SECTION 1.  PURPOSE.

.01          This Order prescribes the functions and responsibilities of the Office of Security (OSY). (The position of Director for Security is authorized in DOO 10-5, “Chief Financial Officer and Assistant Secretary for Administration.”)

.02          This revision: 

a.              Updates the structure of OSY by eliminating the Investigations and Threat Management Division and reflects the realignment of the Executive Security Protection Unit to report to the Office of the Chief of Staff (See DOO 15-20, Chief of Staff).

b.              Clarifies the Department does not possess the authority to conduct counterintelligence activities.

c.              Clarifies the authority of OSY to conduct administrative investigations of violations of Department policy or Department security incidents and establishes responsibilities related to training and oversight for these activities.

d.              Aligns OSY to report directly to the Department’s Deputy Assistant Secretary for Intelligence and Security.

e.              Separates the former Information and Personnel Security Division into two divisions, the Personnel Security Division and the Information Security Division.

f.              Assigns OSY responsibility for the Department’s Foreign Access Management and Research Security programs.

 

SECTION 2.  STATUS AND LINE OF AUTHORITY.

.01           The Office of Security, a Departmental office, is headed by a Director, who reports to and is responsible to the Deputy Assistant Secretary for Intelligence and Security, who in turn, reports and is responsible to the Chief Financial Officer and Assistant Secretary for Administration (the Assistant Secretary).

.02           The Director shall be assisted by a Deputy Director who shall participate with the Director in management of activities of OSY and who shall perform all functions and duties of the Director in his/her absence. In the absence of both the Director and Deputy Director, the Director for Client Security Services shall perform all functions and duties of the Director.

.03          The head of each operating unit is responsible for ensuring the security of the personnel, facilities, property, information, and assets of their respective organizations in accordance with applicable laws, regulations, Executive Orders (E.O.s), and directives. The Director is responsible for advising and assisting heads of operating units. Additionally, the Director will provide security services when it is more operationally efficient, practical, or economical to consolidate them at the Department of Commerce (the Department) level. For the purpose of administering the Department’s security programs, the Office of the Secretary is considered an "operating unit" and is subject to policy and procedural requirements levied on all other Departmental units. The Director shall serve as the security officer for the Office of the Secretary.

.04 Departmental facility and senior office managers are responsible for ensuring the security of the personnel, facilities, property, information, and assets of their respective facilities in accordance with applicable laws, regulations, E.O.s, and directives. Security officers providing client security services to bureaus and operating units will assist facility managers in carrying out these responsibilities.

.05          The Director will head the Department’s Security Council composed of representatives from each operating unit. The representatives will communicate security requirements from their respective operating units, exchange security-related information, and coordinate security services. Designating an employee to assist in performing security activities will not relieve the operating unit head, senior facility manager, or servicing security officer of their responsibilities.

.06           The Director may redelegate the authority prescribed by this Order to designated personnel in OSY and to the operating units of the Department.

SECTION 3.  FUNCTIONS.

.01            Pursuant to the authority vested in the Assistant Secretary in DOO 10-5, and subject to such policies and directives as the Assistant Secretary may prescribe or other delegations by the Secretary, the Director is hereby delegated the following authorities:

a.              Execute Department-wide staff management responsibility for establishing policies and procedures for: personnel security; industrial security; the safeguarding of classified national security information (NSI), and Sensitive Compartmented Information (SCI) and documents; Sensitive Compartmented Information Facilities (SCIF); protection of Department personnel, facilities, property, assets and activities; security risk assessments; continuity programs, emergency actions and preparedness; physical security; communications security; operations security; foreign access management; research security; security education, awareness, and training; and compliance with security policies and procedures.

b.              Provide services in the functional areas, outlined in subparagraph a. above, as required by the Office of the Secretary and all Department organizations and personnel.

