10 C.F.R. PART 824—PROCEDURAL RULES FOR THE ASSESSMENT OF CIVIL PENALTIES FOR CLASSIFIED INFORMATION SECURITY VIOLATIONS


Title 10 - Energy



PART 824—PROCEDURAL RULES FOR THE ASSESSMENT OF CIVIL PENALTIES FOR CLASSIFIED INFORMATION SECURITY VIOLATIONS

Section Contents
§ 824.1   Purpose and scope.
§ 824.2   Applicability.
§ 824.3   Definitions.
§ 824.4   Civil penalties.
§ 824.5   Investigations.
§ 824.6   Preliminary notice of violation.
§ 824.7   Final notice of violation.
§ 824.8   Hearing.
§ 824.9   Hearing Counsel.
§ 824.10   Hearing Officer.
§ 824.11   Rights of the person at the hearing.
§ 824.12   Conduct of the hearing.
§ 824.13   Initial decision.
§ 824.14   Special procedures.
§ 824.15   Collection of civil penalties.
§ 824.16   Direction to NNSA contractors.
Appendix A to Part 824—General Statement of Enforcement Policy


Authority:  42 U.S.C. 2201, 2282b, 7101 et seq., 50 U.S.C. 2401 et seq.

Source:  70 FR 3607, Jan. 26, 2005, unless otherwise noted.

§ 824.1   Purpose and scope.

This part implements subsections a., c., and d. of section 234B. of the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2282b. Subsection a. provides that any person who has entered into a contract or agreement with the Department of Energy, or a subcontract or subagreement thereto, and who violates (or whose employee violates) any applicable rule, regulation or order under the Act relating to the security or safeguarding of Restricted Data or other classified information, shall be subject to a civil penalty not to exceed $100,000 for each violation. Subsections c. and d. specify certain additional authorities and limitations respecting the assessment of such penalties.

§ 824.2   Applicability.

(a) General. These regulations apply to any person that has entered into a contract or agreement with DOE, or a subcontract or sub-agreement thereto.

(b) Limitations. DOE may not assess any civil penalty against any entity (including subcontractors and suppliers thereto) specified at subsection d. of section 234A of the Act until the entity enters, after October 5, 1999, into a new contract with DOE or an extension of a current contract with DOE, and the total amount of civil penalties may not exceed the total amount of fees paid by the DOE to that entity in that fiscal year.

(c) Individual employees. No civil penalty may be assessed against an individual employee of a contractor or any other entity which enters into an agreement with DOE.

[70 FR 3607, Jan. 26, 2005, as amended at 70 FR 8716, Feb. 23, 2005]

§ 824.3   Definitions.

As used in this part:

Act means the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).

Administrator means the Administrator of the National Nuclear Security Administration.

Classified information means Restricted Data and Formerly Restricted Data protected against unauthorized disclosure pursuant to the Act and National Security Information that has been determined pursuant to Executive Order 12958, as amended March 25, 2003, or any predecessor or successor executive order to require protection against unauthorized disclosure and that is marked to indicate its classified status when in documentary form.

DOE means the United States Department of Energy, including the National Nuclear Security Administration.

Director means the DOE Official, or his or her designee, to whom the Secretary has assigned responsibility for enforcement of this part.

Person means any person as defined in section 11.s. of the Act, 42 U.S.C. 2014, and includes any affiliate or parent corporation thereof, who enters into a contract or agreement with DOE, or is a party to a contract or subcontract under a contract or agreement with DOE.

Secretary means the Secretary of Energy.

§ 824.4   Civil penalties.

(a) Any person who violates a classified information protection requirement of any of the following is subject to a civil penalty under this part:

(1) 10 CFR part 1016—Safeguarding of Restricted Data;

(2) 10 CFR part 1045—Nuclear Classification and Declassification; or

(3) Any other DOE regulation or rule (including any DOE order or manual enforceable against the contractor or subcontractor under a contractual provision in that contractor's or subcontractor's contract) related to the safeguarding or security of classified information if the regulation or rule provides that violation of its provisions may result in a civil penalty pursuant to subsection a. of section 234B. of the Act.

(b) If, without violating a classified information protection requirement of any regulation or rule under paragraph (a) of this section, a person by an act or omission causes, or creates a risk of, the loss, compromise or unauthorized disclosure of classified information, the Secretary may issue a compliance order to that person requiring the person to take corrective action and notifying the person that violation of the compliance order is subject to a notice of violation and assessment of a civil penalty. If a person wishes to contest the compliance order, the person must file a notice of appeal with the Secretary within 15 days of receipt of the compliance order.

(c) The Director may propose imposition of a civil penalty for violation of a requirement of a regulation or rule under paragraph (a) of this section or a compliance order issued under paragraph (b) of this section, not to exceed $100,000 for each violation.

(d) If any violation is a continuing one, each day of such violation shall constitute a separate violation for the purpose of computing the applicable civil penalty.

(e) The Director may enter into a settlement, with or without conditions, of an enforcement proceeding at any time if the settlement is consistent with the objectives of DOE's classified information protection requirements.

§ 824.5   Investigations.

