Federal Register: January 26, 2005 (Volume 70, Number 16)
Rules and Regulations            
Page 3599-3614

-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

10 CFR Part 824

[Docket No. SO-RM-00-01]
RIN 1992-AA28

 
Procedural Rules for the Assessment of Civil Penalties for 
Classified Information Security Violations

AGENCY: Office of Security, Department of Energy.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of Energy (DOE) is today publishing a final 
rule to assist in implementing section 234B of the Atomic Energy Act of 
1954. Section 234B makes DOE contractors and their subcontractors 
subject to civil penalties for violations of DOE rules, regulations and 
orders regarding the safeguarding and security of Restricted Data and 
other classified information.

EFFECTIVE DATE: February 25, 2005.

FOR FURTHER INFORMATION CONTACT: Geralyn Praskievicz, Office of 
Security, SO-1, U.S. Department of Energy, 1000 Independence Ave., SW., 
Washington, DC 20585, (202) 586-4451; JoAnn Williams, Office of General 
Counsel, GC-53, U.S. Department of Energy, 1000 Independence Ave., SW., 
Washington, DC 20585, (202) 586-6899.

SUPPLEMENTARY INFORMATION: 
I. Introduction.
II. DOE's Response to Comments.
III. Regulatory Review and Procedural Requirements.
    A. Review Under Executive Order 12866.
    B. Review Under the Regulatory Flexibility Act.
    C. Review Under the Paperwork Reduction Act.
    D. Review Under the National Environmental Policy Act.
    E. Review Under Executive Order 12988.
    F. Review Under Executive Order 13132.
    G. Review Under the Treasury and General Appropriations Act, 
1999.
    H. Review Under the Treasury and General Appropriations Act, 
2001.
    I. Review Under Executive Order 13084.
    J. Review Under the Unfunded Mandate Reform Act of 1995.
    K. Review Under Executive Order 13211.
    L. Congressional Notification.

I. Introduction

    Pursuant to the Atomic Energy Act of 1954 and other laws, DOE 
carries out a variety of national defense and energy research, 
development and demonstration activities at facilities around the 
nation that are owned by the United States Government, under the 
control and custody of DOE, and operated by management and operating 
contractors under the supervision of DOE. The use of private industry 
and educational institutions to operate these kinds of facilities, 
including the national laboratories and their predecessors, dates back 
to the Atomic Energy Commission, if not to the Manhattan Project. It 
has allowed the United States to attract the best minds to do the 
cutting edge scientific, engineering and technical work critical to 
DOE's national security mission. By its nature, that work involves 
highly classified information regarding atomic weapons and other 
weapons of mass destruction; nuclear naval propulsion; intelligence 
related to terrorism and other topics of great sensitivity. For more 
than 50 years, DOE, like its predecessor the Atomic Energy Commission, 
has had to balance two sets of considerations. On the one hand, DOE 
must attract the best minds that it can to do cutting edge scientific 
work at the heart of DOE's national security mission, and DOE must 
permit its operating and management contractors to function in a manner 
that permits sufficient dissemination of classified work to be put to 
the various uses that U.S. national security demands. At the same time, 
it obviously must take all prudent steps to prevent enemies of this 
nation from gaining access to work that could be used to the detriment, 
rather than the enhancement, of vital national security interests.
    Over the years periodic contractor lapses in adherence to processes 
designed to safeguard Restricted Data or other classified information 
have given rise to concerns about the adequacy of efforts by 
contractors to protect this kind of information. In order to give DOE 
an additional tool to assure that these processes are being followed, 
Congress enacted section 234B of the Atomic Energy Act of 1954. This 
section grants DOE new authority to impose civil penalties for 
violations of DOE regulations and orders directed to the safeguarding 
of this kind of information, as well as confirming DOE's preexisting 
authority to withhold portions of a contractor's fee by reason of poor 
performance arising out of such violations. DOE had previously 
promulgated regulations specifying how it would carry out this latter 
authority, and today's rule specifies the manner in which it will carry 
out its civil penalty authority. DOE believes that today's regulation 
will assist in providing greater emphasis on a culture of security 
awareness in existing DOE operations, and strong incentives for 
contractors to identify and correct noncompliance conditions and 
processes in order to protect classified information of vital 
significance to this nation. It will also facilitate, encourage and 
support contractor initiatives for the prompt identification and 
correction of security problems.
    Section 3147 of the National Defense Authorization Act for Fiscal 
Year 2000 (Public Law 106-65) added a new section 234B to the Atomic 
Energy Act of 1954 (the Act) (42 U.S.C. 2282b). Section 234B has two 
subsections. The first subsection, subsection a., provides that any 
person who: (1) Has entered into a contract or agreement with DOE, or a 
subcontract or subagreement thereto, and (2) violates (or whose 
employee violates) any applicable rule, regulation, or order prescribed 
or otherwise issued by the Secretary of Energy pursuant to the Act 
relating to the safeguarding or security of Restricted Data or other 
classified or sensitive information, shall be subject to a civil 
penalty not to exceed $100,000 for each such violation. The second 
subsection, subsection b., requires that each DOE contract contain 
provisions which provide an appropriate reduction in the fees or 
amounts paid to the contractor under the contract in the event of a 
violation by the contractor or contractor employee of any rule, 
regulation or order relating to the safeguarding or security of 
Restricted Data or other classified or sensitive information.
    DOE elected to implement section 234B in two separate rulemakings, 
one establishing procedural rules to implement subsection a. similar to 
the procedural rules to achieve compliance with DOE nuclear safety 
requirements found at 10 CFR part 820, ``Procedural Rules for DOE 
Nuclear Activities,'' and the other establishing a procurement clause 
like the existing clause for conditional payment of fee, profit or 
incentives, 48 CFR (DEAR) 970.5215-3. On February 1, 2001, DOE 
published a notice of proposed rulemaking (NOPR) (66 FR 8560) to 
implement subsection b. of section 234B, concerning reductions in fees 
or amounts paid to contractors in the event of a security violation. 
DOE received numerous comments in response to that notice, and 
responded to them in a notice of interim final rulemaking on December 
10, 2003 (68 FR 68771).
    On April 1, 2002, DOE published a NOPR at 67 FR 15339 to solicit 
comments on its proposed framework for an enforcement program for the 
civil penalty provisions in subsection a. The NOPR requested written 
comments by July 1, 2002, and invited oral comments at public hearings 
held in Las Vegas, Nevada on May 22, 2002, and in Washington, DC on May 
29, 2002. Written comments were received from eleven sources and oral 
comments from two. All comments were from representatives of DOE 
contractors. DOE responds to the major issues raised in comments in 
part II of this SUPPLEMENTARY INFORMATION.
    To a large extent, the regulations in this notice of final 
rulemaking are self-explanatory. There are, however, several 
fundamental features which were discussed in the NOPR that bear 
repeating here. DOE will apply civil penalties only to violations of 
requirements for the protection of classified information. Classified 
information is defined as ``Restricted Data'' or ``Formerly Restricted 
Data'' protected against unauthorized disclosure pursuant to the Act 
and ``National Security Information'' protected against unauthorized 
disclosure pursuant to Executive Order 12958, as amended on March 25, 
2003, or any predecessor or successor order. Although section 234B 
refers to ``sensitive information,'' DOE does not employ this term in 
today's final regulations because: (1) Neither the statute nor its 
legislative history defines the term; (2) there is no commonly accepted 
definition of ``sensitive information'' within DOE or the Executive 
Branch; and (3) the legislative history of subsection a. indicates that 
the Congress was concerned with unauthorized disclosures of classified 
information. The additional category of unclassified information that 
might merit inclusion in a regulation imposing civil penalties is 
Unclassified Controlled Nuclear Information (UCNI), a category of 
unclassified government information concerning atomic energy defense 
programs established by section 148 of the Act (42 U.S.C. 2168). 
However, DOE already has a preexisting regime in place with respect to 
such information that includes civil penalties. Section 148 provides 
that any person who violates a regulation or order issued under that 
section shall be subject to a civil penalty not to exceed $100,000. DOE 
implemented the provisions of section 148 in regulations contained in 
10 CFR part 1017. Since part 1017 already imposes a civil 
monetary penalty for unauthorized dissemination of UCNI comparable to 
the penalty specified in section 234B, DOE determined that it is 
unnecessary to include UCNI in regulations implementing section 234B.
    Today's final regulations permit DOE to assess civil penalties for 
violations of regulations, rules or orders described in Sec.  824.4 of 
part 824. These are violations of: (1) 10 CFR part 1016 (``Safeguarding 
of Restricted Data''); (2) 10 CFR part 1045 (``Nuclear Classification 
and Declassification''); or (3) any other DOE regulation or rule 
(including any DOE order or manual enforceable under a contractual 
provision) related to the safeguarding or security of Restricted Data 
or other classified information that specifically indicates that 
violation of its provisions may result in a civil penalty pursuant to 
section 234B, and (4) compliance orders issued pursuant to part 824.
    In addition, section 161 of the Act broadly authorizes DOE to 
prescribe regulations and issue orders deemed necessary to protect the 
common defense and security (42 U.S.C. 2201). Consistent with the 
proposed rule, part 824 implements this authority by providing that the 
Secretary may issue a compliance order requiring a person to take 
corrective action if a person by act or omission causes, or creates a 
risk of, the loss, compromise or unauthorized disclosure of classified 
information even if that person has not violated a rule or regulation 
specified in Sec.  824.4(a) of part 824. Violation of the compliance 
order may also result in the assessment of a civil penalty if the order 
so specifies. While the recipient of a compliance order may request the 
Secretary to rescind or modify the compliance order, the request does 
not stay the effectiveness of the order unless the Secretary issues a 
new order to that effect. The compliance order provisions in 10 CFR 
824.4(b) and (c) are modeled after a similar mechanism in 10 CFR part 
820, the rule implementing procedures for section 234A of the Act with 
respect to nuclear safety.
    Today's final rule only applies to contractors and others who have 
entered into agreements or contracts with DOE or subagreements or 
subcontracts thereto. This is because subsection a. of section 234B 
provides that what triggers the availability of a civil penalty is the 
fact that a ``person * * * has entered into a contract or agreement 
with the Department of Energy, or a subcontract or subagreement 
thereto, and * * * violates (or whose employee violates) any applicable 
rule, regulation or order.'' It is clear from the statutory language, 
particularly the parenthetical ``or whose employee violates'' that 
Congress intended contractors and their subcontractors or suppliers to 
be responsible for the acts or omissions of their employees who fail to 
observe these rules, regulations, and orders, rather than contemplating 
the imposition of civil penalties on employees themselves. 
Consequently, part 824 provides for the assessment of civil penalties 
against contractors or subcontractors for their employees' actions but 
not against the employees themselves. The Atomic Energy Act establishes 
a separate regime of criminal penalties applicable to individuals for 
the knowing unauthorized communication of Restricted Data. See sections 
224 and 227 of the Atomic Energy Act (42 U.S.C. 2274, 2277).
    Subsection d. of section 234B sets limitations on civil penalties 
assessed against certain nonprofit entities specified at subsection d. 
of section 234A (hereafter the ``named contractors''). For each of the 
named contractors, the statute provides that no civil penalty may be 
assessed until the entity enters into a new contract with DOE after 
October 5, 1999 (the date of enactment) or an extension of a current 
contract with DOE after October 5, 1999. The statute also limits the 
total amount of civil penalties assessed against the named contractors 
in any fiscal year to the total amount of fees paid to that entity in 
that fiscal year. It should be noted that the limitations applicable to 
the named contractors also apply to their subcontractors and suppliers 
regardless of whether they are for-profit or nonprofit.
    The fee that represents the cap for civil penalties of nonprofits 
will be determined pursuant to the provisions of the specific contracts 
covered by the limitation on nonprofits in section 234B.d.(2).
    DOE has decided not to finalize its proposal to cap civil penalties 
assessed against other DOE contractors that are nonprofit educational 
institutions under the United States Internal Revenue Code in the same 
manner as penalties are capped for the named contractors. The statute 
identifies only the named contractors as those that should receive this 
treatment. While Congress gave DOE authority to mitigate civil 
penalties, DOE has concluded that there is not a strong enough case to 
warrant using that authority in a categorical fashion to cap these 
penalties without regard to any other consideration for contractor 
security violations by entities other than those that Congress 
determined should have their penalties capped in this fashion. Rather, 
DOE has concluded that its mitigation authority would be better 
exercised on a case-by-case basis, taking into account all 
circumstances, both aggravating and extenuating. The final rule and 
enforcement policy make clear that DOE plans to exercise that authority 
to mitigate civil penalties based on many considerations, including an 
entity's financial circumstances. That should be sufficient to ensure 
that the civil penalty authority is not exercised in a manner that 
discourages non-profit institutions from seeking DOE contracts. 
Finally, our decision is consistent with DOE's proposed regulations for 
10 CFR part 851 to implement section 234C of the Atomic Energy Act 
(civil penalties for worker health and safety violations), the most 
recent legislation providing DOE civil penalty authority.
    DOE also has determined on a somewhat different approach from the 
one in the proposed rule for allocating responsibility among various 
DOE officials for the performance of certain administrative 
responsibilities relating to the imposition of civil penalties, 
including issuance of the preliminary notice of violation, issuance of 
final notice of violation, and settlement of enforcement actions. DOE's 
NOPR called for all of these responsibilities to be carried out by the 
Deputy Secretary on the recommendation of the Director of the Office of 
Security. DOE has concluded that there is no compelling reason for 
making the Deputy Secretary responsible for these functions in the 
first instance. Moreover, DOE believes it is desirable to make the 
procedures for part 824 consistent with the procedural framework in 10 
CFR part 820 (civil penalties for nuclear safety violations) and the 
proposed part 851 regulations (civil penalties for worker health and 
safety violations). In both those frameworks, a DOE official 
subordinate to the Secretary and the Deputy Secretary is the official 
charged with initiating enforcement and related responsibilities in the 
case of non-NNSA contractors; in the case of NNSA contractors, the 
subordinate DOE official makes a recommendation to the NNSA 
Administrator, who then determines whether or not to accept that 
recommendation. In the case of a dispute between the responsible DOE 
official and the NNSA Administrator, the matter may be referred to the 
Deputy Secretary.
    The part 824 rule adopted today adopts a similar framework, under 
which the Secretary designated a subordinate DOE official to carry out 
the administrative responsibilities in the case of non-NNSA 
contractors, but in the case of NNSA contractors this official makes a 
recommendation to the 
NNSA Administrator who decides whether or not to accept that 
recommendation. If the NNSA Administrator disagrees with the cognizant 
DOE official's recommendation, and the disagreement cannot be resolved 
by the two officials, the DOE official may refer the matter to the 
Deputy Secretary for resolution.
    The Secretary of Energy has approved this notice of final 
rulemaking for publication.

