Title 10

PART 824 APPENDIX A



Appendix A to Part 824 - General Statement of Enforcement Policy

I. Introduction

a. This policy statement sets forth the general framework through which DOE will seek to ensure compliance with its classified information security regulations and rules and classified information security-related compliance orders (hereafter collectively referred to as classified information security requirements).

The policy set forth herein is applicable to violations of classified information security requirements by DOE contractors and their subcontractors (hereafter collectively referred to as DOE contractors). This policy statement is not a regulation and is intended only to provide general guidance to those persons subject to the classified information security requirements. It is not intended to establish a formulaic approach to the initiation and resolution of situations involving noncompliance with these requirements. Rather, DOE intends to consider the particular facts of each noncompliance situation in determining whether enforcement penalties are appropriate and, if so, the appropriate magnitude of those penalties. DOE reserves the option to deviate from this policy statement when appropriate in the circumstances of particular cases.

b. Both the Department of Energy Organization Act, 42 U.S.C. 7101, and the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2011, require DOE to protect and provide for the common defense and security of the United States in conducting its nuclear activities, and grant DOE broad authority to achieve this goal.

c. The DOE goal in the compliance arena is to enhance and protect the common defense and security at DOE facilities by fostering a culture among both DOE line organizations and contractors that actively seeks to attain and sustain compliance with classified information security requirements. The enforcement program and policy have been developed with the express purpose of achieving a culture of active commitment to security and voluntary compliance. DOE will establish effective administrative processes and incentives for contractors to identify and report noncompliances promptly and openly and to initiate comprehensive corrective actions to resolve both the noncompliances themselves and the program or process deficiencies that led to noncompliance.

d. In the development of the DOE enforcement policy, DOE believes that the reasonable exercise of its enforcement authority can help to reduce the likelihood of serious security incidents. This can be accomplished by providing greater emphasis on a culture of security awareness in existing DOE operations and strong incentives for contractors to identify and correct noncompliance conditions and processes in order to protect classified information of vital significance to this nation. DOE wants to facilitate, encourage, and support contractor initiatives for the prompt identification and correction of problems. These initiatives and activities will be duly considered in exercising enforcement discretion.

e. Section 234B of the Act provides DOE with the authority to impose civil penalties and also with the authority to compromise, modify, or remit civil penalties with or without conditions. In implementing section 234B, DOE will carefully consider the facts of each case of noncompliance and will exercise appropriate judgment in taking any enforcement action. Part of the function of a sound enforcement program is to assure a proper and continuing level of security vigilance. The reasonable exercise of enforcement authority will be facilitated by the appropriate application of security requirements to nuclear facilities and by promoting and coordinating the proper contractor attitude toward complying with those requirements.

II. Purpose

The purpose of the DOE enforcement program is to promote and protect the common defense and security of the United States by:

a. Ensuring compliance by DOE contractors with applicable classified information security requirements.

b. Providing positive incentives for a DOE contractor's:

(1) Timely self-identification of security deficiencies,

(2) Prompt and complete reporting of such deficiencies to DOE,

(3) Root cause analyses of security deficiencies,

(4) Prompt correction of security deficiencies in a manner which precludes recurrence, and

(5) Identification of modifications in practices or facilities that can improve security.

c. Deterring future violations of DOE requirements by a DOE contractor.

d. Encouraging the continuous overall improvement of operations at DOE facilities.

III. Statutory Authority

Section 234B of the Act subjects contractors, and their subcontractors and suppliers, to civil penalties for violations of DOE regulations, rules and orders regarding the safeguarding and security of Restricted Data and other classified information.