c.              Coordinate, establish, and maintain a Departmental Occupant Emergency Program (OEP) in accordance with the provisions of the General Services Administration's (GSA) Federal Management Regulations (FMR 102-74.230 to 102-74.260) at 41 CFR 102-74.230 to 102-74.260 pertaining to the OEP.

d.              Serve as the principal Departmental official for coordinating and assisting in the establishment and continuation of a Department-wide emergency action program, to include emergency management, particularly as applicable to the requirements of E.O. 12656, Assignment of Emergency Preparedness Responsibilities.

e.              Serve as the principal Departmental official for matters involving security.

f.              Serve as Department’s senior official tasked with ensuring implementation and compliance with E.O. 12977, Interagency Security Committee (ISC), and the Department's support of Facility Security Committees, when applicable, in the performance of their duties.

g.               Conduct administrative investigations, solely as authorized under the authorities, functions, and responsibilities of OSY.

h.              Carry out and ensure compliance with delegated protective security services and/or law enforcement functions and ensure acceptable levels of law enforcement proficiency in connection with the protection of specific buildings, grounds, and property owned or occupied by the Department and only to the extent lawfully authorized, and by Delegation of Authority from the Department of Homeland Security to the Secretary pursuant to 40 U.S.C. § 1315.

i.             Directly manage the law enforcement and site security programs of NIST pursuant to Pub. L. Number 114-329, § 113. 

j.             Provide support to the Department’s facility managers on security matters related to facility management and provide advice and assistance to facility management staff as required for security purposes.

k.              Carry out and ensure compliance with special security programs related to SCI and SCIFs in accordance with applicable Intelligence Community Directives (ICD), Intelligence Community Standards (ICS), and other special security policies, memoranda of agreement, and successor policies.

SECTION 4.  SPECIFIED AUTHORITY.

.01             In addition to the authority implicit in and essential to carrying out the functions hereby assigned, the Director shall:

a.               Ensure effective implementation of E.O. 13526, Classified National Security Information, as amended, or successor policy, as the senior agency official designated by the Secretary of Commerce (the Secretary) under the provisions of § 5.4(d) of that E.O. 

b.               Ensure effective implementation of E.O. 12968, Access to Classified Information, or successor policy, as the senior agency official designated by the Secretary under the provisions of § 6.1(a) of that E.O.

c.               Ensure effective implementation of National Security Presidential Memorandum (NSPM) 28, The National Operations Security Program, as the Departmental planner for operations security.

d.               Ensure effective implementation of E.O. 12829, National Industrial Security Program, or successor policy, as the senior agency official to direct and administer the Department’s implementation of and compliance with the National Industrial Security Program.

e.               Ensure the Department’s compliance with E.O. 10450, as amended, Security Requirements for Government Employment, and 5 CFR Part 732, National Security Positions, relating to investigative requirements and consultation on position designations.

f.                Ensure the Department’s compliance with E.O. 13467, as amended, Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information.

g.               Ensure the Department’s compliance with E.O. 13488, as amended, Granting Reciprocity on Excepted Service and Federal Contractor Employee Fitness and Reinvestigating Individuals in Positions of Public Trust, or successor policy.

h.               Ensure effective implementation of Presidential Policy Directive 19 (PPD-19), Protecting Whistleblowers with Access to Classified Information, so that employees who have access to classified information can effectively report waste, fraud, and abuse, while protecting classified information.

i.                Coordinate with Office of the Chief Information Officer and pursuant to DOO 15-23, on the effective implementation of E.O. 13556, November 4, 2010, Controlled Unclassified Information, or successor policy.

j.                Ensure effective implementation of ICD, ICS, and other special security program agreements, policies and successor policies in coordination with the Department’s designated IC Cognizant Security Authority and Accrediting Official.

k.               Ensure effective support for the implementation of E.O. 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information; assisting the senior agency official designated by the Secretary under the provisions of § 2.1 of that E.O. to oversee classified information sharing and safeguarding efforts of the Department; and support to Departmental programs implementing the National Insider Threat Policy.

