
EUROPEAN COMMISSION
Directorate-General for Migration and Home Affairs

H2020 Programme

Guidance
Guidelines for the classification of information in research projects

Version 2.2
07 January 2020

EU grants: H2020 Guidance — Guidelines for the classification of information in research projects: V2.2 – 07.01.2020

IMPORTANT NOTICE

This document aims to assist national experts with the security scrutiny of H2020 proposals, inform applicants on how information will be EU-classified and help Commission staff to decide about the sensitivity of their call for proposals.

This guidance concerns solely protective measures to be taken to preserve the confidentiality of security-sensitive information in H2020 research projects. Other aspects (e.g. data protection, ethical issues, dual-use, etc.) are covered in other parts of the evaluation procedure.

Pending the adoption of implementing rules for Commission Decision 2015/444 on the security rules for protecting EU classified information, certain provisions in this guide are still based on Commission Decision 2001/844. In the absence of new guidelines they should continue to be applied.

Under the new security rules, all classification markings must now be written in FR/EN format (e.g. RESTREINT UE/EU RESTRICTED).

HISTORY OF CHANGES

| Version | Publication Date | Change |
|---------|------------------|--------|
| 1.0 | 11.07.2013 | Initial version |
| 2.0 | 23.02.2015 | DGT and LS redraft |
| 2.1 | 21.10.2016 | Change of title. Small changes. LS validation of new sections 3.8 and 3.9 |
| 2.2 | 07.01.2020 | Updated to VM 4.0 / PP FTP. Updated GoFund links. Change of header (PP Document to EU grants) |

TABLE OF CONTENTS

1. When and for how long must information be classified?
2. Classification levels
3. How to classify information?
   3.1 Explosives research
   3.2 CBRN research
   3.3 Critical infrastructures and utilities research
   3.4 Border security research
   3.5 Intelligent surveillance research
   3.6 Terrorism research
   3.7 Organised crime research
   3.8 Digital security research
   3.9 Space research

1. When and for how long must information be classified?

Under the Decision 2015/444 [1], information must be classified if its unauthorised disclosure could adversely impact the interests of the EU or of one (or more) of its Member States.

Example: some of the information produced by a project could potentially be used to plan terrorist attacks or avoid detection of criminal activities

To minimise costs and restrictions caused by classifying project information, the classification will be for a limited time — after which classification will be reviewed and possibly downgraded, declassified or even extended.

Classification of information may be combined with other security recommendations (REC) (e.g. limited dissemination, creation of a security advisory group, limiting the level of detail, using a fake scenario, excluding the use of classified information, etc.).

2. Classification levels

There are four levels of classification: [2]

- TRÈS SECRET UE/EU TOP-SECRET (TS-UE)
  TRÈS SECRET UE/EU TOP-SECRET is NOT used for the security scrutiny of research proposals.

- SECRET UE/EU SECRET (SEC-UE)
  Use this classification for information which could seriously harm essential EU or national interests.
  Example: threatening of life or the serious prejudicing of public order or individual security and liberty

- CONFIDENTIEL UE/EU CONFIDENTIAL (CON-UE)
  Use this for information which could harm essential EU or national interests.
  Example: inception of damage to the operational effectiveness or security of a Member State or other State’s forces or to the effectiveness of valuable security or intelligence operations

- RESTREINT UE/EU RESTRICTED (RES-UE)
  Use this for information which could be disadvantageous to those interests.
  Example: information which could potentially make it more difficult to maintain the operational effectiveness or security of Member States or other State’s forces

[1] See Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p.53.)
[2] See Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p.53.)

3. How to classify information?

The classification of information produced by research projects will normally depend on two parameters:

- the subject-matter of the research:
  - explosives
  - CBRN
  - critical infrastructure and utilities
  - border security
  - intelligent surveillance
  - terrorism
  - organised crime
  - digital security
  - space

AND

- the type of the research/results and whether it is being done in simulated environments (e.g. serious gaming, etc.) or in real world experimentation
  - threat assessments (i.e. estimation of the likelihood of a malicious act against an asset, with particular reference to factors such as intention, capacity and potential impact)
  - vulnerability assessments (i.e. description of gaps or weaknesses in networks, services, systems, assets, operations or processes which can be exploited during malicious acts, and often contain suggestions to eliminate or diminish these weaknesses)
  - specifications (i.e. exact guidelines on the design, composition, manufacture, maintenance or operation of threat substances or countermeasure substances, technologies and procedures)
  - capability assessments (i.e. description of the ability of an asset, system, network, service or authority to fulfil its intended role — and in particular the capacity of units, installations, systems, technologies, substances and personnel that have security-related functions to carry these out successfully)
  - incidents/scenarios (i.e. detailed information on real-life security incidents and potential threat scenarios:

    - on past incidents (often including details not otherwise publicly available, demonstrating the real-life effects of particular attack methods or security gaps which have since been addressed)
    - on devised scenarios (commonly derived directly from existing vulnerabilities, but normally with a lower level of detail, particularly of the attack preparation phase)).

These categories are not exhaustive, and may overlap.

3.1 Explosives research

What?

‘Explosives’ are solid or liquid substances (or mixtures of substances) which are capable — by chemical reaction — of producing gas at such a temperature, pressure and speed as to cause damage to the surroundings. [3]

How to deal with threat assessments?

Information on e.g. the availability of precursors, the manufacturing capabilities of adversaries and the effectiveness of explosives they produce should be classified CONFIDENTIEL UE/EU CONFIDENTIAL. If it adds value (e.g. by prioritising these threats), it should be classified SECRET UE/EU SECRET.

