[Federal Register Volume 74, Number 47 (Thursday, March 12, 2009)]
[Notices]
[Pages 10786-10790]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E9-5296]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[NRC-2009-0106]


Proposed Generic Communications; Protection of Safeguards 
Information

AGENCY: Nuclear Regulatory Commission.

ACTION: Notice of opportunity for public comment.

-----------------------------------------------------------------------

SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing to 
issue a regulatory issue summary (RIS) to remind all stakeholders of 
the significant changes to Title 10 of the Code of Federal Regulations 
10 CFR 73.21, 73.22 and 73.23. Previously, many licensees, applicants, 
certificate holders, or other persons were issued Orders in the 
aftermath of the terrorist attacks of September 11, 2001, that required 
them to protect certain detailed information designated as SGI or SGI-
M. Further Orders were issued by the NRC after the enactment of the 
Energy Policy Act of 2005 (EPAct), which expanded the NRC's 
fingerprinting authority with respect to access to SGI. This RIS 
provides clarifying information of the impact of the new rule 
(effective date February 23, 2009).
    This Federal Register notice is available through the NRC's 
Agencywide Documents Access and Management System (ADAMS) under 
accession number ML090630662.

DATES: Comment period expires April 13, 2009. Comments submitted after 
this date will be considered if it is practical to do so, but assurance 
of consideration cannot be given except for comments received on or 
before this date.

ADDRESSES: Submit written comments to the Chief, Rulemaking, Directives 
and Editing Branch, Division of Administrative Services, Office of 
Administration, U.S. Nuclear Regulatory Commission, Mail Stop TWB 
5B01M, Washington, DC 20555-0001, and cite the publication date and 
page number of this Federal Register notice.

FOR FURTHER INFORMATION CONTACT: Robert Norman, at 301-415-2278 or by 
e-mail at [email protected].

SUPPLEMENTARY INFORMATION:

NRC Regulatory Issue Summary 2009-XX

Implementation of New Final Rule, Protection of Safeguards Information

Addressees

    Each NRC licensee, certificate holder, applicant, or other person 
who produces, receives, or acquires Safeguards Information.

[[Page 10787]]

Intent

    The U.S. Nuclear Regulatory Commission (NRC) is issuing this 
regulatory issue summary (RIS) to remind all stakeholders of the 
significant changes to Title 10 of the Code of Federal Regulations 10 
CFR 73.21, 73.22 and 73.23. This RIS provides clarifying information of 
the impact of the new rule (effective date February 23, 2009). This RIS 
requires no action or written response on the part of an addressee.

Background

    Previously, many licensees, applicants, certificate holders, or 
other persons were issued Orders in the aftermath of the terrorist 
attacks of September 11, 2001, that required them to protect certain 
detailed information designated as SGI or SGI-M. Further Orders were 
issued by the NRC after the enactment of the Energy Policy Act of 2005 
(EPAct), which expanded the NRC's fingerprinting authority with respect 
to access to SGI.
    SGI, which includes both SGI and SGI-M, is a special category of 
sensitive unclassified information that licensees must protect from 
unauthorized disclosure under Section 147 of the Atomic Energy Act of 
1954 (AEA), as amended. Section 147 of the AEA gives the Commission 
authority to designate, by regulation or order, other types of 
information as SGI. For example, Section 147.a.(2) of the AEA allows 
the Commission to designate as SGI a licensee's or applicant's detailed 
security measures (including security plans, procedures, and equipment) 
for the physical protection of source material or byproduct material in 
quantities that the Commission determines to be significant to the 
public health and safety or the common defense and security. Prior to 
the events of September 11, the Commission implemented its Section 147 
authority through regulations in 10 CFR sections 73.21 and 73.57. These 
requirements generally applied to security information associated with 
nuclear power plants, formula quantities of strategic special nuclear 
materials, and the transportation of irradiated fuel. However, changes 
in the threat environment after September 11, have resulted in the need 
to protect, as SGI, additional types of security related information 
held by a broader group of persons, including licensees, applicants, 
vendors, and certificate holders. Subsequently, orders were issued that 
increased the number of licensees whose security measures would be 
protected as SGI and added types of security related information that 
would be considered SGI. For example, EA-04-190, issued to certain NRC 
byproduct materials licensees on November 4, 2004 (69 Federal Register 
(FR) 65470, November 12, 2004). The Commission determined the 
unauthorized release of this information could harm the public health 
and safety and the Nation's common defense and security and damage the 
Nation's critical infrastructure, including nuclear power plants and 
other facilities and materials licensed and regulated by the NRC or 
Agreement States.
    Subsequently, Congress enacted the EPAct (Pub. L. 109-58, 119 Stat. 
594). Section 652 of the EPAct amended Section 149 of the AEA to 
require the fingerprinting of a broader class of persons for the 
purpose of checking criminal history records. Before the EPAct, the 
NRC's fingerprinting authority was limited to requiring licensees and 
applicants for a license to operate a nuclear power reactor under 10 
CFR part 50, ``Domestic Licensing of Production and Utilization 
Facilities,'' to fingerprint individuals before granting them access to 
SGI. The EPAct expanded the NRC's authority to require fingerprinting 
of individuals associated with other types of activities before 
granting them access to SGI. The EPAct preserved the Commission's 
authority in Section 149 of the AEA to relieve, by rule, certain 
persons from the fingerprinting, identification, and criminal history 
records checks required for access to SGI. The Commission exercised 
that authority to relieve, by rule, certain categories of persons from 
the fingerprint identification and criminal history records check along 
with other elements of the background check requirement. Categories of 
individuals relieved from the background check are described in 10 CFR 
73.59.
    In addition to the orders mentioned above, the NRC issued a second 
round of orders to licensees to impose the fingerprinting requirements 
mandated by the EPAct. Those orders were issued to the same persons who 
had previously received SGI protection orders, and required 
fingerprinting for an FBI identification and criminal history record 
check for any person with access to SGI. One significant aspect of the 
SGI fingerprinting orders was the requirement that the recipients 
designate a ``reviewing official'' who needed access to SGI, and who 
would be required to be approved by the NRC as ``trustworthy and 
reliable'' based on the NRC's review of his or her fingerprint-based 
criminal history records (e.g., Order EA-06-155; 71 FR 51861, 51862, 
August 31, 2006, Paragraph C.2). The orders specified that only the 
NRC-approved reviewing official could make determinations of access to 
SGI for the licensee. In addition, the SGI fingerprinting orders also 
did not require the fingerprinting of a licensee employee who ``has a 
favorably-decided U.S. Government criminal history records check within 
the last five (5) years, or has an active federal security clearance'' 
id. (Paragraph A.3).
    All of the orders issued by the NRC contained a relaxation clause 
that generally permitted the order issuing official (NRC Office 
Director) to ``in writing, relax or rescind any of the above conditions 
upon demonstration of good cause by the licensee.'' The cumulative 
efforts of the staff to increase the protection requirements associated 
with SGI and SGI-M, culminated in a final rulemaking. The final rule, 
Protection of Safeguards Information, was published in the Federal 
Register on October 24, 2008, (73 FR 63546). As stated in the final 
rule, the purpose of the rulemaking was, in part, to ``implement 
generally applicable requirements for SGI that are similar to 
requirements imposed by the orders.''

