OIG/98A-16 - Review of NRC Controls to Prevent the Inadvertent Release of Sensitive Information
February 3, 1999
MEMORANDUM TO: Chairman Jackson

FROM: Thomas J. Barchi, Assistant Inspector General for Audits

SUBJECT: REVIEW OF NRC CONTROLS TO PREVENT THE INADVERTENT RELEASE OF SENSITIVE INFORMATION
Attached is the Office of the Inspector General's audit report titled "Review of NRC Controls to Prevent the Inadvertent Release of Sensitive Information." Due to recent releases of sensitive information, you requested that the Office of the Inspector General conduct an agencywide review of the controls to prevent such unauthorized releases.
On December 21, 1998, we provided a draft of this report to the Chief Information Officer (CIO). On January 25, 1999, the CIO responded to our draft report and generally agreed with the report's findings and recommendations. He partially agreed with our first recommendation and suggested alternate wording. The CIO's comments are contained in Appendix II of this report.
Please contact me on 415-5915 if we can assist you further in this matter.
Attachment: As stated
- Report Synopsis
- Agency Guidance and Policies Regarding Sensitive Information--Adequate But Scattered
- Staff Usually Implement Agency Guidance, But Have Varying Levels of Training and Awareness
- ADAMS Sensitive Information Security Planning and Training Are Imperative
- I. Agency Comments
- II. Objectives, Scope, and Methodology
- III. U.S. NRC Organizational Chart
- IV. NRC Guidance/Policy Regarding Sensitive Information
- V. Sample of Resources Available to NRC Employees Responding to FOIA Requests
- VI. Agency "Good Practices"
- VII. Glossary
- VIII. Major Contributors to this Report
- IX. Glossary: Office of The Inspector General Products
The Chairman of the U.S. Nuclear Regulatory Commission (NRC) requested that the Office of the Inspector General conduct an agencywide review of the controls protecting the agency's sensitive information from unauthorized release. Our overall objectives in conducting this audit were to determine if NRC's management controls protecting sensitive unclassified information from inadvertent release are adequate and if agency guidance is being implemented. Additionally, we reviewed the development plans for the Agencywide Documents Access and Management System (ADAMS), NRC's upcoming electronic document management system, to determine if appropriate security measures will be taken to protect sensitive information.
NRC controls preventing the unauthorized release of sensitive information generally appear adequate, yet occasionally, unintentional unauthorized releases of sensitive information occur. We believe the agency can take steps to improve its processes and enhance employee awareness. We found the agency's guidance and policies on sensitive information to be scattered among at least 38 management directives, manuals, and other resources. Furthermore, we found that the guidance, particularly the information contained in the management directives, is not consistently cross-referenced or indexed. We also found that agency staff have varied levels of training and awareness regarding sensitive information, increasing the potential for inadvertent releases to occur.
With regard to ADAMS, we found that security measures for protecting sensitive information are still under development. Therefore, we were unable to test the effectiveness of the proposed measures. However, NRC needs to assure that it identifies and addresses information security requirements prior to implementing ADAMS to minimize the chance of inadvertent release.
Our report makes four recommendations to improve the effectiveness of NRC's sensitive unclassified information protection program. In addition, our work identified numerous "good practices" used by individual offices and regions. We have included a listing of those "good practices" as an appendix to our report so that agency managers may consider their use on a case-by-case basis.
Due to recent releases of sensitive information, the Chairman of the U.S. Nuclear Regulatory Commission (NRC) requested that the Office of the Inspector General (OIG) conduct an agencywide review of the controls to prevent such unauthorized releases. Because agency employees deal with sensitive unclassified information in a variety of forms on a daily basis, there are many opportunities for unauthorized releases of information to occur. Furthermore, the premature or unauthorized release of sensitive information could have adverse effects on the agency.
Because of the extensive restrictions on employee access to classified information, we focused our review exclusively on unclassified information. Also, recognizing the agency's inability to preclude intentional release of sensitive information,(1) our review covered only inadvertent unauthorized releases of this information.
Our overall objectives were to determine if NRC's management controls protecting sensitive unclassified information from inadvertent release are adequate and if agency guidance is being implemented. Additionally, we reviewed the development plans for the agency's new electronic document management system to determine if appropriate security measures will be taken to protect sensitive information. Appendix I contains additional information on our objectives, scope, and methodology.
The agency defines sensitive information in Management Directive 12, "Glossary," as "data that requires a degree of protection because of the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data." Categories of sensitive unclassified information include personal, proprietary, predecisional, and investigatory data.