The Director may conduct investigations and inspections relating to the scope, nature and extent of compliance by a person with DOE security requirements specified in §824.4(a) and (b) and take such action as the Director deems necessary and appropriate to the conduct of the investigation or inspection, including signing, issuing and serving subpoenas.

§ 824.6   Preliminary notice of violation.

(a) In order to begin a proceeding to impose a civil penalty under this part, the Director shall notify the person by a written preliminary notice of violation sent by certified mail, return receipt requested, of:

(1) The date, facts, and nature of each act or omission constituting the alleged violation;

(2) The particular provision of the regulation, rule or compliance order involved in each alleged violation;

(3) The proposed remedy for each alleged violation, including the amount of any civil penalty proposed; and,

(4) The right of the person to submit a written reply to the Director within 30 calendar days of receipt of such preliminary notice of violation.

(b) A reply to a preliminary notice of violation must contain a statement of all relevant facts pertaining to an alleged violation. The reply must:

(1) State any facts, explanations and arguments which support a denial of the alleged violation;

(2) Demonstrate any extenuating circumstances or other reason why a proposed remedy should not be imposed or should be mitigated;

(3) Discuss the relevant authorities which support the position asserted, including rulings, regulations, interpretations, and previous decisions issued by DOE;

(4) Furnish full and complete answers to any questions set forth in the preliminary notice; and

(5) Include copies of all relevant documents.

(c) If a person fails to submit a written reply within 30 calendar days of receipt of a preliminary notice of violation:

(1) The person relinquishes any right to appeal any matter in the preliminary notice; and

(2) The preliminary notice, including any remedies therein, constitutes a final order.

(d) The Director, at the request of a person notified of an alleged violation, may extend for a reasonable period the time for submitting a reply or a hearing request letter.

§ 824.7   Final notice of violation.

(a) If a person submits a written reply within 30 calendar days of receipt of a preliminary notice of violation, the Director must make a final determination whether the person violated or is continuing to violate a classified information security requirement.

(b) Based on a determination by the Director that a person has violated or is continuing to violate a classified information security requirement, the Director may issue to the person a final notice of violation that concisely states the determined violation, the amount of any civil penalty imposed, and further actions necessary by or available to the person. The final notice of violation also must state that the person has the right to submit to the Director, within 30 calendar days of the receipt of the notice, a written request for a hearing under §824.8 or, in the alternative, to elect the procedures specified in section 234A.c.(3) of the Act, 42 U.S.C. 2282a.c.(3).

(c) The Director must send a final notice of violation by certified mail, return receipt requested, within 30 calendar days of the receipt of a reply.

(d) Subject to paragraphs (h) and (i) of this section, the effect of final notice shall be:

(1) If a final notice of violation does not contain a civil penalty, it shall be deemed a final order 15 days after the final notice is issued.

(2) If a final notice of violation contains a civil penalty, the person must submit to the Director within 30 days after the issuance of the final notice:

(i) A waiver of further proceedings;

(ii) A request for an on-the-record hearing under §824.8; or

(iii) A notice of intent to proceed under section 234A.c.(3) of the Act, 42 U.S.C. 2282a.(c)(3).

(e) If a person waives further proceedings, the final notice of violation shall be deemed a final order enforceable against the person. The person must pay the civil penalty set forth in the notice of violation within 60 days of the filing of waiver unless the Director grants additional time.

(f) If a person files a request for an on-the-record hearing, then the hearing process commences.

(g) If the person files a notice of intent to proceed under section 234A.c.(3) of the Act, 42 U.S.C. 2282a.(c)(3), the Director, by order, shall assess the civil penalty set forth in the Notice of Violation.

(h) The Director may amend the final notice of violation at any time before the time periods specified in paragraphs (d)(1) or (d)(2) expire. An amendment shall add fifteen days to the time period under paragraph (d) of this section.

(i) The Director may withdraw the final notice of violation, or any part thereof, at any time before the time periods specified in paragraphs (d)(1) or (d)(2) expire.

§ 824.8   Hearing.

(a) Any person who receives a final notice of violation under §824.7 may request a hearing concerning the allegations contained in the notice. The person must mail or deliver any written request for a hearing to the Director within 30 calendar days of receipt of the final notice of violation.

(b) Upon receipt from a person of a written request for a hearing, the Director shall:

(1) Appoint a Hearing Counsel; and

(2) Select an administrative law judge appointed under section 3105 of Title 5, U.S.C., to serve as Hearing Officer.

§ 824.9   Hearing Counsel.

The Hearing Counsel:

(a) Represents DOE;

(b) Consults with the person or the person's counsel prior to the hearing;

(c) Examines and cross-examines witnesses during the hearing; and

(d) Enters into a settlement of the enforcement proceeding at any time if settlement is consistent with the objectives of the Act and DOE security requirements.

§ 824.10   Hearing Officer.

