EFCOG Best Practice #34

Title:  Enhanced Worker Classification Awareness as an Activity Risk Control (3/23/05)

FACILITY:   Los Alamos National Laboratory

POINT OF CONTACT:   Meredith Brown, 505-667-3731 or meb@lanl.gov

Brief Description of Best Practice:

DOE requires Authorized Derivative Classifier (ADC) review of all material, including email, generated in a subject area that may be classified. LANL developed this practice to assist the responsible manager and ADCs with detailed knowledge of both the activity and the applicable classification guidance to analyze each activity’s risk of generating classified information. The manager and ADC(s) can then determine the classification awareness enhancements necessary within the organization to ensure that emails do not include classified information while permitting specified types of information to be transmitted without ADC review, or determine that the risk of including classified information is high and ADC review is required. Following the ISSM 5-step process, each activity, project, or subject area of research is analyzed with worker input as appropriate to identify areas of risk resulting from insufficient worker awareness of classification rules.

Why the Best Practice was used:

In 2004 the LANL Security Inquiry Team reported 25 cases of improperly transmitted classified matter (email, fax, etc.). In the case of email, the Laboratory determined that ADC review of every email was not necessary or feasible but that increased awareness of information that does require review was needed to reduce the incidents of unauthorized disclosure. Additionally, the Laboratory recognized that institutional security training could not address specific activities within individual projects that have the potential to generate classified information. A high level of classification awareness among workers specific to their organization’s activities was needed to mitigate security incidents resulting from inadvertent disclosure of classified information, especially when the communication is by email or where ADC review is problematic (e.g., verbal communication).

What are the benefits of the Best Practice:

The intent of this practice is to encourage manager and ADC interactions through application of the ISSM 5-steps such that risks are analyzed and controls are implemented to ensure that classified information is not compromised by inadvertent inclusion in unclassified email, phone conversations, etc. Enhanced awareness can also help avoid inadvertent contamination of unclassified computer systems when workers draft a document that will receive subsequent classification review before dissemination.

What problems/issues were associated with the Best Practice:

This process is not intended to replace or circumvent DOE classification review requirements for documents or other material generated in potentially classified subject areas. Workers must apply enhanced awareness to determine whether ADC review is required, not to determine whether information is classified or unclassified.

How the success of the Best Practice was measured:

The success of this process will be measured in two ways: reduction in reportable security incidents involving unauthorized disclosure of classified information through email and by increased ADC involvement in organizational risk assessment.

Description of process experience using the Best Practice:

Information risk categories were established as follows. For all categories, authors of unclassified email are responsible for appropriately handling Unclassified Controlled Information such as UCNI, OUO, etc.

  • UNRESTRICTED: No risk of generating classified information. This includes but is not limited to information relating to administrative activities (i.e., no technical or programmatic content) and information falling under an existing approved Designated Unclassified Subject Area. ADC review of email is not required.

  • CONDITIONAL: Risk of generating classified information exists and is controlled by means of mandatory enhanced classification awareness. Workers are provided classification awareness briefings, presentations, etc. as identified by the manager and developed and delivered by the ADC(s). Upon completion and documentation of actions taken to enhance worker awareness, ADC review of email is not required.

  • RESTRICTED: Risk of generating classified information exists and is controlled by requiring ADC review because worker awareness cannot be expected to provide sufficient assurance that compromise can be avoided without review. This determination is primarily based on the complexity of the subject matter and/or the relevant classification guidance.

An activity must be categorized as RESTRICTED if it falls in areas where the subject matter, the applicable classification guidance, or both are sufficiently complex or detailed to preclude attaining an acceptable level of awareness for all involved workers.

A variety of formats can be used to document the risk analysis and controls. Each such document should identify and describe the activity, project, research subject area, etc., including classified aspects if applicable, and specify the risk category. All activities should be described in sufficient detail to ensure workers understand the boundaries and scope within which ADC review of email is or is not required.

Information in the conditional or restricted categories must be consistent with and reflect applicable approved classification guidance.

It is strongly recommended that workers be explicitly instructed to stop work if they are unsure of the activity scope, risk categorization, or applicability of the awareness briefings they have received. Note that awareness materials may be classified and must be handled accordingly.


ISSM Core Function and Guiding Principle to which the Best Practice relates

  • Principle 1: Line Management Responsibility for Security
  • Principle 3: Competence Commensurate with Responsibilities
  • Principle 6: Hazard Controls Tailored to Work Being Performed

  • Core Function 2: Analysis of Hazards
  • Core Function 3: Develop and Implement Hazard Controls
  • Core Function 5: Provide Feedback and Continuous Improvement