The NRC's policy is to release agency health and safety related information to the public in keeping with the spirit of openness required by the Freedom of Information Act (FOIA). However, the agency must also comply with its legal obligations to protect information and its decision-making and investigative processes. While the NRC protects predecisional information from inadvertent release, the release of this information may be required to resolve a significant safety or safeguards issue or an emergency. Furthermore, the NRC also strives to protect the identity of allegers and confidential sources. That is, the agency will make all reasonable efforts to protect the identity of anyone who brings safety concerns to the NRC consistent with applicable statutes.
In addition, the agency is preparing to implement the Agencywide Documents Access and Management System (ADAMS) beginning in March 1999. ADAMS is an electronic information system that will maintain NRC's unclassified records in a centralized electronic document repository. NRC staff are addressing information security, including the protection of sensitive information contained in the system, as part of the ADAMS development process.
NRC controls preventing the unauthorized release of sensitive information appear adequate and are usually implemented by the NRC staff. However, opportunities exist to further reduce the risk of inadvertent releases of sensitive information through improved access and enhanced employee awareness of pertinent guidance. In this section, we will discuss our findings with regard to the agency's guidance concerning sensitive information, implementation of that guidance, and plans for protecting sensitive information in ADAMS.
Agency Guidance and Policies Regarding Sensitive Information--Adequate But Scattered
Although NRC's management controls for protecting sensitive information from inadvertent release appear adequate, the agency's guidance and policies are scattered among many management directives, manuals, and other documents. Furthermore, we found that the guidance, particularly the information contained in the management directives, is not consistently cross-referenced or indexed. As a result, the potential exists for staff to miss pertinent guidance or apply it incorrectly.
For optimal benefit, agency guidance and policies regarding the protection of sensitive information should be easy to identify and access. NRC employees deal with many forms of sensitive information such as investigative reports, draft inspection reports, and proprietary information. According to a former Executive Director for Operations (EDO),(2) employees are prohibited from releasing sensitive information in violation of the NRC's procedures and will be subject to appropriate disciplinary action or may be subject to other legal liability. Therefore, staff need easy access to the procedures and policies governing the release of sensitive information.
We found agency guidance and policy relating to the protection of sensitive information in a variety of forms. NRC employees need to review numerous management directives, manuals and handbooks, NUREG publications, regional and office procedures, and other communications such as e-mail messages and memoranda to find all the pertinent guidance related to sensitive information. In total, we identified more than 38 sources that provide agency guidance relating to the subject (see Appendix IV). The figure in Appendix V illustrates the agency's process flow regarding sensitive information guidance. This flow chart is an example of some resources that agency employees use to respond to FOIA requests.
Furthermore, agency guidance relating to sensitive information is not indexed or consistently cross-referenced. For example, the agency's own FOIA Audit(3) report recommended that Management Directive 3.1, "FOIA," be referenced to Management Directive 8.8, "Management of Allegations." A member of the audit team related that one of their biggest concerns was that not all management directives on the issue were cross-referenced to each other. As stated, we identified more than 38 sources, including 25 management directives, that provide agency guidance relating to sensitive information. Agency staff are currently revising several related management directives and some guidance is already cross-referenced; however, more needs to be done because sensitive information touches many subjects.
Because agency guidance relating to sensitive unclassified information is scattered and not easy to identify, the potential exists for missing pertinent guidance or applying it incorrectly. For example, NRC recently experienced an inappropriate release of names and identifying information in two FOIA responses resulting in legal action against the agency. We believe that techniques such as indexing and cross-referencing of pertinent agency guidance could further minimize the risk of inadvertent release of sensitive information.
Staff Usually Implement Agency Guidance, But Have Varying Levels of Training and Awareness
While NRC offices and regions usually implement agency guidance as it applies to their missions, inadvertent releases of sensitive information occasionally occur. We believe that these releases may occur because agency staff have varied levels of training and awareness regarding sensitive information. While the agency's overall record on protecting sensitive information appears adequate, even one unauthorized release can have far-reaching consequences that could ultimately interfere with NRC's ability to perform its regulatory and public health and safety missions.
Although NRC policy does not explicitly state that the agency's goal is to have no inadvertent releases of sensitive information, this goal is implied in various management directives and other forms of agency guidance. Furthermore, as mentioned in the preceding section, NRC employees are held personally accountable for protecting sensitive information in accordance with NRC procedures.