The Hearing Officer:

(a) Is responsible for the administrative preparations for the hearing;

(b) Convenes the hearing as soon as is reasonable;

(c) Administers oaths and affirmations;

(d) Issues subpoenas, at the request of either party or on the Hearing Officer's motion;

(e) Rules on offers of proof and receives relevant evidence;

(f) Takes depositions or has depositions taken when the ends of justice would be served;

(g) Conducts the hearing in a manner which is fair and impartial;

(h) Holds conferences for the settlement or simplification of the issues by consent of the parties;

(i) Disposes of procedural requests or similar matters;

(j) Requires production of documents; and

(k) Makes an initial decision under §824.13.

§ 824.11   Rights of the person at the hearing.

The person may:

(a) Testify or present evidence through witnesses or by documents;

(b) Cross-examine witnesses and rebut records or other physical evidence, except as provided in §824.12(d);

(c) Be present during the entire hearing, except as provided in §824.12(d); and

(d) Be accompanied, represented and advised by counsel of the person's choosing.

§ 824.12   Conduct of the hearing.

(a) DOE shall make a transcript of the hearing;

(b) Except as provided in paragraph (d) of this section, the Hearing Officer may receive any oral or documentary evidence, but shall exclude irrelevant, immaterial or unduly repetitious evidence;

(c) Witnesses shall testify under oath and are subject to cross-examination, except as provided in paragraph (d) of this section;

(d) The Hearing Officer must use procedures appropriate to safeguard and prevent unauthorized disclosure of classified information or any other information protected from public disclosure by law or regulation, with minimum impairment of rights and obligations under this part. The classified or otherwise protected status of any information shall not, however, preclude its being introduced into evidence. The Hearing Officer may issue such orders as may be necessary to consider such evidence in camera including the preparation of a supplemental initial decision to address issues of law or fact that arise out of that portion of the evidence that is classified or otherwise protected.

(e) DOE has the burden of going forward with and of proving by a preponderance of the evidence that the violation occurred as set forth in the final notice of violation and that the proposed civil penalty is appropriate. The person to whom the final notice of violation has been addressed shall have the burden of presenting and of going forward with any defense to the allegations set forth in the final notice of violation. Each matter of controversy shall be determined by the Hearing Officer upon a preponderance of the evidence.

§ 824.13   Initial decision.

(a) The Hearing Officer shall issue an initial decision as soon as practicable after the hearing. The initial decision shall contain findings of fact and conclusions regarding all material issues of law, as well as reasons therefor. If the Hearing Officer determines that a violation has occurred and that a civil penalty is appropriate, the initial decision shall set forth the amount of the civil penalty based on:

(1) The nature, circumstances, extent, and gravity of the violation or violations;

(2) The violator's ability to pay;

(3) The effect of the civil penalty on the person's ability to do business;

(4) Any history of prior violations;

(5) The degree of culpability; and

(6) Such other matters as justice may require.

(b) The Hearing Officer shall serve all parties with the initial decision by certified mail, return receipt requested. The initial decision shall include notice that it constitutes a final order of DOE 30 days after the filing of the initial decision unless the Secretary files a Notice of Review. If the Secretary files a Notice of Review, he shall file a final order as soon as practicable after completing his review. The Secretary, at his discretion, may order additional proceedings, remand the matter, or modify the amount of the civil penalty assessed in the initial decision. DOE shall notify the person of the Secretary's action under this paragraph in writing by certified mail, return receipt requested. The person against whom the civil penalty is assessed by the final order shall pay the full amount of the civil penalty assessed in the final order within thirty days (30) unless otherwise agreed by the Director.

§ 824.14   Special procedures.

A person receiving a final notice of violation under §824.7 may elect in writing, within 30 days of receipt of such notice, the application of special procedures regarding payment of the penalty set forth in section 234A.c.(3) of the Act, 42 U.S.C. 2282a(c)(3). The Director shall promptly assess a civil penalty, by order, after the date of such election. If the civil penalty has not been paid within sixty calendar days after the assessment has been issued, the DOE shall institute an action in the appropriate District Court of the United States for an order affirming the assessment of the civil penalty.

§ 824.15   Collection of civil penalties.

If any person fails to pay an assessment of a civil penalty after it has become a final order or after the appropriate District Court has entered final judgment for DOE under §824.14, DOE shall institute an action to recover the amount of such penalty in an appropriate District Court of the United States.

§ 824.16   Direction to NNSA contractors.

(a) Notwithstanding any other provision of this part, the NNSA Administrator, rather than the Director, signs, issues, serves, or takes the following actions that direct NNSA contractors or subcontractors.

(1) Subpoenas;

(2) Orders to compel attendance;

(3) Disclosures of information or documents obtained during an investigation or inspection;

(4) Preliminary notices of violation; and

(5) Final notices of violations.

(b) The Administrator shall act after consideration of the Director's recommendation. If the Administrator disagrees with the Director's recommendation, and the disagreement cannot be resolved by the two officials, the Director may refer the matter to the Deputy Secretary for resolution.

Appendix A to Part 824—General Statement of Enforcement Policy

I. Introduction

a. This policy statement sets forth the general framework through which DOE will seek to ensure compliance with its classified information security regulations and rules and classified information security-related compliance orders (hereafter collectively referred to as classified information security requirements).

