12 March 2009
[Federal Register: March 12, 2009 (Volume 74, Number 47)]
[Notices]
[Page 10786-10790]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr12mr09-113]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
[NRC-2009-0106]
Proposed Generic Communications; Protection of Safeguards
Information
AGENCY: Nuclear Regulatory Commission.
ACTION: Notice of opportunity for public comment.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing to
issue a regulatory issue summary (RIS) to remind all stakeholders of
the significant changes to Title 10 of the Code of Federal Regulations
(10 CFR) 73.21, 73.22 and 73.23. Previously, many licensees, applicants,
certificate holders, or other persons were issued Orders in the
aftermath of the terrorist attacks of September 11, 2001, that required
them to protect certain detailed information designated as SGI or SGI-
M. Further Orders were issued by the NRC after the enactment of the
Energy Policy Act of 2005 (EPAct), which expanded the NRC's
fingerprinting authority with respect to access to SGI. This RIS
provides clarifying information on the impact of the new rule
(effective date February 23, 2009).
This Federal Register notice is available through the NRC's
Agencywide Documents Access and Management System (ADAMS) under
accession number ML090630662.
DATES: Comment period expires April 13, 2009. Comments submitted after
this date will be considered if it is practical to do so, but assurance
of consideration cannot be given except for comments received on or
before this date.
ADDRESSES: Submit written comments to the Chief, Rulemaking, Directives
and Editing Branch, Division of Administrative Services, Office of
Administration, U.S. Nuclear Regulatory Commission, Mail Stop TWB
5B01M, Washington, DC 20555-0001, and cite the publication date and
page number of this Federal Register notice.
FOR FURTHER INFORMATION CONTACT: Robert Norman, at 301-415-2278 or by
e-mail at robert.norman@nrc.gov.
SUPPLEMENTARY INFORMATION:
NRC Regulatory Issue Summary 2009-XX
Implementation of New Final Rule, Protection of Safeguards Information
Addressees
Each NRC licensee, certificate holder, applicant, or other person
who produces, receives, or acquires Safeguards Information.
Intent
The U.S. Nuclear Regulatory Commission (NRC) is issuing this
regulatory issue summary (RIS) to remind all stakeholders of the
significant changes to Title 10 of the Code of Federal Regulations (10
CFR) 73.21, 73.22 and 73.23. This RIS provides clarifying information on
the impact of the new rule (effective date February 23, 2009). This RIS
requires no action or written response on the part of an addressee.
Background
Previously, many licensees, applicants, certificate holders, or
other persons were issued Orders in the aftermath of the terrorist
attacks of September 11, 2001, that required them to protect certain
detailed information designated as SGI or SGI-M. Further Orders were
issued by the NRC after the enactment of the Energy Policy Act of 2005
(EPAct), which expanded the NRC's fingerprinting authority with respect
to access to SGI.
SGI, which includes both SGI and SGI-M, is a special category of
sensitive unclassified information that licensees must protect from
unauthorized disclosure under Section 147 of the Atomic Energy Act of
1954 (AEA), as amended. Section 147 of the AEA gives the Commission
authority to designate, by regulation or order, other types of
information as SGI. For example, Section 147.a.(2) of the AEA allows
the Commission to designate as SGI a licensee's or applicant's detailed
security measures (including security plans, procedures, and equipment)
for the physical protection of source material or byproduct material in
quantities that the Commission determines to be significant to the
public health and safety or the common defense and security. Prior to
the events of September 11, the Commission implemented its Section 147
authority through regulations in 10 CFR sections 73.21 and 73.57. These
requirements generally applied to security information associated with
nuclear power plants, formula quantities of strategic special nuclear
materials, and the transportation of irradiated fuel. However, changes
in the threat environment after September 11 have resulted in the need
to protect, as SGI, additional types of security related information
held by a broader group of persons, including licensees, applicants,
vendors, and certificate holders. Subsequently, orders were issued that
increased the number of licensees whose security measures would be
protected as SGI and added types of security related information that
would be considered SGI. One example is EA-04-190, issued to certain NRC
byproduct materials licensees on November 4, 2004 (69 Federal Register
(FR) 65470, November 12, 2004). The Commission determined the
unauthorized release of this information could harm the public health
and safety and the Nation's common defense and security and damage the
Nation's critical infrastructure, including nuclear power plants and
other facilities and materials licensed and regulated by the NRC or
Agreement States.