We found that despite the obvious good intentions by NRC staff, inadvertent releases of information to the public sometimes do occur. NRC does not perform any centralized tracking of inadvertent releases of sensitive information, but information provided by the Office of the Chief Information Officer (OCIO) and Office of the Executive Director for Operations (OEDO) staff, and anecdotal information gathered through our interviews, suggest that the number of inadvertent releases is relatively small. According to statistics provided by OCIO staff, during the first 11 months of fiscal year 1998, 67,398 documents were sent to the NRC's Public Document Room (PDR). Of that total, 52 -- or less than 1 percent -- were withdrawn from the PDR. Some of these documents were withdrawn because they contained sensitive information and had been sent to the PDR in error. Reportedly, almost half of the withdrawals occurred before the items were actually placed on the PDR shelves.
OEDO staff also provided information pointing to a relatively small number of inadvertent releases of sensitive information. Management Directive 3.4 requires NRC office directors and regional administrators to inform the EDO in writing of corrective action taken in response to any inadvertent release of information to the public. While OEDO staff do not formally track these documents, they said that their office receives only about two such memoranda per year.
Our review disclosed that inadvertent releases of sensitive information may be attributable to the varying levels of staff training and awareness of applicable guidance. For the most part, staff appeared generally aware of the agency's guidance concerning sensitive information as it applies to their offices' missions. However, we noted varying levels of staff knowledge and understanding about the guidance. For example, in one incident of inadvertent release, staff misunderstood their responsibilities under agency FOIA procedures; in others, staff conveyed sensitive information verbally either in an inappropriate setting or to inappropriate individuals. In yet another case, staff misapplied their own office procedures for sending material to the PDR resulting in the public perception that NRC was involved in a cover-up. Other releases occurred due to miscommunication among staff members or when staff mistakenly shuffled sensitive information in with a stack of non-sensitive material.
In addition, agency staff members expressed concern regarding what they perceive as "conflicting goals" in NRC's guidance regarding sensitive information. The conflict, as seen by staff, is between the need to release information under FOIA and the need to protect the identity of allegers and confidential sources. Although the perceived notion of conflicting goals is outside the scope of our review, we recognize the importance of achieving balance between the two goals. We believe there is a need for additional employee education regarding NRC's open disclosure policy and NRC's policy for protecting allegers and confidential sources.
We also found that many headquarters and regional offices had developed their own practical and workable techniques to protect sensitive information in their jurisdiction. A list of these agency "good practices" appears in Appendix VI of this report. However, our review also showed that different offices and regions pursue staff training on sensitive information in different ways. In some offices, co-workers convey procedural information to new employees, while other offices supplement such on-the-job training with written procedures and training sessions.
While the number of inadvertent releases of sensitive information appears to be relatively small, it is critical to note that even one unauthorized release of sensitive information can have far-reaching effects. One of the clearest examples of this pertains to the role that allegers play in nuclear industry health and safety matters. NRC policy encourages individuals to come forward and identify safety concerns to their employers or to the NRC. The same policy emphasizes the need to protect the identities of these individuals "to preclude potential retaliation by employers against individuals raising concerns to the NRC." In this case, the link between protecting identities and health and safety implications is obvious. If individuals lose confidence that NRC will protect their identity, they may hesitate to come forward and report what they perceive as safety concerns or wrongdoing. This could jeopardize the effectiveness of NRC's oversight activities.
Our review suggests that while NRC staff generally are successful in preventing inadvertent releases of sensitive information, there is opportunity to reduce risk by heightening employee awareness through training and education. While some NRC offices and regions offer training courses relevant to specific sensitive information topics periodically, we were unable to identify any agencywide training requirement to regularly heighten employee awareness about their responsibility with regard to all categories of sensitive information. The incidents of inadvertent release that we reviewed seem to share, at their root, a lack of awareness by some staff members of the appropriate way to handle sensitive unclassified information and suggest that additional training is warranted.
ADAMS Sensitive Information Security Planning and Training Are Imperative
As NRC prepares to move into an electronic document management environment, it is important that sufficient attention is paid to protecting all categories of sensitive information. According to OCIO staff, they intend to include all current sensitive information protection measures in ADAMS, the agency's automated document management and workflow system currently under development. If ADAMS security planning does not account for all categories of sensitive information, categories not accounted for may make their way into the public domain. In addition, if NRC does not adequately train its employees in applying appropriate security measures, accidental releases may occur.
To assure that all current sensitive information protection measures will be incorporated into ADAMS, OCIO staff said they have developed strategies for overall system security, specific library security, and individual document security. Overall system security protects against threats to penetrate, corrupt, or disable the system. In this regard, NRC has performed a risk assessment and will develop and test a detailed security and disaster recovery plan before implementing ADAMS. Library security refers to the measures invoked to protect specific groupings of information. Agency allegation information has already been flagged to receive special library protection. OCIO staff said ADAMS will also require that NRC staff mark and categorize each document according to its sensitivity level. If staff label a document as "sensitive," appropriate warning labels will be visible on the computer monitor and on the document when printed. In addition, OCIO staff plan to provide general ADAMS training that will address sensitive information protection measures, and noted that such training might be mandatory for each NRC employee. OCIO staff expect that NRC headquarters and regional office staff will develop their own sensitive information protection programs using the available ADAMS library and document security functions and inform their employees regarding these measures.