The policy set forth herein is applicable to violations of classified information security requirements by DOE contractors and their subcontractors (hereafter collectively referred to as DOE contractors). This policy statement is not a regulation and is intended only to provide general guidance to those persons subject to the classified information security requirements. It is not intended to establish a formulaic approach to the initiation and resolution of situations involving noncompliance with these requirements. Rather, DOE intends to consider the particular facts of each noncompliance situation in determining whether enforcement penalties are appropriate and, if so, the appropriate magnitude of those penalties. DOE reserves the option to deviate from this policy statement when appropriate in the circumstances of particular cases.

b. Both the Department of Energy Organization Act, 42 U.S.C. 7101, and the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2011, require DOE to protect and provide for the common defense and security of the United States in conducting its nuclear activities, and grant DOE broad authority to achieve this goal.

c. The DOE goal in the compliance arena is to enhance and protect the common defense and security at DOE facilities by fostering a culture among both DOE line organizations and contractors that actively seeks to attain and sustain compliance with classified information security requirements. The enforcement program and policy have been developed with the express purpose of achieving a culture of active commitment to security and voluntary compliance. DOE will establish effective administrative processes and incentives for contractors to identify and report noncompliances promptly and openly and to initiate comprehensive corrective actions to resolve both the noncompliances themselves and the program or process deficiencies that led to noncompliance.

d. In the development of the DOE enforcement policy, DOE believes that the reasonable exercise of its enforcement authority can help to reduce the likelihood of serious security incidents. This can be accomplished by providing greater emphasis on a culture of security awareness in existing DOE operations and strong incentives for contractors to identify and correct noncompliance conditions and processes in order to protect classified information of vital significance to this nation. DOE wants to facilitate, encourage, and support contractor initiatives for the prompt identification and correction of problems. These initiatives and activities will be duly considered in exercising enforcement discretion.

e. Section 234B of the Act provides DOE with the authority to impose civil penalties and also with the authority to compromise, modify, or remit civil penalties with or without conditions. In implementing section 234B, DOE will carefully consider the facts of each case of noncompliance and will exercise appropriate judgment in taking any enforcement action. Part of the function of a sound enforcement program is to assure a proper and continuing level of security vigilance. The reasonable exercise of enforcement authority will be facilitated by the appropriate application of security requirements to nuclear facilities and by promoting and coordinating the proper contractor attitude toward complying with those requirements.

II. Purpose

The purpose of the DOE enforcement program is to promote and protect the common defense and security of the United States by:

a. Ensuring compliance by DOE contractors with applicable classified information security requirements.

b. Providing positive incentives for a DOE contractor's:

(1) Timely self-identification of security deficiencies,

(2) Prompt and complete reporting of such deficiencies to DOE,

(3) Root cause analyses of security deficiencies,

(4) Prompt correction of security deficiencies in a manner which precludes recurrence, and

(5) Identification of modifications in practices or facilities that can improve security.

c. Deterring future violations of DOE requirements by a DOE contractor.

d. Encouraging the continuous overall improvement of operations at DOE facilities.

III. Statutory Authority

Section 234B of the Act subjects contractors, and their subcontractors and suppliers, to civil penalties for violations of DOE regulations, rules and orders regarding the safeguarding and security of Restricted Data and other classified information.

IV. Procedural Framework

a. 10 CFR part 824 sets forth the procedures DOE will use in exercising its enforcement authority, including the issuance of notices of violation and the resolution of contested enforcement actions in the event a DOE contractor elects to adjudicate contested issues before an administrative law judge.

b. Pursuant to 10 CFR part 824.6, the Director initiates the civil penalty process by issuing a preliminary notice of violation that specifies a proposed civil penalty. The DOE contractor is required to respond in writing to the preliminary notice of violation, either admitting the violation and waiving its right to contest the proposed civil penalty and paying it; admitting the violation, but asserting the existence of mitigating circumstances that warrant either the total or partial remission of the civil penalty; or denying that the violation has occurred and providing the basis for its belief that the preliminary notice of violation is incorrect. After evaluation of the DOE contractor's response, the Director may determine that no violation has occurred; that the violation occurred as alleged in the preliminary notice of violation, but that the proposed civil penalty should be remitted in whole or in part; or that the violation occurred as alleged in the preliminary notice of violation and that the proposed civil penalty is appropriate notwithstanding the asserted mitigating circumstances. In the latter two instances, the Director will issue a final notice of violation or a final notice of violation with proposed civil penalty.

c. An opportunity to challenge a proposed civil penalty either before an administrative law judge or in a United States District Court is provided in 42 U.S.C. 2282a(c). Part 824 sets forth the procedures associated with an administrative hearing, should the contractor opt for that method of challenging the proposed civil penalty.

