RPM | REQUIREMENTS AND POLICIES MANUAL

    Title: Controlled and Prohibited Information Categories
    Publication date: 8/9/2024
    Effective date: 8/9/2024

    BRIEF

    Policy Summary

    The general expectation is that Berkeley Lab information can be shared without restriction. However, some categories of information may affect the legal or security status of the Laboratory and require additional controls. These categories include:

    • Protected Information, including Personally Identifiable Information (PII) and Protected Health Information (PHI)
    • Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive but Unclassified (SBU) Information
    • Proprietary Information (e.g., information under a Cooperative Research and Development Agreement [CRADA] or a Nondisclosure Agreement [NDA])
    • Export-controlled information
    • Information with foreign national restrictions (e.g., No Foreign National Access [NOFORN])
    • Prudent to Protect information

    This policy prohibits the following information:

    • Classified information
    • Unclassified Controlled Nuclear Information (UCNI)
    • Naval Nuclear Propulsion Information (NNPI)

    Who Should Read This Policy

    Employees and affiliates

    To Read the Full Policy, Go To:

    The POLICY tab on this wiki page

    Contact Information

    Information Technology Policy Manager
    Information Technology Division
    [email protected]


    POLICY

    A. Purpose

    This policy describes information controls to help maintain the legal and security status of Lawrence Berkeley National Laboratory (Berkeley Lab), while facilitating its scientific mission.

    B. Persons Affected

    This policy applies to employees and affiliates.

    C. Exceptions

    Not applicable.

    D. Policy Statement

    Employees and affiliates must adhere to policies, approvals, and controls for prohibited and controlled information categories. Policies and controls apply to both electronic and physical collections of information and may differ depending on whether the use is for research or operations.

    D.1 Prohibited Information Categories

    Employees and affiliates may not create, access, or store information that is prohibited at Berkeley Lab. The presence of prohibited information at Berkeley Lab, whether physical or electronic, alters the fundamental security posture of the Laboratory. Employees or affiliates who encounter prohibited information must stop work immediately and contact Blackberry Gate at (510) 486-6999, which will enact the Classified and Sensitive Information Protocol.
    Berkeley Lab prohibits the following information categories:

    • Classified Information, including Secret (S), Top Secret (TS), National Security Information (NSI), Secret Restricted Data (SRD), and Special Access Required (SAR) information. This includes information that is classified but has entered the public domain.
    • Unclassified Controlled Nuclear Information (UCNI)
    • Naval Nuclear Propulsion Information (NNPI)

    D.2 Controlled Information Categories

    Berkeley Lab is an unclassified, open research environment. The Laboratory's work is such that it can be freely communicated to the scientific and technical community. The Laboratory's computing environment supports research work intended for publication. Additional steps must be taken to secure information not intended for publication when it resides on Laboratory systems.

    1. Protected Information (i.e., Personally Identifiable Information [PII] and Protected Health Information [PHI])
      1. Policy. By law, Berkeley Lab must protect the privacy and security of personal information. The collection or use of Protected Information is prohibited unless approved and should occur only under limited circumstances.
      2. Protected Information Requirements. Individuals involved in the collection, use, and management of collections of Protected Information must comply with the Protected Information Requirements, which address approvals and required protections throughout the lifecycle of the data.
      3. Reporting Unapproved Use and Other Violations. Employees and affiliates must report any unapproved use or disclosure of Protected Information and, for approved uses, any violation of the Protected Information Requirements.
    2. Official Use Only (OUO), Controlled Unclassified Information (CUI), and Sensitive But Unclassified (SBU)
      1. Policy. Berkeley Lab does not use OUO, CUI, or SBU designations. If required and under limited circumstances, employees in Operations may receive documents with these designations (for example, DOE materials that reflect pre-decisional program information or planning information). Employees should encourage collaborators at other institutions not to use these designations for collaborative research projects or operational purposes.
      2. Approvals. Operations employees may receive limited amounts of OUO or SBU materials during the course of their work. No additional approvals are required for this limited use. Researchers who receive material marked OUO or SBU must seek guidance from the Export Control Officer at (510) 486-7096. Employees who intend or expect to receive CUI must follow the processes detailed on the Lab's CUI Commons page.
      3. Requirements
        1. Creation. Do not create CUI, OUO, or SBU Information at Berkeley Lab. Use "UC Confidential" when generating University of California records that are not publicly releasable. If under a CRADA, use "Protected CRADA Information."
        2. Management and Storage. Follow the OUO Management and Storage Requirements.
    3. Proprietary Information (e.g., Information under a CRADA or NDA)
      1. Policy. Berkeley Lab permits the use of proprietary information for both research and operations.
      2. Approvals. Technology Transfer and Intellectual Property Management (TTIPM) or the Office of Sponsored Projects and Industry Partnerships (OSPIP) must approve agreements regarding the use of proprietary information and should consult, if necessary, with physical and cyber security. The data-protection level for agreements must not exceed the Laboratory's approved data-protection level for unclassified research: Low for confidentiality, integrity, and availability, per FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.
      3. Controls
        1. Creation. Do not create proprietary information at Berkeley Lab unless approved by the Laboratory Director. Work with TTIPM or OSPIP to obtain approval.
        2. Management and Storage. Adhere to any disclosure requirements specified in signed agreements.
        3. Additional. OSPIP must approve proprietary use of Berkeley Lab resources, such as user facilities. The agreement language must limit Berkeley Lab commitments to protecting information or knowledge acquired from proprietary use of Laboratory resources.
      4. Other Applicable Policies
        1. Cooperative Research & Development Agreements (CRADAs)
        2. Material Transfer Agreements
        3. Nondisclosure Agreements
        4. Designated User Facility Agreements
        5. Strategic Partnership Projects (SPP)
    4. Export Controlled
      1. Policy. Berkeley Lab creates export-controlled information only in rare circumstances and only when approved. In the course of research or operations, access to export-controlled information may be necessary to provide background information. Employees may not access or use export-controlled information unless approved. Employees who take on the obligation of protecting export-controlled information expose themselves to personal civil and criminal liability for export-control violations.
      2. Approvals. The Export Control Officer must approve the creation of export-controlled information. The Export Control Officer or TTIPM (for NDAs and MTAs) must approve the use of export-controlled information and ensure that its use is commensurate with Berkeley Lab requirements, including the development of a Technology Control Plan as necessary.
      3. Controls
        1. Creation. Do not create export-controlled information at Berkeley Lab unless approved by the Export Control Officer who will require a plan to ensure that the creation of export-controlled information complies with applicable laws and regulations.
        2. Management and Storage. Develop a plan to appropriately manage and store export-controlled information to ensure compliance with applicable laws and regulations. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
    5. Foreign National Access Restrictions (e.g., NOFORN Marking)
      1. Policy. Berkeley Lab operates under the University of California nondiscrimination policy, which prohibits discrimination based on nationality in the conduct of fundamental research; therefore, the Laboratory prohibits information with foreign national access restrictions unless approved.
      2. Approvals. Senior Laboratory Management and the cyber and physical security groups may receive and store this information when necessary. The Export Control Officer, with input from cyber security and physical security as needed, must approve additional exceptions.
      3. Controls
        1. Creation. Do not create materials with foreign national access restrictions at Berkeley Lab.
        2. Management and Storage. Coordinate with the Export Control Officer who will consult with physical or cyber security, as appropriate.
      4. Additional. Without prior approval from the Export Control Officer, employees may not attend meetings from which foreign nationals are excluded.