IV. Procedural Framework

a. 10 CFR part 824 sets forth the procedures DOE will use in exercising its enforcement authority, including the issuance of notices of violation and the resolution of contested enforcement actions in the event a DOE contractor elects to adjudicate contested issues before an administrative law judge.

b. Pursuant to § 824.6, the Director initiates the civil penalty process by issuing a preliminary notice of violation that specifies a proposed civil penalty. The DOE contractor is required to respond in writing to the preliminary notice of violation, either admitting the violation and waiving its right to contest the proposed civil penalty and paying it; admitting the violation, but asserting the existence of mitigating circumstances that warrant either the total or partial remission of the civil penalty; or denying that the violation has occurred and providing the basis for its belief that the preliminary notice of violation is incorrect. After evaluation of the DOE contractor's response, the Director may determine that no violation has occurred; that the violation occurred as alleged in the preliminary notice of violation, but that the proposed civil penalty should be remitted in whole or in part; or that the violation occurred as alleged in the preliminary notice of violation and that the proposed civil penalty is appropriate notwithstanding the asserted mitigating circumstances. In the latter two instances, the Director will issue a final notice of violation or a final notice of violation with proposed civil penalty.

c. An opportunity to challenge a proposed civil penalty either before an administrative law judge or in a United States District Court is provided in 42 U.S.C. 2282a(c). Part 824 sets forth the procedures associated with an administrative hearing, should the contractor opt for that method of challenging the proposed civil penalty.

V. Severity of Violations

a. Violations of classified information security requirements have varying degrees of security significance. Therefore, the relative importance of each violation must be identified as the first step in the enforcement process. Violations of classified information security requirements are categorized in three levels of severity to identify their relative security significance. Notices of violation are issued for noncompliance and propose civil penalties commensurate with the severity level of the violation(s) involved.

b. Severity Level I has been assigned to violations that are the most significant and Severity Level III violations are the least significant. Severity Level I is reserved for violations of classified information security requirements which involve actual or high potential for adverse impact on the national security. Severity Level II violations represent a significant lack of attention or carelessness toward responsibilities of DOE contractors for the protection of classified information which could, if uncorrected, potentially lead to an adverse impact on the national security. Severity Level III violations are less serious, but are of more than minor concern: i.e., if left uncorrected, they could lead to a more serious concern. In some cases, violations may be evaluated in the aggregate and a single severity level assigned for a group of violations.

c. Isolated minor violations of classified information security requirements will not be the subject of formal enforcement action through the issuance of a notice of violation. However, these minor violations will be identified as noncompliances and tracked to assure that appropriate corrective/remedial action is taken to prevent their recurrence, and evaluated to determine if generic or specific problems exist. If circumstances demonstrate that a number of related minor noncompliances have occurred in the same time frame (e.g., all identified during the same assessment), or that related minor noncompliances have recurred despite prior notice to the DOE contractor and sufficient opportunity to correct the problem, DOE may choose in its discretion to consider the noncompliances in the aggregate as a more serious violation warranting a Severity Level III designation, a notice of violation and a possible civil penalty.

d. The severity level of a violation will depend, in part, on the degree of culpability of the DOE contractor with regard to the violation. Thus, inadvertent or negligent violations will be viewed differently from those in which there is gross negligence, deception or willfulness. In addition to the significance of the underlying violation and level of culpability involved, DOE will also consider the position, training and experience of the person involved in the violation. Thus, for example, a violation may be deemed to be more significant if a senior manager of an organization is involved rather than a foreman or non-supervisory employee. In this regard, while management involvement, direct or indirect, in a violation may lead to an increase in the severity level of a violation and proposed civil penalty, the lack of such involvement will not constitute grounds to reduce the severity level of a violation or mitigate a civil penalty. Allowance of mitigation in such circumstances could encourage lack of management involvement in DOE contractor activities and a decrease in protection of classified information.

e. Other factors which will be considered by DOE in determining the appropriate severity level of a violation are the duration of the violation, the past performance of the DOE contractor in the particular activity area involved, whether the DOE contractor had prior notice of a potential problem, and whether there are multiple examples of the violation in the same time frame rather than an isolated occurrence. The relative weight given to each of these factors in arriving at the appropriate severity level will depend on the circumstances of each case.

f. DOE expects contractors to provide full, complete, timely, and accurate information and reports. Accordingly, the severity level of a violation involving either failure to make a required report or notification to DOE or an untimely report or notification will be based upon the significance of, and the circumstances surrounding, the matter that should have been reported. A contractor will not normally be cited for a failure to report a condition or event unless the contractor was actually aware or should have been aware of the condition or event which it failed to report.

