ANNEX III
[Annex IV (to the ………)]
SECURITY ASPECTS LETTER (SAL)
( 1 )
[Model]
Appendix A
SECURITY REQUIREMENTS
The granting authority must include the following security requirements in the security aspects letter (SAL). Some clauses may not be applicable to the grant agreement. These are shown in square brackets.
The list of clauses is not exhaustive. Further clauses may be added depending on the nature of the classified grant.
GENERAL CONDITIONS [ N.B.: applicable to all classified grant agreements ]
1.
This security aspects letter (SAL) is an integral part of the classified grant agreement [or subcontract] and describes grant agreement-specific security requirements. Failure to meet these requirements may constitute sufficient grounds to terminate the grant agreement.
2.
Grant beneficiaries are subject to all obligations set out in Commission Decision (EU, Euratom) 2015/444 ( 2 ) (hereinafter ‘CD 2015/444’) and its implementing rules ( 3 ) . If the grant beneficiary faces a problem of application of the applicable legal framework in a Member State, it must refer to the Commission security authority and the national security authority (NSA) or designated security authority (DSA).
3.
Classified information generated when performing the grant agreement must be marked as EU classified information (EUCI) at security classification level, as determined in the security classification guide (SCG) in Appendix B to this letter. Deviation from the security classification level stipulated by the SCG is permissible only with the written authorisation of the granting authority.
4.
The rights pertaining to the originator of any EUCI created and handled for the performance of the classified grant agreement are exercised by the Commission, as the granting authority.
5.
Without the written consent of the granting authority, the beneficiary or subcontractor must not make use of any information or material furnished by the granting authority or produced on behalf of that authority for any purpose other than that of the grant agreement.
6.
Where a facility security clearance (FSC) is required for the performance of a grant agreement, the beneficiary must ask the granting authority to proceed with the FSC request.
7.
The beneficiary must investigate all security breaches related to EUCI and report them to the granting authority as soon as is practicable. The beneficiary or subcontractor must immediately report to its NSA or DSA, and, where national laws and regulations so permit, to the Commission security authority, all cases in which it is known or there is reason to suspect that EUCI provided or generated pursuant to the grant agreement has been lost or disclosed to unauthorised persons.
8.
After the end of the grant agreement, the beneficiary or subcontractor must return any EUCI it holds to the granting authority as soon as possible. Where practicable, the beneficiary or subcontractor may destroy EUCI instead of returning it. This must be done in accordance with the national laws and regulations of the country where the beneficiary is based, with the prior agreement of the Commission security authority, and under the latter’s instruction. EUCI must be destroyed in such a way that it cannot be reconstructed, either wholly or in part.
9.
Where the beneficiary or subcontractor is authorised to retain EUCI after termination or conclusion of the grant agreement, the EUCI must continue to be protected in accordance with CD 2015/444 and with its implementing rules ( 4 ) .
10.
Any electronic handling, processing and transmission of EUCI must abide by the provisions laid down in Chapters 5 and 6 of CD 2015/444. These include, inter alia , the requirement that communication and information systems owned by the beneficiary and used to handle EUCI for the purpose of the grant agreement (hereinafter ‘beneficiary CIS’) must be subject to accreditation ( 5 ) ; that any electronic transmission of EUCI must be protected by cryptographic products approved in accordance with Article 36(4) of CD 2015/444, and that TEMPEST security measures must be implemented in accordance with Article 36(6) of CD 2015/444.
11.
The beneficiary or subcontractor shall have business contingency plans (BCPs) to protect any EUCI handled in the performance of the classified grant agreement in emergency situations and shall put in place preventive and recovery measures to minimise the impact of incidents associated with the handling and storage of EUCI. The beneficiary or subcontractor must inform the granting authority of its BCP.
GRANT AGREEMENTS REQUIRING ACCESS TO INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED
12.
In principle, personnel security clearance (PSC) is not required for compliance with the grant agreement ( 6 ) . However, information or material classified RESTREINT UE/EU RESTRICTED must be accessible only to beneficiary personnel who require such information to perform the grant agreement ( need-to-know principle ), who have been briefed by the beneficiary’s security officer on their responsibilities and on the consequences of any compromise or breach of security of such information, and who have acknowledged in writing the consequences of a failure to protect EUCI.