    D.3 Prudent to Protect Information

    During the course of research or for operational purposes, employees and affiliates may generate, use, or encounter information that is Prudent to Protect. Prudent to Protect information is information that should not be publicly available but does not rise to the level of requiring specific controls. It may include materials from ethics investigations, material under attorney-client privilege, animal welfare protocols, passport numbers, etc., as well as Privileged Information.

    Prudent to Protect Information is not public and may not be shared or published. Precautions must be taken to limit public exposure of this information.

    Refer to Use of Privileged Information for additional policies regarding conflict of interest.

    E. Roles and Responsibilities

    Employees and affiliates are responsible for adhering to this policy.

    F. Definitions/Acronyms

    Protected Information

    Protected Information includes Personally Identifiable Information (PII) and Protected Health Information (PHI). Berkeley Lab defines the following data, alone or in combination, as Protected Information:

    • Social Security numbers
    • Personal financial account information
    • Driver's license numbers
    • Health information with personal identifiers, for example:
      • Name plus insurance number
      • Employee ID plus treatment information
      • Any unique ID plus any medical information

    Protected Health Information (PHI)

    Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), information, including demographic data, that relates to:

    • The individual's past, present, or future physical or mental health or condition
    • The provision of health care to the individual, or
    • The past, present, or future payment for the provision of health care to the individual

    and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

    Personally Identifiable Information (PII)

    An individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social Security number, (2) driver's license number or California identification card number, (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account, (4) medical information, or (5) health insurance information. See California Civil Code Section 1798.29 for additional information.

    G. Recordkeeping Requirements

    None

    H. Implementing Documents

    Document number | Title | Type
    10.08.001.001 | Protected Information Requirements | Standard
    10.08.001.002 | OUO Management and Storage Requirements | Standard

    I. Contact Information

    Information Technology Policy Manager
    Information Technology Division
    [email protected]

    J. Revision History

    Date | Revision | By whom | Revision Description | Section(s) affected | Change Type
    1/2/2012 | 0 | J. Bonaguro | Rewrite for wiki (brief) | All | Minor
    11/28/2012 | 1 | J. Bonaguro | Rewrite for wiki (policy) | All | Minor
    12/17/2020 | 1 | D. Soustin | Updated Contract 31 I clause numbers as per mod 1105 | Source Requirement Documents | Editorial
    6/15/2021 | 1.1 | A. Sultan | Periodic review. Several link fixes. No policy changes. | All | Editorial
    8/9/2024 | 1.2 | A. Sultan | Periodic review. Updated to include CUI Commons page link | D.2 | Minor

    DOCUMENT INFORMATION

    Title: Controlled and Prohibited Information Categories
    Document number: 10.08.001.000
    Revision number: 1.2
    Publication date: 8/9/2024
    Effective date: 8/9/2024
    Next review date: 8/8/2027
    Policy Area: Information Categories and Controls
    RPM Section (home): Information Management
    RPM Section (cross-reference): none
    Functional Division: Information Technology

    Source Requirements Documents

    • Contract 31, Clause I.106, DEAR 952.204-72, Disclosure of Information (APR 1994) (prev. I.063)
    • DOE O 471.3, Identifying and Protecting Official Use Only Information
    • DOE M 471.3-1 Manual for Identifying and Protecting Official Use Only Information
    • DOE O 205.1C, Department of Energy Cybersecurity Management, CRD
    • DOE P 205.1, Departmental Cyber Security Management Policy
    • UCOP IS-3, Electronic Information Security