V. Severity of Violations

a. Violations of classified information security requirements have varying degrees of security significance. Therefore, the relative importance of each violation must be identified as the first step in the enforcement process. Violations of classified information security requirements are categorized in three levels of severity to identify their relative security significance. Notices of violation are issued for noncompliance and propose civil penalties commensurate with the severity level of the violation(s) involved.

b. Severity Level I has been assigned to violations that are the most significant and Severity Level III violations are the least significant. Severity Level I is reserved for violations of classified information security requirements which involve actual or high potential for adverse impact on the national security. Severity Level II violations represent a significant lack of attention or carelessness toward responsibilities of DOE contractors for the protection of classified information which could, if uncorrected, potentially lead to an adverse impact on the national security. Severity Level III violations are less serious, but are of more than minor concern: i.e., if left uncorrected, they could lead to a more serious concern. In some cases, violations may be evaluated in the aggregate and a single severity level assigned for a group of violations.

c. Isolated minor violations of classified information security requirements will not be the subject of formal enforcement action through the issuance of a notice of violation. However, these minor violations will be identified as noncompliances and tracked to assure that appropriate corrective/remedial action is taken to prevent their recurrence, and evaluated to determine if generic or specific problems exist. If circumstances demonstrate that a number of related minor noncompliances have occurred in the same time frame (e.g., all identified during the same assessment), or that related minor noncompliances have recurred despite prior notice to the DOE contractor and sufficient opportunity to correct the problem, DOE may choose in its discretion to consider the noncompliances in the aggregate as a more serious violation warranting a Severity Level III designation, a notice of violation and a possible civil penalty.

d. The severity level of a violation will depend, in part, on the degree of culpability of the DOE contractor with regard to the violation. Thus, inadvertent or negligent violations will be viewed differently from those in which there is gross negligence, deception or willfulness. In addition to the significance of the underlying violation and level of culpability involved, DOE will also consider the position, training and experience of the person involved in the violation. Thus, for example, a violation may be deemed to be more significant if a senior manager of an organization is involved rather than a foreman or non-supervisory employee. In this regard, while management involvement, direct or indirect, in a violation may lead to an increase in the severity level of a violation and proposed civil penalty, the lack of such involvement will not constitute grounds to reduce the severity level of a violation or mitigate a civil penalty. Allowance of mitigation in such circumstances could encourage lack of management involvement in DOE contractor activities and a decrease in protection of classified information.

e. Other factors which will be considered by DOE in determining the appropriate severity level of a violation are the duration of the violation, the past performance of the DOE contractor in the particular activity area involved, whether the DOE contractor had prior notice of a potential problem, and whether there are multiple examples of the violation in the same time frame rather than an isolated occurrence. The relative weight given to each of these factors in arriving at the appropriate severity level will depend on the circumstances of each case.

f. DOE expects contractors to provide full, complete, timely, and accurate information and reports. Accordingly, the severity level of a violation involving either failure to make a required report or notification to DOE or an untimely report or notification will be based upon the significance of, and the circumstances surrounding, the matter that should have been reported. A contractor will not normally be cited for a failure to report a condition or event unless the contractor was actually aware or should have been aware of the condition or event which it failed to report.

VI. Enforcement Conferences

a. Should DOE determine, after completion of all assessment and investigation activities associated with a potential or alleged violation of classified information security requirements, that there is a reasonable basis to believe that a violation has actually occurred, and the violation may warrant a civil penalty, DOE will normally hold an enforcement conference with the DOE contractor involved prior to taking enforcement action. DOE may also elect to hold an enforcement conference for potential violations which would not ordinarily warrant a civil penalty but which could, if repeated, lead to such action. The purpose of the enforcement conference is to assure the accuracy of the facts upon which the preliminary determination to consider enforcement action is based, discuss the potential or alleged violations, their significance and causes, and the nature of and schedule for the DOE contractor's corrective actions, determine whether there are any aggravating or mitigating circumstances, and obtain other information which will help determine the appropriate enforcement action.

b. DOE contractors will be informed prior to a meeting when that meeting is considered to be an enforcement conference. Such conferences are informal mechanisms for candid pre-decisional discussions regarding potential or alleged violations and will not normally be open to the public. In circumstances for which immediate enforcement action is necessary in the interest of the national security, such action will be taken prior to the enforcement conference, which may still be held after the necessary DOE action has been taken.

VII. Enforcement Letter

a. In cases where DOE has decided not to issue a notice of violation, DOE may send an enforcement letter to the contractor signed by the Director. The enforcement letter is intended to communicate the basis of the decision not to pursue further enforcement action for a noncompliance. The enforcement letter is intended to point contractors to the desired level of security performance. It may be used when the Director concludes the specific noncompliance at issue is not of the level of significance warranted for issuance of a notice of violation. The enforcement letter will typically describe how the contractor handled the circumstances surrounding the noncompliance and address additional areas requiring the contractor's attention and DOE's expectations for corrective action. The enforcement letter notifies the contractor that, when verification is received that corrective actions have been implemented, DOE will close the enforcement action. In the case of NNSA contractors or subcontractors, the enforcement letter will take the form of advising the contractor or subcontractor that the Director has consulted with the NNSA Administrator who agrees that further enforcement action should not be pursued if verification is received that corrective actions have been implemented by the contractor or subcontractor.

b. In many investigations, an enforcement letter may not be required. When DOE decides that a contractor has appropriately corrected a noncompliance or that the significance of the noncompliance is sufficiently low, it may close out an investigation without such enforcement letter. A closeout of a noncompliance with or without an enforcement letter may only take place after the Director has issued a letter confirming that corrective actions have been completed. In the case of NNSA contractors or subcontractors, the Director's letter will take the form of confirming that corrective actions have been completed and advising that the Director has consulted with the NNSA Administrator who agrees that no enforcement action should be pursued.

