Classified information security violations; civil penalties assessment procedural rules , 3599-3614 [05-1303]
Agencies
[Federal Register: January 26, 2005 (Volume 70, Number 16)]
[Rules and Regulations]
[Page 3599-3614]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr26ja05-2]
-----------------------------------------------------------------------
DEPARTMENT OF ENERGY
10 CFR Part 824
[Docket No. SO-RM-00-01]
RIN 1992-AA28
Procedural Rules for the Assessment of Civil Penalties for
Classified Information Security Violations
AGENCY: Office of Security, Department of Energy.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Energy (DOE) is today publishing a final
rule to assist in implementing section 234B of the Atomic Energy Act of
1954. Section 234B makes DOE contractors and their subcontractors
subject to civil penalties for violations of DOE rules, regulations and
orders regarding the safeguarding and security of Restricted Data and
other classified information.
EFFECTIVE DATE: February 25, 2005.
FOR FURTHER INFORMATION CONTACT: Geralyn Praskievicz, Office of
Security, SO-1, U.S. Department of Energy, 1000 Independence Ave., SW.,
Washington, DC 20585, (202) 586-4451; JoAnn Williams, Office of General
Counsel, GC-53, U.S. Department of Energy, 1000 Independence Ave., SW.,
Washington, DC 20585, (202) 586-6899.
SUPPLEMENTARY INFORMATION:
I. Introduction.
II. DOE's Response to Comments.
III. Regulatory Review and Procedural Requirements.
A. Review Under Executive Order 12866.
B. Review Under the Regulatory Flexibility Act.
C. Review Under the Paperwork Reduction Act.
D. Review Under the National Environmental Policy Act.
E. Review Under Executive Order 12988.
F. Review Under Executive Order 13132.
G. Review Under the Treasury and General Appropriations Act,
1999.
H. Review Under the Treasury and General Appropriations Act,
2001.
I. Review Under Executive Order 13084.
J. Review Under the Unfunded Mandate Reform Act of 1995.
K. Review under Executive Order 13211.
L. Congressional Notification.
[[Page 3600]]
I. Introduction
Pursuant to the Atomic Energy Act of 1954 and other laws, DOE
carries out a variety of national defense and energy research,
development and demonstration activities at facilities around the
nation that are owned by the United States Government, under the
control and custody of DOE, and operated by management and operating
contractors under the supervision of DOE. The use of private industry
and educational institutions to operate these kinds of facilities,
including the national laboratories and their predecessors, dates back
to the Atomic Energy Commission, if not to the Manhattan Project. It
has allowed the United States to attract the best minds to do the
cutting edge scientific, engineering and technical work critical to
DOE's national security mission. By its nature, that work involves
highly classified information regarding atomic weapons and other
weapons of mass destruction; nuclear naval propulsion; intelligence
related to terrorism and other topics of great sensitivity. For more
than 50 years, DOE, like its predecessor the Atomic Energy Commission,
has had to balance two sets of considerations. On the one hand, DOE
must attract the best minds that it can to do cutting edge scientific
work at the heart of DOE's national security mission, and DOE must
permit its operating and management contractors to function in a manner
that permits sufficient dissemination of classified work to be put to
the various uses that U.S. national security demands. At the same time,
it obviously must take all prudent steps to prevent enemies of this
nation from gaining access to work that could be used to the detriment,
rather than the enhancement, of vital national security interests.
Over the years periodic contractor lapses in adherence to processes
designed to safeguard Restricted Data or other classified information
have given rise to concerns about the adequacy of efforts by
contractors to protect this kind of information. In order to give DOE
an additional tool to assure that these processes are being followed,
Congress enacted section 234B of the Atomic Energy Act of 1954. This
section grants DOE new authority to impose civil penalties for
violations of DOE regulations and orders directed to the safeguarding
of this kind of information, as well as confirming DOE's preexisting
authority to withhold portions of a contractor's fee by reason of poor
performance arising out of such violations. DOE had previously
promulgated regulations specifying how it would carry out this latter
authority, and today's rule specifies the manner in which it will carry
out its civil penalty authority. DOE believes that today's regulation
will assist in providing greater emphasis on a culture of security
awareness in existing DOE operations, and strong incentives for
contractors to identify and correct noncompliance conditions and
processes in order to protect classified information of vital
significance to this nation. It will also facilitate, encourage and
support contractor initiatives for the prompt identification and
correction of security problems.
Section 3147 of the National Defense Authorization Act for Fiscal
Year 2000 (Public Law 106-65) added a new section 234B to the Atomic
Energy Act of 1954 (the Act) (42 U.S.C. 2282b). Section 234B has two
subsections. The first subsection, subsection a., provides that any
person who: (1) Has entered into a contract or agreement with DOE, or a
subcontract or subagreement thereto, and (2) violates (or whose
employee violates) any applicable rule, regulation, or order prescribed
or otherwise issued by the Secretary of Energy pursuant to the Act
relating to the safeguarding or security of Restricted Data or other
classified or sensitive information, shall be subject to a civil
penalty not to exceed $100,000 for each such violation. The second
subsection, subsection b., requires that each DOE contract contain
provisions which provide an appropriate reduction in the fees or
amounts paid to the contractor under the contract in the event of a
violation by the contractor or contractor employee of any rule,
regulation or order relating to the safeguarding or security of
Restricted Data or other classified or sensitive information.
DOE elected to implement section 234B in two separate rulemakings,
one establishing procedural rules to implement subsection a. similar to
the procedural rules to achieve compliance with DOE nuclear safety
requirements found at 10 CFR part 820, ``Procedural Rules for DOE
Nuclear Activities,'' and the other establishing a procurement clause
like the existing clause for conditional payment of fee, profit or
incentives, 48 CFR (DEAR) 970.5215-3. On February 1, 2001, DOE
published a notice of proposed rulemaking (NOPR) (66 FR 8560) to
implement subsection b. of section 234B, concerning reductions in fees
or amounts paid to contractors in the event of a security violation.
DOE received numerous comments in response to that notice, and
responded to them in a notice of interim final rulemaking on December
10, 2003 (68 FR 68771).
On April 1, 2002, DOE published a NOPR at 67 FR 15339 to solicit
comments on its proposed framework for an enforcement program for the
civil penalty provisions in subsection a. The NOPR requested written
comments by July 1, 2002, and invited oral comments at public hearings
held in Las Vegas, Nevada on May 22, 2002, and in Washington, DC on May
29, 2002. Written comments were received from eleven sources and oral
comments from two. All comments were from representatives of DOE
contractors. DOE responds to the major issues raised in comments in
part II of this SUPPLEMENTARY INFORMATION.