Subsequently, Congress enacted the EPAct (Pub. L. 109-58, 119 Stat.
594). Section 652 of the EPAct amended Section 149 of the AEA to
require the fingerprinting of a broader class of persons for the
purpose of checking criminal history records. Before the EPAct, the
NRC's fingerprinting authority was limited to requiring licensees and
applicants for a license to operate a nuclear power reactor under 10
CFR part 50, ``Domestic Licensing of Production and Utilization
Facilities,'' to fingerprint individuals before granting them access to
SGI. The EPAct expanded the NRC's authority to require fingerprinting
of individuals associated with other types of activities before
granting them access to SGI. The EPAct preserved the Commission's
authority in Section 149 of the AEA to relieve, by rule, certain
persons from the fingerprinting, identification, and criminal history
records checks required for access to SGI. The Commission exercised
that authority to relieve, by rule, certain categories of persons from
the fingerprint identification and criminal history records check along
with other elements of the background check requirement. Categories of
individuals relieved from the background check are described in 10 CFR
73.59.
In addition to the orders mentioned above, the NRC issued a second
round of orders to licensees to impose the fingerprinting requirements
mandated by the EPAct. Those orders were issued to the same persons who
had previously received SGI protection orders, and required
fingerprinting for an FBI identification and criminal history record
check for any person with access to SGI. One significant aspect of the
SGI fingerprinting orders was the requirement that the recipients
designate a ``reviewing official'' who needed access to SGI, and who
would be required to be approved by the NRC as ``trustworthy and
reliable'' based on the NRC's review of his or her fingerprint-based
criminal history records (e.g., Order EA-06-155; 71 FR 51861, 51862,
August 31, 2006, Paragraph C.2). The orders specified that only the
NRC-approved reviewing official could make determinations of access to
SGI for the licensee. In addition, the SGI fingerprinting orders also
did not require the fingerprinting of a licensee employee who ``has a
favorably-decided U.S. Government criminal history records check within
the last five (5) years, or has an active federal security clearance''
id. (Paragraph A.3).
All of the orders issued by the NRC contained a relaxation clause
that generally permitted the order issuing official (NRC Office
Director) to ``in writing, relax or rescind any of the above conditions
upon demonstration of good cause by the licensee.'' The cumulative
efforts of the staff to increase the protection requirements associated
with SGI and SGI-M culminated in a final rulemaking. The final rule,
Protection of Safeguards Information, was published in the Federal
Register on October 24, 2008 (73 FR 63546). As stated in the final
rule, the purpose of the rulemaking was, in part, to ``implement
generally applicable requirements for SGI that are similar to
requirements imposed by the orders.''
Discussion
Since publication of the final rule in October 2008, licensees and
other stakeholders who routinely use SGI have raised a number of
questions with the NRC staff regarding implementation of the final SGI
rule, which was effective February 23, 2009. All persons subject to the
rule's requirements (meaning any person, including licensees, vendors,
industry groups, etc. who are currently in possession of SGI) were
required to be in compliance with the rule by that date. Based upon
stakeholder questions and comments on implementation of the rule, the
NRC is issuing this RIS to review rule requirements and articulate the
staff's position on several implementation issues. Stakeholders are
advised to closely examine the final rule itself to ensure that they
are in compliance with all requirements.
