CHAPTER VII
PHYSICAL SECURITY REQUIREMENTS
1. BASELINE REQUIREMENTS. Each classified AIS, including remote terminals,
printers, or other output devices, communication links, memory, and
other interconnected devices, shall be afforded physical security
commensurate with the highest classification level and most restrictive
classification category of information to which it provides access.
Components of the classified AIS shall be contained in security areas
authorized by an approved Site Safeguards and Security Plan or a Site
Security Plan. Security controls to protect the equipment apply not
only to the classified AIS and its components but also to all removable
media such as magnetic tapes, magnetic disk packs, and spare or
replacement parts once they are identifiable with a specific Classified
AIS or Network.
2. PROTECTION REQUIREMENTS FOR PROTECTION INDEX ZERO, ONE, TWO, OR THREE.
Any accredited classified AISs with a Protection Index of zero, one,
two, or three shall be located in at least a DOE Limited Area. The
following protection requirements also apply:
a. The classified AIS or components can only be left unattended,
without additional action as described in subparagraph (b) below,
under the following conditions:
(1) The area is authorized by an approved Site Safeguards and
Security Plan or Site Security Plan for the open storage of
classified information; and,
(2) All personnel authorized unescorted access have a need-to-know
for all the information processed, stored, transferred, or
accessed by the classified AIS.
b. If the classified AIS or any of its components is to be left
unattended and the area is not authorized by an approved Site
Safeguards and Security Plan or Site Security Plan for the open
storage of classified information, then:
(1) All classified information shall be removed from the
classified AIS and its components and shall be stored in
DOE-approved security containers as defined by DOE 5632.5,
PHYSICAL PROTECTION OF CLASSIFIED MATTER;
(2) The classified AIS and/or component shall be sanitized as
described in Chapter IX; and
(3) All interfaces to Protected Distribution Systems shall be
disconnected and shall be secured (both the disconnection and
securing of the interface shall be accomplished with a
DAA-approved mechanism).
3. PROTECTION REQUIREMENTS FOR PROTECTION INDEX OF FOUR OR FIVE. Any
accredited classified AIS with a Protection Index of four or five (see
Chapter IV) shall be located in at least a DOE Limited Area and the
following restrictions shall also apply:
a. Components that are exclusively in the unclassified portion of a
multilevel AIS shall be located within at least a DOE Property
Protection Area as described by DOE 5632.1B, PROTECTION PROGRAM
OPERATIONS.
b. The physical security controls over the components and their
associated communications channels shall be commensurate with the
highest classification level and most restrictive classification
category of information released to or processed by that component.
c. The classified AIS or components can only be left unattended,
without additional action as described in subparagraph (d) below,
under the following conditions:
(1) The area is authorized by an approved Site Safeguards and
Security Plan or Site Security Plan for the open storage of
classified information; and,
(2) All personnel authorized unescorted access have a common
need-to-know for all the information processed, stored,
transferred, or accessed by the classified AIS.
d. If the classified AIS or any of its components is to be left
unattended and the area is not authorized by an approved Site
Safeguards and Security Plan or Site Security Plan for the open
storage of classified information, then:
(1) All classified information shall be removed from the
classified AIS or its components and shall be stored in
DOE-approved security containers as defined by DOE 5632.5;
(2) The classified AIS or component shall be sanitized as
described in guidance published periodically by the CSPM; and
(3) All interfaces to a Protected Distribution System shall be
disconnected and shall be secured (both the disconnection and
securing of the interface shall be accomplished with a
DAA-approved mechanism).
4. UNESCORTED PHYSICAL ACCESS TO THE CLASSIFIED AIS.
a. Protection Index of Zero, One, or Two. Unescorted physical access
to a Classified AIS shall be controlled and limited to personnel
whose "need-to-know" has been verified by the CSSO and cleared for
access to the highest classification level and most restrictive
classification category of information processed, stored,
transferred, or accessible by the classified AIS.
b. Protection Index of Three or Greater. Unescorted physical access
to components of a classified AIS shall be controlled and limited
to personnel whose "need-to-know" has been verified by the CSSO,
and cleared for access to the highest classification level and most
restrictive classification category of information processed,
stored, transferred, or accessible by that component.
c. Temporary Access. If it is necessary for personnel who are not
cleared to the highest classification level and most restrictive
classification category to have temporary access to the Classified
AIS security area, they shall be escorted by a trained classified
AIS escort authorized by the CSSO.
5. VISUAL ACCESS REQUIREMENTS. Each classified AIS shall be protected in a
manner which prevents unauthorized personnel from having visual access
to the information being displayed.