Year
2008
Abstract
During the past year, the Office of Security Policy has aggressively pursued the goal of significantly improving the DOE safeguards and security directives set. One of the major initiatives pursued in this effort was the effort to increase the use of performance-based requirements statements in DOE directives. It was believed that this approach would be especially appropriate in an agency such as the DOE because of the prevalence of highly educated and intelligent personnel who make up the population of our laboratory population, including our security professionals. The directives re-write effort was successful in improving the directives set, especially in creating an increased emphasis on performance versus simple compliance with directive requirements. This has significantly reduced the incidence of requirements based on prescriptive methods to be used to ensure adequate security (how to do things). In general, such prescriptive requirements were modified to define outcomes rather than methods (what needs to be done.) In the course of pursuing this goal of emphasizing demonstrated performance as a success metric instead of simple compliance, a number of lessons were learned that will influence future efforts to proceed along this path in the development of directives. This paper will provide examples of converting “how”