This report presents the results of inspection activities by the U.S. Department of Energy (DOE) Office of Independent Oversight, Office of Security Evaluations in the area of classification and information control (CIC) at the two DOE offices at the Hanford Site—the Richland Operations Office (RL) and the Office of River Protection (ORP)—each of which oversees separate contracts held by private companies. This effort was the first CIC inspection of the Hanford Site conducted by the Office of Security Evaluations since that office assumed responsibility for oversight of CIC activities throughout the DOE/National Nuclear Security Administration complex in October 2005. Before October 2005, the Office of Classification and its predecessor organizations were responsible for the CIC oversight program. The Office of Security Evaluations conducted this inspection to evaluate the subtopical areas of program administration, authorities, guidance, training, document reviews, and program evaluation. Data collection activities were conducted August 30 and 31, 2006.

The inspection scope consisted of an assessment of the RL and Project Hanford Management Contract (PHMC) classification programs and practices to safeguard controlled unclassified information, such as Unclassified Controlled Nuclear Information (UCNI) and Official Use Only (OUO) information. PHMC, the management and integration contractor for Hanford Site programs and facilities, includes Fluor Hanford, Inc. and several subcontractors. The mission of RL and PHMC is to clean up the site’s shutdown plutonium production complex, consisting of nine nuclear reactors and associated processing and waste facilities used in the 1940s for the Manhattan Project. As a result of RL’s and PHMC’s mission, these organizations process classified information categorized up to Secret/Restricted Data. In contrast, ORP requires no classified holdings to perform its mission, which is to retrieve and treat Hanford’s high-level radioactive tank waste. Accordingly, the focus of the ORP inspection was to assess the protection of controlled unclassified information. For ORP, CH2M Hill Hanford Group, Inc. and Bechtel National, Inc. are the primary contractors.

The Office of Classification conducted the last oversight review of the RL and PHMC CIC programs in April 2003. That review determined that RL and PHMC were meeting applicable requirements in the areas of program administration, authorities, training, document reviews, and program evaluation. However, RL was issued one finding related to the need to update all Headquarters guides used by the operations office, and PHMC was issued findings related to the need to maintain a current list of guides on hand and update guides that were not current with Headquarters changes. All previous RL and PHMC findings were closed and validated. This is the first CIC independent oversight review of ORP.

Data collection activities involved interviews with management, classifiers, and other personnel associated with the CIC programs; evaluation of information submitted in advance by RL (including ORP) and PHMC; onsite reviews and assessments of documentation and procedures; and responses to inquiries during the inspection. Reviews were conducted of 167 documents selected from a cross-section of organizations that generate classified, UCNI, or OUO documents. In addition, 182 documents on the RL, ORP, and PHMC web pages and related web sites and 19 documents in the public reading room were reviewed.

2.1    Program Administration

Leadership and Responsibilities

At RL, the classification, UCNI, and OUO programs are administered by a classification officer who is supported by three derivative classifiers and one administrative assistant within RL’s Security and Emergency Services Division. The RL classification officer also serves as a team leader for the Security and Emergency Services Division and spends about 10 percent of his time on classification, UCNI, and OUO functions. The classification officer and his staff, using mainly two derivative classifiers, provide classification program support to ORP through a memorandum of agreement. The RL program receives subject matter expert support from PHMC and the Pacific Northwest National Laboratory as needed to assist in classification and declassification decisions.

Because of the large number of classified documents generated, the PHMC classification officer spends about 90 percent of his time administering the classification and UCNI programs and is supported by one classification analyst and a part-time subcontractor. The OUO program is administered by the Chief Information Officer, who has developed a very robust program that implements many of the requirements being considered in the update of the OUO order and manual. The RL/PHMC program has prepared managers and staff to make informed decisions on what can be released to the public and how to best control and protect sensitive, unclassified information. The approach is particularly useful because the Hanford Site is of great public interest and receives many requests for information. Features of the program include general employee training, subject matter expert training, and requirements for periodic self-assessments.