II. DOE's Response to Comments

    The following discussion describes the major issues raised in 
comments, provides DOE's response to these comments, and sets forth or 
describes any resulting changes to the rule. DOE has also made a few 
editorial, stylistic and format changes for clarity and consistency, 
but DOE does not describe them in detail because they do not 
substantially change the terms of the proposed regulations.

A. Enforcement Policy

    A number of commenters argued that DOE's proposed enforcement 
program under section 234B was deficient in that it lacked an important 
feature of 10 CFR part 820, a general enforcement policy statement. 
Without a statement of general enforcement policy, these commenters 
viewed the proposed regulations as vague and thus susceptible to 
uneven, or unduly harsh application. Commenters feared that this could 
mean that a single inadvertent mis-classification of a document might 
result in a civil penalty.
    Based on consideration of these comments, DOE has included in 
today's final regulations ``Appendix A to Part 824--General Statement 
of Enforcement Policy,'' which is closely modeled after ``Appendix A to 
Part 820.'' Appendix A to part 824 includes the following important 
features of the part 820 model:
1. Severity Levels
    Violations of DOE classified information security requirements have 
varying degrees of security significance. Therefore, the security 
significance of each violation is to be identified as the first step in 
the enforcement process. Violations of DOE classified information 
security requirements are categorized in three levels of severity. 
These levels are discussed in section V. of appendix A to this part. 
Table 1.--Severity Level Base Civil Penalties in appendix A provides 
the base civil penalty amount for each level of violation.
2. Incentives for Both Timely Identification of Potential 
Noncompliances and Conducting Appropriate Corrective Actions
    Many comments were received regarding the overall fairness of the 
proposed regulations and the need to ensure a consistent and equitable 
enforcement process.
    Appendix A specifically states that DOE's goal in the compliance 
arena is to enhance and protect the common defense and security at DOE 
facilities by fostering a culture among both DOE line organizations and 
contractors that actively seeks not only to attain compliance with DOE 
classified information security requirements but also to sustain it. 
The DOE enforcement program and policy has been developed with the 
express purpose of achieving a culture committed to the best possible 
security at DOE's facilities. Appendix A sets out substantial 
incentives to the contractors for the early self-identification, 
reporting and prompt correction of problems which constitute, or could 
lead to, violations. Thus, the application of adjustment factors may 
result in no civil penalty being assessed for violations that are 
identified, reported and promptly and effectively corrected by the 
contractor. On the other hand, ineffective programs for problem 
identification and correction are unacceptable. For example, if a 
contractor fails to disclose and promptly correct violations of which 
it should be aware or should have been aware, substantial civil 
penalties are warranted and may be sought, including the assessment of 
civil penalties for continuing violations on a per day basis.

B. Timing of the Regulations

    DOE received several comments that expressed the view that these 
regulations are premature principally because DOE is imposing new 
security standards by this rulemaking and contractors deserve 
additional funding and time to meet these new standards. DOE disagrees 
with these comments. No new DOE classified information security 
requirements are being imposed on contractors by these regulations 
themselves, which only set up the policies and procedures for an 
enforcement program that may impose civil penalties for requirements 
established elsewhere.

C. Contract Issues

1. Applicability to Violations Prior to Effective Date
    Several comments objected to civil penalties applying to violations 
that occurred prior to the effective date of these regulations, 30 days 
after the date of this publication. Paragraph (b) of section 3147 of 
the National Defense Authorization Act for Fiscal Year 2000 
specifically states that ``[s]ubsection a. of section 234B of the 
Atomic Energy Act * * * applies to any violation after the date of 
enactment of this Act.'' Congress specified a different effective date 
for the application of civil penalties against nonprofit contractors 
listed in section 234A.d. (after entry into a new contract or extension 
of a current contract), but did not provide a similar limitation with 
respect to other DOE contractors.
2. Limitation of Liability for Nonprofits
    Two issues were raised with respect to the limitation of liability 
for nonprofits in proposed Sec.  824.2(b). This section would implement 
subsection d. of section 234B that sets limitations on civil penalties 
assessed against certain entities specified at subsection d. of section 
234A. Some commenters argued that the cap on civil penalties, 
specifying that the total amount of civil penalties imposed may not 
exceed the fee for that fiscal year, should apply to all contractors. 
For reasons similar to those noted above for not finalizing its 
proposed approach of extending this limitation to all non-profits, DOE 
has not accepted this position. Rather it has concluded that it should 
not broaden the category of contractors to whom this limitation applies 
beyond the specific list identified by Congress. As DOE explained, in 
all other instances, it will evaluate mitigation on a case-by-case 
basis taking into account all relevant aggravating and mitigating 
circumstances.
    The second issue relates to the limitation of liability for 
subcontractors of nonprofit contractors. Consistent with sections 234A 
and 234B, today's final regulations provide at Sec.  824.2(b)(1) that 
the limitations on liability apply to all subcontractors and suppliers, 
whether for-profit or nonprofit, of the seven named entities working at 
the named sites specified in subsection d. of section 234A. Commenters 
have indicated that this list in section 234A.d. is not current in that 
some of the named sites are no longer operated by the named 
contractors. Therefore, these commenters argue that the limitations on 
liability should extend to all subcontractors and suppliers of any 
contractor at the named sites. DOE rejects this view on the ground that 
Congress expressly cross-referenced, in section 234B.d., the section 
234A.d. list of exceptions and that any change in that list should be 
accomplished, if at all, by legislative amendment.

3. Relationship With Fee Reduction Regulations
    A number of comments expressed the view that DOE needed to clarify 
the relationship between these regulations and the regulations of DOE's 
Office of Procurement and Assistance Management that implement 
paragraph b. of section 234B. That paragraph requires that each DOE 
contract contain provisions which provide an appropriate reduction in 
the fees or amounts paid to the contractor under the contract in the 
event of a violation by the contractor or contractor employee of any 
rule, regulation or order relating to the security of classified 
information. Commenters raising this issue were concerned that 
contractors might be subjected to both a civil penalty and a reduction 
in fee for one violation. Congress contemplated this possibility when 
it enacted both subsections a. and b. of section 234B without a 
requirement to choose between the two. By contrast, in the later 
enacted section 234C Congress specifically did require DOE to elect 
between civil and contractual penalties (see section 234C.d.). 
Consistent with the omission of any such provision in section 234B, 
today's regulations neither require nor preclude such a choice.
4. Contract Disputes Act
    Certain contractors commented in favor of implementing section 234B 
by using the process and procedures in the Contract Disputes Act, 41 
U.S.C. 601-613, rather than the procedures in the proposed rule. In 
DOE's view, the administration of a system for imposition of civil 
penalties, as required by a statute, does not fall under the purposes 
of the Contract Disputes Act. Jurisdiction for agency boards of 
contract appeals, defined at 41 U.S.C. 607(d), consists only of appeals 
of contracting officer decisions. Section 234B provides that the powers 
and limitations applicable to the assessment of civil penalties under 
section 234A shall apply to the assessment of civil penalties under 
section 234B. Section 234A gives the Secretary the authority to 
determine, compromise or modify civil penalties to be imposed under 
section 234A after opportunity for an agency hearing pursuant to 5 
U.S.C. 554, before an administrative law judge appointed pursuant to 5 
U.S.C. 3105. Appeals from these determinations may be made to a U.S. 
court of appeals.
5. Major Fraud Act
    The applicability of the Major Fraud Act, 41 U.S.C. 256(k), to 
civil penalty proceedings for security violations was raised by 
commenters who stated that DOE needs to clarify how that Act relates to 
investigations into suspected or alleged violations of DOE classified 
information security requirements. They recommended that DOE issue an 
interpretation stating that as long as a contractor is exempt by 
statute from the payment of civil penalties, the Major Fraud Act shall 
not be considered applicable by reason of the ``monetary penalty'' 
provision of that act. The Major Fraud Act does not make distinctions 
in its reimbursement prohibitions for different categories of 
contractors. Even those contractors that are exempt from civil 
penalties under other statutory or regulatory authority are subject to 
the reimbursement prohibitions of the Major Fraud Act. In other words, 
once a government-initiated proceeding has commenced which relates to a 
violation of, or failure to comply with, a law or regulation, the Act's 
restrictions apply to investigation proceeding costs, even if the 
outcome of the proceeding cannot be the actual payment of a monetary 
penalty. The cost principle at 48 CFR (FAR) 31.205-47, which implements 
the Act, provides that proceeding costs not made unallowable may be 
reimbursed, but only to the extent that the amounts of such costs do 
not exceed 80% of the reasonable and allocable proceeding costs 
incurred by a contractor.
6. Statute of Limitations
    Some commenters argued that without a ``statute of limitations'' a 
Management and Operating (M&O) contractor might be held liable for the 
acts or omissions of a former M&O contractor at a DOE site thus 
nullifying DEAR 970.5231-4 ``Preexisting Conditions'' which currently 
provides some protection to contractors new to a facility. DOE's 
experience with Part 820 regarding nuclear safety violations has not 
indicated that the absence of a ``statute of limitations'' provision is 
a problem. DOE will adopt a common sense approach in applying Part 824 
and not penalize an M&O contractor for the acts or omissions of a 
predecessor unless the new contractor knows or should reasonably know 
that a violation exists. Also, one of the provisions in the 
``Preexisting Conditions'' clause places a duty on the new contractor 
to inspect the facility and timely identify to the contracting officer 
conditions which could give rise to a liability.