13.
Except where the granting authority has given its written consent, the beneficiary or subcontractor must not provide access to information or material classified RESTREINT UE/EU RESTRICTED to any entity or person other than those of its personnel who have a need-to-know.
14.
The beneficiary or subcontractor must maintain the security classification markings of classified information generated by or provided during the performance of a grant agreement and must not declassify information without written consent from the granting authority.
15.
Information or material classified RESTREINT UE/EU RESTRICTED must be stored in locked office furniture when not in use. When in transit, documents must be carried inside an opaque envelope. The documents must not leave the possession of the bearer and they must not be opened en route .
16.
The beneficiary or subcontractor may transmit documents classified RESTREINT UE/EU RESTRICTED to the granting authority using commercial courier companies, postal services, hand carriage or electronic means. To this end, the beneficiary or subcontractor must follow the programme (or project) security instruction (PSI) issued by the Commission and/or the Commission implementing rules on industrial security with regard to classified grants ( 7 ) .
17.
When no longer required, documents classified RESTREINT UE/EU RESTRICTED must be destroyed in such a way that they cannot be reconstructed, either wholly or in part.
18.
The security accreditation of beneficiary CIS handling EUCI at RESTREINT UE/EU RESTRICTED level and any interconnection thereof may be delegated to the beneficiary’s security officer if national laws and regulations so permit. Where accreditation is thus delegated, the NSAs, DSAs or security accreditation authorities (SAAs) retain responsibility for protecting any RESTREINT UE/EU RESTRICTED information that is handled by the beneficiary and the right to inspect the security measures taken by the beneficiary. In addition, the beneficiary shall provide the granting authority and, where required by national laws and regulations, the competent national SAA with a statement of compliance certifying that the beneficiary CIS and the related interconnections have been accredited for handling EUCI at RESTREINT UE/EU RESTRICTED level.
HANDLING OF INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED IN COMMUNICATION AND INFORMATION SYSTEMS (CIS)
19.
Minimum requirements for CIS handling information classified RESTREINT UE/EU RESTRICTED are laid down in Appendix E to this SAL.
CONDITIONS UNDER WHICH THE BENEFICIARY MAY SUBCONTRACT
20.
The beneficiary must obtain permission from the granting authority before subcontracting any part of a classified grant agreement.
21.
No subcontract may be awarded to an entity registered in a non-EU country or to an entity belonging to an international organisation, if that non-EU country or international organisation has not concluded a security of information agreement with the EU or an administrative arrangement with the Commission.
22.
Where the beneficiary has let a subcontract, the security provisions of the grant agreement shall apply mutatis mutandis to the subcontractor(s) and its (their) personnel. In such a case, it is the beneficiary’s responsibility to ensure that all subcontractors apply these principles to their own subcontracting arrangements. To ensure appropriate security oversight, the beneficiary’s and subcontractor’s NSAs and/or DSAs shall be notified by the Commission security authority of the letting of all related classified subcontracts at the levels of CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET. Where appropriate, the beneficiary’s and subcontractor’s NSAs and/or DSAs shall be provided with a copy of the subcontract-specific security provisions. NSAs and DSAs requiring notification about the security provisions of classified grant agreements at RESTREINT UE/EU RESTRICTED level are listed in the annex to the Commission’s implementing rules on industrial security with regard to classified grant agreements ( 8 ) .
23.
The beneficiary may not release any EUCI to a subcontractor without the prior written approval of the granting authority. If EUCI to subcontractors is to be sent frequently or as a matter of routine, then the granting authority may give its approval for a specified length of time (e.g. 12 months) or for the duration of the subcontract.
VISITS
If the standard request for visit (RFV) procedure is to be applied to visits involving information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, the granting authority must include paragraphs 24, 25 and 26 and delete paragraph 27. If visits involving information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET are arranged directly between the sending and receiving establishments, the granting authority must delete paragraphs 25 and 26 and include paragraph 27 only.
24.
Visits involving access or potential access to information classified RESTREINT UE/EU RESTRICTED shall be arranged directly between the sending and receiving establishments without the need to follow the procedure described in paragraphs 25 to 27 below.
[25.