Continuing Effect of the Orders
A common question from stakeholders has been whether the final rule
supersedes the existing SGI Orders. It is the Commission's intent for
all SGI order requirements to be codified in regulations. However, the
final rule does not automatically supersede the SGI orders. Those
orders will remain in effect until further notice and administrative
action is taken. As the Commission noted in the revised
proposed rule, ``the final rule would, on its effective date, supersede
all SGI orders and advisory letters issued prior to that effective
date. The Commission will, however, take administrative action to
withdraw all previously issued [sic] orders where appropriate'' (71 FR
64004, 64009 (October 31, 2006)). The Commission will ultimately have
to decide when and by what means it will relax the SGI orders. The NRC
staff is currently examining this issue as well as the need for
additional SGI rulemaking. As noted earlier, the orders contain several
provisions, such as the requirement for a ``reviewing official,'' that
were not included in the final rule that the NRC staff continues to
view as an essential part of the NRC's SGI protection requirements.\1\
---------------------------------------------------------------------------
\1\ The NRC staff notes that the Commission has also expressed
its concern with the continuing effectiveness of the reviewing
official provision in that only last year, the Commission asked
Congress for an amendment to Section 149 that would permit the NRC
to collect fingerprints from persons responsible for making
decisions regarding a person's trustworthiness and reliability. See
Letter to the Honorable Nancy Pelosi from Chairman Dale E. Klein,
dated June 9, 2008 (Legislative Proposal Package, ADAMS Accession
Number ML0815505691).
---------------------------------------------------------------------------
The NRC staff also notes that to the extent there may be a conflict
between the orders and the rule, the more stringent of the requirements
would apply. For example, the background check requirements of the rule
would be imposed as a prerequisite for access to SGI. Additionally,
order recipients would still be obligated to maintain an NRC-approved
reviewing official as required by the order.
Grandfathering of Persons With Current Access to SGI
Some licensees have asked if the access requirements set forth in
the final SGI rule are applicable to all current and future persons
subject to the rule's requirements. Persons who have not been subjected
to the rule's background check requirement (i.e., the employment
history, education history and personal references check), must
complete such checks and be found to be trustworthy and reliable by the
responsible party before they are permitted access to any SGI. This
does not mean that individuals who have recently been subject to an
equivalent background check (such as for unescorted access or for
access to national security information), will have to re-accomplish a
background check simply for access to SGI. The final rule requirements
are intended to apply to those individuals to whom these requirements
have not been applied or have not otherwise been applied in a
reasonably recent time period.
Expanded Applicability of the Rule
An important change to SGI requirements reflected in the final rule
is the expansion of applicability of the rule to all persons who use
SGI. Under the previous version of the rule, section 73.21(a), the only
persons subject to the SGI protection requirements by regulation were
licensees who possessed formula quantities of strategic special nuclear
material, who were authorized to operate a nuclear power reactor, who
transported a formula quantity of strategic special nuclear material or
more than 100 grams of irradiated reactor fuel, or persons who dealt
with SGI through a relationship with any of these categories of
licensees. Under the new rule, 10 CFR 73.21(a)(1), that limitation has
been eliminated, so that the rule applies broadly to ``Each licensee,
certificate holder, applicant or other person who produces, receives,
or acquires Safeguards Information (including Safeguards Information
with the designation or marking: Safeguards Information-Modified
Handling) shall ensure that it is protected against unauthorized
disclosure.''
Elimination of Categories of Persons Permitted Access to SGI
Under the previous SGI rule, only categories of persons
specifically identified in paragraphs 73.21(c)(1)(i) through (iv), or
specifically approved by the Commission on a case by case basis, were
permitted access to Safeguards Information. This often resulted in a
lengthy approval process when certain persons sought access to SGI who
were not included within one of the listed categories. The rule no
longer contains this restriction. In essence, any person who has a need
to know and who has been determined by the possessor of the SGI to be
trustworthy and reliable based on meeting all elements of a background
check, may have access to SGI.