D. Applicability

    DOE has revised proposed Sec. Sec.  824.2 (``Applicability'') and 
824.3 (``Definitions'') to address comments requesting clarification of 
the applicability of the regulations. These comments expressed the view 
that the regulations were vague and overly broad. DOE agrees that more 
precise language in two places in these two subsections is warranted. 
One comment pointed out that proposed Sec.  824.2(a) was too broad in 
that it made the regulations applicable to ``any entity that is subject 
to DOE security requirements for the protection of classified 
information.'' This exceeds the authority conferred by the statute, 
which is limited to contractors and subcontractors of the Department. 
Section 824.2(a), as published today, tracks the language of section 
234B which states that the regulations apply to any person that has 
entered into a contract or agreement with DOE, or a subcontract or 
subagreement thereto.
    Also, in response to comments raising questions about the 
applicability of the proposed regulations to the National Nuclear 
Security Administration (NNSA), Sec.  824.3 now contains a definition 
of the ``Department of Energy.'' This definition clarifies that these 
regulations are applicable to contractors of all components of DOE, 
including the NNSA.

E. Definitions

    In addition to adding a definition of the term ``Department of 
Energy'' discussed in section D of this supplementary information, DOE 
has made other changes in the definitions in Sec.  824.3, in response 
to the comments or for purposes of clarification. DOE has revised the 
definition of the term ``classified information'' in response to a 
comment to track more clearly the language in the definition of that 
term in Executive Order 12958, as amended on March 25, 2003. We have 
deleted the definition of the term ``contractor'' because the term is 
not actually used in the operational sections of the regulation. 
Finally, we also have revised the definition of the term ``Director'' 
and, as revised, the term means ``the DOE Official, or his or her 
designee, to whom the Secretary has assigned responsibility for 
enforcement under this part.''
    DOE did not accept the comment that the definition of the term 
``person'' is too broad in that it includes parents and affiliates of a 
contractor. Those making this comment argued that extending liability 
to parents and affiliates goes beyond what is permitted by section 234B 
and that this extension of liability is unfair. DOE disagrees. The last 
sentence of the definition of the term ``person'' in Sec.  820.2, the 
DOE nuclear safety regulations implementing section 234A, states that, 
for purposes of civil 
penalty assessment, the term also includes affiliated entities, such as 
a parent corporation. Section 234B.c. states that the powers and 
limitations applicable to the assessment of civil penalties under 
section 234A, with certain exceptions pertaining to the nonprofit 
entities identified at subsection d. of that section, shall apply to 
the assessment of civil penalties under section 234B. Therefore, DOE 
believes that a broad definition of the term ``person'' is appropriate.

F. Sources of Classified Information Protection Requirements

    It was clear to DOE from a number of comments received about the 
proposed scope of the regulations that DOE should revise Sec.  824.4 
(``Civil penalties'') to identify more clearly the DOE security 
requirements covered by these regulations. In response to one comment, 
DOE has incorporated language that specifies that Sec.  824.4 applies 
only to acts or omissions related to ``classified information 
protection'' requirements, rather than security requirements more 
generally.
    DOE agrees with the comment that the reference to 10 CFR part 1046 
``Physical Protection of Security Interests'' should not be included in 
Sec.  824.4. Section 234B makes civil penalties applicable to 
classified information protection requirements, not requirements for 
the DOE protective force, such as medical and physical fitness 
standards. The two remaining DOE regulations, 10 CFR part 1016 
(``Safeguarding of Restricted Data'') and 10 CFR part 1045 (``Nuclear 
Classification and Declassification'') are the only current DOE 
regulations containing classified information protection requirements 
whose violation is a predicate for civil penalties under today's rule.
    DOE received one comment that DOE should impose civil penalties 
only for violations of regulations promulgated in accordance with the 
Administrative Procedure Act (APA), 5 U.S.C. 551 et seq., and of those 
DOE orders and other documents in the DOE Directive System specifically 
identified in the contractor's contract with DOE. Other commenters 
argued that no civil penalties should arise out of the violation of any 
classified information protection requirement except a requirement set 
forth in a DOE regulation. In some cases, the commenters did not 
indicate why DOE should exclude violations of DOE orders as the grounds 
for assessing a civil penalty. Commenters who did say why they opposed 
including DOE orders argued that inclusion: (1) Would make the proposed 
regulations overly broad; (2) would not provide contractors with 
adequate notice of what requirements DOE intended to enforce with civil 
penalties; and (3) would differ from DOE's enforcement policy in 10 CFR 
part 820 which implements section 234A of the Act with respect to 
nuclear safety violations.
    In the rule adopted today, DOE has revised the language of the 
proposed rule to clarify the extent to which civil penalties will be 
imposed for violations of requirements in DOE orders or manuals as well 
as for violations of compliance orders. Specifically, Sec.  824.4(a) 
and (b) have been rewritten to read as follows:

Section 824.4 Civil Penalties

    (a) Any person who violates a classified information protection 
requirement of any of the following is subject to a civil penalty under 
this part:
    (1) 10 CFR part 1016--Safeguarding of Restricted Data;
    (2) 10 CFR part 1045--Nuclear Classification and Declassification; 
or
    (3) Any other DOE regulation or rule (including any DOE order or 
manual enforceable against the contractor or subcontractor under a 
contractual provision in that contractor's or subcontractor's contract) 
related to the safeguarding or security of classified information if 
the regulation or rule provides that violation of its provisions may 
result in a civil penalty pursuant to subsection a. of section 234B. 
of the Act.
    (b) If, without violating any regulation or rule under paragraph 
(a) of this section, a person by any act or omission jeopardizes the 
security of classified information, the Secretary may issue a 
compliance order to that person requiring that person to take 
corrective action and notifying the person that violation of the 
compliance order is subject to a notice of violation and assessment of 
a civil penalty. If a person wishes to contest that compliance order, 
the person must file a notice of appeal with the Secretary within 15 
days of receipt of the compliance order.
    DOE believes that this approach appropriately carries out the 
Congressional policy set out in section 234B. Section 234B stressed two 
considerations in determining whether a civil penalty should be 
imposed: the status of the entity on whom the penalty might be imposed 
as a contractor or subcontractor, and the violation by that entity of 
an ``applicable rule, regulation or order prescribed or otherwise 
issued by the Secretary pursuant to this Act relating to the 
safeguarding or security of Restricted Data or other classified 
information.'' DOE's security orders and manuals are rules within the 
meaning of the APA (5 U.S.C. 551(4)). In light of these two 
considerations, DOE believes the statute is best carried out, with 
respect to orders and directives, by applying it to violations of those 
that are applicable to the contractor by virtue of its contract and 
that provide for the imposition of civil penalties, as well as to 
violations of any applicable regulations.
    DOE believes that the revised language should resolve contractor 
concerns about vagueness and uncertainty as to what are the sources for 
classified information control requirements that may give rise to 
violations subject to civil penalties. Certain commenters feared that 
they might be penalized for violations of verbal, e-mail or other 
guidance in documents that supplemented DOE orders or manuals. Today's 
rule makes clear that the contractor will have fair notice since DOE 
only intends to enforce by civil penalties the provisions of a DOE 
order or manual enforceable against the contractor under its contract 
that provides that violations of its classified information protection 
provisions may result in a civil penalty. DOE considers it the 
responsibility of its contractors to ``flow down'' to their 
subcontractors and suppliers the requirements of those orders and 
directives to which civil penalties apply.
    In today's rule, DOE is departing from the practice under 10 CFR 
part 820 regarding the imposition of civil penalties for nuclear 
safety violations. Part 820 limits the scope of penalty-bearing nuclear 
safety requirements to those published in the CFR or set forth in 
compliance orders. DOE has not taken the step of departing from the 
approach taken in part 820 lightly. However, DOE does not believe that 
it can fully implement the kind of comprehensive security enforcement 
program that both Congress and DOE believe is required for the 
protection of sensitive national security interests without inclusion 
of relevant DOE orders and manuals. In the security area, DOE and its 
predecessor agencies have historically imposed requirements on 
contractors by internal directives rather than codified regulations. 
While more may be done by regulation in the future, the current reality 
is that many significant DOE security requirements are not promulgated 
by regulation. To fully carry out the program Congress contemplated in 
light of the serious security issues that face us today, DOE believes 
it should include provisions in orders and manuals enforceable against 
the contractor under its contract that 
provide that their violation carries with it the risk of a civil 
penalty, thereby allowing it to impose civil penalties for such 
violations in appropriate circumstances.

G. Standard for Violation

    Several commenters asserted that the language of proposed Sec.  
824.4(b) was too vague and overly broad in that it stated that the 
Secretary may issue a compliance order if a person by act or omission 
``jeopardizes'' the security of classified information. DOE agrees with 
this comment and has modified that provision to track the language of a 
comparable provision in part 820. The sentence now states that the 
Secretary may issue a compliance order if a person by act or omission 
causes, or creates a risk of, the loss, compromise or unauthorized 
disclosure of classified information.
    DOE did not accept the comment made by a number of contractors that 
civil penalties should be assessed only if there is actual loss or 
compromise of classified information, not just the threat of the loss 
or compromise. DOE believes this takes an overly narrow view of its 
contractors' and its own obligations to protect classified information. 
If a contractor by its acts or omissions places classified information 
at risk, that contractor has already failed to live up to those 
obligations. To the extent actual compromise is relevant, it is 
relevant in the context of the exercise of enforcement discretion. As 
stated in the enforcement policy at appendix A, DOE may exercise that 
discretion not to assess a civil penalty or to mitigate the civil 
penalty under appropriate circumstances, when, for example, the 
contractor self reports and takes corrective actions.

H. Continuing Violations

    DOE received several comments asserting that section 234B does not 
specify that a violation that is a continuing violation must constitute 
a separate violation for purposes of computing the civil penalty. DOE 
disagrees. Section 234B.c. cross-references section 234A which provides 
in subsection a. that if any violation is a continuing one, each day of 
such violation shall constitute a separate violation for the purpose of 
computing the applicable civil penalty. Consistent with subsection b. 
of section 234A, which is also picked up by section 234B's cross-
reference, DOE does have authority to address inequities that may arise 
from this through its authority to compromise, modify or remit a 
penalty. It anticipates that it will exercise that authority based on 
mitigating factors in Sec.  824.13 and the general enforcement policy 
in appendix A if the contractor exercises due diligence in identifying 
and correcting security problems. But as an initial matter, under the 
statutory provision as Congress enacted it, DOE believes that the 
cross-reference has the effect of defining each day of violation as a 
separate violation.
    DOE also received comments seeking clarification of when a civil 
penalty will begin, i.e., the date the violation is noticed or first 
occurred, and when will it end. The civil penalty begins on the date 
the act or omission that gives rise to the violation first occurred, 
but in no case before October 5, 1999. It ends when corrective action 
has been completed.