Since the security plan for ADAMS is currently under development, we were unable to test the effectiveness of the proposed measures. However, we note that if NRC does not properly identify all sensitive libraries needing additional protection measures, and if staff do not receive comprehensive training before ADAMS is implemented, sensitive unclassified information could be inadvertently released.
Although NRC controls protecting sensitive unclassified information appear to be adequate and usually well implemented, unintentional releases of sensitive information still occasionally occur. The unauthorized release of sensitive information could have far-reaching effects on the agency. For example, it could diminish the NRC's ability to perform the regulatory function assigned to it and to protect public health, safety, and the environment. It could also lead to decreased respect for the NRC and loss of credibility with the public and other Federal agencies. In some cases, a release could invade an individual's privacy or compromise a confidential agreement. We believe the agency can improve its current sensitive information protection program by making its policies and procedures easier to identify and by providing training to heighten NRC staff awareness. In addition, NRC needs to assure that it identifies and addresses its information security needs prior to implementing ADAMS.
To improve the effectiveness of NRC's sensitive unclassified information protection program and to ensure the program remains effective when ADAMS is implemented, we recommend that the Chief Information Officer (CIO):
1. Look for opportunities to consolidate the guidance on protecting sensitive information with a view towards reducing the number of sources of such guidance. In addition, create a management directive index that would list and provide the location of all guidance related to sensitive information. Also, review existing directives to ensure that each is adequately cross-referenced to other related guidance.
2. Make the management directives (and corresponding handbooks) available on NRC's web site to facilitate easy search and retrieval of pertinent guidance.
3. Educate all employees on a regular basis to increase their awareness regarding sensitive information.
4. Provide agencywide mandatory training on the protection of sensitive information in ADAMS before implementing the system. In addition, provide more detailed courses, tailored to specific sensitive office functions.
I. Agency Comments
On January 25, 1999, the CIO responded to our draft report. We have included the response in Appendix II of this report.
The CIO generally agreed with the report's findings and recommendations. He partially agreed with our first recommendation and suggested alternate wording. We reviewed Management Directive 3.4, Release of Information to the Public (approved for publication by the Executive Director for Operations on 1/25/99), and disagree that this document satisfies the objective of our recommendation. While recognizing that the revised Management Directive 3.4 contains more cross-referencing and information than its predecessor, we believe this does not constitute a complete index that identifies and provides the location of all guidance related to sensitive information. (For further clarification of the term "index," please refer to the definition of the term which we included in Appendix VII, Glossary.) We incorporated a portion of the CIO's alternate wording into our recommendation to clarify the notion of cross-referencing, and left the remainder of the recommendation as originally stated. We note that the CIO's wording suggests a promising approach for meeting our intent with regard to consolidation.
While agreeing with our second recommendation, the CIO commented that the Office of Administration has recently announced to NRC employees the availability of the agency's Management Directives on CD-ROM. Additionally, a searchable version of this guidance will be available on the NRC's website by October 1, 1999. While looking forward to the availability of the Management Directives online, we caution that this version should allow for real-time updates to coincide with revisions to the Management Directives.
Besides responding to our recommendations, the CIO provided comments on several of the report's findings. The CIO's memo indicated that he found our use of the word "scattered" to be negative and that he believes OIG views this condition as "a problem." In fact, we do not believe that the number of guidance sources is in and of itself a problem. Rather, the important issue is one of accessibility. Because so many sources of guidance on handling sensitive information exist, and there is no central index of these sources for employees, it seems probable that a staff member could miss pertinent guidance. This is particularly important since NRC employees are held personally accountable for protecting sensitive information.
The CIO's memo states that the report fails to recognize that Management Directive 3.4 "already serves as a single reference for guidance on the release of information to the public." We have reviewed the recently approved Management Directive 3.4 and believe that it provides an overview of the topic of sensitive information, but does not cover the topic fully enough to serve as a "single reference." Again, we emphasize our view that an index to all other guidance related to sensitive information is needed to optimize an employee's ability to access the appropriate guidance.