Visits involving access or potential access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET shall be subject to the following procedure:
(a)
the security officer of the facility sending the visitor shall complete all relevant parts of the RFV form (Appendix C) and submit the request to the facility’s NSA or DSA;
(b)
the sending facility’s NSA or DSA needs to confirm the visitor’s PSC before submitting the RFV to the host facility’s NSA or DSA (or to the Commission security authority if the visit is to the premises of the granting authority);
(c)
the security officer of the sending facility shall then obtain from its NSA or DSA the reply of the host facility’s NSA or DSA (or the Commission security authority) either authorising or denying the RFV;
(d)
an RFV is considered approved if no objections are raised until five working days before the date of the visit.]
[26.
Before giving the visitor(s) access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, the host facility must have received authorisation from its NSA or DSA.]
[27.
Visits involving access or potential access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET shall be arranged directly between the sending and receiving establishments (an example of the form that may be used for this purpose is provided in Appendix C).]
28.
Visitors must prove their identity on arrival at the host facility by presenting a valid ID card or passport.
29.
The facility hosting the visit must ensure that records are kept of all visitors. These must include their names, the organisation they represent, the date of expiry of the PSC (if applicable), the date of the visit and the name(s) of the person(s) visited. Without prejudice to European data protection rules, such records are to be retained for a period of no less than five years or in accordance with national rules and regulations, as appropriate.
ASSESSMENT VISITS
30.
The Commission security authority may, in cooperation with the relevant NSAs or DSAs, conduct visits to beneficiaries’ or subcontractors’ facilities to check that the security requirements for handling EUCI are being complied with.
SECURITY CLASSIFICATION GUIDE
31.
A list of all the elements in the grant agreement which are classified or to be classified in the course of the performance of the grant agreement, the rules for so doing and the specification of the applicable security classification levels are contained in the security classification guide (SCG). The SCG is an integral part of this grant agreement and can be found in Appendix B to this Annex.
Appendix B
SECURITY CLASSIFICATION GUIDE
[specific text to be adjusted depending on the subject of the grant agreement]
Appendix C
REQUEST FOR VISIT (MODEL)
DETAILED INSTRUCTIONS FOR COMPLETION OF REQUEST FOR VISIT
(The application must be submitted in English only)
HEADING
Check boxes for visit type, information type, and indicate how many sites are to be visited and the number of visitors.
4.
ADMINISTRATIVE DATA
To be completed by requesting NSA/DSA.
5.
REQUESTING ORGANISATION OR INDUSTRIAL FACILITY
Give full name and postal address.
Include city, state and post code as applicable.
6.
ORGANISATION OR INDUSTRIAL FACILITY TO BE VISITED
Give full name and postal address. Include city, state, post code, telex or fax number (if applicable), telephone number and e-mail. Give the name and telephone/fax numbers and e-mail of your main point of contact or the person with whom you have made the appointment for the visit.
Remarks:
(1)
Giving the correct post code (zip code) is important because a company may have various different facilities.
(2)
When applying manually, Annex 1 can be used when two or more facilities have to be visited in connection with the same subject. When an Annex is used, item 3 should state: ‘SEE ANNEX 1, NUMBER OF FAC.:..’ (state number of facilities).
7.
DATES OF VISIT
Give the actual date or period (date-to-date) of the visit in the format ‘day – month – year’. Where applicable, give an alternate date or period in brackets.
8.
TYPE OF INITIATIVE
Specify whether the visit has been initiated by the requesting organisation or facility or by invitation of the facility to be visited.
9.
THE VISIT RELATES TO:
Specify the full name of the project, contract or call for tender using commonly used abbreviations only.
10.
SUBJECT TO BE DISCUSSED/
JUSTIFICATION
Give a brief description of the reason(s) for the visit. Do not use unexplained abbreviations.
Remarks:
In the case of recurring visits this item should state ‘Recurring visits’ as the first words in the data element (e.g. Recurring visits to discuss_____).
11.
ANTICIPATED LEVEL OF CLASSIFIED INFORMATION TO BE INVOLVED
State SECRET UE/EU SECRET (S-UE/EU-S)
or
CONFIDENTIEL UE/EU CONFIDENTIAL (C-UE/EU-C), as appropriate.
12.