I. Preliminary Notice of Violation

    DOE has revised proposed Sec.  824.5, ``Notice of violation.'' DOE 
revised the rule to accommodate comments objecting to the use of 
criminal law enforcement terminology in the preliminary notice of a 
civil violation. Specifically, commenters objected to the words 
``accused'' and ``charged.'' Therefore, the preliminary notice of 
violation will notify the person of the date, facts, and nature of each 
act or omission, ``constituting the alleged violation,'' not ``with 
which the person is charged.'' Section 824.6(d) now refers to a person 
``notified of an alleged violation,'' rather than ``accused of a 
violation.''
    In response to numerous comments, DOE has also decided that 
Sec. Sec.  824.6 and 824.7 in this final rule should more closely 
follow the procedures in part 820 with which DOE contractors are 
familiar. Therefore, DOE has replaced procedures regarding a ``notice 
of violation'' in proposed Sec.  824.5 with more extensive and detailed 
procedures regarding a ``preliminary notice of violation'' and a 
``final notice of violation'' in Sec. Sec.  824.6 and 824.7. These 
sections set forth more precisely the responsibilities of both the 
agency and the recipient of either type of notice and the effect of 
various actions by the agency or the recipient.

J. Discovery

    The one comment DOE received regarding discovery argued that a 
contractor should have equal rights with the agency. More specifically, 
the comment suggested that the authority of the Deputy Secretary to 
issue subpoenas in Sec.  824.5 should be deleted and that language 
should be added to Sec.  824.10(d) to provide that the Hearing Officer 
may issue subpoenas on behalf of the contractor. DOE has accepted this 
comment with respect to the Hearing Officer's authority, but DOE 
believes that the officials responsible for the administration of the 
civil penalty rule also should possess the authority to issue subpoenas 
since, for example, there may be a need to issue subpoenas in the 
investigatory stage of a case prior to a hearing. As discussed above in 
section I, while the NOPR called for the Deputy Secretary to carry out 
the administrative responsibilities under part 824 in the case of both 
non-NNSA contractors and NNSA contractors, the final rule makes a 
subordinate DOE official designated by the Secretary responsible for 
exercising the rule's procedural functions when non-NNSA contractors 
are involved, and the Administrator of NNSA, on the recommendation of 
the Director, responsible for exercising the rule's principal 
procedural functions when NNSA contractors are involved.

K. Burden of Proof

    One comment suggested that DOE revise proposed Sec.  824.7 to make 
clear that the purpose of the hearing is not for the contractor ``to 
answer under oath or affirmation'' the allegations. DOE agrees and the 
proposed section, renumbered Sec.  824.8, now states that any person who 
receives a final notice of violation under Sec.  824.7 may request a 
hearing concerning the allegations contained in that notice. Another 
comment stated that proposed Sec.  824.11(e) should provide that DOE 
not only has the burden of proving, by a preponderance of the evidence, 
that a violation has occurred, but also the appropriateness of the 
amount of the proposed civil penalty. DOE has accepted this comment and 
revised what is now Sec.  824.12(e) to track the language of 10 CFR 
part 820.29(d) with which contractors are familiar. Section 824.12(e) 
now reads as follows:
    ``DOE has the burden of going forward with and of proving by a 
preponderance of the evidence that the violation occurred as set forth 
in the final notice of violation and that the proposed civil penalty is 
appropriate. The person to whom the final notice of violation has been 
addressed has the burden of presenting and of going forward with any 
defense to the allegations set forth in the final notice of violation. 
Each matter of controversy shall be determined by the Hearing Officer 
upon a preponderance of the evidence.''

L. Classified Evidence at the Hearing

    One comment objected on due process grounds to language that could 
be interpreted to mean that the Hearing Officer could exclude pertinent 
testimony from the hearing if the 
testimony is classified. This was not DOE's intent, and DOE has revised 
proposed Sec.  824.11(d) to clarify how the Hearing Officer is to treat 
classified information and other information protected from public 
disclosure by law or regulation. Section 824.12(d) now provides as 
follows:
    ``The Hearing Officer must use procedures appropriate to safeguard 
and prevent unauthorized disclosure of classified information or any 
other information protected from public disclosure by law or 
regulation, with minimum impairment of rights and obligations under 
this part. The classified or otherwise protected status of any 
information shall not, however, preclude its being introduced into 
evidence. The Hearing Officer may issue such orders as may be necessary 
to consider such evidence in camera, including the preparation of a 
supplemental initial decision to address issues of law or fact that 
arise out of that portion of the evidence that is classified or 
otherwise protected.''

M. Mitigation

    Section 824.13 sets out the mitigating factors that the Hearing 
Officer will consider in determining the amount of the civil penalty. 
The mitigating factors listed are identical to those in section 234A of 
the Act, since section 234B provides that, ``the powers and limitations 
applicable to the assessment of civil penalties under section 234A 
shall apply.'' DOE has added the general enforcement policy at appendix 
A to explain further how DOE intends to determine the amount of a civil 
penalty and what actions a contractor may take to influence that 
penalty. DOE believes that Sec.  824.13, combined with appendix A, 
adequately addresses all appropriate mitigation factors. Accordingly, 
DOE has rejected comments urging that such factors as lack of funding 
or intentional misconduct of an employee be added to the list in Sec.  
824.13.

N. Final Agency Action and Judicial Review

    DOE received one comment suggesting that the proposed regulations 
should be amended to specify clearly when the agency's final action has 
occurred in order for the contractor to calculate the deadline for 
seeking judicial review of the agency's action. DOE has revised the 
regulations to expand and clarify the stages in the enforcement 
process, including what constitutes a final order enforceable against a 
person (see Sec. Sec.  824.7 and 824.13). Additionally, although the 
proposed regulations provided that judicial review of a Hearing 
Officer's initial decision would be available only after a party 
appealed that decision to the Secretary, the final regulations do not 
provide for a losing party to appeal the Hearing Officer's initial 
decision to the Secretary. Instead, the regulations permit the 
Secretary, at his discretion, within thirty days after the Hearing 
Officer files the initial decision, to review the initial decision and 
file a final order. If the Secretary does not choose to review the 
initial decision within 30 days of its filing, then it becomes a final 
agency action.

O. Miscellaneous

    One comment sought clarification as to whether DOE Headquarters and 
a DOE local office could each assess a penalty for the same offense. 
Only DOE Headquarters has authority to assess civil penalties.
    DOE received one comment asking whether security violations 
revealed during audits and inspections may give rise to civil 
penalties. Audits and inspections may form the basis for an allegation 
or finding of violation under part 824, just as is the case with 
respect to nuclear safety violations under part 820.

III. Regulatory Review and Procedural Requirements

A. Review Under Executive Order 12866

    Today's regulatory action has been determined not to be a 
``significant regulatory action'' under Executive Order 12866, 
``Regulatory Planning and Review,'' (58 FR 51735, October 4, 1993). 
Accordingly, today's action was not subject to review under the 
Executive Order by the Office of Information and Regulatory Affairs of 
the Office of Management and Budget.

B. Review Under the Regulatory Flexibility Act

    The rule was reviewed under the Regulatory Flexibility Act of 1980, 
Public Law 96-354, which requires preparation of an initial regulatory 
flexibility analysis for any rule that is likely to have significant 
economic impact on a substantial number of small entities. This 
rulemaking applies principally to large entities who are M&O 
contractors and establishes procedures but does not itself impose costs 
on the contractors or subcontractors. Therefore, DOE certifies that 
this regulation will not have a significant economic impact on a 
substantial number of small entities and, therefore, no regulatory 
flexibility analysis has been prepared.

C. Review Under the Paperwork Reduction Act

    No new information or record keeping requirements are imposed by 
this rulemaking. Accordingly, no Office of Management and Budget 
clearance is required under the Paperwork Reduction Act. (44 U.S.C. 
3501 et seq.)

D. Review Under the National Environmental Policy Act

    DOE has concluded that promulgation of this rule falls into a class 
of actions that would not individually or cumulatively have a 
significant impact on the human environment, as determined by DOE's 
regulations implementing the National Environmental Policy Act of 1969 
(42 U.S.C. 4321 et seq.). Specifically, this rule deals only with 
agency procedures, and, therefore is covered under the Categorical 
Exclusion in paragraph A6 to subpart D, 10 CFR part 1021. Accordingly, 
neither an environmental assessment nor an environmental impact 
statement is required.

E. Review Under Executive Order 12988

    With respect to the promulgation of new regulations, section 3(a) 
of Executive Order 12988, ``Civil Justice Reform,'' 61 FR 4729 
(February 7, 1996) imposes on Executive agencies the general duty to: 
(1) Eliminate drafting errors and ambiguity; (2) write regulations to 
minimize litigation; and (3) provide a clear legal standard for 
affected conduct rather than a general standard and to promote 
simplification and burden reduction. With regard to the review required 
by section 3(a), section 3(b) of Executive Order 12988 specifically 
requires that Executive agencies make every reasonable effort to ensure 
that a regulation: (1) Clearly specifies its preemptive effect, if any; 
(2) clearly specifies any effect on existing federal law or regulation; 
(3) provides a clear legal standard for affected conduct while 
promoting simplification and burden reduction; (4) specifies its 
retroactive effect, if any; (5) adequately defines key terms; and (6) 
addresses other important issues affecting clarity and general 
draftsmanship under any guidelines issued by the Attorney General. 
Section 3(c) of Executive Order 12988 requires Executive agencies to 
review regulations in light of the applicable standards in section 3(a) 
and 3(b) to determine whether they are met or if it is unreasonable to 
meet one or more of them. DOE has completed the required reviews and 
has determined that, to the extent allowed by law, the rule meets the 
relevant standards of Executive Order 12988.

F. Review Under Executive Order 13132

    Executive Order 13132 (64 FR 43255, August 4, 1999) imposes certain 
requirements on agencies formulating and implementing policies or 
regulations that preempt State law or that have federalism 
implications. Agencies are required to examine the constitutional and 
statutory authority supporting any action that would limit the 
policymaking discretion of the States and carefully assess the 
necessity for such actions. DOE has examined today's rule and has 
determined that it does not preempt State law and does not have a 
substantial direct effect on the States, on the relationship between 
the national government and the States, or on the distribution of power 
and responsibilities among the various levels of government. No further 
action is required by Executive Order 13132.

G. Review Under Treasury and General Government Appropriations Act, 
1999

    Section 654 of the Treasury and General Government Appropriations 
Act, 1999 (Public Law 105-277) requires Federal agencies to issue a 
Family Policymaking Assessment for any proposed rule that may affect 
family well-being. Today's rulemaking would not have any impact on the 
autonomy or integrity of the family as an institution. Accordingly, DOE 
has not prepared a family policymaking assessment.

H. Review Under the Treasury and General Government Appropriations Act, 
2001

    The Treasury and General Government Appropriations Act, 2001 (44 
U.S.C. 3516, note) provides for agencies to review most dissemination 
of information to the public under guidelines established by each 
agency pursuant to general guidelines issued by OMB. OMB's guidelines 
were published at 67 FR 8452 (Feb. 22, 2002), and DOE's guidelines were 
published at 67 FR 62446 (Oct 7, 2002). DOE has reviewed today's notice 
under the OMB and DOE guidelines, and has concluded that it is consistent 
with applicable policies in those guidelines.

I. Review Under Executive Order 13084

    Under Executive Order 13084 (Consultation and Coordination with 
Indian Tribal Governments), DOE may not issue a discretionary rule that 
significantly or uniquely affects Indian tribal governments and imposes 
substantial direct compliance costs. This rulemaking would not have 
such effects. Accordingly, Executive Order 13084 does not apply to this 
rulemaking.

J. Review Under the Unfunded Mandates Reform Act of 1995

    Title II of the Unfunded Mandates Reform Act of 1995 requires each 
agency to prepare a written assessment of the effects of any Federal 
mandate in a proposed or final rule that may result in the expenditure 
by State, local, and tribal governments and the private sector, of $100 
million in any single year. DOE has determined that today's regulatory 
action does not impose a Federal mandate on State, local, or tribal 
governments or on the private sector.