The CIO further asserts that the report does not cite examples of problems arising out of "varied levels of training." To the contrary, the last paragraph on page 4 of the report describes the varying levels of staff training and awareness of applicable guidance we observed, and it lists specific examples of problems that have occurred due to varying levels of staff knowledge and understanding about the agency's guidance. We believe there is an obvious link between training and knowledge/awareness and that the CIO indicates concurrence with this view. In his memo, he agrees with our third recommendation and states "in light of this report, we will have all offices review their areas of sensitive information and identify needs for increased awareness and training and take appropriate action to ensure that this is accomplished."
The CIO's memo also pointed out the need to reword an agency "good practice" listed in Appendix VI of the report. We made the appropriate change to our description of the good practice.
Finally, in response to a January 8, 1999, memo sent to OIG from the Chairman, Executive Council (EC), we have redirected our recommendations. Because our recommendations affect the entire agency, we initially directed them to the EC. However, we were informed that actions should not be assigned to the EC as a body, but rather to a specific organizational component within the NRC. In this case, the Chairman, EC, asked that we direct our recommendations to the CIO.
II. Objectives, Scope, and Methodology
The objectives of our audit were to: (1) determine if NRC's management controls protecting sensitive information from inadvertent release are adequate; (2) determine if offices/regions are implementing the agency's guidance to protect sensitive information from inadvertent release; and (3) determine if the Agencywide Documents Access and Management System (ADAMS) development process is taking into consideration the need to protect sensitive data from unauthorized release. Our audit focused on a review of the agency's controls to prevent the unauthorized release of sensitive information and the adequacy and implementation of those controls.
To determine if the agency's management controls for protecting sensitive information from inadvertent release are adequate, we reviewed NRC's policies and procedures. We also reviewed agency data to determine how many documents are sent to the Public Document Room and how many documents were sent in error for fiscal year 1998. Furthermore, we interviewed senior agency managers and their staff members to identify the internal procedures used by offices and regions for protecting sensitive information.
In addition, we interviewed Office of the Chief Information Officer staff and reviewed related documentation to identify the agency's planned approach for protecting sensitive data from inadvertent release once ADAMS is implemented.
Our audit was conducted from August 1998 to November 1998 in accordance with generally accepted Government auditing standards.
IV. NRC Guidance/Policy Regarding Sensitive Information
| No. | Source | Description |
|---|---|---|
| 1 | Management Directive (MD) 3.1 -- Freedom of Information Act (FOIA) | Defines responsibilities/authorities for processing FOIA requests and informs staff of the types of records that can be released or are exempt (FOIA exemptions included). |
| 2 | MD 3.2 -- Privacy Act | To ensure the lawful use of identifiable personal information. |
| 3 | MD 3.4 -- Release of Information to the Public | General policy guidance on the public release of information (e.g., draft, predecisional). Also includes information on the Nuclear Documents System (NUDOCS) and the Public Document Room (PDR). |
| 4 | MD 3.7 -- Unclassified Staff Publications in the NUREG Series | To ensure that sensitive unclassified information is not compromised by the release or publication of information by NRC. |
| 5 | MD 3.8 -- Unclassified Contractor and Grantee Publications in the NUREG Series | To ensure that sensitive unclassified information is not compromised by the release or publication of information by NRC. |
| 6 | MD 3.11 -- Conferences and Conference Proceedings | To ensure that classified or sensitive unclassified information is not released at public conferences or in publicly released conference proceedings. |
| 7 | MD 3.12 -- Handling and Disposition of Foreign Documents and Translations | To assign responsibilities and establish procedures for handling unclassified, sensitive unclassified, and classified foreign documents and their translations. |
| 8 | MD 3.23 -- Mail Management | To ensure that classified and unclassified sensitive information is not compromised by handling, marking, preparing, and transmitting such information. |
| 9 | MD 3.50 -- Document Management | Includes information on NUDOCS and guidelines protecting proprietary and copyrighted material. |
| 10 | MD 3.53 -- NRC Records Management Program | To foster effective and efficient filing and records management practices including the protection of sensitive unclassified information. |
| 11 | MD 7.4 -- Reporting Suspected Wrongdoing and Processing Office of the Inspector General (OIG) Referrals | To describe NRC management responsibilities in handling OIG investigative referrals and reports. |
| 12 | MD 8.8 -- Management of Allegations | Guidance regarding the allegations program, including the protection of allegers' identities. |