With current staffing levels and through mutual support, adequate resources are available to administer the classification, UCNI, and OUO programs at RL, ORP, and PHMC. The RL classification officer has announced plans to retire in December 2007. RL has begun a search for a replacement but has not yet identified a suitable candidate.

Procedures

RL follows the requirements in DOE classification, UCNI, and OUO orders and manuals and has issued several local procedures to implement these requirements. PHMC has a formal system of written procedures that are available to all personnel through the Project Hanford Management System. Some of the RL and PHMC procedures contain minor errors and outdated information but are consistent with order and manual requirements. RL and PHMC have no approved deviations to the requirements in the classification, UCNI, and OUO orders and manuals.

Because ORP’s mission does not require handling classified information or nuclear weapons-grade material, ORP does not have classification and UCNI programs and associated procedures. However, even though ORP generates controlled unclassified information, neither ORP nor its contractors have established an OUO program as required by DOE Order 471.3, Identifying and Protecting Official Use Only Information and DOE Manual 471.3-1, Manual for Identifying and Protecting Official Use Only Information. Additionally, the memorandum of agreement with RL does not include OUO program support.

In lieu of an OUO program, ORP and its contractors, CH2M Hill and Bechtel National, have adopted the terms "business sensitive" and "sensitive" to identify controlled unclassified information. In practice, if a document is determined to contain business sensitive or sensitive information, a pink cover sheet is placed over the document. In discussions with ORP staff, it appeared that some of the controls required for OUO are in place, such as requiring document reviews prior to public release of the information and redaction, if necessary. However, the current approach does not appear to consider the various exemptions to public release of information. ORP and its contractors have no procedures or training to ensure comprehensiveness, consistency, and effectiveness in implementing its current practices. Additionally, because ORP has not established an OUO program and associated requirements, it will not benefit from ongoing Departmental efforts to update OUO requirements to improve the protection of controlled unclassified information, in the aftermath of highly-publicized incidents of loss of privacy information.

2.2    Authorities

RL has one original classifier (the classification officer), ten Secret derivative classifiers, one derivative declassifier, and nine UCNI reviewing officials. ORP has two derivative classifiers to ensure that classified information is not inadvertently generated and released. Questionnaires and interviews with the classification officer and derivative classifiers indicate that there is an adequate number of officials at RL and ORP. The authority descriptions accurately identify the person, responsibilities, and other information required by DOE directives. Records indicate that all RL and ORP derivative classifiers successfully completed training and an examination before being granted authority and have successfully completed a recertification examination within three years. All RL UCNI reviewing officials completed training before being granted authority and have been recertified within three years.

PHMC has 33 Secret derivative classifiers, 3 derivative declassifiers, and 33 UCNI reviewing officials. Questionnaires and interviews with the classification officer and derivative classifiers indicate that there is an adequate number of officials. Although the authority descriptions contain all the required information, these documents need to be updated to reflect Fluor Hanford as the company name. Records indicate that all PHMC derivative classifiers and UCNI reviewing officials successfully completed training and an examination before being granted authority and have successfully completed recertification training and an examination within three years.

2.3    Guidance

Based on information from questionnaires and derivative classifier interviews, RL and ORP derivative classifiers have access to appropriate, up-to-date guidance. RL, ORP, and PHMC do not have any locally issued guides. The PHMC classification officer maintains a reference library of guides used at PHMC, some of which are not up to date. In addition, interviews with derivative classifiers revealed that some of them had out-of-date guidance that could lead to incorrect classification decisions and over-protection or under-protection of information. This issue was also identified during the last oversight review, in April 2003.

 RL has four contracts that generate classified information: one with Fluor Hanford, Inc., one with Westech International, Inc., and two with Advanced Technologies and Laboratories. The Contract Security Classification Specification forms for these contracts identify the guidance to be used, and the RL classification officer certified the guidance as appropriate for the contracts. PHMC has four contracts that could generate classified information. The Contract Security Classification Specification forms for these contracts identify the guidance to be used, and the PHMC classification officer certified the guidance as appropriate for the contracts. RL, ORP, and PHMC do not have any classified work-for-others projects. Adequate classification guidance has been provided to all of the contractors generating classified information.