VIII. Enforcement Actions

The nature and extent of the enforcement action is intended to reflect the seriousness of the violation involved. For the vast majority of violations for which DOE assigns severity levels as described previously, a notice of violation will be issued, requiring a formal response from the recipient describing the nature of and schedule for corrective actions it intends to take regarding the violation.

1. Notice of Violation

a. A Notice of Violation (preliminary or final) is a document setting forth the conclusion that one or more violations of classified information security requirements have occurred. Such a notice normally requires the recipient to provide a written response which may take one of several positions described in Section IV of this policy statement. In the event that the recipient concedes the occurrence of the violation, it is required to describe corrective steps which have been taken and the results achieved; remedial actions which will be taken to prevent recurrence; and the date by which full compliance will be achieved.

b. DOE will use the notice of violation as the standard method for formalizing the existence of a possible violation and the notice of violation will be issued in conjunction with the proposed imposition of a civil penalty. In certain limited instances, as described in this section, DOE may refrain from the issuance of an otherwise appropriate notice of violation. However, a notice of violation normally will be issued for willful violations, for violations where past corrective actions for similar violations have not been sufficient to prevent recurrence and there are no other mitigating circumstances.

c. DOE contractors are not ordinarily cited for violations resulting from matters not within their control, such as equipment failures that were not avoidable by reasonable quality assurance measures, proper maintenance, or management controls. With regard to the issue of funding, however, DOE does not consider an asserted lack of funding to be a justification for noncompliance with classified information security requirements. Should a contractor believe that a shortage of funding precludes it from achieving compliance with one or more of these requirements, it may request, in writing, an exemption from the requirement(s) in question from the appropriate Secretarial Officer (SO). If no exemption is granted, the contractor, in conjunction with the SO, must take appropriate steps to modify, curtail, suspend or cease the activities which cannot be conducted in compliance with the classified information security requirement(s) in question.

d. DOE expects the contractors which operate its facilities to have the proper management and supervisory systems in place to assure that all activities at DOE facilities, regardless of who performs them, are carried out in compliance with all classified information security requirements. Therefore, contractors normally will be held responsible for the acts or omissions of their employees and subcontractor employees in the conduct of activities at DOE facilities.

2. Civil Penalty

a. A civil penalty is a monetary penalty that may be imposed for violations of applicable classified information security requirements, including compliance orders. Civil penalties are designed to emphasize the need for lasting remedial action, deter future violations, and underscore the importance of DOE contractor self-identification, reporting and correction of violations.

b. Absent mitigating circumstances as described below, or circumstances otherwise warranting the exercise of enforcement discretion by DOE as described in this section, civil penalties will be proposed for Severity Level I and II violations. Civil penalties also will be proposed for Severity Level III violations which are similar to previous violations for which the contractor did not take effective corrective action. “Similar” violations are those which could reasonably have been expected to have been prevented by corrective action for the previous violation. DOE normally considers civil penalties only for similar Severity Level III violations that occur over an extended period of time.

c. DOE will impose different base level civil penalties considering the severity level of the violation(s). Table 1 shows the daily base civil penalties for the various categories of severity levels. However, as described in Section V, the imposition of civil penalties will also take into account the gravity, circumstances, and extent of the violation or violations and, with respect to the violator, any history of prior similar violations and the degree of culpability and knowledge.

d. Regarding the factor of ability of DOE contractors to pay the civil penalties, it is not DOE's intention that the economic impact of a civil penalty is such that it puts a DOE contractor out of business. Contract termination, rather than civil penalties, is used when the intent is to terminate a contractor's management of a DOE facility. The deterrent effect of civil penalties is best served when the amount of such penalties takes this factor into account. However, DOE will evaluate the relationship of entities affiliated with the contractor (such as parent corporations) when it asserts that it cannot pay the proposed penalty.

e. DOE will review each case involving a proposed civil penalty on its own merit and adjust the base civil penalty values upward or downward appropriately. As indicated in paragraph 2.c of this section, Table 1 identifies the daily base civil penalty values for different severity levels. After considering all relevant circumstances, civil penalties may be escalated or mitigated based upon the adjustment factors described below in this section. In no instance will a civil penalty for any one violation exceed the $100,000 statutory limit per violation. However, it should be noted that if a violation is a continuing one, under the statute, each day the violation continued constitutes a separate violation for purposes of computing the civil penalty. Thus, the per violation cap will not shield a DOE contractor that is or should have been aware of an ongoing violation and has not reported it to DOE and taken corrective action despite an opportunity to do so from liability significantly exceeding $100,000. Further, as described in this section, the duration of a violation will be taken into account in determining the appropriate severity level of the base civil penalty.