PARTICULARS OF VISITOR
Remark: when more than two visitors are involved in the visit, Annex 2 should be used.
13.
THE SECURITY OFFICER OF THE REQUESTING ENTITY
This item requires the name, telephone number, fax number and e-mail of the requesting facility’s Security Officer.
14.
CERTIFICATION OF SECURITY CLEARANCE
This field is to be completed by the certifying authority.
Notes for the certifying authority:
a.
Give name, address, telephone number, fax number and e-mail (can be pre-printed).
b.
This item should be signed and stamped (if applicable).
15.
REQUESTING SECURITY AUTHORITY
This field is to be completed by the NSA/DSA.
Note for the NSA/DSA:
a.
Give name, address, telephone number, fax number and e-mail (can be pre-printed).
b.
This item should be signed and stamped (if applicable).
All fields must be completed and the form submitted via Government-to-Government channels ( 9 )
REQUEST FOR VISIT
(MODEL)
TO: _______________________________________
1.
TYPE OF VISIT REQUEST
2.
TYPE OF INFORMATION
3.
SUMMARY
☐
Single
☐
Recurring
☐
Emergency
☐
Amendment
☐
Dates
☐
Visitors
☐
Facility
For an amendment, insert the NSA/DSA original RFV Reference No_____________
☐
C-UE/EU-C
☐
S-UE/EU-S
No of sites: _______
No of visitors: _____
4.
ADMINISTRATIVE DATA:
Requester:
To:
NSA/DSA RFV Reference No________________
Date (dd/mm/yyyy) : _____/_____/_____
5.
REQUESTING ORGANISATION OR INDUSTRIAL FACILITY:
NAME:
POSTAL ADDRESS:
E-MAIL ADDRESS:
FAX NO:
TELEPHONE NO:
6.
ORGANISATION(S) OR INDUSTRIAL FACILITY(IES) TO BE VISITED (Annex 1 to be completed)
7.
DATE OF VISIT (dd/mm/yyyy) : FROM _____/_____/_____ TO _____/_____/_____
8.
TYPE OF INITIATIVE:
☐
Initiated by requesting organisation or facility
☐
By invitation of the facility to be visited
9.
THE VISIT RELATES TO CONTRACT:
10.
SUBJECT TO BE DISCUSSED/REASONS/PURPOSE (Include details of host entity and any other relevant information. Abbreviations should be avoided):
11.
ANTICIPATED HIGHEST CLASSIFICATION LEVEL OF INFORMATION/MATERIAL OR SITE ACCESS TO BE INVOLVED:
12.
PARTICULARS OF VISITOR(S) (Annex 2 to be completed)
13.
THE SECURITY OFFICER OF THE REQUESTING ORGANISATION OR INDUSTRIAL FACILITY:
NAME:
TELEPHONE NO:
E-MAIL ADDRESS:
SIGNATURE:
14.
CERTIFICATION OF SECURITY CLEARANCE LEVEL:
NAME:
ADDRESS:
TELEPHONE NO:
E-MAIL ADDRESS:
SIGNATURE:
DATE (dd/mm/yyyy) : _____/_____/_____
15.
REQUESTING NATIONAL SECURITY AUTHORITY/DESIGNATED SECURITY AUTHORITY:
NAME:
ADDRESS:
TELEPHONE NO:
E-MAIL ADDRESS:
SIGNATURE:
DATE (dd/mm/yyyy) : _____/_____/_____
16.
REMARKS (Mandatory justification required in the case of an emergency visit) :
<Placeholder for reference to applicable personal data legislation and link to mandatory information for the data subject, e.g. how Article 13 of the General Data Protection Regulation ( 10 ) is implemented.>
ANNEX 1 to RFV FORM
ORGANISATION(S) OR INDUSTRIAL FACILITY(IES) TO BE VISITED
1.
NAME:
ADDRESS:
TELEPHONE NO:
FAX NO:
NAME OF POINT OF CONTACT:
E-MAIL:
TELEPHONE NO:
NAME OF SECURITY OFFICER OR
SECONDARY POINT OF CONTACT:
E-MAIL:
TELEPHONE NO:
2.
