1. The CSA shall be responsible for accrediting Secured Areas that meet the requirements of Article 18 of Decision 2015/444 and CISs for handling EUCI.
2. Commission departments shall consult the Security Accreditation Authority in coordination with their LSO and their LISO as appropriate whenever a department intends to:
(a)
construct a Secured Area;
(b)
implement a CIS to handle EUCI;
(c)
install any other equipment for the handling of classified information, including connections to a third party CIS.
The SAA shall provide advice in respect of these activities during both the planning and the construction or development processes.
3. EUCI shall not be handled in a Secured Area or CIS before the Security Accreditation Authority has issued an accreditation at the appropriate level of EUCI.
4. The requirements for accrediting a Secured Area shall include:
(a)
approval of the plans for the Secured Area;
(b)
approval of any contracts for works performed by external contractors, taking into consideration the provisions on industrial security such as any requirements for security clearances of the contractors and their staff;
(c)
availability of all requisite declarations and certificates of conformity;
(d)
a physical inspection of the Secured Area to verify that the building materials and methods, access controls, security equipment and any other items comply with the requirements issued by the CSA;
(e)
validation of the countermeasures against electromagnetic radiation for any technically Secured Area;
(f)
approval of the security operating procedures (SecOPs) for the Secured Area.
5. The requirements for accrediting a CIS handling EUCI shall include:
(a)
creation of a System Accreditation Strategy;
(b)
validation of the CIS’s security plan, based on a risk management approach;
(c)
validation of the SecOPs for the CIS;
(d)
validation of all other required security documentation, as determined by the Security Accreditation Authority;
(e)
approval of any use of encrypting technologies;
(f)
validation of the countermeasures against electromagnetic radiation for a CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above;
(g)
an inspection of the CIS to verify that the documented security measures are correctly implemented.
6. Following successful fulfilment of the requirements for accreditation, the Security Accreditation Authority shall issue a formal authorisation for the handling of EUCI in the Secured Area or CIS, for a stated maximum level of EUCI and for up to 5 years, depending on the levels of EUCI handled and the risks involved.
7. Upon notification of a security breach or a significant change in the design or security measures of a Secured Area or CIS, the Security Accreditation Authority shall review and, if necessary, may revoke the authorisation to handle EUCI until any identified issues are resolved.