l.                Ensure effective support for E.O. 12656, Assignment of Emergency Preparedness Responsibilities, as the Department’s designated lead agent assisting the Emergency Coordinator, and responsible for developing and maintaining a multi-year, national security emergency preparedness plan for the department or agency to include objectives, programs, and budgetary requirements.

m.              Ensure effective implementation of and compliance with NSPM 33, which purpose is to strengthen protections of United States Government-Supported Research and Development (R&D) against foreign government interference and exploitation, or successor policy.

n.             Ensure effective implementation of PPD-40, National Continuity Policy, which directs the Secretary of Homeland Security through the Administrator of the Federal Emergency Management Agency (FEMA), through guidelines set forth in Federal Continuity Directive 1 (FCD-1), Federal Executive Branch National Continuity Program and Requirements, to assist the Department’s Continuity Coordinator, as the lead agent for the Department and primary point of contact with FEMA National Continuity Programs Directorate for Department continuity program matters.

o.            Ensure the effective implementation of NSPM 32, Presidential Critical Information Requirements.   

p.            Ensure effective implementation of E.O. 12977, Interagency Security Committee, as the Department’s Senior Official regarding the implementation and compliance with the Order. 

q.            Ensure effective implementation of authorities, such as protective security or law enforcement authorities, delegated by the Secretary of Homeland Security for the protection of public property pursuant to 40 U.S.C. § 1315. 

SECTION 5.  ORGANIZATION.

The Director shall advise and represent the Assistant Secretary on policies and procedures for assessing threats to the mission, operations and activities of the Department and provide guidance and assistance to Departmental offices and operating units on the protection of personnel, facilities, property, assets and activities as well as classified and sensitive information.  Except for those functions maintained in the immediate Office of the Director, the functions of OSY shall be organized and carried out under the direction and supervision of the Director through the following security components:

.01             The Information Security Division consists of the Information and Special Security programs. Responsibilities include the management and oversight of all Departmental policies and procedures relating to the handling and safeguarding of classified NSI in accordance with E.O. 13526, as amended; management and oversight of the protection of SCI and SCIFs in accordance with ICDs and Standards, and other applicable laws, E.O.s, directives, regulations, and agreements; developing and implementing security awareness training; overseeing administrative investigations relating to violations of Department policies on safeguarding classified NSI on behalf of the Director for Security; overseeing the Department Industrial Security Program; overseeing the Department’s Foreign Travel Briefing program; overseeing the Department’s Operations Security program; and providing guidance and oversight of Departmental Communications Security through the implementation of the policies and procedures required to protect and use cryptographic keying material and equipment.

a.        The Information Security Program staff establish, implement and maintain policies, procedures and oversight for the safeguarding of collateral classified NSI. Functions include: developing, coordinating and disseminating all Departmental policies and procedures related to the handling and safeguarding of classified NSI; Mandatory Declassification Review; developing professional standards and comprehensive national security information education and awareness program activities to enhance employee knowledge of classified NSI requirements, including personal protection, proper management of classified and sensitive information, and means of countering threats to Departmental facilities and personnel; conduct administrative investigations; administer the provisions of the National Industrial Security Program as set forth in the 32 CFR Part 117, National Industrial Security Program Operations Manual; managing the Department’s Foreign Travel Briefing program by developing and providing defensive foreign travel briefings to covered individuals within the Department; administers the Department’s OPSEC program and assist bureaus with OPSEC program development and maintenance; and provide oversight of Departmental Communications Security through the implementation of the policies and procedures required to protect and use cryptographic keying material and equipment. Program staff also maintain liaison with operating unit and bureau program managers during the contract, award, and grant process where performance will be accomplished by classified contractors who require access to classified information, and coordinate Facility Clearance status.

b.       The Special Security Program staff establish, implement and maintain policies, procedures and oversight of the protection of SCI material and SCIFs. Functions include, but are not limited to, SCIF oversight and management and the delegation of daily SCIF management; SCI indoctrination briefings and SCI debriefings; SCI and SCIF security awareness training; liaising with SCIF Accreditation Official on SCIF and SCI security matters; overseeing or conducting annual SCIF inspections; transmitting and processing SCI access information for incoming or outgoing visit requests; and ensuring Department compliance with ICD security doctrine.  