Table 1 - Severity Level Base Civil Penalties
------------------------------------------------------------------------
Severity level    Base civil penalty amount (percentage of maximum
                  civil penalty per violation per day)
------------------------------------------------------------------------
I                 100
II                50
III               10
------------------------------------------------------------------------

3. Adjustment Factors

a. DOE's enforcement program is not an end in itself, but a means to achieve compliance with classified information security requirements, and civil penalties are not assessed for revenue purposes, but rather to emphasize the importance of compliance and to deter future violations. The single most important goal of the DOE enforcement program is to encourage early identification and reporting of security deficiencies and violations of classified information security requirements by the DOE contractors themselves rather than by DOE, and the prompt correction of any deficiencies and violations so identified. With respect to their own practices and those of their subcontractors, DOE believes that DOE contractors are in the best position to identify and promptly correct noncompliance with classified information security requirements. DOE expects that these contractors should have in place internal compliance programs which will ensure the detection, reporting and prompt correction of security-related problems that may constitute, or lead to, violations of classified information security requirements before, rather than after, DOE has identified such violations. Thus, DOE contractors are expected to be aware of and to address security problems before they are discovered by DOE. Obviously, protection of classified information is enhanced if deficiencies are discovered (and promptly corrected) by the DOE contractor, rather than by DOE, which may not otherwise become aware of a deficiency until later on, during the course of an inspection, performance assessment, or following an incident at the facility. Early identification of classified information security-related problems by DOE contractors can also have the added benefit of allowing information which could prevent such problems at other facilities in the DOE complex to be shared with other appropriate DOE contractors.

b. Pursuant to this enforcement philosophy, DOE will provide substantial incentive for the early self-identification, reporting and prompt correction of problems which constitute, or could lead to, violations of classified information security requirements. Thus, application of the adjustment factors set forth below may result in no civil penalty being assessed for violations that are identified, reported, and promptly and effectively corrected by the DOE contractor.

c. On the other hand, ineffective programs for problem identification and correction are unacceptable. Thus, for example, where a contractor fails to disclose and promptly correct violations of which it was aware or should have been aware, substantial civil penalties are warranted and may be sought, including the assessment of civil penalties for continuing violations on a per day basis.

d. Further, in cases involving factors of willfulness, repeated violations, patterns of systematic violations, flagrant DOE-identified violations or serious breakdown in management controls, DOE intends to apply its full statutory enforcement authority where such action is warranted. Based on the degree of such factors, DOE may escalate the amount of civil penalties up to the statutory maximum of $100,000 per violation per day for continuing violations.

4. Identification and Reporting

Reduction of up to 50% of the base civil penalty shown in Table 1 may be given when a DOE contractor identifies the violation and promptly reports the violation to the DOE. In weighing this factor, consideration will be given to, among other things, the opportunity available to discover the violation, the ease of discovery and the promptness and completeness of any required report. No consideration will be given to a reduction in penalty if the DOE contractor does not take prompt action to report the problem to DOE upon discovery, or if the immediate actions necessary to restore compliance with classified information security requirements or place the facility or operation in a safe configuration are not taken.

5. Self-Identification and Tracking Systems

a. DOE strongly encourages contractors to self-identify noncompliances with classified information security requirements before the noncompliances lead to a string of similar and potentially more significant events or consequences. When a contractor identifies a noncompliance through its own self-monitoring activity, DOE will normally allow a reduction in the amount of civil penalties, regardless of whether prior opportunities existed for contractors to identify the noncompliance. DOE normally will not allow a reduction in civil penalties for self-identification if DOE intervention was required to induce the contractor to report a noncompliance.

b. Self-identification of a noncompliance is possibly the single most important factor in considering a reduction in the civil penalty amount. Consideration of self-identification is linked to, among other things, whether prior opportunities existed to discover the violation, and if so, the age and number of such opportunities; the extent to which proper contractor controls should have identified or prevented the violation; whether discovery of the violation resulted from a contractor's self-monitoring activity; the extent of DOE involvement in discovering the violation or in prompting the contractor to identify the violation; and the promptness and completeness of any required report. Self-identification is also considered by DOE in deciding whether to pursue an investigation.

6. Self-Disclosing Events

a. DOE expects contractors to demonstrate acceptance of responsibility for security of classified information and to pro-actively identify noncompliance conditions in their programs and processes. In deciding whether to reduce any civil penalty proposed for violations revealed by the occurrence of a self-disclosing event (e.g. belated discovery of the disappearance of classified information or material subject to accountability rules), DOE will consider the ease with which a contractor could have discovered the noncompliance, i.e. failure to comply with classified information accountability rules, that contributed to the event and the prior opportunities that existed to discover the noncompliance. When the occurrence of an event discloses noncompliances that the contractor could have or should have identified before the event, DOE will not generally allow a reduction in civil penalties for self-identification. If a contractor simply reacts to events that disclose potentially significant consequences or downplays noncompliances which did not result in significant consequences, such contractor actions do not lead to the improvement in protection of classified information contemplated by the Act.

b. The key test is whether the contractor reasonably could have detected any of the underlying noncompliances that contributed to the event. Failure to utilize events and activities to address noncompliances may result in higher civil penalty assessments or a DOE decision not to reduce civil penalty amounts.