| 13 | MD 8.9 -- Accident Investigation | Notes that Director, Accident Review Group, is charged with preparing and reviewing all data for classified or sensitive unclassified information and distributing the investigation report and related documents. |
| 14 | MD 9.7 -- Organization and Functions, Office of the General Counsel (OGC) | Lists OGC's functions, including the service it provides in connection with FOIA and Privacy Act administration. |
| 15 | MD 9.13 -- Organization and Functions, Office of Congressional Affairs (OCA) | Lists OCA's functions, including the responsibility it has to use a special cover letter when transmitting documents to Congress that are not publicly available (unclassified). |
| 16 | MD 9.21 -- Organization and Functions, Office of Administration (ADM) | Lists ADM as having responsibility for the FOIA and Privacy Act programs. However, MD 9.21 is out of date. Per NRC Yellow Announcement No. 16, dated 2/12/98, these programs are under the Office of the Chief Information Officer. |
| 17 | MD 10.159 -- Differing Professional Views or Opinions (DPV/DPO) | Includes guidance for determining which DPV/DPO documents or portions of documents should or should not be released to the public. |
| 18 | MD 11.1 -- NRC Acquisition of Supplies and Services | Includes guidance for ensuring that, when necessary, contractors are approved for access to sensitive unclassified information. |
| 19 | MD 11.7 -- NRC Procedures for Placement and Monitoring of Work with The U.S. Department of Energy (DOE) | Includes guidance for providing sensitive unclassified information (including proprietary and safeguards) to DOE. |
| 20 | MD 12 -- Glossary | Defines sensitive information. |
| 21 | MD 12.1 -- NRC Facility Security Program | To ensure that classified and sensitive unclassified information is protected from unauthorized disclosure. |
| 22 | MD 12.3 -- NRC Personnel Security Program | To provide effective controls to further protect classified and sensitive unclassified information. |
| 23 | MD 12.4 -- NRC Telecommunications Systems Security Program | To safeguard classified or sensitive unclassified information communicated over telecommunications systems (e.g., telephones, facsimiles, networks). |
| 24 | MD 12.5 -- NRC Automated Information Systems (AIS) Security Program | To safeguard AIS facilities and classified safeguards information (SGI) and sensitive unclassified information that is processed, stored, or produced on AISs. |
| 25 | MD 12.6 -- NRC Sensitive Unclassified Information Security Program | Includes guidance concerning required markings on proprietary and other documents. |
| 26 | Manual Chapter 4161 -- Employee Health Services Program | Addresses the confidentiality of health and medical records. |
| 27 | 12/17/93 (Office of the Executive Director for Operations) Memo: FOIA Disclosure Policy | Advises that "foreseeable harm" must be shown when withholding information from release (per the Department of Justice's and President Clinton's FOIA guidance). |
| 28 | NRC Enforcement Manual | Includes guidance on the proper handling and marking of predecisional enforcement information. |
| 29 | NRC Inspection Manual | Covers draft inspection reports, FOIA requests, and PDR releases. |
| 30 | Operating Reactor Project Manager's Handbook | Includes guidance on how project managers should handle and process sensitive information and FOIA requests and allegations. |
| 31 | Commission Policy Statement on Protecting the Identity of Allegers and Confidential Sources | Provides the distinction between allegers and confidential sources and how the agency "protects" these two groups. |
| 32 | Code of Federal Regulations (CFR) 10, Energy | Provides guidance on public inspections, exemptions, requests for withholding official records, and public records provisions. |
|33||NUREG/BR-0027 NRC Security: You Are the Key||Provides general information regarding sensitive unclassified information at NRC.|
|34||NUREG/BR-0124 FOIA Handbook||Provides NRC policies/procedures regarding FOIA. NOTE: Per OGC, the Handbook is out of date and does not reflect current procedures. However, some NRC staff still find it a useful reference tool.|
|35||NUREG/BR-0168 Security Policy for Processing and Handling of Sensitive Unclassified Information in the Agency Upgrade of Technology for Office Systems (AUTOS)/Local Area Network (LAN) Environment||Provides information on processing and handling sensitive unclassified information in an AUTOS/LAN environment.|
|36||NUREG-0794 Protection of Unclassified Safeguards Information||Assists licensees and other persons who possess Safeguards Information in establishing an information protection system that satisfies the requirements of 10 CFR 73.21.|
|37||Yellow Announcement No. 21, 03/19/97, RE: Staff Internet Use||Provides interim guidance concerning the use of the Internet and sensitive information.|
|38||Various regional procedures/instructions, office procedures/instructions||Provide guidance on numerous topics relating to the protection of sensitive information.|
V. Sample of Resources Available to NRC Employees Responding to FOIA Requests
VI. Agency "Good Practices"
The agency's management directives pertaining to sensitive information prescribe basic controls to be used to prevent inadvertent release of such information. However, there are additional controls, which go beyond the management directive prescriptions, that offices can take to assure protection of sensitive information.