K. Review Under Executive Order 13211

    Executive Order 13211, ``Actions Concerning Regulations That 
Significantly Affect Energy Supply, Distribution or Use'' (66 FR 28355, 
May 22, 2001) requires Federal agencies to prepare and submit to the 
Office of Information and Regulatory Affairs (OIRA), Office of 
Management and Budget, a Statement of Energy Effects for any proposed 
significant energy action. A ``significant energy action'' is defined 
as any action by an agency that promulgated or is expected to lead to 
promulgation of a final rule, and that: (1) Is a significant regulatory 
action under Executive Order 12866, or any successor order; and (2) is 
likely to have a significant adverse effect on the supply, 
distribution, or use of energy, or (3) is designated by the 
Administrator of OIRA as a significant energy action. For any proposed 
significant energy action, the agency must give a detailed statement of 
any adverse effects on the energy supply, distribution, or use should 
the proposal be implemented, and of reasonable alternatives to the 
action and their expected benefits on energy supply, distribution, and 
use. Today's regulatory action is not a significant energy action. 
Accordingly, DOE has not prepared a Statement of Energy Effects.

L. Congressional Notification

    As required by 5 U.S.C. 801, DOE will report to Congress 
promulgation of the rule prior to its effective date. The report will 
state that it has been determined that the rule is not a ``major rule'' 
as defined by 5 U.S.C. 804.

List of Subjects in 10 CFR Part 824

    Government contracts, Nuclear materials, Penalties, Security 
measures.

    Issued in Washington, DC on January 18, 2005.
Glenn S. Podonsky, Director,
Office of Security and Safety Performance Assurance.

For the reasons set forth in the preamble, DOE hereby amends chapter 
III of title 10 of the Code of Federal Regulations by adding a new part 
824 as set forth below.

PART 824--PROCEDURAL RULES FOR THE ASSESSMENT OF CIVIL PENALTIES 
FOR CLASSIFIED INFORMATION SECURITY VIOLATIONS

Sec.
824.1 Purpose and scope.
824.2 Applicability.
824.3 Definitions.
824.4 Civil penalties.
824.5 Investigations.
824.6 Preliminary notice of violation.
824.7 Final notice of violation.
824.8 Hearing.
824.9 Hearing Counsel.
824.10 Hearing Officer.
824.11 Rights of the person at the hearing.
824.12 Conduct of the hearing.
824.13 Initial decision.
824.14 Special procedures.
824.15 Collection of civil penalties.
824.16 Direction to NNSA contractors.
Appendix A to part 824--general statement of enforcement policy

    Authority: 42 U.S.C. 2201, 2282b, 7101 et seq., 50 U.S.C. 2401 
et seq.


Sec.  824.1  Purpose and scope.

    This part implements subsections a., c., and d. of section 234B. of 
the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2282b. Subsection a. 
provides that any person who has entered into a contract or agreement 
with the Department of Energy, or a subcontract or subagreement 
thereto, and who violates (or whose employee violates) any applicable 
rule, regulation or order under the Act relating to the security or 
safeguarding of Restricted Data or other classified information, shall 
be subject to a civil penalty not to exceed $100,000 for each 
violation. Subsections c. and d. specify certain additional authorities 
and limitations respecting the assessment of such penalties.


Sec.  824.2  Applicability.

    (a) General. These regulations apply to any person that has entered 
into a contract or agreement with DOE, or a subcontract or sub-
agreement thereto.
    (b) Limitations. DOE may not assess any civil penalty against any 
entity (including subcontractors and suppliers thereto) specified at 
subsection d. of section 234A of the Act until the entity enters, after 
October 5, 1999, into a new contract with DOE or an extension of a 
current contract with DOE, and the total amount of civil penalties may 
not exceed the total amount of fees paid by the DOE to that entity in 
that fiscal year.
    (c) Individual employees. No civil penalty may be assessed against 
a person which enters into an agreement with DOE.


Sec.  824.3  Definitions.

    As used in this part:
    Act means the Atomic Energy Act of 1954 (42 U.S.C. 2011 et seq.).
    Administrator means the Administrator of the National Nuclear 
Security Administration.
    Classified information means Restricted Data and Formerly 
Restricted Data protected against unauthorized disclosure pursuant to 
the Act and National Security Information that has been determined 
pursuant to Executive Order 12958, as amended March 25, 2003, or any 
predecessor or successor executive order to require protection against 
unauthorized disclosure and that is marked to indicate its classified 
status when in documentary form.
    DOE means the United States Department of Energy, including the 
National Nuclear Security Administration.
    Director means the DOE Official, or his or her designee, to whom 
the Secretary has assigned responsibility for enforcement of this part.
    Person means any person as defined in section 11.s. of the Act, 42 
U.S.C. 2014, and includes any affiliate or parent corporation thereof, 
who enters into a contract or agreement with DOE, or is a party to a 
contract or subcontract under a contract or agreement with DOE.
    Secretary means the Secretary of Energy.


Sec.  824.4  Civil penalties.

    (a) Any person who violates a classified information protection 
requirement of any of the following is subject to a civil penalty under 
this part:
    (1) 10 CFR part 1016--Safeguarding of Restricted Data;
    (2) 10 CFR part 1045--Nuclear Classification and Declassification; 
or
    (3) Any other DOE regulation or rule (including any DOE order or 
manual enforceable against the contractor or subcontractor under a 
contractual provision in that contractor's or subcontractor's contract) 
related to the safeguarding or security of classified information if 
the regulation or rule provides that violation of its provisions may 
result in a civil penalty pursuant to subsection a. of section 234B. of 
the Act.
    (b) If, without violating a classified information protection 
requirement of any regulation or rule under paragraph (a) of this 
section, a person by an act or omission causes, or creates a risk of, 
the loss, compromise or unauthorized disclosure of classified 
information, the Secretary may issue a compliance order to that person 
requiring the person to take corrective action and notifying the person 
that violation of the compliance order is subject to a notice of 
violation and assessment of a civil penalty. If a person wishes to 
contest the compliance order, the person must file a notice of appeal 
with the Secretary within 15 days of receipt of the compliance order.
    (c) The Director may propose imposition of a civil penalty for 
violation of a requirement of a regulation or rule under paragraph (a) 
of this section or a compliance order issued under paragraph (b) of 
this section, not to exceed $100,000 for each violation.
    (d) If any violation is a continuing one, each day of such 
violation shall constitute a separate violation for the purpose of 
computing the applicable civil penalty.
    (e) The Director may enter into a settlement, with or without 
conditions, of an enforcement proceeding at any time if the settlement 
is consistent with the objectives of DOE's classified information 
protection requirements.


Sec.  824.5  Investigations.

    The Director may conduct investigations and inspections relating to 
the scope, nature and extent of compliance by a person with DOE 
security requirements specified in Sec.  824.4(a) and (b) and take such 
action as the Director deems necessary and appropriate to the conduct 
of the investigation or inspection, including signing, issuing and 
serving subpoenas.


Sec.  824.6  Preliminary notice of violation.

    (a) In order to begin a proceeding to impose a civil penalty under 
this part, the Director shall notify the person by a written 
preliminary notice of violation sent by certified mail, return receipt 
requested, of:
    (1) The date, facts, and nature of each act or omission 
constituting the alleged violation;
    (2) The particular provision of the regulation, rule or compliance 
order involved in each alleged violation;
    (3) The proposed remedy for each alleged violation, including the 
amount of any civil penalty proposed; and,
    (4) The right of the person to submit a written reply to the 
Director within 30 calendar days of receipt of such preliminary notice 
of violation.
    (b) A reply to a preliminary notice of violation must contain a 
statement of all relevant facts pertaining to an alleged violation. The 
reply must:
    (1) State any facts, explanations and arguments which support a 
denial of the alleged violation;
    (2) Demonstrate any extenuating circumstances or other reason why a 
proposed remedy should not be imposed or should be mitigated;
    (3) Discuss the relevant authorities which support the position 
asserted, including rulings, regulations, interpretations, and previous 
decisions issued by DOE;
    (4) Furnish full and complete answers to any questions set forth in 
the preliminary notice; and
    (5) Include copies of all relevant documents.
    (c) If a person fails to submit a written reply within 30 calendar 
days of receipt of a preliminary notice of violation:
    (1) The person relinquishes any right to appeal any matter in the 
preliminary notice; and
    (2) The preliminary notice, including any remedies therein, 
constitutes a final order.
    (d) The Director, at the request of a person notified of an alleged 
violation, may extend for a reasonable period the time for submitting a 
reply or a hearing request letter.


Sec.  824.7  Final notice of violation.

    (a) If a person submits a written reply within 30 calendar days of 
receipt of a preliminary notice of violation, the Director must make a 
final determination whether the person violated or is continuing to 
violate a classified information security requirement.
    (b) Based on a determination by the Director that a person has 
violated or is continuing to violate a classified information security 
requirement, the Director may issue to the person a final notice of 
violation that concisely states the determined violation, the amount of 
any civil penalty imposed, and further actions necessary by or 
available to the person. The final notice of violation also must state 
that the person has the right to submit to the Director, within 30 
calendar days of the receipt of the notice, a written request for a 
hearing under Sec.  824.8 or, in the alternative, to elect the 
procedures specified in section 234A.c.(3) of the Act, 42 U.S.C. 
2282a.c.(3).
    (c) The Director must send a final notice of violation by certified 
mail, return receipt requested, within 30 calendar days of the receipt 
of a reply.
    (d) Subject to paragraphs (h) and (i) of this section, the effect 
of final notice shall be:
    (1) If a final notice of violation does not contain a civil 
penalty, it shall be deemed a final order 15 days after the final 
notice is issued.
    (2) If a final notice of violation contains a civil penalty, the 
person must submit to the Director within 30 days after the issuance of 
the final notice:
    (i) A waiver of further proceedings;
    (ii) A request for an on-the-record hearing under Sec.  824.8; or
    (iii) A notice of intent to proceed under section 234A.c.(3) of the 
Act, 42 U.S.C. 2282a.(c)(3).
    (e) If a person waives further proceedings, the final notice of 
violation shall be deemed a final order enforceable against the person. 
The person must pay the civil penalty set forth in the notice of 
violation within 60 days of the filing of waiver unless the Director 
grants additional time.
    (f) If a person files a request for an on-the-record hearing, then 
the hearing process commences.
    (g) If the person files a notice of intent to proceed under section 
234A.c.(3) of the Act, 42 U.S.C. 2282a.(c)(3), the Director, by order, 
shall assess the civil penalty set forth in the Notice of Violation.
    (h) The Director may amend the final notice of violation at any 
time before the time periods specified in paragraphs (d)(1) or (d)(2) 
expire. An amendment shall add fifteen days to the time period under 
paragraph (d) of this section.
    (i) The Director may withdraw the final notice of violation, or any 
part thereof, at any time before the time periods specified in 
paragraphs (d)(1) or (d)(2) expire.


Sec.  824.8  Hearing.

    (a) Any person who receives a final notice of violation under Sec.  
824.7 may request a hearing concerning the allegations contained in the 
notice. The person must mail or deliver any written request for a 
hearing to the Director within 30 calendar days of receipt of the final 
notice of violation.
    (b) Upon receipt from a person of a written request for a hearing, 
the Director shall:
    (1) Appoint a Hearing Counsel; and
    (2) Select an administrative law judge appointed under section 3105 
of Title 5, U.S.C., to serve as Hearing Officer.


Sec.  824.9  Hearing Counsel.

    The Hearing Counsel:
    (a) Represents DOE;
    (b) Consults with the person or the person's counsel prior to the 
hearing;
    (c) Examines and cross-examines witnesses during the hearing; and
    (d) Enters into a settlement of the enforcement proceeding at any 
time if settlement is consistent with the objectives of the Act and DOE 
security requirements.


Sec.  824.10  Hearing Officer.