.02             The Personnel Security Division consists of Personnel Security Program. Responsibilities include: receiving and processing requests for personnel security clearances for job applicants, employees, and other individuals requiring access to classified national security information at any Department location worldwide; receiving and processing requests for access to SCI in coordination with the IC Cognizant Security Authority; requesting investigations for security clearances in accordance with E.O. 10450, as amended, E.O. 12968 and 5 CFR Chapter 1, Parts 731, 732, and 736; reviewing the closed investigation received from the Investigation Service Provider and determine if a favorable adjudication can be made in connection with the issuance of certificates of security clearance, the imposition of security restrictions on individuals, and other decisions affecting security clearances; taking action as appropriate, on withholding or withdrawing the security clearance of job applicants, employees, contractors, grantees, or other individuals, and, for employees, recommending action under the provisions of 5 U.S.C. §§ 7312 and 7531-32 and E.O.s 12968 and 10450, as amended; as requested by responsible Department officials, assisting in the verification, review and evaluation of adverse information concerning Department employees, job applicants, and other individuals for the purpose of making suitability determinations (in accordance with 5 CFR Part 731) and Security Executive Agent Directives (SEADs), established by the Director of National Intelligence as Security Executive Agent for uniform policies and procedures governing the conduct of investigations and adjudications for eligibility for access to classified information; and reviewing, evaluating, and taking appropriate action under the provisions of E.O. 10450, as amended, and E.O. 12968, with regard to any notifications of investigation of employee misconduct received by the Director from the Office of Inspector General. 

.03             The Security and Emergency Management Division and its related program staff develops a comprehensive program for emergency programs; coordinates and reviews emergency preparedness plans and programs for utility and responsiveness to E.O. 12656, PPD-40, FCD-1, and NSPM-32; manages the Department’s Operation Center; and oversees the development and implementation of Occupant Emergency, Continuity of Operations and Continuity of Government plans for the Department.

a.               The Herbert C. Hoover Building (HCHB) Security Program staff establish and maintain HCHB security procedures including oversight of the HCHB protective services; installation, operation and maintenance of electronic security systems (i.e. Physical Access Control Systems, Intrusion Detection Systems, and Video Surveillance Systems); coordinate security for non-standard building events; maintain a Security Operations Center; maintain a service center to provide fingerprinting services; issue Homeland Security Presidential Directive 12 (HSPD-12) compliant Personal Identity Verification Cards and lifecycle management services; perform key and lock services; process foreign national visitor requests; assist with protective operations for visiting dignitaries in HCHB; oversee response and follow-up to building incidents; and conduct crime prevention programs and implement procedures to protect persons and property.

b.               The Continuity and Emergency Programs staff manage the Departmental Operations Center housed in the HCHB, as well as oversee the Occupant Emergency Program for the Department and the HCHB Occupant Emergency Plan. Staff also assist with the Department’s continuity missions by supporting the Continuity of Government and Continuity of Operations functions as required by PPD-40, FCD-1, and NSPM-32 while also facilitating the involvement of the Department’s leadership in interagency senior level exercises associated with the National Exercise Program.