2.4    Training

RL and ORP use the same initial classification training for all cleared personnel, which is incorporated in the comprehensive security briefing videotape, and the training material on classification is consistent with DOE classification directive requirements. PHMC’s initial classification training for all cleared personnel is also incorporated in their comprehensive security briefing. PHMC’s coverage of classification is extensive and consistent with DOE classification directive requirements. The computerized Hanford General Employee Training that each RL, ORP, and PHMC employee must take annually provides classification-related training. In addition, RL employees must take a separate computer-based security refresher briefing that covers classification. All the annual classification-related refresher training is consistent with DOE classification directive requirements. Both the RL and PHMC classification officers use training material provided by the Headquarters Office of Classification to initially train derivative classifiers. The RL classification officer trains and certifies ORP derivative classifiers.

Recertification training for RL, ORP, and PHMC derivative classifiers consists of refresher training and an examination. Since all UCNI reviewing officials are also derivative classifiers, they receive initial training prior to appointment and refresher training every three years. All of the training material for derivative classifiers and UCNI reviewing officials is consistent with DOE classification directive requirements.

In addition to the required classification and UCNI training, both RL and PHMC have implemented OUO training for all employees. They also have designated OUO subject matter experts in each organization who receive more extensive training and, in turn, advise employees on OUO issues.

2.5    Document Reviews

A sample of 167 documents was randomly selected from a cross-section of programs that generate classified information, UCNI, and OUO and reviewed to determine whether the documents were correctly identified as classified, declassified, unclassified, UCNI, or OUO, and whether the markings and guidance were in accordance with DOE requirements. A statistical sampling plan was employed to determine the appropriate number of documents to be reviewed and found to be classified correctly in order to be 95 percent confident that 99 percent of all documents are classified correctly.

RL has on hand approximately 60 classified documents generated since the last oversight review in 2003. Based on the statistical sampling plan, the sample had to contain at least 13 documents; however, because time was available, 24 documents were reviewed. All were found to be correctly classified and marked. PHMC has on hand approximately 1100 classified documents generated since 2003. The sampling plan for PHMC required a random sample of at least 80 documents to be reviewed; however, because time was available, 124 documents were reviewed. All were found to be correctly classified and marked. All UCNI and OUO documents that were reviewed were correctly controlled and marked. One hundred eighty-two documents on the RL, ORP, and PHMC web pages and related web sites were also reviewed, and all were found to have been correctly identified as unclassified. Nineteen documents located in the public reading room were also reviewed and found to have been correctly identified as unclassified.

Another part of document reviews is to evaluate the declassification program and resulting OpenNet entries. Documents that have been declassified and are publicly releasable must be entered in the OpenNet system to ensure public and researcher access. Declassification efforts of greater than 10,000 pages must involve the DOE Headquarters Office of Classification. RL, ORP, and PHMC have no ongoing reviews that exceed 10,000 pages and foresee no such reviews in the future. Procedures are in place for entering into OpenNet documents that are declassified outside of a formal review program.

2.6    Program Evaluation

The most recent self-assessment of the RL and ORP classification programs was conducted in January-February 2006. It was considered an "independent" self-assessment because the RL classification officer contracted with the Pacific Northwest National Laboratory to conduct the assessment instead of using resident staff. The assessment complied with DOE Manual 475.1A, Identifying Classified Information. From 2004 to 2006, the PHMC classification officer conducted annual self-assessments of the classification program in accordance with the manual. Beginning in 2007, the classification self-assessment will be incorporated into the safeguards and security self-assessment program, but the same major areas will be evaluated. The RL and PHMC classification self-assessments are conducted in accordance with DOE directive requirements.