NAME:
ADDRESS:
TELEPHONE NO:
FAX NO:
NAME OF POINT OF CONTACT:
E-MAIL:
TELEPHONE NO:
NAME OF SECURITY OFFICER OR
SECONDARY POINT OF CONTACT:
E-MAIL:
TELEPHONE NO:
(Continue as required)
<Placeholder for reference to applicable personal data legislation and link to mandatory information for the data subject, e.g. how Article 13 of the General Data Protection Regulation ( 11 12 ) is implemented.>
ANNEX 2 to RFV FORM
PARTICULARS OF VISITOR(S)
1.
SURNAME:
FIRST NAMES (as per passport) :
DATE OF BIRTH (dd/mm/yyyy) :____/____/____
PLACE OF BIRTH:
NATIONALITY:
SECURITY CLEARANCE LEVEL:
PP/ID NUMBER:
POSITION:
COMPANY/ORGANISATION:
2.
SURNAME:
FIRST NAMES (as per passport) :
DATE OF BIRTH (dd/mm/yyyy) :____/____/____
PLACE OF BIRTH:
NATIONALITY:
SECURITY CLEARANCE LEVEL:
PP/ID NUMBER:
POSITION:
COMPANY/ORGANISATION:
(Continue as required)
<Placeholder for reference to applicable personal data legislation and link to mandatory information for the data subject, e.g. how Article 13 of the General Data Protection Regulation ( 11 12 ) is implemented.>
Appendix D
FACILITY SECURITY CLEARANCE INFORMATION SHEET (FSCIS) (MODEL)
1. INTRODUCTION
1.1.
Attached is a sample Facility Security Clearance Information Sheet (FSCIS) for the rapid exchange of information between the National Security Authority (NSA) or Designated Security Authority (DSA), other competent national security authorities and the Commission Security Authority (acting on behalf of granting authorities) with regard to the Facility Security Clearance (FSC) of a facility involved in application for, and implementation of, classified grants or subcontracts.
1.2.
The FSCIS is valid only if stamped by the relevant NSA, DSA or other competent authority.
1.3.
The FSCIS is divided into a request and reply section and can be used for the purposes identified above or for any other purposes for which the FSC status of a particular facility is required. The reason for the enquiry must be identified by the requesting NSA or DSA in field 7 of the request section.
1.4.
The details contained in the FSCIS are not normally classified; accordingly, when an FSCIS is to be sent between the respective NSAs/DSAs/Commission this should preferably be done by electronic means.
1.5.
NSAs/DSAs should make every effort to respond to an FSCIS request within ten working days.
1.6.
Should any classified information be transferred or a grant or subcontract awarded in relation to this assurance, the issuing NSA or DSA must be informed.
Procedures and instructions for the use of the Facility Security Clearance Information Sheet (FSCIS)
These detailed instructions are for the NSA or DSA, or the granting authority and the Commission Security Authority that complete the FSCIS. The request should preferably be typed in capital letters.
HEADER
The requester inserts full NSA/DSA and country name.
1.
REQUEST TYPE
The requesting granting authority selects the appropriate checkbox for the type of FSCIS request. Include the level of security clearance requested. The following abbreviations should be used:
SECRET UE/EU SECRET = S-UE/EU-S
CONFIDENTIEL UE/EU CONFIDENTIAL = C-UE/EU-C
CIS = Communication and information systems for processing classified information.
2.
SUBJECT DETAILS
Fields 1 to 6 are self-evident.
In field 4 the standard two-letter country code should be used. Field 5 is optional.
3.
REASON FOR REQUEST
Give the specific reason for the request, provide project indicators, number of the call or grant. Please specify the need for storage capability, CIS classification level, etc.
Any deadline/expiry/award dates which may have a bearing on the completion of an FSC should be included.
4.
REQUESTING NSA/DSA
State the name of the actual requester (on behalf of the NSA/DSA) and the date of the request in number format (dd/mm/yyyy).
5.
REPLY SECTION
Fields 1-5: select appropriate fields.
Field 2: if an FSC is in progress, it is recommended to give the requester an indication of the required processing time (if known).
Field 6:
(a)
Although validation differs by country or even by facility, it is recommended that the expiry date of the FSC be given.
(b)
In cases where the expiry date of the FSC assurance is indefinite, this field may be crossed out.
(c)
In compliance with respective national rules and regulations, the requester or either the beneficiary or subcontractor is responsible for applying for a renewal of the FSC.