To a large extent, the regulations in this notice of final
rulemaking are self-explanatory. There are, however, several
fundamental features which were discussed in the NOPR that bear
repeating here. DOE will apply civil penalties only to violations of
requirements for the protection of classified information. Classified
information is defined as ``Restricted Data'' or ``Formerly Restricted
Data'' protected against unauthorized disclosure pursuant to the Act
and ``National Security Information'' protected against unauthorized
disclosure pursuant to Executive Order 12958, as amended on March 25,
2003, or any predecessor or successor order. Although section 234B
refers to ``sensitive information,'' DOE does not employ this term in
today's final regulations because: (1) Neither the statute nor its
legislative history defines the term; (2) There is no commonly accepted
definition of ``sensitive information'' within DOE or the Executive
Branch; and (3) the legislative history of subsection a. indicates that
the Congress was concerned with unauthorized disclosures of classified
information. The additional category of unclassified information that
might merit inclusion in a regulation imposing civil penalties is
Unclassified Controlled Nuclear Information (UCNI), a category of
unclassified government information concerning atomic energy defense
programs established by section 148 of the Act (42 U.S.C. 2168).
However, DOE already has a preexisting regime in place with respect to
such information that includes civil penalties. Section 148 provides
that any person who violates a regulation or order issued under that
section shall be subject to a civil penalty not to exceed $100,000. DOE
implemented the provisions of section 148 in regulations contained in
10 CFR part 1017. Since part 1017 already imposes a civil
[[Page 3601]]
monetary penalty for unauthorized dissemination of UCNI comparable to
the penalty specified in section 234B, DOE determined that it is
unnecessary to include UCNI in regulations implementing section 234B.
Today's final regulations permit DOE to assess civil penalties for
violations of regulations, rules or orders described in Sec. 824.4 of
part 824. These are violations of: (1) 10 CFR part 1016 (``Safeguarding
of Restricted Data''); (2) 10 CFR part 1045 (``Nuclear Classification
and Declassification''); or (3) any other DOE regulation or rule
(including any DOE order or manual enforceable under a contractual
provision) related to the safeguarding or security of Restricted Data
or other classified information that specifically indicates that
violation of its provisions may result in a civil penalty pursuant to
section 234B, and (4) compliance orders issued pursuant to part 824.
In addition, section 161 of the Act broadly authorizes DOE to
prescribe regulations and issue orders deemed necessary to protect the
common defense and security (42 U.S.C. 2201). Consistent with the
proposed rule, part 824 implements this authority by providing that the
Secretary may issue a compliance order requiring a person to take
corrective action if a person by act or omission causes, or creates a
risk of, the loss, compromise or unauthorized disclosure of classified
information even if that person has not violated a rule or regulation
specified in Sec. 824.4(a) of part 824. Violation of the compliance
order may also result in the assessment of a civil penalty if the order
so specifies. While the recipient of a compliance order may request the
Secretary to rescind or modify the compliance order, the request does
not stay the effectiveness of the order unless the Secretary issues a
new order to that effect. The compliance order provisions in 10 CFR
824.4(b) and (c) are modeled after a similar mechanism in 10 CFR part
820, the rule implementing procedures for section 234A of the Act with
respect to nuclear safety.
Today's final rule only applies to contractors and others who have
entered into agreements or contracts with DOE or subagreements or
subcontracts thereto. This is because subsection a. of section 234B
provides that what triggers the availability of a civil penalty is the
fact that a ``person * * * has entered into a contract or agreement
with the Department of Energy, or a subcontract or subagreement
thereto, and * * * violates (or whose employee violates) any applicable
rule, regulation or order.'' It is clear from the statutory language,
particularly the parenthetical ``or whose employee violates'' that
Congress intended contractors and their subcontractors or suppliers to
be responsible for the acts or omissions of their employees who fail to
observe these rules, regulations, and orders, rather than contemplating
the imposition of civil penalties on employees themselves.
Consequently, part 824 provides for the assessment of civil penalties
against contractors or subcontractors for their employees' actions but
not against the employees themselves. The Atomic Energy Act establishes
a separate regime of criminal penalties applicable to individuals for
the knowing unauthorized communication of Restricted Data. See sections
224 and 227 of the Atomic Energy Act (42 U.S.C. 2274, 2277).
Subsection d. of section 234B sets limitations on civil penalties
assessed against certain nonprofit entities specified at subsection d.
of section 234A (hereafter the ``named contractors''). For each of the
named contractors, the statute provides that no civil penalty may be
assessed until the entity enters into a new contract with DOE after
October 5, 1999 (the date of enactment) or an extension of a current
contract with DOE after October 5, 1999. The statute also limits the
total amount of civil penalties assessed against the named contractors
in any fiscal year to the total amount of fees paid to that entity in
that fiscal year. It should be noted that the limitations applicable to
the named contractors also apply to their subcontractors and suppliers
regardless of whether they are for-profit or nonprofit.
The fee that represents the cap for civil penalties of nonprofits
will be determined pursuant to the provisions of the specific contracts
covered by the limitation on nonprofits in section 234B.d.(2).
DOE has decided not to finalize its proposal to cap civil penalties
assessed against other DOE contractors that are nonprofit educational
institutions under the United States Internal Revenue Code in the same
manner as penalties are capped for the named contractors. The statute
identifies only the named contractors as those that should receive this
treatment. While Congress gave DOE authority to mitigate civil
penalties, DOE has concluded that there is not a strong enough case to
warrant using that authority in a categorical fashion to cap these
penalties without regard to any other consideration for contractor
security violations by entities other than those that Congress
determined should have their penalties capped in this fashion. Rather,
DOE has concluded that its mitigation authority would be better
exercised on a case-by-case basis, taking into account all
circumstances, both aggravating and extenuating. The final rule and
enforcement policy make clear that DOE plans to exercise that authority
to mitigate civil penalties based on many considerations, including an
entity's financial circumstances. That should be sufficient to ensure
that the civil penalty authority is not exercised in a manner that
discourages non-profit institutions from seeking DOE contracts.
Finally, our decision is consistent with DOE's proposed regulations for
10 CFR part 851 to implement section 234C of the Atomic Energy Act
(civil penalties for worker health and safety violations), the most
recent legislation providing DOE civil penalty authority.