Validity of Active Federal Security Clearances
Several licensees have asked the NRC whether personnel with active
Federal security clearances (e.g., ``Q'' or ``L'' clearances) would be
required to have additional fingerprinting and background checks for
purposes of access to SGI. These stakeholders noted that, although the
orders essentially relieved these individuals from being fingerprinted
for access to SGI (e.g., Order EA-06-155; 71 FR 51861, 51862, August
31, 2006, Paragraph A.3), the new SGI rule did not contain provisions
for continuing this practice.
It is the NRC Staff's view that the SGI rule does not require
additional fingerprinting and background checks for persons with active
Federal security clearances, provided that sufficient documentation of
the active security clearance can be obtained by the adjudicating
official. Rather than being ``relieved'' from the fingerprinting and
background check requirement, such individuals are considered to have
satisfied the requirements through other means, namely, the completion
of their national security clearance investigations. This reflects a
long-standing practice of the Commission as reflected in the hundreds
of SGI fingerprinting orders that it has issued.
Relief From Fingerprinting
In response to licensee questions of ``relief from fingerprinting''
requirements, the staff provides the following clarification. As noted
in the previous section, persons with active Federal security
clearances are not ``relieved'' from being fingerprinted, but rather
may continue to have access to SGI based on the fingerprinting for
their national security clearance investigation and their meeting all
other access requirements. However, 10 CFR 73.59 does identify
categories of persons assigned to or occupying certain positions that are
categorically relieved from fingerprinting by virtue of their
occupational status. These categories of personnel were originally
published in an Immediately Effective Final Rulemaking that created 10
CFR 73.59 (71 FR 33989, June 13, 2006). The final SGI rule maintained
the majority of those relief provisions, with several modifications and
additions. Most notably, 10 CFR 73.59 relieves from fingerprinting
``any agent, contractor, or consultant of the aforementioned persons
who has undergone equivalent criminal history records checks to those
required by 10 CFR 73.22(b) or 10 CFR 73.23(b).''
It is important to note that personnel relieved from the
fingerprinting and other elements of the background check requirement
by 10 CFR 73.59 are still required to possess a valid need to know
prior to obtaining access to SGI or SGI-M.
Storage of SGI or SGI-M
Some licensees raised questions concerning the storage of
Safeguards Information. The section that addresses the protection of
SGI while in use and storage was modified by the final rule, sections
73.22(c)(1) and 73.23(c)(1), to recognize that SGI can be considered
``under the control of an individual authorized access to SGI'' when it
is attended by such a person though not constantly being used.
Safeguards Information within alarm stations, or rooms continuously
occupied by authorized individuals need not be stored in a locked
security container. As has always been the case, SGI must be stored in
a locked security storage container when unattended. In contrast, SGI
controlled as SGI-M need only be stored in a locked file drawer or
cabinet. In either case, the rule requires that the container where SGI
or SGI-M is stored not bear markings that identify the contents.
Marking, Reproduction, and Transmittal of SGI or SGI-M
In response to questions concerning the marking, reproduction and
transmittal of Safeguards Information, the staff provided responses, as
summarized here. The SGI document marking requirements were changed to
assist the reader with the identification of the document's designator
and the date that the document or material was designated as SGI. The
first page of SGI documents or other matter must now contain the name,
title, and organization of the individual authorized to make a SGI
determination and who has determined that the document or other matter
contains SGI. The document or other matter must also indicate the date
that the determination was made, and indicate that unauthorized
disclosure will be subject to civil and criminal sanctions. Additional
instructions were provided to aid those tasked with creating
transmittal letters or memoranda to the NRC that do not in themselves
contain SGI, but are associated with an attachment or enclosure that
does.
