Title: EFCOG, IOSC Best Practices Guide

Members of the Energy Facility Contractors Group (EFCOG), Safeguards and Security Working Group, Information Security Sub-Working Group Incidents of Security Concern (IOSC) Team prepared this best practice guide. For the purposes of this guide, “best practices” are “positive examples of work processes, procedures, good ideas, or effective solutions. The team made up of IOSC Subject Matter Experts (SME) identified these best practices as a result of actual operational experience and training. The guide describes best practices for categorizing incidents and managing inquiries. These practices may serve as guidelines for developing program plans, policy and procedures. These practices are suggestions for Department sites to consider while working in the IOSC subject area. The authors acknowledge that there may be alternatives to the practices identified in this guide. Subject matter Experts from the IOSC program across the Department developed this guide. Extensive discussion and document reviews were conducted to identify best practices relating to security inquiries. It was not within the scope of this study to assess individual site performance or evaluate compliance. Department of Energy’s (DOE), Order 470.4B, Chg.2, Safeguards and Security Program, July-21-2011, Chg 2, January-17-2017, Attachment 5, Incidents of Security Concern, contains the requirements for the IOSC program. In accordance with DOE directives and requirements established by DOE/National Nuclear Security Administration (NNSA) oversight, the working group evaluated elements of the IOSC program at each of the working group member’s sites such as categorizing events, conducting inquiries, and reporting events. Inconsistencies in categorization across the sites may be due to various factors, including each local field office having different reporting expectations, subjectivity in making determinations, and potential inherent deficiencies in the categorization tables and category descriptions. Many sites have adopted a sub reportable category for a security anomaly event that it believes does not meet the criteria as a reportable IOSC. The sites typically establish a local standardized process for reporting, analyzing, and trending sub-reportable events. Security incident program managers may need to discuss inconsistent categorization with other Inquiry Officials (IO) and suggest standardized solutions (ie…through policy changes or a forum attended by incident program managers and inquiry officials to discuss standardization solutions. At least one EFCOG IOSC team member’s site is currently using the best practices identified in this guide.