RL classification oversight reviews of PHMC are conducted in conjunction with safeguards and security surveys. The last review, conducted February 6-17, 2006, covered the eight major areas identified in DOE Manual 475.1-1A and assessed 20 performance expectations. This scope meets DOE requirements. PHMC does not have any subordinate organizations that require oversight reviews. RL and PHMC have completed all corrective actions for findings identified in the Office of Classification oversight review conducted in April 2003.

The RL classification officer reviews all of the classified documents generated in the organization. Additionally, he reviews a sample of the unclassified documents that are generated and placed into the electronic Integrated Document Management System. The PHMC classification officer reviews all classified documents submitted to Classified Document Control and approximately 20 percent of all documents that are released to the public. The annual quality control review process for RL and PHMC is exemplary in that the extensive review by the classification officer helps ensure that controlled information is not over-protected or under-protected.

The inspection of the CIC programs at RL and PHMC revealed effective, well-managed programs. Some noteworthy accomplishments were identified during the inspection. Both RL and PHMC have implemented general OUO training for all employees and additional program-specific training for OUO subject matter experts in each organization. In addition, the RL and PHMC classification officers conduct a 100 percent quality control review of all classified documents generated. The PHMC classification officer also reviews 20 percent of all documents that are released to the public. No significant discrepancies were found at RL, and only one was found at PHMC.

One area at PHMC requires improvement: classification guidance. Some Headquarters guides maintained in the PHMC classification officer’s reference library and by some derivative classifiers were not up to date. This issue was also identified in the last oversight review conducted in April 2003. While this deficiency warrants attention, it does not substantially detract from the overall effectiveness of the CIC programs at RL and PHMC.

The CIC program at ORP is not in compliance with DOE requirements in that DOE Order 471.3 and DOE Manual 471.3-1 have not been implemented. ORP marks and handles controlled unclassified information as "business sensitive," but this marking is no longer authorized as a stand-alone marking, and the "business sensitive" program lacks formality and comprehensiveness.

The RL CIC program provides adequate assurance that applicable requirements are being met. Therefore, the topic is rated as EFFECTIVE PERFORMANCE for RL.

The PHMC CIC program provides adequate assurance that applicable requirements are being met. Therefore, the topic is rated as EFFECTIVE PERFORMANCE for PHMC.

The ORP CIC program is not in compliance with DOE requirements for handling and protecting OUO information and is therefore rated as NEEDS IMPROVEMENT.

Opportunities for improvement were identified during this inspection. These potential enhancements are not intended to be prescriptive. Rather, they are intended to be reviewed and evaluated by the responsible DOE and contractor line management and modified as appropriate, in accordance with site-specific programmatic and safeguards and security objectives.

1. RL should consider actions to ensure the continuity of CIC programs in advance of the upcoming retirement of the classification officer. Specifically, consider hiring an individual so that training and transition can occur before the current classification officer retires.

2. ORP should consider implementing an OUO program in accordance with DOE Order 471.3 and DOE Manual 471.3-1, which establish requirements for protecting controlled unclassified information that ORP currently treats as "business sensitive." Additionally, the Contractor Requirements Document for each of these directives should be incorporated into new and existing contracts.

3. The RL and PHMC classification officers should consider revising the locally issued procedures to correct the minor errors and outdated information.

4. The PHMC classification officer should consider issuing an amendment to all derivative classifier and UCNI reviewing official authority letters updating the company name from Protection Technology Hanford to Fluor Hanford.

5. The PHMC classification officer should consider updating the Headquarters guides in his reference library and ensuring that all derivative classifiers have the most current guidance.

Reece Edmonds, Team Leader
Elliott Daniels
Michael Kolbay
Cathy Maus
Pat Rhoderick
James Stone

* Formerly the Office of Security and Safety Performance Assurance. The Office of Security and Safety Performance Assurance and the Office of Environment, Safety and Health were disestablished upon the creation of the new Office of Health, Safety and Security.