How to deal with vulnerability assessments?

Assessments of e.g. current capacity to detect explosives and mitigate explosions (which may include a critical analysis of existing practices or extant abilities) should be classified CONFIDENTIEL UE/EU CONFIDENTIAL.

How to deal with specifications?

Specifications relating to explosives may refer to threat substances or to countermeasures.

Specifications for the manufacture, safe handling or chemical and operational characteristics of threat substances should be classified CONFIDENTIEL UE/EU CONFIDENTIAL. This includes in principle recipes for homemade explosives (HMEs). If the recipes have been validated or experimentally assessed, they should however be classified SECRET UE/EU SECRET. HME recipes that were already publicly available when the applicants applied for funding (such as manufacturing instructions published on the internet) do not need to be classified.

The name, chemical characteristics and operation of inhibitors used in countermeasures should be classified CONFIDENTIEL UE/EU CONFIDENTIAL. Research on the removal or attempted removal of inhibitors should be classified SECRET UE/EU SECRET.

The design, characteristics, operation and requirements of, and prototypes for, key functional devices used as components in detection (such as samplers, sensors, lasers and lidars) should be classified RESTREINT UE/EU RESTRICTED. Details of soft detection methods, such as data mining, online HME resources discovery and social media analysis techniques, should also be classified RESTREINT UE/EU RESTRICTED.

The design, characteristics and operation of, and prototypes for, chemical or physical mitigation and containment countermeasures should be classified RESTREINT UE/EU RESTRICTED.

Information concerning forensic methods and procedures, such as protocols for forensic sampling, methods of forensic analysis and detailed information on crime scene procedures should be classified RESTREINT UE/EU RESTRICTED.

[3] See Regulation (EC) No 1272/2008 of the European Parliament and of the Council of 16 December 2008 on Classification, Labelling and Packaging of Substances and Mixtures, Amending and Repealing Directives 67/548/EEC, 1999/45/EC and amending Regulation (EC) No 1907/2006. (O.J. L 35, 31.12.2008, p. 1-1355)

How to deal with capability assessments?

Detailed information or test reports on the capabilities of beyond the state-of-the-art detection subsystems (such as spectroscopic subsystems) should be classified CONFIDENTIEL UE/EU CONFIDENTIAL. Demonstrations of systems in selected scenarios, evaluations of detection devices and assessments of the performance of mitigation and neutralisation methods should be classified RESTREINT UE/EU RESTRICTED.

How to deal with incidents/scenarios?

Detailed scenarios (and any risk analysis or guidance tools that feature detailed scenarios), potential consequences or responses should be classified RESTREINT UE/EU RESTRICTED, as should detailed accounts of individual real-life incidents which may contain information not publicly available. Incident information to which value has been added (e.g. itemised attack databases, matrices of IED events or detailed analyses of numerous incidents) should be classified CONFIDENTIEL UE/EU CONFIDENTIAL.

3.2 CBRN research

What?

‘CBRN’ means chemical, biological, radiological or nuclear substances and materials.

CBRN research covers research on:

- malicious use of CBRN (‘preventive CBRN research’) and
- preparedness and response to accidental, man-made or natural incidents.

How to deal with threat assessments?

Threat assessment information, which usually concerns the availability of threat substances and the hazard that individual substances pose to European and national security, should be classified RESTREINT UE/EU RESTRICTED.

How to deal with vulnerability assessments?

Vulnerability refers mainly to the ability to detect and neutralise CBRN threat substances; this may include assessments of the susceptibility of certain organisms to particular threat substances. Such research should be classified RESTREINT UE/EU RESTRICTED. Vulnerability assessments that take a system-of-systems approach (incorporating gap analyses of a wide range of infrastructures, countermeasures and operations) should be classified SECRET UE/EU SECRET.

How to deal with specifications?

CBRN research referring to specifications for threat substances (their manufacture, characteristics, operation and effects) or to countermeasures (their design, operation and requirements) should be classified as follows:

Detailed information on threat substances (e.g. toxicity and dose response information) that is beyond the state-of-the-art should be classified RESTREINT UE/EU RESTRICTED.

Information on CBRN countermeasures (detection devices, treatment devices and forensic tools) should be classified as follows:

The design, proofs of concept, characteristics, operation and requirements of, and prototypes for, key functional devices for use in detection (such as samplers, plastic scintillators and sensors) should be classified RESTREINT UE/EU RESTRICTED. Systems-level information (such as operating systems, platforms, software and algorithms) should also be classified RESTREINT UE/EU RESTRICTED.

The design, proofs of concept, characteristics, operation and requirements of, and prototypes for, key functional devices for use in treatment, if precise, should be classified RESTREINT UE/EU RESTRICTED, as should detailed operational information on treatment processes.

The design, proofs of concept, characteristics, operation and requirements of, and prototypes for, key functional devices, tools, processes, protocols or systems with forensic functions (such as discriminating between strains or determining whether CBRN substances have been intentionally introduced) should be classified RESTREINT UE/EU RESTRICTED.

How to deal with capability assessments?

Assessments, demonstrations or test reports on the capabilities of beyond the state-of-the-art CBRN detection or neutralisation devices in laboratory or simulated environments should be classified RESTREINT UE/EU RESTRICTED.

Demonstration and test reports, or other detailed information, on the performance of beyond the state-of-the-art CBRN detection or neutralisation devices in real-life environments (such as identifiable water treatment plants) should be classified