DOE also has determined on a somewhat different approach from the
one in the proposed rule for allocating responsibility among various
DOE officials for the performance of certain administrative
responsibilities relating to the imposition of civil penalties,
including issuance of the preliminary notice of violation, issuance of
final notice of violation, and settlement of enforcement actions. DOE's
NOPR called for all of these responsibilities to be carried out by the
Deputy Secretary on the recommendation of the Director of the Office of
Security. DOE has concluded that there is no compelling reason for
making the Deputy Secretary responsible for these functions in the
first instance. Moreover, DOE believes it is desirable to make the
procedures for part 824 consistent with the procedural framework in 10
CFR part 820 (civil penalties for nuclear safety violations) and the
proposed part 851 regulations (civil penalties for worker health and
safety violations). In both those frameworks, a DOE official
subordinate to the Secretary and the Deputy Secretary is the official
charged with initiating enforcement and related responsibilities in the
case of non-NNSA contractors; in the case of NNSA contractors, the
subordinate DOE official makes a recommendation to the NNSA
Administrator, who then determines whether or not to accept that
recommendation. In the case of a dispute between the responsible DOE
official and the NNSA Administrator, the matter may be referred to the
Deputy Secretary.
The part 824 rule adopted today adopts a similar framework, under
which the Secretary designated a subordinate DOE official to carry out
the administrative responsibilities in the case of non-NNSA
contractors, but in the case of NNSA contractors this official makes a
recommendation to the
[[Page 3602]]
NNSA Administrator who decides whether or not to accept that
recommendation. If the NNSA Administrator disagrees with the cognizant
DOE official's recommendation, and the disagreement cannot be resolved
by the two officials, the DOE official may refer the matter to the
Deputy Secretary for resolution.
The Secretary of Energy has approved this notice of final
rulemaking for publication.
II. DOE's Response to Comments
The following discussion describes the major issues raised in
comments, provides DOE's response to these comments, and sets forth or
describes any resulting changes to the rule. DOE has also made a few
editorial, stylistic and format changes for clarity and consistency,
but DOE does not describe them in detail because they do not
substantially change the terms of the proposed regulations.
A. Enforcement Policy
A number of commenters argued that DOE's proposed enforcement
program under section 234B was deficient in that it lacked an important
feature of 10 CFR part 820, a general enforcement policy statement.
Without a statement of general enforcement policy, these commenters
viewed the proposed regulations as vague and thus susceptible to
uneven, or unduly harsh application. Commenters feared that this could
mean that a single inadvertent mis-classification of a document might
result in a civil penalty.
Based on consideration of these comments, DOE has included in
today's final regulations ``Appendix A to Part 824--General Statement
of Enforcement Policy,'' which is closely modeled after ``Appendix A to
Part 820.'' Appendix A to part 824 includes the following important
features of the part 820 model:
1. Severity Levels
Violations of DOE classified information security requirements have
varying degrees of security significance. Therefore, the security
significance of each violation is to be identified as the first step in
the enforcement process. Violations of DOE classified information
security requirements are categorized in three levels of severity.
These levels are discussed in section V. of appendix A to this part.
Table 1.--Severity Level Base Civil Penalties in appendix A provides
the base civil penalty amount for each level of violation.
2. Incentives for Both Timely Identification of Potential
Noncompliances and Conducting Appropriate Corrective Actions
Many comments were received regarding the overall fairness of the
proposed regulations and the need to ensure a consistent and equitable
enforcement process.
Appendix A specifically states that DOE's goal in the compliance
arena is to enhance and protect the common defense and security at DOE
facilities by fostering a culture among both DOE line organizations and
contractors that actively seeks not only to attain compliance with DOE
classified information security requirements but also to sustain it.
The DOE enforcement program and policy has been developed with the
express purpose of achieving a culture committed to the best possible
security at DOE's facilities. Appendix A sets out substantial
incentives to the contractors for the early self-identification,
reporting and prompt correction of problems which constitute, or could
lead to, violations. Thus, the application of adjustment factors may
result in no civil penalty being assessed for violations that are
identified, reported and promptly and effectively corrected by the
contractor. On the other hand, ineffective programs for problem
identification and correction are unacceptable. For example, if a
contractor fails to disclose and promptly correct violations of which
it should be aware or should have been aware, substantial civil
penalties are warranted and may be sought, including the assessment of
civil penalties for continuing violations on a per day basis.
B. Timing of the Regulations
DOE received several comments that expressed the view that these
regulations are premature principally because DOE is imposing new
security standards by this rulemaking and contractors deserve
additional funding and time to meet these new standards. DOE disagrees
with these comments. No new DOE classified information security
requirements are being imposed on contractors by these regulations
themselves, which only set up the policies and procedures for an
enforcement program that may impose civil penalties for requirements
established elsewhere.
C. Contract Issues
1. Applicability to Violations Prior to Effective Date
Several comments objected to civil penalties applying to violations
that occurred prior to the effective date of these regulations, 30 days
after the date of this publication. Paragraph (b) of section 3147 of
the National Defense Authorization Act for Fiscal Year 2000
specifically states that ``[s]ubsection a. of section 234B of the
Atomic Energy Act * * * applies to any violation after the date of
enactment of this Act.'' Congress specified a different effective date
for the application of civil penalties against nonprofit contractors
listed in section 234A.d. (after entry into a new contract or extension
of a current contract), but did not provide a similar limitation with
respect to other DOE contractors.
2. Limitation of Liability for Nonprofits
Two issues were raised with respect to the limitation of liability
for nonprofits in proposed Sec. 824.2(b). This section would implement
subsection d. of section 234B that sets limitations on civil penalties
assessed against certain entities specified at subsection d. of section
234A. Some commenters argued that the cap on civil penalties,
specifying that the total amount of civil penalties imposed may not
exceed the fee for that fiscal year, should apply to all contractors.
For reasons similar to those noted above for not finalizing its
proposed approach of extending this limitation to all non-profits, DOE
has not accepted this position. Rather it has concluded that it should
not broaden the category of contractors to whom this limitation applies
beyond the specific list identified by Congress. As DOE explained, in
all other instances, it will evaluate mitigation on a case-by-case
basis taking into account all relevant aggravating and mitigating
circumstances.