VI. Enforcement Conferences

a. Should DOE determine, after completion of all assessment and investigation activities associated with a potential or alleged violation of classified information security requirements, that there is a reasonable basis to believe that a violation has actually occurred, and the violation may warrant a civil penalty, DOE will normally hold an enforcement conference with the DOE contractor involved prior to taking enforcement action. DOE may also elect to hold an enforcement conference for potential violations which would not ordinarily warrant a civil penalty but which could, if repeated, lead to such action. The purpose of the enforcement conference is to assure the accuracy of the facts upon which the preliminary determination to consider enforcement action is based, discuss the potential or alleged violations, their significance and causes, and the nature of and schedule for the DOE contractor's corrective actions, determine whether there are any aggravating or mitigating circumstances, and obtain other information which will help determine the appropriate enforcement action.

b. DOE contractors will be informed prior to a meeting when that meeting is considered to be an enforcement conference. Such conferences are informal mechanisms for candid pre-decisional discussions regarding potential or alleged violations and will not normally be open to the public. In circumstances for which immediate enforcement action is necessary in the interest of the national security, such action will be taken prior to the enforcement conference, which may still be held after the necessary DOE action has been taken.

VII. Enforcement Letter

a. In cases where DOE has decided not to issue a notice of violation, DOE may send an enforcement letter to the contractor signed by the Director. The enforcement letter is intended to communicate the basis of the decision not to pursue further enforcement action for a noncompliance. The enforcement letter is intended to point contractors to the desired level of security performance. It may be used when the Director concludes the specific noncompliance at issue is not of the level of significance warranted for issuance of a notice of violation. The enforcement letter will typically describe how the contractor handled the circumstances surrounding the noncompliance and address additional areas requiring the contractor's attention and DOE's expectations for corrective action. The enforcement letter notifies the contractor that, when verification is received that corrective actions have been implemented, DOE will close the enforcement action. In the case of NNSA contractors or subcontractors, the enforcement letter will take the form of advising the contractor or subcontractor that the Director has consulted with the NNSA Administrator who agrees that further enforcement action should not be pursued if verification is received that corrective actions have been implemented by the contractor or subcontractor.

b. In many investigations, an enforcement letter may not be required. When DOE decides that a contractor has appropriately corrected a noncompliance or that the significance of the noncompliance is sufficiently low, it may close out an investigation without such enforcement letter. A closeout of a noncompliance with or without an enforcement letter may only take place after the Director has issued a letter confirming that corrective actions have been completed. In the case of NNSA contractors or subcontractors, the Director's letter will take the form of confirming that corrective actions have been completed and advising that the Director has consulted with the NNSA Administrator who agrees that no enforcement action should be pursued.

VIII. Enforcement Actions

The nature and extent of the enforcement action is intended to reflect the seriousness of the violation involved. For the vast majority of violations for which DOE assigns severity levels as described previously, a notice of violation will be issued, requiring a formal response from the recipient describing the nature of and schedule for corrective actions it intends to take regarding the violation.

1. Notice of Violation

a. A Notice of Violation (preliminary or final) is a document setting forth the conclusion that one or more violations of classified information security requirements have occurred. Such a notice normally requires the recipient to provide a written response which may take one of several positions described in Section IV of this policy statement. In the event that the recipient concedes the occurrence of the violation, it is required to describe corrective steps which have been taken and the results achieved; remedial actions which will be taken to prevent recurrence; and the date by which full compliance will be achieved.

