Over the past 12 months, there have been 14 security incidents at DOE Headquarters wherein classified information was included in an unclassified e-mail. This is the second most frequent type of security incident that occurs at DOE Headquarters (leaving safes or vaults unsecured is the most frequent type of security incident). Most of these "classified data spills" (also known as "e-mail contaminations") must be reported to the Emergency Operations Center through the submission of a DOE Form 471.1, Security Incident Notification Report.
The purpose of this HSO Spotlight is to provide guidance on how to report data spills/e-mail contaminations to the Office of Chief Information Officer (IM) and describe what follow-up actions will be taken by that office.
When it becomes known that classified information has been transmitted via an unclassified e-mail, the HSO should first coordinate with Jeffrey A. Zarkin, the Headquarters Security Incident and Infractions Program Manager, by calling him at x6-9934. During your conversation with Mr. Zarkin, do not identify the date or time the e-mail was transmitted because that information is itself classified. He will advise you if a DOE Form 471.1 needs to be submitted. He will also advise you to report the matter to IM in order to initiate computer sanitization efforts. The HSO makes the report to IM by:
- Telephoning the Enterprise Service Center Help Desk at x3-2500. Immediately press "0" to talk with a Help Desk representative.
- Telling the Help Desk representative that you want to report a "classified data spill." Answer whatever questions the Help Desk representative might have. These questions should relate to verifying the HSO's identity and contact information. The questions should not include the property number(s) of the computer(s) involved, the date or time of transmission, or any other specific details of the event. If a DOE F 471.1 is required, the HSO can now state on that form that sanitization efforts have been initiated.
The Help Desk representative will create a "ticket" reflecting that a "classified data spill" has occurred. The ticket is passed to the IM Cyber Incident Response Team (IM-CIRT) for action. The IM-CIRT will contact the HSO who reported the security incident for the additional information needed to locate and sanitize the contaminated computers and BlackBerry devices, if any.
The IM-CIRT will sanitize the servers used to transmit the e-mail and the desktop or laptop computers of each recipient of the contaminated e-mail. The IM-CIRT may ask the HSO to assist in contacting all those with contaminated computers. Please be aware that it often takes a minimum of 8 hours to fully sanitize a contaminated computer.
If the e-mail was transmitted to a BlackBerry device, that device will have to be recovered and stored as classified information. Currently, all BlackBerry devices involved in a contamination must be destroyed; however, alternatives to destruction are under consideration.
The IM-CIRT will provide training on this topic at the next HSO Quarterly Meetings to be held on May 12 and 13, 2010. If you have any questions regarding this HSO Spotlight, please contact Christopher Crowley, the IM-CIRT leader, at (301) 903-8222, (301) 525-6782, or by encrypted e-mail.