The second issue relates to the limitation of liability for
subcontractors of nonprofit contractors. Consistent with sections 234A.
and 234B., today's final regulations provide at Sec. 824.2(b)(1) that
the limitations on liability apply to all subcontractors and suppliers,
whether for-profit or nonprofit, of the seven named entities working at
the named sites specified in subsection d. of section 234A. Commenters
have indicated that this list in section 234A.d. is not current in that
some of the named sites are no longer operated by the named
contractors. Therefore, these commenters argue that the limitations on
liability should extend to all subcontractors and suppliers of any
contractor at the named sites. DOE rejects this view on the ground that
Congress expressly cross-referenced, in section 234B.d., the section
234A.d. list of exceptions and that any change in that list should be
accomplished, if at all, by legislative amendment.
[[Page 3603]]
3. Relationship With Fee Reduction Regulations
A number of comments expressed the view that DOE needed to clarify
the relationship between these regulations and the regulations of DOE's
Office of Procurement and Assistance Management that implement
paragraph b. of section 234B. That paragraph requires that each DOE
contract contain provisions which provide an appropriate reduction in
the fees or amounts paid to the contractor under the contract in the
event of a violation by the contractor or contractor employee of any
rule, regulation or order relating to the security of classified
information. Commenters raising this issue were concerned that
contractors might be subjected to both a civil penalty and a reduction
in fee for one violation. Congress contemplated this possibility when
it enacted both subsections a. and b. of section 234B without a
requirement to choose between the two. By contrast, in the later
enacted section 234C Congress specifically did require DOE to elect
between civil and contractual penalties (see section 234C.d.).
Consistent with the omission of any such provision in section 234B,
today's regulations neither require nor preclude such a choice.
4. Contract Disputes Act
Certain contractors commented in favor of implementing section 234B
by using the process and procedures in the Contract Disputes Act, 41
U.S.C. 601-613, rather than the procedures in the proposed rule. In
DOE's view, the administration of a system for imposition of civil
penalties, as required by a statute, does not fall under the purposes
of the Contract Disputes Act. Jurisdiction for agency boards of
contract appeals, defined at 41 U.S.C. 607(d), consists only of appeals
of contracting officer decisions. Section 234B provides that the powers
and limitations applicable to the assessment of civil penalties under
section 234A shall apply to the assessment of civil penalties under
section 234B. Section 234A gives the Secretary the authority to
determine, compromise or modify civil penalties to be imposed under
section 234A. after opportunity for an agency hearing pursuant to 5
U.S.C. 554, before an administrative law judge appointed pursuant to 5
U.S.C. 3105. Appeals from these determinations may be made to a U.S.
court of appeals.
5. Major Fraud Act
The applicability of the Major Fraud Act, 41 U.S.C. 256(k), to
civil penalty proceedings for security violations was raised by
commenters who stated that DOE needs to clarify how that Act relates to
investigations into suspected or alleged violations of DOE classified
information security requirements. They recommended that DOE issue an
interpretation stating that as long as a contractor is exempt by
statute from the payment of civil penalties, the Major Fraud Act shall
not be considered applicable by reason of the ``monetary penalty''
provision of that act. The Major Fraud Act does not make distinctions
in its reimbursement prohibitions for different categories of
contractors. Even those contractors that are exempt from civil
penalties under other statutory or regulatory authority are subject to
the reimbursement prohibitions of the Major Fraud Act. In other words,
once a government-initiated proceeding has commenced which relates to a
violation of, or failure to comply with, a law or regulation, the Act's
restrictions apply to investigation proceeding costs, even if the
outcome of the proceeding cannot be the actual payment of a monetary
penalty. The cost principle at 48 CFR (FAR) 31.205-47, which implements
the Act, provides that proceeding costs not made unallowable may be
reimbursed, but only to the extent that the amounts of such costs do
not exceed 80% of the reasonable and allocable proceeding costs
incurred by a contractor.
6. Statute of Limitations
Some commenters argued that without a ``statute of limitations'' a
Management and Operating (M&O) contractor might be held liable for the
acts or omissions of a former M&O contractor at a DOE site thus
nullifying DEAR 970.5231-4 ``Preexisting Conditions'' which currently
provides some protection to contractors new to a facility. DOE's
experience with Part 820 regarding nuclear safety violations has not
indicated that the absence of a ``statute of limitations'' provision is
a problem. DOE will adopt a common sense approach in applying Part 824
and not penalize an M&O contractor for the acts or omissions of a
predecessor unless the new contractor knows or should reasonably know
that a violation exists. Also, one of the provisions in the
``Preexisting Conditions'' clause places a duty on the new contractor
to inspect the facility and timely identify to the contracting officer
conditions which could give rise to a liability.
D. Applicability
DOE has revised proposed Sec. Sec. 824.2 (``Applicability'') and
824.3 (``Definitions'') to address comments requesting clarification of
the applicability of the regulations. These comments expressed the view
that the regulations were vague and overly broad. DOE agrees that more
precise language in two places in these two subsections is warranted.
One comment pointed out that proposed Sec. 824.2(a) was too broad in
that it made the regulations applicable to ``any entity that is subject
to DOE security requirements for the protection of classified
information.'' This exceeds the authority conferred by the statute,
which is limited to contractors and subcontractors of the Department.
Section 824.2(a), as published today, tracks the language of section
234B which states that the regulations apply to any person that has
entered into a contract or agreement with DOE, or a subcontract or
subagreement thereto.
Also, in response to comments raising questions about the
applicability of the proposed regulations to the National Nuclear
Security Administration (NNSA), Sec. 824.3 now contains a definition
of the ``Department of Energy.'' This definition clarifies that these
regulations are applicable to contractors of all components of DOE,
including the NNSA.
E. Definitions
In addition to adding a definition of the term ``Department of
Energy'' discussed in section D of this supplementary information, DOE
has made other changes in the definitions in Sec. 824.3, in response
to the comments or for purposes of clarification. DOE has revised the
definition of the term ``classified information'' in response to a
comment to track more clearly the language in the definition of that
term in Executive Order 12958, as amended on March 25, 2003. We have
deleted the definition of the term ``contractor'' because the term is
not actually used in the operational sections of the regulation.
Finally, we also have revised the definition of the term ``Director''
and, as revised, the term means ``the DOE Official, or his or her
designee, to whom the Secretary has assigned responsibility for
enforcement under this part.''