b. DOE will use the notice of violation as the standard method for formalizing the existence of a possible violation and the notice of violation will be issued in conjunction with the proposed imposition of a civil penalty. In certain limited instances, as described in this section, DOE may refrain from the issuance of an otherwise appropriate notice of violation. However, a notice of violation normally will be issued for willful violations, for violations where past corrective actions for similar violations have not been sufficient to prevent recurrence and there are no other mitigating circumstances.

c. DOE contractors are not ordinarily cited for violations resulting from matters not within their control, such as equipment failures that were not avoidable by reasonable quality assurance measures, proper maintenance, or management controls. With regard to the issue of funding, however, DOE does not consider an asserted lack of funding to be a justification for noncompliance with classified information security requirements. Should a contractor believe that a shortage of funding precludes it from achieving compliance with one or more of these requirements, it may request, in writing, an exemption from the requirement(s) in question from the appropriate Secretarial Officer (SO). If no exemption is granted, the contractor, in conjunction with the SO, must take appropriate steps to modify, curtail, suspend or cease the activities which cannot be conducted in compliance with the classified information security requirement(s) in question.

d. DOE expects the contractors which operate its facilities to have the proper management and supervisory systems in place to assure that all activities at DOE facilities, regardless of who performs them, are carried out in compliance with all classified information security requirements. Therefore, contractors normally will be held responsible for the acts or omissions of their employees and subcontractor employees in the conduct of activities at DOE facilities.

2. Civil Penalty

a. A civil penalty is a monetary penalty that may be imposed for violations of applicable classified information security requirements, including compliance orders. Civil penalties are designed to emphasize the need for lasting remedial action, deter future violations, and underscore the importance of DOE contractor self-identification, reporting and correction of violations.

b. Absent mitigating circumstances as described below, or circumstances otherwise warranting the exercise of enforcement discretion by DOE as described in this section, civil penalties will be proposed for Severity Level I and II violations. Civil penalties also will be proposed for Severity Level III violations which are similar to previous violations for which the contractor did not take effective corrective action. “Similar” violations are those which could reasonably have been expected to have been prevented by corrective action for the previous violation. DOE normally considers civil penalties only for similar Severity Level III violations that occur over an extended period of time.

c. DOE will impose different base level civil penalties considering the severity level of the violation(s). Table 1 shows the daily base civil penalties for the various categories of severity levels. However, as described in Section V, the imposition of civil penalties will also take into account the gravity, circumstances, and extent of the violation or violations and, with respect to the violator, any history of prior similar violations and the degree of culpability and knowledge.

d. Regarding the factor of ability of DOE contractors to pay the civil penalties, it is not DOE's intention that the economic impact of a civil penalty is such that it puts a DOE contractor out of business. Contract termination, rather than civil penalties, is used when the intent is to terminate a contractor's management of a DOE facility. The deterrent effect of civil penalties is best served when the amount of such penalties takes this factor into account. However, DOE will evaluate the relationship of entities affiliated with the contractor (such as parent corporations) when the contractor asserts that it cannot pay the proposed penalty.

e. DOE will review each case involving a proposed civil penalty on its own merit and adjust the base civil penalty values upward or downward appropriately. As indicated in paragraph 2.c of this section, Table 1 identifies the daily base civil penalty values for different severity levels. After considering all relevant circumstances, civil penalties may be escalated or mitigated based upon the adjustment factors described below in this section. In no instance will a civil penalty for any one violation exceed the statutory limit, as periodically adjusted for inflation as required by law, per violation. However, it should be noted that if a violation is a continuing one, under the statute, each day the violation continued constitutes a separate violation for purposes of computing the civil penalty. Thus, the per violation cap will not shield a DOE contractor that is or should have been aware of an ongoing violation and has not reported it to DOE and taken corrective action despite an opportunity to do so from liability significantly exceeding the limit. Further, as described in this section, the duration of a violation will be taken into account in determining the appropriate severity level of the base civil penalty.

Table 1 - Severity Level Base Civil Penalties

Severity level    Base civil penalty amount
                  (percentage of maximum civil penalty per violation per day)
I                 100
II                50
III               10