6.
REMARKS
May be used for additional information with regard to the FSC, the facility or the foregoing items.
7.
ISSUING NSA/DSA
State the name of the providing authority (on behalf of the NSA/DSA) and the date of the reply in number format (dd/mm/yyyy).
FACILITY SECURITY CLEARANCE INFORMATION SHEET (FSCIS) (MODEL)
All fields must be completed and the form communicated via Government-to-Government or Government-to-international organisation channels.
REQUEST FOR A FACILITY SECURITY CLEARANCE ASSURANCE
TO: ____________________________________
(NSA/DSA Country name)
Please complete the reply boxes, where applicable:
[ ] Provide an FSC assurance at the level of: [ ] S-UE/EU-S [ ] C-UE/EU-C
for the facility listed below
[ ] Including safeguarding of classified material/information
[ ] Including Communication and Information Systems (CIS) for processing classified information
[ ] Initiate, directly or upon a corresponding request of a beneficiary or subcontractor, the process of obtaining an FSC up to and including the level of … with … level of safeguarding and … level of CIS, if the facility does not currently hold these levels of capabilities.
Confirm accuracy of the details of the facility listed below and provide corrections/additions as required.
1.
Full facility name:
Corrections/Additions:
…
…
2.
Full facility address:
…
…
3.
Postal address (if different from 2)
…
…
4.
Zip/post code/city/country
…
…
5.
Name of the Security Officer
………………………………………………………………
………………………………………………………………
6.
Telephone/Fax/E-mail of the Security Officer
…
…
7.
This request is made for the following reason(s): (provide details of the pre-contractual (proposal selection) stage, grant or subcontract, programme/project, etc.)
…
Requesting NSA/DSA/granting authority: Name: …
Date: (dd/mm/yyyy)…
REPLY (within ten working days)
This is to certify that:
1.
[ ] the abovementioned facility holds an FSC up to and including the level of [ ] S-UE/EU-S
[ ] C-UE/EU-C.
2.
The abovementioned facility has the capability to safeguard classified information/material:
[ ] yes, level: … [ ] no.
3.
the abovementioned facility has accredited/authorised CIS:
[ ] yes, level: … [ ] no.
4.
[ ] in relation to the abovementioned request, the FSC process has been initiated. You will be informed when the FSC has been established or refused.
5.
[ ] the abovementioned facility does not hold an FSC.
6.
This FSC assurance expires on: … ( dd/mm/yyyy ), or as advised otherwise by the NSA/DSA. In the case of earlier invalidation or any changes to the information listed above, you will be informed.
7.
Remarks:
…
Issuing NSA/DSA Name: …
Date:(dd/mm/yyyy) …
<Placeholder for reference to applicable personal data legislation and link to mandatory information for the data subject, e.g. how Article 13 of the General Data Protection Regulation ( 13 ) is implemented.>
Appendix E
Minimum requirements for protection of EUCI in electronic form at RESTREINT UE/EU RESTRICTED level handled in the beneficiary’s CIS
General
1.
The beneficiary must be responsible for ensuring that the protection of RESTREINT UE/EU RESTRICTED information complies with the minimum security requirements as laid down in this security clause and with any other additional requirements advised by the granting authority or, if applicable, by the national security authority (NSA) or designated security authority (DSA).
2.
It is the beneficiary’s responsibility to implement the security requirements identified in this document.
3.
For the purpose of this document, a communication and information system (CIS) covers all equipment used to handle, store and transmit EUCI, including workstations, printers, copiers, fax machines, servers, network management systems, network controllers and communications controllers, laptops, notebooks, tablet PCs, smart phones and removable storage devices such as USB-sticks, CDs, SD-cards, etc.
4.
Special equipment, such as cryptographic products, must be protected in accordance with its dedicated security operating procedures (SecOPs).
5.
Beneficiary must establish a structure responsible for the security management of the CIS handling information classified RESTREINT UE/EU RESTRICTED and appoint a security officer responsible for the facility concerned.
6.
The use of IT solutions (hardware, software or services) privately owned by beneficiary staff for storing or processing RESTREINT UE/EU RESTRICTED information is not permitted.
7.