    The Hearing Officer:
    (a) Is responsible for the administrative preparations for the 
hearing;
    (b) Convenes the hearing as soon as is reasonable;
    (c) Administers oaths and affirmations;
    (d) Issues subpoenas, at the request of either party or on the 
Hearing Officer's motion;
    (e) Rules on offers of proof and receives relevant evidence;
    (f) Takes depositions or has depositions taken when the ends of 
justice would be served;
    (g) Conducts the hearing in a manner which is fair and impartial;
    (h) Holds conferences for the settlement or simplification of the 
issues by consent of the parties;
    (i) Disposes of procedural requests or similar matters;
    (j) Requires production of documents; and
    (k) Makes an initial decision under Sec.  824.13.


Sec.  824.11  Rights of the person at the hearing.

    The person may:
    (a) Testify or present evidence through witnesses or by documents;
    (b) Cross-examine witnesses and rebut records or other physical 
evidence, except as provided in Sec.  824.12(d);
    (c) Be present during the entire hearing, except as provided in 
Sec.  824.12(d); and
    (d) Be accompanied, represented and advised by counsel of the 
person's choosing.


Sec.  824.12  Conduct of the hearing.

    (a) DOE shall make a transcript of the hearing;
    (b) Except as provided in paragraph (d) of this section, the 
Hearing Officer may receive any oral or documentary evidence, but shall 
exclude irrelevant, immaterial or unduly repetitious evidence;
    (c) Witnesses shall testify under oath and are subject to cross-
examination, except as provided in paragraph (d) of this section;
    (d) The Hearing Officer must use procedures appropriate to 
safeguard and prevent unauthorized disclosure of classified information 
or any other information protected from public disclosure by law or 
regulation, with minimum impairment of rights and obligations under 
this part. The classified or otherwise protected status of any 
information shall not, however, preclude its being introduced into 
evidence. The Hearing Officer may issue such orders as may be necessary 
to consider such evidence in camera including the preparation of a 
supplemental initial decision to address issues of law or fact that 
arise out of that portion of the evidence that is classified or 
otherwise protected.
    (e) DOE has the burden of going forward with and of proving by a 
preponderance of the evidence that the violation occurred as set forth 
in the final notice of violation and that the proposed civil penalty is 
appropriate. The person to whom the final notice of violation has been 
addressed shall have the burden of presenting and of going forward with 
any defense to the allegations set forth in the final notice of 
violation. Each matter of controversy shall be determined by the 
Hearing Officer upon a preponderance of the evidence.


Sec.  824.13  Initial decision.

    (a) The Hearing Officer shall issue an initial decision as soon as 
practicable after the hearing. The initial decision shall contain 
findings of fact and conclusions regarding all material issues of law, 
as well as reasons therefor. If the Hearing Officer determines that a 
violation has occurred and that a civil penalty is appropriate, the 
initial decision shall set forth the amount of the civil penalty based 
on:
    (1) The nature, circumstances, extent, and gravity of the violation 
or violations;
    (2) The violator's ability to pay;
    (3) The effect of the civil penalty on the person's ability to do 
business;
    (4) Any history of prior violations;
    (5) The degree of culpability; and
    (6) Such other matters as justice may require.
    (b) The Hearing Officer shall serve all parties with the initial 
decision by certified mail, return receipt requested. The initial 
decision shall include notice that it constitutes a final order of DOE 
30 days after the filing of the initial decision unless the Secretary 
files a Notice of Review. If the Secretary files a Notice of Review, 
he shall file a final order as soon as practicable after 
completing his review. The Secretary, at his discretion, may order 
additional proceedings, remand the matter, or modify the amount of the 
civil penalty assessed in the initial decision. DOE shall notify the 
person of the Secretary's action under this paragraph in writing by 
certified mail, return receipt requested. The person against whom the 
civil penalty is assessed by the final order shall pay the full amount 
of the civil penalty assessed in the final order within thirty (30) 
days unless otherwise agreed by the Director.


Sec.  824.14  Special procedures.

    A person receiving a final notice of violation under Sec.  824.7 
may elect in writing, within 30 days of receipt of 
such notice, the application of special procedures regarding payment of 
the penalty set forth in section 234A.c.(3) of the Act, 42 U.S.C. 
2282a(c)(3). The Director shall promptly assess a civil penalty, by 
order, after the date of such election. If the civil penalty has not 
been paid within sixty calendar days after the assessment has been 
issued, the DOE shall institute an action in the appropriate District 
Court of the United States for an order affirming the assessment of the 
civil penalty.


Sec.  824.15  Collection of civil penalties.

    If any person fails to pay an assessment of a civil penalty after 
it has become a final order or after the appropriate District Court has 
entered final judgment for DOE under Sec.  824.14, DOE shall institute 
an action to recover the amount of such penalty in an appropriate 
District Court of the United States.


Sec.  824.16  Direction to NNSA contractors.

    (a) Notwithstanding any other provision of this part, the NNSA 
Administrator, rather than the Director, signs, issues, serves, or 
takes the following actions that direct NNSA contractors or 
subcontractors.
    (1) Subpoenas;
    (2) Orders to compel attendance;
    (3) Disclosures of information or documents obtained during an 
investigation or inspection;
    (4) Preliminary notices of violation; and
    (5) Final notices of violations.
    (b) The Administrator shall act after consideration of the 
Director's recommendation. If the Administrator disagrees with the 
Director's recommendation, and the disagreement cannot be resolved by 
the two officials, the Director may refer the matter to the Deputy 
Secretary for resolution.

APPENDIX A TO PART 824--GENERAL STATEMENT OF ENFORCEMENT POLICY

I. Introduction

    a. This policy statement sets forth the general framework 
through which DOE will seek to ensure compliance with its classified 
information security regulations and rules and classified 
information security-related compliance orders (hereafter 
collectively referred to as classified information security 
requirements).
    The policy set forth herein is applicable to violations of 
classified information security requirements by DOE contractors and 
their subcontractors (hereafter collectively referred to as DOE 
contractors). This policy statement is not a regulation and is 
intended only to provide general guidance to those persons subject 
to the classified information security requirements. It is not 
intended to establish a formulaic approach to the initiation and 
resolution of situations involving noncompliance with these 
requirements. Rather, DOE intends to consider the particular facts 
of each noncompliance situation in determining whether enforcement 
penalties are appropriate and, if so, the appropriate magnitude of 
those penalties. DOE reserves the option to deviate from this policy 
statement when appropriate in the circumstances of particular cases.
    b. Both the Department of Energy Organization Act, 42 U.S.C. 
7101, and the Atomic Energy Act of 1954 (the Act), 42 U.S.C. 2011, 
require DOE to protect and provide for the common defense and 
security of the United States in conducting its nuclear activities, 
and grant DOE broad authority to achieve this goal.
    c. The DOE goal in the compliance arena is to enhance and 
protect the common defense and security at DOE facilities by 
fostering a culture among both DOE line organizations and 
contractors that actively seeks to attain and sustain compliance 
with classified information security requirements. The enforcement 
program and policy have been developed with the express purpose of 
achieving a culture of active commitment to security and voluntary 
compliance. DOE will establish effective administrative processes 
and incentives for contractors to identify and report noncompliances 
promptly and openly and to initiate comprehensive corrective actions 
to resolve both the noncompliances themselves and the program or 
process deficiencies that led to noncompliance.
    d. In the development of the DOE enforcement policy, DOE 
believes that the reasonable exercise of its enforcement authority 
can help to reduce the likelihood of serious security incidents. 
This can be accomplished by providing greater emphasis on a culture 
of security awareness in existing DOE operations and strong 
incentives for contractors to identify and correct noncompliance 
conditions and processes in order to protect classified information 
of vital significance to this nation. DOE wants to facilitate, 
encourage, and support contractor initiatives for the prompt 
identification and correction of problems. These initiatives and 
activities will be duly considered in exercising enforcement 
discretion.
    e. Section 234B of the Act provides DOE with the authority to 
impose civil penalties and also with the authority to compromise, 
modify, or remit civil penalties with or without conditions. In 
implementing section 234B, DOE will carefully consider the facts of 
each case of noncompliance and will exercise appropriate judgment in 
taking any enforcement action. Part of the function of a sound 
enforcement program is to assure a proper and continuing level of 
security vigilance. The reasonable exercise of enforcement authority 
will be facilitated by the appropriate application of security 
requirements to nuclear facilities and by promoting and coordinating 
the proper contractor attitude toward complying with those 
requirements.

II. Purpose

    The purpose of the DOE enforcement program is to promote and 
protect the common defense and security of the United States by:
    a. Ensuring compliance by DOE contractors with applicable 
classified information security requirements.
    b. Providing positive incentives for a DOE contractor's:
    (1) Timely self-identification of security deficiencies,
    (2) Prompt and complete reporting of such deficiencies to DOE,
    (3) Root cause analyses of security deficiencies,
    (4) Prompt correction of security deficiencies in a manner which 
precludes recurrence, and
    (5) Identification of modifications in practices or facilities 
that can improve security.
    c. Deterring future violations of DOE requirements by a DOE 
contractor.
    d. Encouraging the continuous overall improvement of operations 
at DOE facilities.

III. Statutory Authority

    Section 234B of the Act subjects contractors, and their 
subcontractors and suppliers, to civil penalties for violations of 
DOE regulations, rules and orders regarding the safeguarding and 
security of Restricted Data and other classified information.

IV. Procedural Framework

    a. 10 CFR part 824 sets forth the procedures DOE will use in 
exercising its enforcement authority, including the issuance of 
notices of violation and the resolution of contested enforcement 
actions in the event a DOE contractor elects to adjudicate contested 
issues before an administrative law judge.
    b. Pursuant to 10 CFR part 824.6, the Director initiates the 
civil penalty process by issuing a preliminary notice of violation 
that specifies a proposed civil penalty. The DOE contractor is 
required to respond in writing to the preliminary notice of 
violation, either admitting the violation and waiving its right to 
contest the proposed civil penalty and paying it; admitting the 
violation, but asserting the existence of mitigating circumstances 
that warrant either the total or partial remission of the civil 
penalty; or denying that the violation has occurred and providing 
the basis for its belief that the preliminary notice of violation is 
incorrect. After evaluation of the DOE contractor's response, the 
Director may determine that no violation has occurred; that the 
violation occurred as alleged in the preliminary notice of 
violation, but that the proposed civil penalty should be remitted in 
whole or in part; or that the violation occurred as alleged in the 
preliminary notice of violation and that the proposed civil penalty 
is appropriate notwithstanding the asserted mitigating 
circumstances. In the latter two instances, the Director will issue 
a final notice of violation or a final notice of violation with 
proposed civil penalty.
    c. An opportunity to challenge a proposed civil penalty either 
before an administrative law judge or in a United States District 
Court is provided in 42 U.S.C. 2282a(c). Part 824 sets forth the 
procedures associated with an administrative hearing, should the 
contractor opt for that method of challenging the proposed civil 
penalty.