When transmittal letters or memoranda to the NRC include
enclosures that contain SGI but do not themselves contain SGI or any
other form of sensitive unclassified information, the transmittal
letter or memorandum shall be conspicuously marked, on the top and
bottom, with the words Safeguards Information. In addition to the SGI
marking at the top and bottom of the transmittal letter or memorandum,
the bottom of the transmittal letter or memorandum shall be marked with
text to inform the reader that the document is decontrolled when
separated from SGI enclosure(s). Correspondence to the NRC containing
SGI and non-SGI must be portion marked (i.e., cover letters, but not
the attachments) to allow the recipient to identify and distinguish
those sections of the correspondence or transmittal document containing
SGI from those that do not. The portion marking requirement is no
longer applicable to guard qualification and training plans. The new
rule has also removed the guidance that allowed documents and other
matter containing SGI in the hands of contractors and agents of
licensees that were produced more than one year prior to the effective
date of the old rule to go unmarked as SGI documents as long as they
remained in storage containers and were not removed for use. Those
documents and other matter, whether or not removed from storage
containers for use, must now be properly marked as SGI documents.
It is important to note, however, that the rule does not require
current possessors of SGI to retroactively mark SGI documents that were
produced prior to the effective date of the rule. As noted by the
Commission in the final rule, ``the Commission does not expect that
licensees or applicants must go back and mark documents for which a
cover sheet was used for the required information instead of the first
page of the document, as set forth in 10 CFR 73.22(d)(1)'' (73 FR
63557).
Safeguards Information may continue to be reproduced to the minimum
extent necessary consistent with need without permission of the
originator. Equipment used to reproduce SGI, however, must be evaluated
to ensure that unauthorized individuals cannot obtain SGI by gaining
access to retained memory or through network connectivity.
The new rule no longer speaks in generalities to the packaging
requirement for SGI that is transmitted outside an authorized place of
use or storage. The rule, sections 73.22(f) and 73.23(f), now states
that SGI or SGI-M, when transmitted outside an authorized place of use
or storage, must be packaged in two sealed envelopes or wrappers to
preclude disclosure of the presence of protected information. The inner
envelope or wrapper must contain the name and address of the intended
recipient and be marked on both sides, top and bottom, with the words
``Safeguards Information'' or ``Safeguards Information-Modified
Handling,'' as applicable. The outer envelope or wrapper must be
opaque, addressed to the intended recipient, must contain the address
of the sender, and may not bear any markings or indication that the
document or other matter contains SGI or SGI-M. The new rule no longer
makes reference to the use of ``messenger-couriers'' for the
transportation of SGI. It now states that SGI or SGI-M may be
transported by any commercial delivery company that provides service
with computer tracking features. It also authorizes the continued use
of U.S. first class, registered, express, or certified mail for the
transportation of SGI. Individuals authorized access to SGI or SGI-M
may also transport SGI or SGI-M outside of an authorized place of use
or storage.
The NRC continues to allow for exceptions when SGI is transmitted
under emergency or extraordinary conditions. Additionally, a
requirement was added to change what was stated as ``protected
telecommunications circuits approved by the NRC'' to ``NRC approved
secure electronic devices, such as facsimiles or telephone devices.''
The authorized use of those NRC-approved devices is conditional and
based upon the transmitter's and receiver's compliance with information
security prerequisites. To meet the requirements, the transmitter and
receiver must implement processes that will provide high assurance that
SGI is protected before and after the transmission. Electronic mail,
through the internet, is permitted provided that the information is
encrypted by a method (Federal Information Processing Standard [FIPS]
140-2 or later) approved by the appropriate NRC office. The information
must be produced by a self-contained secure automatic data process
system, and transmitters and receivers must implement the information
handling processes that will provide high assurance that SGI is
protected before and after transmission.
Electronic Processing of SGI or SGI-M
The requirements for processing SGI on automatic data processing
systems have not been significantly revised by the new SGI rule.
However, there are noticeable differences between the requirements for
processing SGI and SGI-M on computers. For SGI, automatic data
processing systems used to process or produce SGI must continue to be
isolated in that they cannot be connected to a network accessible by
users who are not authorized access to SGI. The requirement that an
entry code be used to access the stored information has been deleted.
However, each computer used to process SGI that is not located within
an approved and lockable security storage container, must have a
removable storage medium with a bootable operating system. The bootable
operating system must be used to load and initialize the computer. The
removable storage medium must also contain the software application
programs, and be secured in a locked security storage container when
not in use.