DOE did not accept the comment that the definition of the term
``person'' is too broad in that it includes parents and affiliates of a
contractor. Those making this comment argued that extending liability
to parents and affiliates goes beyond what is permitted by section 234B
and that this extension of liability is unfair. DOE disagrees. The last
sentence of the definition of the term ``person'' in Sec. 820.2, the
DOE nuclear safety regulations implementing section 234A, states that,
for purposes of civil
[[Page 3604]]
penalty assessment, the term also includes affiliated entities, such as
a parent corporation. Section 234B.c. states that the powers and
limitations applicable to the assessment of civil penalties under
section 234A, with certain exceptions pertaining to the nonprofit
entities identified at subsection d. of that section, shall apply to
the assessment of civil penalties under section 234B. Therefore, DOE
believes that a broad definition of the term ``person'' is appropriate.
F. Sources of Classified Information Protection Requirements
It was clear to DOE from a number of comments received about the
proposed scope of the regulations that DOE should revise Sec. 824.4
(Civil penalties'') to identify more clearly the DOE security
requirements covered by these regulations. In response to one comment,
DOE has incorporated language that specifies that Sec. 824.4 applies
only to acts or omissions related to ``classified information
protection'' requirements, rather than security requirements more
generally.
DOE agrees with the comment that the reference to 10 CFR part 1046
``Physical Protection of Security Interests'' should not be included in
Sec. 824.4. Section 234B makes civil penalties applicable to
classified information protection requirements, not requirements for
the DOE protective force, such as medical and physical fitness
standards. The two remaining DOE regulations, 10 CFR part 1016
(``Safeguarding of Restricted Data'') and 10 CFR part 1045 (``Nuclear
Classification and Declassification'') are the only current DOE
regulations containing classified information protection requirements
whose violation is a predicate for civil penalties under today's rule.
DOE received one comment that DOE should impose civil penalties
only for violations of regulations promulgated in accordance with the
Administrative Procedure Act (APA), 5 U.S.C. 551 et seq., and of those
DOE orders and other documents in the DOE Directive System specifically
identified in the contractor's contract with DOE. Other commenters
argued that no civil penalties should arise out of the violation of any
classified information protection requirement except a requirement set
forth in a DOE regulation. In some cases, the commenters did not
indicate why DOE should exclude violations of DOE orders as the grounds
for assessing a civil penalty. Commenters who did say why they opposed
including DOE orders argued that inclusion: (1) Would make the proposed
regulations overly broad; (2) would not provide contractors with
adequate notice of what requirements DOE intended to enforce with civil
penalties; and (3) would differ from DOE's enforcement policy in 10 CFR
part 820 which implements section 234A of the Act with respect to
nuclear safety violations.
In the rule adopted today, DOE has revised the language of the
proposed rule to clarify the extent to which civil penalties will be
imposed for violations of requirements in DOE orders or manuals as well
as for violations of compliance orders. Specifically, Sec. 824.4(a)
and (b) have been rewritten to read as follows:
Section 824.4 Civil Penalties
(a) Any person who violates a classified information protection
requirement of any of the following is subject to a civil penalty under
this part:
(1) 10 CFR part 1016--Safeguarding of Restricted Data;
(2) 10 CFR part 1045--Nuclear Classification and Declassification;
or
(3) Any other DOE regulation or rule (including any DOE order or
manual enforceable against the contractor or subcontractor under a
contractual provision in that contractor's or subcontractor's contract)
related to the safeguarding or security of classified information if
the regulation or rule provides that violation of its provisions may
result in a civil penalty pursuant to subsection a. of section 234 B.
of the Act.
(b) If, without violating any regulation or rule under paragraph
(a) of this section, a person by any act or omission jeopardizes the
security of classified information, the Secretary may issue a
compliance order to that person requiring that person to take
corrective action and notifying the person that violation of the
compliance order is subject to a notice of violation and assessment of
a civil penalty. If a person wishes to contest that compliance order,
the person must file a notice of appeal with the Secretary within 15
days of receipt of the compliance order.''
DOE believes that this approach appropriately carries out the
Congressional policy set out in section 234B. Section 234B stressed two
considerations in determining whether a civil penalty should be
imposed: the status of the entity on whom the penalty might be imposed
as a contractor or subcontractor, and the violation by that entity of
an ``applicable rule, regulation or order prescribed or otherwise
issued by the Secretary pursuant to this Act relating to the
safeguarding or security of Restricted Data or other classified
information.'' DOE's security orders and manuals are rules within the
meaning of the APA (5 U.S.C. 551(4)). In light of these two
considerations, DOE believes the statute is best carried out, with
respect to orders and directives, by applying it to violations of those
that are applicable to the contractor by virtue of its contract and
that provide for the imposition of civil penalties, as well as to
violations of any applicable regulations.
DOE believes that the revised language should resolve contractor
concerns about vagueness and uncertainty as to what are the sources for
classified information control requirements that may give rise to
violations subject to civil penalties. Certain commenters feared that
they might be penalized for violations of verbal, e-mail or other
guidance in documents that supplemented DOE orders or manuals. Today's
rule makes clear that the contractor will have fair notice since DOE
only intends to enforce by civil penalties the provisions of a DOE
order or manual enforceable against the contractor under its contract
that provides that violations of its classified information protection
provisions may result in a civil penalty. DOE considers it the
responsibility of its contractors to ``flow down'' to their
subcontractors and suppliers the requirements of those orders and
directives to which civil penalties apply.
In today's rule, DOE is departing from the practice under 10 CFR
part 820 regarding the imposition of civil penalties for of nuclear
safety violations. Part 820 limits the scope of penalty-bearing nuclear
safety requirements to those published in the CFR or set forth in
compliance orders. DOE has not taken the step of departing from the
approach taken in part 820 lightly. However, DOE does not believe that
it can fully implement the kind of comprehensive security enforcement
program that both Congress and DOE believe is required for the
protection of sensitive national security interests without inclusion
of relevant DOE orders and manuals. In the security area, DOE and its
predecessor agencies have historically imposed requirements on
contractors by internal directives rather than codified regulations.
While more may be done by regulation in the future, the current reality
is that many significant DOE security requirements are not promulgated
by regulation. To fully carry out the program Congress contemplated in
light of the serious security issues that face us today, DOE believes
it should include provisions in orders and manuals enforceable against
the contractor under its contract that
[[Page 3605]]
provide that their violation carries with it the risk of a civil
penalty, thereby allowing it to impose civil penalties for such
violations in appropriate circumstances.
G. Standard for Violation
Several commenters asserted that the language of proposed Sec.
824.4(b) was too vague and overly broad in that it stated that the
Secretary may issue a compliance order if a person by act or omission
``jeopardizes'' the security of classified information. DOE agrees with
this comment and has modified that provision to track the language of a
comparable provision in part 820. The sentence now states that the
Secretary may issue a compliance order if a person by act or omission
causes, or creates a risk of, the loss, compromise or unauthorized
disclosure of classified information.
