointment of an insider threat program senior official (ITPSO)?
* Do the licensee's insider threat program procedures commit to training for employees covered under the program?
* Do the licensee's insider threat program procedures commit to annual self-inspections of the insider threat program?
* Do the licensee's insider threat program procedures commit to timely reporting for any potential or actual insider threat?
* Does the licensee commit to having procedures for individuals who have access to classified information or hold a sensitive position which establish and maintain standardized reporting requirements in accordance with the Office of the Director of National Intelligence (ODNI) Security Executive Agent Directive 3 (SEAD 3), Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position, dated December 14, 2016?
* Does the licensee address the fact that there are 19 required data elements for reporting under SEAD 3 and that the information under each element must either be self-reported or reported for others? See the table below to ensure the 19 data elements are acknowledged and addressed in licensee procedures.
 
===Next Steps===
* Proposal to Commission on how to implement requirements
* Awaiting Commission direction
* After Commission direction, will provide update to stakeholders on implementation steps
* Potentially a public meeting to discuss Commission direction}}

Latest revision as of 15:49, 30 November 2019

Insider Threat Program and Security Executive Agent Directive 3 for NRC-Licensed Facilities
ML18101A003
Issue date: 04/11/2018
From: Dylanne Duvigneaud, Programmatic Oversight and Regional Support Branch
To:
Contact person: Duvigneaud D
Shared Package: ML18100B106
Download: ML18101A003 (22)