V. Severity of Violations

    a. Violations of classified information security requirements 
have varying degrees of security significance. Therefore, the 
relative importance of each violation must be identified as the 
first step in the enforcement process. Violations of classified 
information security requirements are categorized in three levels of 
severity to identify their relative security significance. Notices 
of violation are issued for noncompliance and propose civil 
penalties commensurate with the severity level of the violation(s) 
involved.
    b. Severity Level I has been assigned to violations that are the 
most significant and Severity Level III violations are the least 
significant. Severity Level I is reserved for violations of 
classified information security requirements which involve actual or 
high potential for adverse impact on the national security. Severity 
Level II violations represent a significant lack of attention or 
carelessness toward responsibilities of DOE contractors for the 
protection of classified information which could, if uncorrected, 
potentially lead to an adverse impact on the national security. 
Severity Level III violations are less serious, but are of more than 
minor concern: i.e., if left uncorrected, they could lead to a more 
serious concern. In some cases, violations may be evaluated in the 
aggregate and a single severity level assigned for a group of 
violations.
    c. Isolated minor violations of classified information security 
requirements will not be the subject of formal enforcement action 
through the issuance of a notice of violation. However, these minor 
violations will be identified as noncompliances and tracked to 
assure that appropriate corrective/remedial action is taken to 
prevent their recurrence, and evaluated to determine if generic or 
specific problems exist. If circumstances demonstrate that a number 
of related minor noncompliances have occurred in the same time frame 
(e.g., all identified during the same assessment), or that related 
minor noncompliances have recurred despite prior notice to the DOE 
contractor and sufficient opportunity to correct the problem, DOE 
may choose in its discretion to consider the noncompliances in the 
aggregate as a more serious violation warranting a Severity Level 
III designation, a notice of violation and a possible civil penalty.
    d. The severity level of a violation will depend, in part, on 
the degree of culpability of the DOE contractor with regard to the 
violation. Thus, inadvertent or negligent violations will be viewed 
differently from those in which there is gross negligence, deception 
or willfulness. In addition to the significance of the underlying 
violation and level of culpability involved, DOE will also consider 
the position, training and experience of the person involved in the 
violation. Thus, for example, a violation may be deemed to be more 
significant if a senior manager of an organization is involved 
rather than a foreman or non-supervisory employee. In this regard, 
while management involvement, direct or indirect, in a violation may 
lead to an increase in the severity level of a violation and 
proposed civil penalty, the lack of such involvement will not 
constitute grounds to reduce the severity level of a violation or 
mitigate a civil penalty. Allowance of mitigation in such 
circumstances could encourage lack of management involvement in DOE 
contractor activities and a decrease in protection of classified 
information.
    e. Other factors which will be considered by DOE in determining 
the appropriate severity level of a violation are the duration of 
the violation, the past performance of the DOE contractor in the 
particular activity area involved, whether the DOE contractor had 
prior notice of a potential problem, and whether there are multiple 
examples of the violation in the same time frame rather than an 
isolated occurrence. The relative weight given to each of these 
factors in arriving at the appropriate severity level will depend on 
the circumstances of each case.
    f. DOE expects contractors to provide full, complete, timely, 
and accurate information and reports. Accordingly, the severity 
level of a violation involving either failure to make a required 
report or notification to DOE or an untimely report or notification 
will be based upon the significance of, and the circumstances 
surrounding, the matter that should have been reported. A contractor 
will not normally be cited for a failure to report a condition or 
event unless the contractor was actually aware or should have been 
aware of the condition or event which it failed to report.

VI. Enforcement Conferences

    a. Should DOE determine, after completion of all assessment and 
investigation activities associated with a potential or alleged 
violation of classified information security requirements, that 
there is a reasonable basis to believe that a violation has actually 
occurred, and the violation may warrant a civil penalty, DOE will 
normally hold an enforcement conference with the DOE contractor 
involved prior to taking enforcement action. DOE may also elect to 
hold an enforcement conference for potential violations which would 
not ordinarily warrant a civil penalty but which could, if repeated, 
lead to such action. The purpose of the enforcement conference is to 
assure the accuracy of the facts upon which the preliminary 
determination to consider enforcement action is based, discuss the 
potential or alleged violations, their significance and causes, and 
the nature of and schedule for the DOE contractor's corrective 
actions, determine whether there are any aggravating or mitigating 
circumstances, and obtain other information which will help 
determine the appropriate enforcement action.
    b. DOE contractors will be informed prior to a meeting when that 
meeting is considered to be an enforcement conference. Such 
conferences are informal mechanisms for candid pre-decisional 
discussions regarding potential or alleged violations and will not 
normally be open to the public. In circumstances for which immediate 
enforcement action is necessary in the interest of the national 
security, such action will be taken prior to the enforcement 
conference, which may still be held after the necessary DOE action 
has been taken.

VII. Enforcement Letter

    a. In cases where DOE has decided not to issue a notice of 
violation, DOE may send an enforcement letter to the contractor 
signed by the Director. The enforcement letter is intended to 
communicate the basis of the decision not to pursue further 
enforcement action for a noncompliance. The enforcement letter is 
intended to point contractors to the desired level of security 
performance. It may be used when the Director concludes the specific 
noncompliance at issue is not of the level of significance warranted 
for issuance of a notice of violation. The enforcement letter will 
typically describe how the contractor handled the circumstances 
surrounding the noncompliance and address additional areas requiring 
the contractor's attention and DOE's expectations for corrective 
action. The enforcement letter notifies the contractor that, when 
verification is received that corrective actions have been 
implemented, DOE will close the enforcement action. In the case of 
NNSA contractors or subcontractors, the enforcement letter will take 
the form of advising the contractor or subcontractor that the 
Director has consulted with the NNSA Administrator who agrees that 
further enforcement action should not be pursued if verification is 
received that corrective actions have been implemented by the 
contractor or subcontractor.
    b. In many investigations, an enforcement letter may not be 
required. When DOE decides that a contractor has appropriately 
corrected a noncompliance or that the significance of the 
noncompliance is sufficiently low, it may close out an investigation 
without such enforcement letter. A closeout of a noncompliance with 
or without an enforcement letter may only take place after the 
Director has issued a letter confirming that corrective actions have 
been completed. In the case of NNSA contractors or subcontractors, 
the Director's letter will take the form of confirming that 
corrective actions have been completed and advising that the 
Director has consulted with the NNSA Administrator who agrees that 
no enforcement action should be pursued.

VIII. Enforcement Actions

    The nature and extent of the enforcement action is intended to 
reflect the seriousness of the violation involved. For the vast 
majority of violations for which DOE assigns severity levels as 
described previously, a notice of violation will be issued, 
requiring a formal response from the recipient describing the nature 
of and schedule for corrective actions it intends to take regarding 
the violation.

1. Notice of Violation

    a. A Notice of Violation (preliminary or final) is a document 
setting forth the conclusion that one or more violations of 
classified information security requirements have occurred. Such a 
notice normally requires the recipient to provide a written response 
which may take one of several positions described in Section IV of 
this policy statement. In the event that the recipient concedes the 
occurrence of the violation, it is required to describe corrective 
steps which have been taken and the results achieved; remedial 
actions which will be taken to prevent recurrence; and the date by 
which full compliance will be achieved.
    b. DOE will use the notice of violation as the standard method 
for formalizing the existence of a possible violation and the notice 
of violation will be issued in conjunction with the proposed 
imposition of a civil penalty. In certain limited instances, as 
described in this section, DOE may refrain from the issuance of an 
otherwise appropriate notice of violation. However, a notice of 
violation normally will be issued for willful violations, for 
violations where past corrective actions for similar violations have 
not been sufficient to prevent recurrence and there are no other 
mitigating circumstances.
    c. DOE contractors are not ordinarily cited for violations 
resulting from matters not within their control, such as equipment 
failures that were not avoidable by reasonable quality assurance 
measures, proper maintenance, or management controls. With regard to 
the issue of funding, however, DOE does not consider an asserted 
lack of funding to be a justification for noncompliance with 
classified information security requirements. Should a contractor 
believe that a shortage of funding precludes it from achieving 
compliance with one or more of these requirements, it may request, 
in writing, an exemption from the requirement(s) in question from 
the appropriate Secretarial Officer (SO). If no exemption is 
granted, the contractor, in conjunction with the SO, must take 
appropriate steps to modify, curtail, suspend or cease the 
activities which cannot be conducted in compliance with the 
classified information security requirement(s) in question.
    d. DOE expects the contractors which operate its facilities to 
have the proper management and supervisory systems in place to 
assure that all activities at DOE facilities, regardless of who 
performs them, are carried out in compliance with all classified 
information security requirements. Therefore, contractors normally 
will be held responsible for the acts or omissions of their 
employees and subcontractor employees in the conduct of activities 
at DOE facilities.

2. Civil Penalty

    a. A civil penalty is a monetary penalty that may be imposed for 
violations of applicable classified information security 
requirements, including compliance orders. Civil penalties are 
designed to emphasize the need for lasting remedial action, deter 
future violations, and underscore the importance of DOE contractor 
self-identification, reporting and correction of violations.
    b. Absent mitigating circumstances as described below, or 
circumstances otherwise warranting the exercise of enforcement 
discretion by DOE as described in this section, civil penalties will 
be proposed for Severity Level I and II violations. Civil penalties 
also will be proposed for Severity Level III violations which are 
similar to previous violations for which the contractor did not take 
effective corrective action. ``Similar'' violations are those which 
could reasonably have been expected to have been prevented by 
corrective action for the previous violation. DOE normally considers 
civil penalties only for similar Severity Level III violations that 
occur over an extended period of time.
    c. DOE will impose different base level civil penalties 
considering the severity level of the violation(s). Table 1 shows 
the daily base civil penalties for the various categories of 
severity levels. However, as described in Section V, the imposition 
of civil penalties will also take into account the gravity, 
circumstances, and extent of the violation or violations and, with 
respect to the violator, any history of prior similar violations and 
the degree of culpability and knowledge.
    d. Regarding the factor of ability of DOE contractors to pay the 
civil penalties, it is not DOE's intention that the economic impact 
of a civil penalty is such that it puts a DOE contractor out of 
business. Contract termination, rather than civil penalties, is used 
when the intent is to terminate a contractor's management of a DOE 
facility. The deterrent effect of civil penalties is best served 
when the amount of such penalties takes this factor into account. 
However, DOE will evaluate the relationship of entities affiliated 
with the contractor (such as parent corporations) when it asserts 
that it cannot pay the proposed penalty.
    e. DOE will review each case involving a proposed civil penalty 
on its own merit and adjust the base civil penalty values upward or 
downward appropriately. As indicated in paragraph 2.c of this 
section, Table 1 identifies the daily base civil penalty values for 
different severity levels. After considering all relevant 
circumstances, civil penalties may be escalated or mitigated based 
upon the adjustment factors described below in this section. In no 
instance will a civil penalty for any one violation exceed the 
$100,000 statutory limit per violation. However, it should be noted 
that if a violation is a continuing one, under the statute, each day 
the violation continued constitutes a separate violation for 
purposes of computing the civil penalty. Thus, the per violation cap 
will not shield a DOE contractor that is or should have been aware 
of an ongoing violation and has not reported it to DOE and taken 
corrective action despite an opportunity to do so from liability 
significantly exceeding $100,000. Further, as described in this 
section, the duration of a violation will be taken into account in 
determining the appropriate severity level of the base civil 
penalty.