DOE did not accept the comment made by a number of contractors that
civil penalties should be assessed only if there is actual loss or
compromise of classified information, not just the threat of the loss
or compromise. DOE believes this takes an overly narrow view of its
contractors' and its own obligations to protect classified information.
If a contractor by its acts or omissions places classified information
at risk, that contractor has already failed to live up to those
obligations. To the extent actual compromise is relevant, it is
relevant in the context of the exercise of enforcement discretion. As
stated in the enforcement policy at appendix A, DOE may exercise that
discretion not to assess a civil penalty or to mitigate the civil
penalty under appropriate circumstances, when, for example, the
contractor self reports and takes corrective actions.
H. Continuing Violations
DOE received several comments asserting that section 234B does not
specify that a violation that is a continuing violation must constitute
a separate violation for purposes of computing the civil penalty. DOE
disagrees. Section 234B.c. cross-references section 234A which provides
in subsection a. that if any violation is a continuing one, each day of
such violation shall constitute a separate violation for the purpose of
computing the applicable civil penalty. Consistent with subsection b.
of section 234A, which is also picked up by section 234B's cross-
reference, DOE does have authority to address inequities that may arise
from this through its authority to compromise, modify or remit a
penalty. It anticipates that it will exercise that authority based on
mitigating factors in Sec. 824.13 and the general enforcement policy
in appendix A if the contractor exercises due diligence in identifying
and correcting security problems. But as an initial matter, under the
statutory provision as Congress enacted it, DOE believes that the
cross-reference has the effect of defining each day of violation as a
separate violation.
DOE also received comments seeking clarification of when a civil
penalty will begin, i.e., the date the violation is noticed or first
occurred, and when will it end. The civil penalty begins on the date
the act or omission that gives rise to the violation first occurred,
but in no case before October 5, 1999. It ends when corrective action
has been completed.
I. Preliminary Notice of Violation
DOE has revised proposed Sec. 824.5, ``Notice of violation.'' DOE
revised the rule to accommodate comments objecting to the use of
criminal law enforcement terminology in the preliminary notice of a
civil violation. Specifically, commenters objected to the words
``accused'' and ``charged.'' Therefore, the preliminary notice of
violation will notify the person of the date, facts, and nature of each
act or omission, ``constituting the alleged violation,'' not ``with
which the person is charged.'' Section 824.6(d) now refers to a person
``notified of an alleged violation,'' rather than ``accused of a
violation.''
In response to numerous comments, DOE has also decided that
Sec. Sec. 824.6 and 824.7 in this final rule should more closely
follow the procedures in part 820 with which DOE contractors are
familiar. Therefore, DOE has replaced procedures regarding a ``notice
of violation'' in proposed Sec. 824.5 with more extensive and detailed
procedures regarding a ``preliminary notice of violation'' and a
``final notice of violation'' in Sec. Sec. 824.6 and 824.7. These
sections set forth more precisely the responsibilities of both the
agency and the recipient of either type of notice and the effect of
various actions by the agency or the recipient.
J. Discovery
The one comment DOE received regarding discovery argued that a
contractor should have equal rights with the agency. More specifically,
the comment suggested that the authority of the Deputy Secretary to
issue subpoenas in Sec. 824.5 should be deleted and that language
should be added to Sec. 824.10(d) to provide that the Hearing Officer
may issue subpoenas on behalf of the contractor. DOE has accepted this
comment with respect to the Hearing Officer's authority, but DOE
believes that the officials responsible for the administration of the
civil penalty rule also should possess the authority to issue subpoenas
since, for example, there may be a need to issue subpoenas in the
investigatory stage of a case prior to a hearing. As discussed above in
section I, while the NOPR called for the Deputy Secretary to carry out
the administrative responsibilities under part 824 in the case of both
non-NNSA contractors and NNSA contractors, the final rule makes a
subordinate DOE official designated by the Secretary responsible for
exercising the rule's procedural functions when non-NNSA contractors
are involved, and the Administrator of NNSA, on the recommendation of
the Director, responsible for exercising the rule's principal
procedural functions when NNSA contractors are involved.
K. Burden of Proof
One comment suggested that DOE revise proposed Sec. 824.7 to make
clear that the purpose of the hearing is not for the contractor ``to
answer under oath or affirmation'' the allegations. DOE agrees and the
proposed section, renumbered Sec. 824.8 now states that any person who
receives a final notice of violation under Sec. 824.7 may request a
hearing concerning the allegations contained in that notice. Another
comment stated that proposed Sec. 824.11(e) should provide that DOE
not only has the burden of proving, by a preponderance of the evidence,
that a violation has occurred, but also the appropriateness of the
amount of the proposed civil penalty. DOE has accepted this comment and
revised what is now Sec. 824.12(e) to track the language of 10 CFR
part 820.29(d) with which contractors are familiar. Section 824.12(e)
now reads as follows:
``DOE has the burden of going forward with and of proving by a
preponderance of the evidence that the violation occurred as set forth
in the final notice of violation and that the proposed civil penalty is
appropriate. The person to whom the final notice of violation has been
addressed has the burden of presenting and of going forward with any
defense to the allegations set forth in the final notice of violation.
Each matter of controversy shall be determined by the Hearing Officer
upon a preponderance of the evidence.''
L. Classified Evidence at the Hearing
One comment objected on due process grounds to language that could
be interpreted to mean that the Hearing Officer could exclude pertinent
testimony from the hearing if the
[[Page 3606]]
testimony is classified. This was not DOE's intent, and DOE has revised
proposed Sec. 824.11(d) to clarify how the Hearing Officer is to treat
classified information and other information protected from public
disclosure by law or regulation. Section 824.12(d) now provides as
follows:
``The Hearing Officer must use procedures appropriate to safeguard
and prevent unauthorized disclosure of classified information or any
other information protected from public disclosure by law or
regulation, with minimum impairment of rights and obligations under
this part. The classified or otherwise protected status of any
information shall not, however, preclude its being introduced into
evidence. The Hearing Officer may issue such orders as may be necessary
to consider such evidence in camera, including the preparation of a
supplemental initial decision to address issues of law or fact that
arise out of that portion of the evidence that is classified or
otherwise protected.''
M. Mitigation
Section 824.13 sets out the mitigating factors that the Hearing
Officer will consider in determining the amount of the civil penalty.