Many offices have their own specific procedures that supplement the agency's overall guidance, and many implement certain measures which they find particularly useful for their specific mission within NRC. During the course of our audit, we compiled a collection of some of these agency "good practices." We present them in this appendix to offer options for managers to consider and perhaps to adopt or modify to suit their unique sensitive information needs:
- In addition to covering allegation material with a blue cover sheet, one region uses a bright yellow folder to cover allegations information.
- One region uses a folder color scheme to help staff distinguish the different types of documents, e.g., blue folder = allegation materials, green folder = Safeguards Information (SGI).
- One region stores SGI on green diskettes and security information on red diskettes.
- As part of their orientation, all new NRC employees in one region receive a briefing on the Freedom of Information Act (FOIA) process from the regional counsel and the FOIA coordinator. Materials provided by the coordinator include a briefing document which is in bulleted form and is clear and concise.
- A senior public affairs officer in one region spends 15 to 30 minutes with each new employee, providing guidance on handling inquiries and their responsibilities for protecting sensitive information.
- Orientation training is provided by the FOIA Branch upon request for FOIA coordinators or others who are interested. The training program, which covers the FOIA process, is flexible and can be tailored to meet individual participants' needs.
- New employee orientation at headquarters includes a short presentation on the protection of sensitive information. Handouts are provided.
- In several offices and regions, the entire staff is trained annually on allegations information sensitivity.
- One region compiles lessons learned from all the regions throughout the year and incorporates them in its annual allegations refresher training, which is required of every employee.
- In the regions, when a mistake is made, the regional administrator calls the other regions and shares the experience with them so they can learn from each other.
- Some regions generate a weekly FOIA log sheet to show the status of FOIA requests within the region.
- In one region, requests for information received from the general public are usually forwarded to the region's public affairs officer.
- Most information released to the public is released through a regional public affairs officer, and staff are supposed to let the public affairs officer know when they do provide information to the public.
- One regional enforcement office destroys all draft information and purges computer files after the enforcement package is finalized.
- Information sent to allegers is mailed in unfranked, nondescript envelopes, and allegers are instructed to send information back to NRC via a post office box.
- Regional allegations staff review all FOIA requests to see if they involve allegations unless they clearly are personnel or financial related. If they determine that the FOIA request comprises allegation material, the office gets involved in a final review as well.
- In one region, all allegations-related materials are reviewed by the region's senior allegations coordinator.
- Secretarial staff in one region performed a correspondence audit on 6 months of randomly selected correspondence. This self-audit looked for sensitive information issues.
- In one region, each division has a FOIA coordinator, in addition to the main regional coordinator.
- In one region, the regional counsel presents FOIA training that includes a review of the exemptions.
- In one region, staff request that the FOIA Branch notify them in writing, via e-mail, why the FOIA Branch released information under a FOIA request that regional staff had bracketed to be redacted.
- In one region, staff have been trained on what constitutes an official agency record. In addition, a file clerk ensures that staff destroy records when they are supposed to do so.
- Secretaries in one region have been given training and supplemental notebooks on Regulatory Information Distribution System (RIDS) codes.
- In one region, the operator licensing branch has a file guide that shows which documents should be retained.
- In one region, operator licensing branch staff have a statement in their elements and standards that speaks to their responsibility for controlling draft and internal information in accordance with NRC policy.
- There is an approximate 2-week delay, which serves as a safety net, between the sending of a document to the Public Document Room (PDR) and actual placement of the item on PDR shelves.
- To heighten staff awareness regarding the protection of sensitive information, ad hoc briefings are held in one headquarters office to address related topics, particularly after a relevant issue arises.
- Yellow announcements and other reminders from senior management address the need to protect sensitive information.
- The agency allegations advisor or agency allegations specialist conducts a final review on FOIA packages containing allegations material before the material is returned to the FOIA Branch to be sent out.
- In one region, the operator licensing assistant gives a verbal warning about the private nature of the files before giving out any file for review.
- In one headquarters office, pre-made stickers are placed on documents containing sensitive information indicating the type of sensitive information and the distribution rules.