7. Corrective Action To Prevent Recurrence

The promptness (or lack thereof) and extent to which the DOE contractor takes corrective action, including actions to identify root causes and prevent recurrence, may result in up to a 50% increase or decrease in the base civil penalty shown in Table 1. For example, very extensive corrective action may result in reducing the proposed civil penalty as much as 50% of the base value shown in Table 1. On the other hand, the civil penalty may be increased as much as 50% of the base value if initiation or corrective action is not prompt or if the corrective action is only minimally acceptable. In weighing this factor, consideration will be given to, among other things, the appropriateness, timeliness and degree of initiative associated with the corrective action. The comprehensiveness of the corrective action will also be considered, taking into account factors such as whether the action is focused narrowly to the specific violation or broadly to the general area of concern.

8. DOE's Contribution to a Violation

There may be circumstances in which a violation of a classified information security requirement results, in part or entirely, from a direction given by DOE personnel to a DOE contractor to either take, or forbear from taking an action at a DOE facility. In such cases, DOE may refrain from issuing a notice of violation, and may mitigate, either partially or entirely, any proposed civil penalty, provided that the direction upon which the DOE contractor relied is documented in writing, contemporaneously with the direction. It should be emphasized, however, that no interpretation of a classified information security requirement is binding upon DOE unless issued in writing by the General Counsel. Further, as discussed in this section of this policy statement, lack of funding by itself will not be considered as a mitigating factor in enforcement actions.

9. Exercise of Discretion

Because DOE wants to encourage and support DOE contractor initiative for prompt self-identification, reporting and correction of problems, DOE may exercise discretion as follows:

a. In accordance with the previous discussion, DOE may refrain from issuing a civil penalty for a violation which meets all of the following criteria:

(1) The violation is promptly identified and reported to DOE before DOE learns of it;

(2) The violation is not willful or a violation that could reasonably be expected to have been prevented by the DOE contractor's corrective action for a previous violation;

(3) The DOE contractor, upon discovery of the violation, has taken or begun to take prompt and appropriate action to correct the violation; and

(4) The DOE contractor has taken, or has agreed to take, remedial action satisfactory to DOE to preclude recurrence of the violation and the underlying conditions which caused it.

b. DOE may refrain from proposing a civil penalty for a violation involving a past problem that meets all of the following criteria:

(1) It was identified by a DOE contractor as a result of a formal effort such as an annual self assessment that has a defined scope and timetable which is being aggressively implemented and reported;

(2) Comprehensive corrective action has been taken or is well underway within a reasonable time following identification; and

(3) It was not likely to be identified by routine contractor efforts such as normal surveillance or quality assurance activities.

c. DOE will not issue a notice of violation for cases in which the violation discovered by the DOE contractor cannot reasonably be linked to the conduct of that contractor, provided that prompt and appropriate action is taken by the DOE contractor upon identification of the past violation to report to DOE and remedy the problem.

d. DOE may refrain from issuing a notice of violation for an act or omission constituting noncompliance that meets all of the following criteria:

(1) It was promptly identified by the contractor;

(2) It is normally classified at a Severity Level III;

(3) It was promptly reported to DOE;

(4) Prompt and appropriate corrective action will be taken, including measures to prevent recurrence; and

(5) It was not a willful violation or a violation that could reasonably be expected to have been prevented by the DOE contractor's corrective action for a previous violation.

e. DOE may refrain from issuing a notice of violation for an act or omission constituting noncompliance that meets all of the following criteria:

(1) It was an isolated Severity Level III violation identified during an inspection or evaluation conducted by the Office of Independent Oversight and Performance Assurance, or a DOE security survey, or during some other DOE assessment activity;

(2) The identified noncompliance was properly reported by the contractor upon discovery;

(3) The contractor initiated or completed appropriate assessment and corrective actions within a reasonable period, usually before the termination of the onsite inspection or integrated performance assessment; and

(4) The violation was not willful or one which could reasonably be expected to have been prevented by the DOE contractor's corrective action for a previous violation.

f. In situations where corrective actions have been completed before termination of an inspection or assessment, a formal response from the contractor is not required and the inspection or integrated performance assessment report serves to document the violation and the corrective action. However, in all instances, the contractor is required to report the noncompliance through established reporting mechanisms so the noncompliance issue and any corrective actions can be properly tracked and monitored.

g. If DOE initiates an enforcement action for a violation at a Severity Level II or III and, as part of the corrective action for that violation, the DOE contractor identifies other examples of the violation with the same root cause, DOE may refrain from initiating an additional enforcement action. In determining whether to exercise this discretion, DOE will consider whether the DOE contractor acted reasonably and in a timely manner appropriate to the security significance of the initial violation, the comprehensiveness of the corrective action, whether the matter was reported, and whether the additional violation(s) substantially change the security significance or character of the concern arising out of the initial violation.

h. The preceding paragraphs are solely intended to be examples indicating when enforcement discretion may be exercised to forego the issuance of a civil penalty or, in some cases, the initiation of any enforcement action at all. However, notwithstanding these examples, a civil penalty may be proposed or notice of violation issued when, in DOE's judgment, such action is warranted on the basis of the circumstances of an individual case.