              Table 1.--Severity level Base Civil Penalties
------------------------------------------------------------------------
                                                           Base civil
                                                         penalty amount
                                                         (percentage of
                    Severity level                       maximum civil
                                                          penalty per
                                                         violation per
                                                              day)
------------------------------------------------------------------------
I....................................................                100
II...................................................                 50
III..................................................                 10
------------------------------------------------------------------------

3. Adjustment Factors

    a. DOE's enforcement program is not an end in itself, but a 
means to achieve compliance with classified information security 
requirements, and civil penalties are not assessed for revenue 
purposes, but rather to emphasize the importance of compliance and 
to deter future violations. The single most important goal of the 
DOE enforcement program is to encourage early identification and 
reporting of security deficiencies and violations of classified 
information security requirements by the DOE contractors themselves 
rather than by DOE, and the prompt correction of any deficiencies 
and violations so identified. With respect to their own practices 
and those of their subcontractors, DOE believes that DOE contractors 
are in the best position to identify and promptly correct 
noncompliance with classified information security requirements. DOE 
expects that these contractors should have in place internal 
compliance programs which will ensure the detection, reporting and 
prompt correction of security-related problems that may constitute, 
or lead to, violations of classified information security 
requirements before, rather than after, DOE has identified such 
violations. Thus, DOE contractors are expected to be aware of and to 
address security problems before they are discovered by DOE. 
Obviously, protection of classified information is enhanced if 
deficiencies are discovered (and promptly corrected) by the DOE 
contractor, rather than by DOE, which may not otherwise become aware 
of a deficiency until later on, during the course of an inspection, 
performance assessment, or following an incident at the facility. 
Early identification of classified information security-related 
problems by DOE contractors can also have the added benefit of 
allowing information which could prevent such problems at other 
facilities in the DOE complex to be shared with other appropriate 
DOE contractors.
    b. Pursuant to this enforcement philosophy, DOE will provide 
substantial incentive for the early self-identification, reporting 
and prompt correction of problems which constitute, or could lead 
to, violations of classified information security requirements. 
Thus, application of the adjustment factors set forth below may 
result in no civil penalty being assessed for violations that are 
identified, reported, and promptly and effectively corrected by the 
DOE contractor.
    c. On the other hand, ineffective programs for problem 
identification and correction are unacceptable. Thus, for example, 
where a contractor fails to disclose and promptly correct violations 
of which it was aware or should have been aware, substantial civil 
penalties are warranted and may be sought, including the assessment 
of civil penalties for continuing violations on a per day basis.
    d. Further, in cases involving factors of willfulness, repeated 
violations, patterns of systematic violations, flagrant DOE-
identified violations or serious breakdown in management controls, 
DOE intends to apply its full statutory enforcement authority where 
such action is warranted. Based on the degree of such factors, DOE 
may escalate the amount of civil penalties up to the statutory

[[Page 3613]]

maximum of $100,000 per violation per day for continuing violations.

4. Identification and Reporting

    Reduction of up to 50% of the base civil penalty shown in Table 
1 may be given when a DOE contractor identifies the violation and 
promptly reports the violation to the DOE. In weighing this factor, 
consideration will be given to, among other things, the opportunity 
available to discover the violation, the ease of discovery and the 
promptness and completeness of any required report. No consideration 
will be given to a reduction in penalty if the DOE contractor does 
not take prompt action to report the problem to DOE upon discovery, 
or if the immediate actions necessary to restore compliance with 
classified information security requirements or place the facility 
or operation in a safe configuration are not taken.

5. Self-Identification and Tracking Systems

    a. DOE strongly encourages contractors to self-identify 
noncompliances with classified information security requirements 
before the noncompliances lead to a string of similar and 
potentially more significant events or consequences. When a 
contractor identifies a noncompliance through its own self-
monitoring activity, DOE will normally allow a reduction in the 
amount of civil penalties, regardless of whether prior opportunities 
existed for contractors to identify the noncompliance. DOE normally 
will not allow a reduction in civil penalties for self-
identification if DOE intervention was required to induce the 
contractor to report a noncompliance.
    b. Self-identification of a noncompliance is possibly the single 
most important factor in considering a reduction in the civil 
penalty amount. Consideration of self-identification is linked to, 
among other things, whether prior opportunities existed to discover 
the violation, and if so, the age and number of such opportunities; 
the extent to which proper contractor controls should have 
identified or prevented the violation; whether discovery of the 
violation resulted from a contractor's self-monitoring activity; the 
extent of DOE involvement in discovering the violation or in 
prompting the contractor to identify the violation; and the 
promptness and completeness of any required report. Self-
identification is also considered by DOE in deciding whether to 
pursue an investigation.

6. Self-Disclosing Events

    a. DOE expects contractors to demonstrate acceptance of 
responsibility for security of classified information and to pro-
actively identify noncompliance conditions in their programs and 
processes. In deciding whether to reduce any civil penalty proposed 
for violations revealed by the occurrence of a self-disclosing event 
(e.g. belated discovery of the disappearance of classified 
information or material subject to accountability rules), DOE will 
consider the ease with which a contractor could have discovered the 
noncompliance, i.e. failure to comply with classified information 
accountability rules, that contributed to the event and the prior 
opportunities that existed to discover the noncompliance. When the 
occurrence of an event discloses noncompliances that the contractor 
could have or should have identified before the event, DOE will not 
generally allow a reduction in civil penalties for self-
identification. If a contractor simply reacts to events that 
disclose potentially significant consequences or downplays 
noncompliances which did not result in significant consequences, 
such contractor actions do not lead to the improvement in protection 
of classified information contemplated by the Act.
    b. The key test is whether the contractor reasonably could have 
detected any of the underlying noncompliances that contributed to 
the event. Failure to utilize events and activities to address 
noncompliances may result in higher civil penalty assessments or a 
DOE decision not to reduce civil penalty amounts.

7. Corrective Action To Prevent Recurrence

    The promptness (or lack thereof) and extent to which the DOE 
contractor takes corrective action, including actions to identify 
root causes and prevent recurrence, may result in up to a 50% 
increase or decrease in the base civil penalty shown in Table 1. For 
example, very extensive corrective action may result in reducing the 
proposed civil penalty as much as 50% of the base value shown in 
Table 1. On the other hand, the civil penalty may be increased as 
much as 50% of the base value if initiation of corrective action is 
not prompt or if the corrective action is only minimally acceptable. 
In weighing this factor, consideration will be given to, among other 
things, the appropriateness, timeliness and degree of initiative 
associated with the corrective action. The comprehensiveness of the 
corrective action will also be considered, taking into account 
factors such as whether the action is focused narrowly to the 
specific violation or broadly to the general area of concern.

8. DOE's Contribution to a Violation

    There may be circumstances in which a violation of a classified 
information security requirement results, in part or entirely, from 
a direction given by DOE personnel to a DOE contractor to either 
take, or forbear from taking an action at a DOE facility. In such 
cases, DOE may refrain from issuing a notice of violation, and may 
mitigate, either partially or entirely, any proposed civil penalty, 
provided that the direction upon which the DOE contractor relied is 
documented in writing, contemporaneously with the direction. It 
should be emphasized, however, that no interpretation of a 
classified information security requirement is binding upon DOE 
unless issued in writing by the General Counsel. Further, as 
discussed in this section of this policy statement, lack of funding 
by itself will not be considered as a mitigating factor in 
enforcement actions.

9. Exercise of Discretion

    Because DOE wants to encourage and support DOE contractor 
initiative for prompt self-identification, reporting and correction 
of problems, DOE may exercise discretion as follows:
    a. In accordance with the previous discussion, DOE may refrain 
from issuing a civil penalty for a violation which meets all of the 
following criteria:
    (1) The violation is promptly identified and reported to DOE 
before DOE learns of it;
    (2) The violation is not willful or a violation that could 
reasonably be expected to have been prevented by the DOE 
contractor's corrective action for a previous violation;
    (3) The DOE contractor, upon discovery of the violation, has 
taken or begun to take prompt and appropriate action to correct the 
violation; and
    (4) The DOE contractor has taken, or has agreed to take, 
remedial action satisfactory to DOE to preclude recurrence of the 
violation and the underlying conditions which caused it.
    b. DOE may refrain from proposing a civil penalty for a 
violation involving a past problem that meets all of the following 
criteria:
    (1) It was identified by a DOE contractor as a result of a 
formal effort such as an annual self assessment that has a defined 
scope and timetable which is being aggressively implemented and 
reported;
    (2) Comprehensive corrective action has been taken or is well 
underway within a reasonable time following identification; and
    (3) It was not likely to be identified by routine contractor 
efforts such as normal surveillance or quality assurance activities.
    c. DOE will not issue a notice of violation for cases in which 
the violation discovered by the DOE contractor cannot reasonably be 
linked to the conduct of that contractor, provided that prompt and 
appropriate action is taken by the DOE contractor upon 
identification of the past violation to report to DOE and remedy the 
problem.
    d. DOE may refrain from issuing a notice of violation for an act 
or omission constituting noncompliance that meets all of the 
following criteria:
    (1) It was promptly identified by the contractor;
    (2) It is normally classified at a Severity Level III;
    (3) It was promptly reported to DOE;
    (4) Prompt and appropriate corrective action will be taken, 
including measures to prevent recurrence; and
    (5) It was not a willful violation or a violation that could 
reasonably be expected to have been prevented by the DOE 
contractor's corrective action for a previous violation.
    e. DOE may refrain from issuing a notice of violation for an act 
or omission constituting noncompliance that meets all of the 
following criteria:
    (1) It was an isolated Severity Level III violation identified 
during an inspection or evaluation conducted by the Office of 
Independent Oversight and Performance Assurance, or a DOE security 
survey, or during some other DOE assessment activity;
    (2) The identified noncompliance was properly reported by the 
contractor upon discovery;
    (3) The contractor initiated or completed appropriate assessment 
and corrective actions within a reasonable period, usually before 
the termination of the onsite inspection or integrated performance 
assessment; and

[[Page 3614]]

    (4) The violation was not willful or one which could reasonably 
be expected to have been prevented by the DOE contractor's 
corrective action for a previous violation.
    f. In situations where corrective actions have been completed 
before termination of an inspection or assessment, a formal response 
from the contractor is not required and the inspection or integrated 
performance assessment report serves to document the violation and 
the corrective action. However, in all instances, the contractor is 
required to report the noncompliance through established reporting 
mechanisms so the noncompliance issue and any corrective actions can 
be properly tracked and monitored.
    g. If DOE initiates an enforcement action for a violation at a 
Severity Level II or III and, as part of the corrective action for 
that violation, the DOE contractor identifies other examples of the 
violation with the same root cause, DOE may refrain from initiating 
an additional enforcement action. In determining whether to exercise 
this discretion, DOE will consider whether the DOE contractor acted 
reasonably and in a timely manner appropriate to the security 
significance of the initial violation, the comprehensiveness of the 
corrective action, whether the matter was reported, and whether the 
additional violation(s) substantially change the security 
significance or character of the concern arising out of the initial 
violation.
    h. The preceding paragraphs are solely intended to be examples 
indicating when enforcement discretion may be exercised to forego 
the issuance of a civil penalty or, in some cases, the initiation of 
any enforcement action at all. However, notwithstanding these 
examples, a civil penalty may be proposed or notice of violation 
issued when, in DOE's judgment, such action is warranted on the 
basis of the circumstances of an individual case.

[FR Doc. 05-1303 Filed 1-25-05; 8:45 am]

BILLING CODE 6450-01-P





Federal Register: February 23, 2005 (Volume 70, Number 35)
Rules and Regulations               
Page 8716                   

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF ENERGY

10 CFR Part 824

[Docket No. SO-RM-00-01]
RIN 1992-AA28

 
Procedural Rules for the Assessment of Civil Penalties for 
Classified Information Security Violations; Correction

AGENCY: Office of Security, Department of Energy.

ACTION: Final rule; correction.

-----------------------------------------------------------------------

SUMMARY: The Department of Energy published a final rule on January 26, 
2005, establishing 10 CFR Part 824 to implement section 234B of the 
Atomic Energy Act of 1954. This document corrects an inadvertent 
omission in one sentence of the final rule.

DATES: This final rule is effective on February 25, 2005.

FOR FURTHER INFORMATION CONTACT: Geralyn Praskievicz, (202) 586-4451 
or, JoAnn Williams, (202) 586-6899.

SUPPLEMENTARY INFORMATION: This document makes a correction to a final 
rule that was published in the Federal Register on January 26, 2005 (67 
FR 3599).
    In rule document FR Doc. 05-1303, appearing on page 3599, in the 
issue of Wednesday, January 26, 2005, the following correction is made.

PART 824--[CORRECTED]


Sec.  824.2  [Corrected]

Beginning on page 3607, in the third column, Sec.  824.2(c) is 
corrected to read as follows:
* * * * *
    (c) Individual employees. No civil penalty may be assessed against 
an individual employee of a contractor or any other entity which enters 
into an agreement with DOE.

    Issued in Washington, DC, on February 16, 2005.
Glenn S. Podonsky,
Director, Office of Security and Safety Performance Assurance.
[FR Doc. 05-3423 Filed 2-22-05; 8:45 am]

BILLING CODE 6450-01-P