The mitigating factors listed are identical to those in section 234A of
the Act, since section 234B provides that, ``the powers and limitations
applicable to the assessment of civil penalties under section 234A
shall apply.'' DOE has added the general enforcement policy at appendix
A to explain further how DOE intends to determine the amount of a civil
penalty and what actions a contractor may take to influence that
penalty. DOE believes that Sec. 824.13, combined with appendix A,
adequately addresses all appropriate mitigation factors. Accordingly,
DOE has rejected comments urging that such factors as lack of funding
or intentional misconduct of an employee be added to the list in Sec.
824.13.
N. Final Agency Action and Judicial Review
DOE received one comment suggesting that the proposed regulations
should be amended to specify clearly when the agency's final action has
occurred in order for the contractor to calculate the deadline for
seeking judicial review of the agency's action. DOE has revised the
regulations to expand and clarify the stages in the enforcement
process, including what constitutes a final order enforceable against a
person (see Sec. Sec. 824.7 and 824.13). Additionally, although the
proposed regulations provided that judicial review of a Hearing
Officer's initial decision would be available only after a party
appealed that decision to the Secretary, the final regulations do not
provide for a losing party to appeal the Hearing Officer's initial
decision to the Secretary. Instead, the regulations permit the
Secretary, at his discretion, within thirty days after the Hearing
Officer files the initial decision, to review the initial decision and
file a final order. If the Secretary does not choose to review the
initial decision within 30 days of its filing, then it becomes a final
agency action.
O. Miscellaneous
One comment sought clarification as to whether DOE Headquarters and
a DOE local office could each assess a penalty for the same offense.
Only DOE Headquarters has authority to assess civil penalties.
DOE received one comment asking whether security violations
revealed during audits and inspections may give rise to civil
penalties. Audits and inspections may form the basis for an allegation
or finding of violation under part 824, just as is the case with
respect to nuclear safety violations under part 820.
III. Regulatory Review and Procedural Requirements
A. Review Under Executive Order 12866
Today's regulatory action has been determined not to be a
``significant regulatory action'' under Executive Order 12866,
``Regulatory Planning and Review,'' (58 FR 51735, October 4, 1993).
Accordingly, today's action was not subject to review under the
Executive Order by the Office of Information and Regulatory Affairs of
the Office of Management and Budget.
B. Review Under the Regulatory Flexibility Act
The rule was reviewed under the Regulatory Flexibility Act of 1980,
Public Law 96-354, which requires preparation of an initial regulatory
flexibility analysis for any rule that is likely to have significant
economic impact on a substantial number of small entities. This
rulemaking applies principally to large entities who are M&O
contractors and establishes procedures but does not itself impose costs
on the contractors or subcontractors. Therefore, DOE certifies that
this regulation will not have a significant economic impact on a
substantial number of small entities and, therefore, no regulatory
flexibility analysis has been prepared.
C. Review Under the Paperwork Reduction Act
No new information or record keeping requirements are imposed by
this rulemaking. Accordingly, no Office of Management and Budget
clearance is required under the Paperwork Reduction Act. (44 U.S.C.
3501 et seq.)
D. Review Under the National Environmental Policy Act
DOE has concluded that promulgation of this rule falls into a class
of actions that would not individually or cumulatively have a
significant impact on the human environment, as determined by DOE's
regulations implementing the National Environmental Policy Act of 1969
(42 U.S.C. 4321 et seq.). Specifically, this rule deals only with
agency procedures, and, therefore is covered under the Categorical
Exclusion in paragraph A6 to subpart D, 10 CFR part 1021. Accordingly,
neither an environmental assessment nor an environmental impact
statement is required.
E. Review Under Executive Order 12988
With respect to the promulgation of new regulations, section 3(a)
of Executive Order 12988, ``Civil Justice Reform,'' 61 FR 4729
(February 7, 1996) imposes on Executive agencies the general duty to:
(1) Eliminate drafting errors and ambiguity; (2) write regulations to
minimize litigation; and (3) provide a clear legal standard for
affected conduct rather than a general standard and to promote
simplification and burden reduction. With regard to the review required
by section 3(a), section 3(b) of Executive Order 12988 specifically
requires that Executive agencies make every reasonable effort to ensure
that a regulation: (1) Clearly specifies its preemptive effect, if any;
(2) clearly specifies any effect on existing federal law or regulation;
(3) provides a clear legal standard for affected conduct while
promoting simplification and burden reduction; (4) specifies its
retroactive effect, if any; (5) adequately defines key terms; and (6)
addresses other important issues affecting clarity and general
draftsmanship under any guidelines issued by the Attorney General.
Section 3(c) of Executive Order 12988 requires Executive agencies to
review regulations in light of the applicable standards in section 3(a)
and 3(b) to determine whether they are met or if it is unreasonable to
meet one or more of them. DOE has completed the required reviews and
has determined that, to the extent allowed by law, the rule meets the
relevant standards of Executive Order 12988.
[[Page 3607]]
F. Review Under Executive Order 13132
Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain
requirements on agencies formulating and implementing policies or
regulations that preempt State law or that have federalism
implications. Agencies are required to examine the constitutional and
statutory authority supporting any action that would limit the
policymaking discretion of the States and carefully assess the
necessity for such actions. DOE has examined today's rule and has
determined that it does not preempt State law and does not have a
substantial direct effect on the States, on the relationship between
the national government and the States, or on the distribution of power
and responsibilities among the various levels of government. No further
action is required by Executive Order 13132.
G. Review Under Treasury and General Government Appropriations Act,
1999
Section 654 of the Treasury and General Government Appropriations
Act, 1999 (Public Law 105-277) requires Federal agencies to issue a
Family Policymaking Assessment for any proposed rule that may affect
family well-being. Today's rulemaking would not have any impact on the
autonomy or integrity of the family as an institution. Accordingly, DOE
has not prepared a family policymaking assessment.
H. Review Under the Treasury and General Government Appropriations Act,
2001
The Treasury and General Government Appropriations Act, 2001 (44
U.S.C. 3516, note) provides for agencies to review most dissemination
of information to the public under guidelines established by each
agency pursuant to general guidelines issued by OMB. OMB's guidelines
were published at 67 FR 8452 (Feb. 22, 2002), and DOE's guidelines were
published at 67 FR 62446 (Oct 7, 2002). DOE has reviewed today's notice
under the OMB and DOE guidelines, and has concluded that is consistent
with applicable policies in those guidelines.