.04             Client Security Services consists of all OSY security offices reporting to the Director for Client Security Services. The OSY security offices shall be responsible for conducting risk assessments at Department owned or leased properties; providing security program management and oversight to bureaus and operating units including implementing and maintaining a program of reviews, in conjunction with the Plans, Programs and Compliance Division, throughout the Department to ensure appropriate compliance with all security policies promulgated by OSY; providing special security officer, special security representative, and site security manager functions, as delegated, related to the implementation of the special security program and the daily management of SCIFs; coordinating searches pursuant to written Department policy and as delegated to the OSY Police Services Group pursuant to Pub. L. Number 114-329, § 113, evacuations, and other procedures to protect persons, property and information; overseeing the emergency responses of security incidents at all Departmental facilities and coordinating with bureaus when appropriate; conducting initial inquiries when a potential violation of security policies or procedures has been reported, and, if verified, conducting follow-on administrative investigations; conducting a comprehensive security education and awareness program to enhance employee knowledge of security requirements; facilitating requests for personnel security clearances for job applicants, employees, and other individuals requiring access to classified national security information at any Department location worldwide; facilitating requests for access to SCI in coordination with the OSY Personnel Security Division; reviewing background investigations for fitness determinations for Department contractors; processing access requests for foreign national visitors and guests in accordance with DAO 207-12; and provide other security services as prescribed in section 2.03 of this Order when it is more operationally efficient, practical, or economical to consolidate them at the Department. Staff also support the delivery of services to the International Trade Administration, United States and Foreign Commercial Service; and, in conjunction with the Department of State, coordinates the provisions of all State-Commerce security agreements.

.05             The Project and Administrative Management Division and its related program staff provide strategic solutions for Departmental issues including budget, personnel, training, procurement, property management, and administration support to enable OSY to perform its functions more efficiently.

.06             The Plans, Programs and Compliance Division and its related support and program staff: manages the Department’s physical security programs; provides oversight of a comprehensive security compliance and inspection program responsible for ensuring proper alignment with Federal security requirements (e.g. E.O. 12977, Interagency Security Committee) and other stakeholder guidelines; manages the Department’s foreign access management and research security programs; coordinates the development and updates to policies/procedures, performance metrics, non-financial internal controls, and responses to Freedom of Information Act as well as Privacy Act requests; conducts periodic compliance reviews of all open administrative investigations; develops a training program that ensures personnel engaging in administrative investigations receive appropriate training on records procedures, and regular training on civil rights, civil liberties, privacy and data collection, implicit bias, and related issues; ensure that all data relating to administrative investigations is collected, retained, and destroyed in accordance with applicable laws and regulations; ensure, in collaboration with the Department’s Office of Privacy and Open Government, that appropriate Privacy Act systems of records are established and records retention schedules are developed.

a.              The Physical Security Program staff coordinates physical security initiatives related to HSPD-12 regarding policies for a common identification standard for Federal employees and contractors; administers the official badge and credential program; ensures compliance with Federal standards and regulations regarding the physical protection of the agency’s facility, property, and personnel assets; evaluates and certifies risk assessment surveys; prioritizes the physical security effort; and provides guidance to facility security assessors and senior leadership to ensure countermeasure recommendations are in concurrence with the ISC Risk Management Process.

 

SECTION 6.  EFFECT ON OTHER ORDERS.

.01             This Order supersedes Department Organization Order 20-6, dated April 11, 2016.

.02             Nothing in this Order shall have the effect of, or be construed as, an exception to the responsibility and authority of the Office of the General Counsel under DOO 10-6, “Office of the General Counsel” for policy and operating guidance on legal matters. With respect to such security matters that involve legal issues, the Director for Security shall consult with the Office of the General Counsel.

.03             Nothing in this Order shall have the effect of, or be construed as, an exception to the responsibility and authority of the Department's Office of Inspector General under DOO 23-1, “Office of the Inspector General” to conduct investigations to prevent and detect fraud, waste, and abuse.  With respect to such security matters that involve such issues, the Director for Security shall consult with the Office of Inspector General, which has the right of first refusal in investigating allegations involving any Department employee, contractor, or grantee.

 

Signed By: Chief Financial Officer and Assistant Secretary for Administration