A mobile device, such as a laptop, may be used for processing SGI
provided the device is secured in a locked security storage container
when not in use. Where previously not addressed in the old rule, the
new rule makes allowance for electronic systems that have been used for
storage, processing or production of SGI to migrate to non-SGI
exclusive use. Any electronic system that has been used for storage,
processing or production of SGI must be free of recoverable SGI prior
to being returned to nonexclusive use. However, SGI-M need not be
processed on a stand-alone computer. The rule permits SGI-M to be
stored, processed or produced on a computer or computer system,
provided that the system is assigned to the licensee's or contractor's
facility. SGI-M files must be protected, either by a password or
encryption. Word processors such as typewriters are not subject to
these requirements as long as they do not transmit information offsite.
Removal From SGI or SGI-M Category
When documents or other matter are removed from the SGI category,
because the information no longer meets the criteria, care must be
exercised to ensure that any document or other matter decontrolled not
disclose SGI in some other form or be combined with other unprotected
information to disclose SGI. The authority to determine that a document
or other matter may be decontrolled will only be exercised by the NRC,
with NRC approval, or in consultation with the individual or
organization that made the original SGI determination.
Destruction of Matter Containing SGI or SGI-M
The final rule now states that SGI and SGI-M shall be destroyed
when no longer needed. The information can be destroyed by burning,
shredding or any other method that precludes reconstruction by means
available to the public at large. Of particular note, the new rule
states a one-quarter inch dimension size for pieces that are
considered destroyed when thoroughly mixed with several pages or
documents.
The NRC will continue to evaluate its requirements, policies and
guidance concerning the protection and unauthorized disclosure of SGI.
Licensees, certificate holders, applicants and other persons who
produce, receive, or acquire SGI will be informed of proposed revisions
or clarifications.
Backfit Discussion
This RIS does not represent a new or different staff position
regarding the implementation of 10 CFR 73.21, 10 CFR 73.22 or 10 CFR
73.23. It requires no action or written response. Any action by
addressees to implement changes to their safeguards information
protection system or procedures in accordance with the information in
this RIS ensures compliance with 10 CFR part 73 and existing orders, is
strictly voluntary and, therefore, is not a backfit under 10 CFR 50.109,
``Backfitting.'' Consequently, the NRC staff did not perform a backfit
analysis.
Federal Register Notification
To be done after the public comments periods.
Congressional Review Act
This RIS is not a rule as designated by the Congressional Review
Act (5 U.S.C. 801-886) and, therefore, is not subject to the Act.
Paperwork Reduction Act Statement
This RIS does not contain any information collections and,
therefore, is not subject to the requirements of the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
Contact
Please direct any questions about this matter to Robert Norman, at
301-415-2278 or by e-mail at robert.norman@nrc.gov.
End of Draft Regulatory Issue Summary
Documents may be examined, and/or copied for a fee, at the NRC's
Public Document Room at One White Flint North, 11555 Rockville Pike
(first floor), Rockville, Maryland. Publicly available records will be
accessible electronically from the Agencywide Documents Access and
Management System (ADAMS) Public Electronic Reading Room on the
Internet at the NRC Web site, http://www.nrc.gov/NRC/ADAMS/index.html.
If you do not have access to ADAMS or if you have problems in accessing
the documents in ADAMS, contact the NRC Public Document Room (PDR)
reference staff at 1-800-397-4209 or 301-415-4737 or by e-mail to
pdr@nrc.gov.
Dated at Rockville, Maryland, this 4th day of March 2009.
For The Nuclear Regulatory Commission,
Martin C. Murphy,
Chief, Generic Communications Branch, Division of Policy and
Rulemaking, Office of Nuclear Reactor Regulation.
[FR Doc. E9-5296 Filed 3-11-09; 8:45 am]
BILLING CODE 7590-01-P