I. Review Under Executive Order 13084
Under Executive Order 13084 (Consultation and Coordination with
Indian Tribal Governments), DOE may not issue a discretionary rule that
significantly or uniquely affects Indian tribal governments and imposes
substantial direct compliance costs. This rulemaking would not have
such effects. Accordingly, Executive Order 13084 does not apply to this
rulemaking.
J. Review Under the Unfunded Mandates Reform Act of 1995
Title II of the Unfunded Mandates Reform Act of 1995 requires each
agency to prepare a written assessment of the effects of any Federal
mandate in a proposed or final rule that may result in the expenditure
by State, local, and tribal governments and the private sector, of $100
million in any single year. DOE has determined that today's regulatory
action does not impose a Federal mandate on State, local, or tribal
governments or on the private sector.
K. Review Under Executive Order 13211
Executive Order 13211, ``Actions Concerning Regulations That
Significantly Affect Energy Supply, Distribution or Use'' (66 FR 28355,
May 22, 2001) requires Federal agencies to prepare and submit to the
Office of Information and Regulatory Affairs (OIRA), Office of
Management and Budget, a Statement of Energy Effects for any proposed
significant energy action. A ``significant energy action'' is defined
as any action by an agency that promulgated or is expected to lead to
promulgation of a final rule, and that: (1) Is a significant regulatory
action under Executive Order 12866, or any successor order; and (2) is
likely to have a significant adverse effect on the supply,
distribution, or use of energy, or (3) is designated by the
Administrator of OIRA as a significant energy action. For any proposed
significant energy action, the agency must give a detailed statement of
any adverse effects on the energy supply, distribution, or use should
the proposal be implemented, and of reasonable alternatives to the
action and their expected benefits on energy supply, distribution, and
use. Today's regulatory action is not a significant energy action.
Accordingly, DOE has not prepared a Statement of Energy Effects.
L. Congressional Notification
As required by 5 U.S.C. 801, DOE will report to Congress
promulgation of the rule prior to its effective date. The report will
state that it has been determined that the rule is not a ``major rule''
as defined by 5 U.S.C. 804.
List of Subjects in 10 CFR Part 824
Government contracts, Nuclear materials, Penalties, Security
measures.
Issued in Washington, DC on January 18, 2005.
Glenn S. Podonsky, Director,
Office of Security and Safety Performance Assurance.
0
For the reasons set forth in the preamble, DOE hereby amends chapter
III of title 10 of the Code of Federal Regulations by adding a new part
824 as set forth below.
PART 824--PROCEDURAL RULES FOR THE ASSESSMENT OF CIVIL PENALTIES
FOR CLASSIFIED INFORMATION SECURITY VIOLATIONS
Sec.
824.1 Purpose and scope.
824.2 Applicability.
824.3 Definitions.
824.4 Civil penalties.
824.5 Investigations.
824.6 Preliminary notice of violation.
824.7 Final notice of violation.
824.8 Hearing.
824.9 Hearing Counsel.
824.10 Hearing Officer.
824.11 Rights of the person at the hearing.
824.12 Conduct of the hearing.
824.13 Initial decision.
824.14 Special procedures.
824.15 Collection of civil penalties.
824.16 Direction to NNSA contractors.
Appendix A to part 824--general statement of enforcement policy
Authority: 42 U.S.C. 2201, 2282b, 7101 et seq., 50 U.S.C. 2401
et seq.
Sec. 824.1 Purpose and scope.
This part implements subsections a., c., and d. of section 234B. of
the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2282b. Subsection a.
provides that any person who has entered into a contract or agreement
with the Department of Energy, or a subcontract or subagreement
thereto, and who violates (or whose employee violates) any applicable
rule, regulation or order under the Act relating to the security or
safeguarding of Restricted Data or other classified information, shall
be subject to a civil penalty not to exceed $100,000 for each
violation. Subsections c. and d. specify certain additional authorities
and limitations respecting the assessment of such penalties.
Sec. 824.2 Applicability.
(a) General. These regulations apply to any person that has entered
into a contract or agreement with DOE, or a subcontract or sub-
agreement thereto.
(b) Limitations. DOE may not assess any civil penalty against any
entity (including subcontractors and suppliers thereto) specified at
subsection d. of section 234A of the Act until the entity enters, after
October 5, 1999, into a new contract with DOE or an extension of a
current contract with DOE, and the total amount of civil penalties may
not exceed the total amount of fees paid by the DOE to that entity in
that fiscal year.
(c) Individual employees. No civil penalty may be assessed against
a
[[Page 3608]]
person which enters into an agreement with DOE.
Sec. 824.3 Definitions.
As used in this part:
Act means the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).
Administrator means the Administrator of the National Nuclear
Security Administration.
Classified information means Restricted Data and Formerly
Restricted Data protected against unauthorized disclosure pursuant to
the Act and National Security Information that has been determined
pursuant to Executive Order 12958, as amended March 25, 2003, or any
predecessor or successor executive order to require protection against
unauthorized disclosure and that is marked to indicate its classified
status when in documentary form.
DOE means the United States Department of Energy, including the
National Nuclear Security Administration.
Director means the DOE Official, or his or her designee, to whom
the Secretary has assigned responsibility for enforcement of this part.
Person means any person as defined in section 11.s. of the Act, 42
U.S.C. 2014, and includes any affiliate or parent corporation thereof,
who enters into a contract or agreement with DOE, or is a party to a
contract or subcontract under a contract or agreement with DOE.
Secretary means the Secretary of Energy.
Sec. 824.4 Civil penalties.
(a) Any person who violates a classified information protection
requirement of any of the following is subject to a civil penalty under
this part:
(1) 10 CFR part 1016--Safeguarding of Restricted Data;
(2) 10 CFR part 1045--Nuclear Classification and Declassification;
or
(3) Any other DOE regulation or rule (including any DOE order or
manual enforceable against the contractor or subcontractor under a
contractual provision in that contractor's or subcontractor's contract)
related to the safeguarding or security of classified information if
the regulation or rule provides that violation of its provisions may
result in a civil penalty pursuant to subsection a. of section 234B. of
the Act.
(b) If, without violating a classified information protection
requirement of any regulation or rule under paragraph (a) of this
section, a person by an act or omission causes, or creates a risk of,
the loss, compromise or unauthorized disclosure of classified
information, the Secretary may issue a compliance order to that person
requiring the person to take corrective action and notifying the person
that violation of the compliance order is subject to a notice of
violation and assessment of a civil penalty. If a person wishes to
co
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