VII. Glossary
|Classified Information||Information (such as a document or correspondence) that is designated National Security Information, Restricted Data, or Formerly Restricted Data.|
|Confidential Source||Any individual or organization that has provided or that may reasonably be expected to provide information to the United States on matters pertaining to the national security or law enforcement with the expectation, expressed or implied, that the information or relationship, or both, be held in confidence.|
|Freedom of Information Act (FOIA)||Generally provides that any person has a right, enforceable in court, of access to federal agency records, except to the extent that such records (or portions thereof) are protected from disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.|
|Index||Something that serves to guide, point out, or otherwise facilitate reference, e.g., an alphabetized listing of names, places, and subjects included in a printed work that gives for each item the page on which it is mentioned.|
|Proprietary Information||(Reference Sensitive Information.) Trade secrets; privileged or confidential research, development, commercial, or financial information, exempt from mandatory disclosure under 10 CFR Part 2 (Sections 2.740 and 2.790) and under 10 CFR Part 9 (section 9.5); and other information submitted in confidence to the NRC by a foreign source and determined to be unclassified by the NRC.|
|Sensitive Information||That data that requires a degree of protection because of the risk and magnitude of loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data. This term includes Proprietary Information, unclassified Safeguards Information, naval nuclear propulsion information, and other information withheld from public dissemination under the Freedom of Information Act, the Privacy Act, or the Atomic Energy Act and information not exported to foreign countries or that must not be disclosed to foreign countries. It also includes sensitive unpublished and otherwise unavailable fuel cycle information relating to the technology of enrichment or reprocessing.|
|Unclassified Information (Sensitive)||Includes unclassified Safeguards Information, Official Use Only information, and Proprietary information. It also includes unclassified information from other Government agencies and sources outside of NRC and its contractors and licensees that requires special protective measures. Markings used by these agencies and sources include, for example, For Official Use Only, Company Confidential, and Private.|
|Unclassified Safeguards Information||(Reference Sensitive Information.) Sensitive unclassified information that specifically identifies the detailed security measures of a licensee or an applicant for the physical protection of special nuclear material; or security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities. Protection of this information is required pursuant to Section 147 of the Atomic Energy Act of 1954, as amended.|
VIII. Major Contributors to this Report
Corenthis B. Kelley
Judith L. Leonhardt
Cheryl A. Miotla
Judy G. Gordon
IX. Glossary: Office of The Inspector General Products
1. INVESTIGATIVE REPORT - WHITE COVER
An Investigative Report documents pertinent facts of a case and describes available evidence relevant to allegations against individuals, including aspects of an allegation not substantiated. Investigative reports do not recommend disciplinary action against individual employees. Investigative reports are sensitive documents and contain information subject to the Privacy Act restrictions. Reports are given to officials and managers who have a need to know in order to properly determine whether administrative action is warranted. The agency is expected to advise the OIG within 90 days of receiving the investigative report as to what disciplinary or other action has been taken in response to investigative report findings.
2. EVENT INQUIRY - GREEN COVER
The Event Inquiry is an investigative product that documents the examination of events or agency actions that do not focus specifically on individual misconduct. These reports identify institutional weaknesses that led to or allowed a problem to occur. The agency is requested to advise the OIG of managerial initiatives taken in response to issues identified in these reports but tracking its recommendations is not required.
3. MANAGEMENT IMPLICATIONS REPORT (MIR) - MEMORANDUM
MIRs provide a "ROOT CAUSE" analysis sufficient for managers to facilitate correction of problems and to avoid similar issues in the future. Agency tracking of recommendations is not required.
4. AUDIT REPORT - BLUE COVER
An Audit Report is the documentation of the review, recommendations, and findings resulting from an objective assessment of a program, function, or activity. Audits follow a defined procedure that allows for agency review and comment on draft audit reports. The audit results are also reported in the OIG's "Semiannual Report" to the Congress. Tracking of audit report recommendations and agency response is required.
5. SPECIAL EVALUATION REPORT - BURGUNDY COVER
A Special Evaluation Report documents the results of short-term, limited assessments. It provides an initial, quick response to a question or issue, and data to determine whether an in-depth independent audit should be planned. Agency tracking of recommendations is not required.
6. REGULATORY COMMENTARY - BROWN COVER
Regulatory Commentary is the review of existing and proposed legislation, regulations, and policies so as to assist the agency in preventing and detecting fraud, waste, and abuse in programs and operations. Commentaries cite the IG Act as authority for the review; state the specific law, regulation, or policy examined and the pertinent background information considered; and identify OIG concerns, observations, and objections. Significant observations regarding action or inaction by the agency are reported in the OIG Semiannual Report to Congress. Each report indicates whether a response is required.
1. Refer to Appendix VII, Glossary, for definitions of sensitive information and other related terms.
2. Announcement No. 118, dated December 22, 1997, Subject: Release of Sensitive Information, To: All NRC Employees, From: L. Joseph Callan, Executive Director for Operations.
3. The FOIA Audit was a comprehensive review of procedures, policies, and implementing guidance for protecting the identity of allegers when preparing and reviewing responses to FOIA requests. The FOIA Audit report was issued on March 18, 1998.