Accreditation of the beneficiary’s CIS handling information classified RESTREINT UE/EU RESTRICTED must be approved by the security accreditation authority (SAA) of the Member State concerned or delegated to the beneficiary’s security officer as permitted by national laws and regulations.
8.
Only information classified RESTREINT UE/EU RESTRICTED that is encrypted using approved cryptographic products may be handled, stored or transmitted (by wired or wireless means) as any other unclassified information under the grant agreement. Such cryptographic products must be approved by the EU or a Member State.
9.
External facilities involved in maintenance/repair work must be contractually obliged to comply with the applicable provisions for handling of information classified RESTREINT UE/EU RESTRICTED, as set out in this document.
10.
At the request of the granting authority or relevant NSA, DSA, or SAA, the beneficiary must provide evidence of compliance with the security clause of the grant agreement. If an audit and inspection of the beneficiary’s processes and facilities are also requested, to ensure compliance with these requirements, beneficiaries shall permit representatives of the granting authority, the NSA, DSA and/or SAA, or the relevant EU security authority to conduct such an audit and inspection.
Physical security
11.
Areas in which CIS are used to display, store, process or transmit RESTREINT UE/EU RESTRICTED information or areas housing servers, network management systems, network controllers and communications controllers for such CIS should be established as separate and controlled areas with an appropriate access control system. Access to these separate and controlled areas should be restricted to individuals with specific authorisation. Without prejudice to paragraph 8, equipment as described in paragraph 3 must be stored in such separate and controlled areas.
12.
Security mechanisms and/or procedures must be implemented to regulate the introduction or connection of removable computer storage media (such as USBs, mass storage devices or CD-RWs) to components on the CIS.
Access to CIS
13.
Access to a beneficiary’s CIS handling EUCI is allowed on a basis of strict need-to-know and authorisation of personnel.
14.
All CIS must have up-to-date lists of authorised users. All users must be authenticated at the start of each processing session.
15.
Passwords, which are part of most identification and authentication security measures, must be at least nine characters long and must include numeric and ‘special’ characters (if permitted by the system) as well as alphabetic characters. Passwords must be changed at least every 180 days. They must be changed as soon as possible if they have been compromised or disclosed to an unauthorised person, or if such compromise or disclosure is suspected.
16.
All CIS must have internal access controls to prevent unauthorised users from accessing or modifying information classified RESTREINT UE/EU RESTRICTED and from modifying system and security controls. Users are to be automatically logged off the CIS if their terminals have been inactive for some predetermined period of time, or the CIS must activate a password-protected screen saver after 15 minutes of inactivity.
17.
Each user of the CIS is allocated a unique user account and ID. User accounts must be automatically locked once at least five successive incorrect login attempts have been made.
18.
All users of the CIS must be made aware of their responsibilities and the procedures to be followed to protect information classified RESTREINT UE/EU RESTRICTED on the CIS. The responsibilities and procedures to be followed must be documented and acknowledged by users in writing.
19.
SecOPs must be available for the users and administrators and must include descriptions of security roles and associated list of tasks, instructions and plans.
Accounting, audit and incident response
20.
Any access to the CIS must be logged.
21.
The following events must be recorded:
(a)
all attempts to log on, whether successful or failed;
(b)
logging off (including being timed out, where applicable);
(c)
creation, deletion or alteration of access rights and privileges;
(d)
creation, deletion or alteration of passwords.
22.
For all of the events listed above, the following information must be communicated as a minimum:
(a)
type of event;
(b)
user ID;
(c)
date and time;
(d)
device ID.
23.
The accounting records should provide help to a security officer to examine the potential security incidents. They can also be used to support any legal investigations in the event of a security incident. All security records should be regularly checked to identify potential security incidents. The accounting records must be protected from unauthorised deletion or modification.
24.
The beneficiary must have an established response strategy to deal with security incidents. Users and administrators must be instructed on how to respond to incidents, how to report them and what to do in the event of emergency.
25.
The compromise or suspected compromise of information classified RESTREINT UE/EU RESTRICTED must be reported to the granting authority. The report must contain a description of the information involved and a description of the circumstances of the compromise or suspected compromise. All users of the CIS must be made aware of how to report any actual or suspected security incident to the security officer.
Networking and interconnection
26.
When a beneficiary CIS that handles information classified RESTREINT UE/EU RESTRICTED is interconnected to a CIS that is not accredited, this significantly increases the threat to both the security of the CIS and the RESTREINT UE/EU RESTRICTED information that is handled by that CIS. This includes the internet and other public or private CIS, such as other CIS owned by the beneficiary or subcontractor. In this case, the beneficiary must perform a risk assessment to identify the additional security requirements that need to be implemented as part of the security accreditation process. The beneficiary shall provide to the granting authority, and where required by national laws and regulations, the competent SAA, a statement of compliance certifying that the beneficiary CIS and the related interconnections have been accredited for handling EUCI at RESTREINT UE/EU RESTRICTED level.
27.
Remote access from other systems to LAN services (e.g. remote access to email and remote SYSTEM support) is prohibited unless special security measures are implemented and agreed by the granting authority, and where required by national laws and regulations, approved by the competent SAA.
Configuration management
28.
A detailed hardware and software configuration, as reflected in the accreditation/approval documentation (including system and network diagrams), must be available and regularly maintained.
29.
The beneficiary’s security officer must conduct configuration checks on hardware and software to ensure that no unauthorised hardware or software has been introduced.
30.
Changes to the beneficiary CIS configuration must be assessed for their security implications and must be approved by the security officer, and where required by national laws and regulations, the SAA.
31.
The system must be scanned for any security vulnerabilities at least once a quarter. Software to detect malware must be installed and kept up-to-date. If possible, such software should have a national or recognised international approval, otherwise it should be a widely accepted industry standard.
32.
The beneficiary must develop a business continuity plan. Back-up procedures must be established to address the following:
(a)
frequency of back-ups;
(b)
storage requirements on-site (fireproof containers) or off-site;
(c)
control of authorised access to back-up copies.
Sanitisation and destruction
33.
For CIS or data storage media that have at any time held RESTREINT UE/EU RESTRICTED information the following sanitisation must be performed to the entire system or to storage media before its disposal:
(a)
flash memory (e.g. USB sticks, SD cards, solid state drives, hybrid hard drives) must be overwritten at least three times and then verified to ensure that the original content cannot be recovered, or be deleted using approved deletion software;
(b)
magnetic media (e.g. hard disks) must be overwritten or degaussed;
(c)
optical media (e.g. CDs and DVDs) must be shredded or disintegrated;
(d)
for any other storage media, the granting authority or, if appropriate, the NSA, DSA or SAA should be consulted on the security requirements to be met.
34.
Information classified RESTREINT UE/EU RESTRICTED must be sanitised on any data storage media before it is given to any entity that is not authorised to access information classified RESTREINT UE/EU RESTRICTED (e.g. for maintenance work).
( 1 ) This model of SAL applies where the Commission is considered the originator of classified information created and handled for the performance of the grant agreement. Where the originator of classified information created and handled for the performance of the grant agreement is not the Commission, and where a specific security framework is set up by the Member States participating in the grant, other models of SAL may apply.
( 2 ) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information ( OJ L 72, 17.3.2015, p. 53 ).
( 3 ) The granting authority should insert the references once these implementing rules have been adopted.
( 4 ) The granting authority should insert the references once these implementing rules have been adopted.
( 5 ) The party undertaking the accreditation will have to provide the granting authority with a statement of compliance, through the Commission security authority, and in co-ordination with the relevant national security accreditation authority (SAA).
( 6 ) Where beneficiaries are from Member States requiring PSCs and/or FSCs for grants classified RESTREINT UE/EU RESTRICTED, the granting authority lists in the SAL these PSC and FSC requirements for the beneficiaries in question.
( 7 ) The granting authority should insert the references once these implementing rules have been adopted.
( 8 ) The granting authority should insert the references once these implementing rules have been adopted.
( 9 ) If it has been agreed that visits involving access or potential access to EUCI at CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET level can be arranged directly, the completed form can be submitted directly to the Security Officer of the establishment to be visited.
( 10 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ L 119, 4.5.2016, p. 1 ).
( 11 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ L 119, 4.5.2016, p. 1 ).
( 12 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ L 119, 4.5.2016, p. 1 ).
( 13 ) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) ( OJ L 119, 4.5.2016, p. 1 ).