Discussion

    Since publication of the final rule in October 2008, licensees and 
other stakeholders who routinely use SGI have raised a number of 
questions with the NRC staff regarding implementation of the final SGI 
rule, which was effective February 23, 2009. All persons subject to the 
rule's requirements (meaning any person, including licensees, vendors, 
industry groups, etc. who are currently in possession of SGI) were 
required to be in compliance with the rule by that date. Based upon 
stakeholder questions and comments with implementation of the rule, the 
NRC is issuing this RIS to review rule requirements and articulate the 
staff's position on several implementation issues. Stakeholders are 
advised to closely examine the final rule itself to ensure that they 
are in compliance with all requirements.

 Continuing Effect of the Orders

    A common question from stakeholders has been whether the final rule 
supersedes the existing SGI Orders. It is the Commission's intent for 
all SGI order requirements to be codified in regulations. However, the 
final rule does not automatically supersede the SGI orders. Those 
orders will remain in effect until further notice and administrative 
action is taken. As the Commission noted in the revised

[[Page 10788]]

proposed rule, ``the final rule would, on its effective date, supersede 
all SGI orders and advisory letters issued prior to that effective 
date. The Commission will, however, take administrative action to 
withdraw all previously issued [sic] orders where appropriate'' (71 FR 
64004, 64009 (October 31, 2006)). The Commission will ultimately have 
to decide when and by what means it will relax the SGI orders. The NRC 
staff is currently examining this issue as well as the need for 
additional SGI rulemaking. As noted earlier, the orders contain several 
provisions, such as the requirement for a ``reviewing official,'' that 
were not included in the final rule that the NRC staff continues to 
view as an essential part of the NRC's SGI protection requirements.\1\
---------------------------------------------------------------------------

    \1\ The NRC staff notes that the Commission has also expressed 
its concern with the continuing effectiveness of the reviewing 
official provision in that only last year, the Commission asked 
Congress for an amendment to Section 149 that would permit the NRC 
to collect fingerprints from persons responsible for making 
decisions regarding a person's trustworthiness and reliability. See 
Letter to the Honorable Nancy Pelosi from Chairman Dale E. Klein, 
dated June 9, 2008 (Legislative Proposal Package, ADAMS Accession 
Number ML0815505691).
---------------------------------------------------------------------------

    The NRC staff also notes that to the extent there may be a conflict 
between the orders and the rule, the more stringent of the requirements 
would apply. For example, the background check requirements of the rule 
would be imposed as a prerequisite for access to SGI. Additionally, 
order recipients would still be obligated to maintain an NRC-approved 
reviewing official as required by the order.

 Grandfathering of Persons With Current Access to SGI

    Some licensees have asked if the access requirements set forth in 
the final SGI rule are applicable to all current and future persons 
subject to the rule's requirements. Persons who have not been subjected 
to the rule's background check requirement (i.e., the employment 
history, education history and personal references check), must 
complete such checks and be found to be trustworthy and reliable by the 
responsible party before they are permitted access to any SGI. This 
does not mean that individuals who have recently been subject to an 
equivalent background check (such as for unescorted access or for 
access to national security information), will have to re-accomplish a 
background check simply for access to SGI. The final rule requirements 
are intended to apply to those individuals to whom these requirements 
have not been applied or have not otherwise been applied in a 
reasonably recent time period.

 Expanded Applicability of the Rule

    An important change to SGI requirements reflected in the final rule 
is the expansion of applicability of the rule to all persons who use 
SGI. Under the previous version of the rule, section 73.21(a), the only 
person subject to the SGI protection requirements by regulations were 
licensees who possessed formula quantities of strategic special nuclear 
material, who were authorized to operate a nuclear power reactor, who 
transported a formula quantity of strategic special nuclear material or 
more than 100 grams of irradiated reactor fuel, or to persons who dealt 
with SGI through a relationship with any of these categories of 
licensees. Under the new rule, 10 CFR 73.21(a)(1), that limitation has 
been eliminated, so that the rule applies broadly to ``Each licensee, 
certificate holder, applicant or other person who produces, receives, 
or acquires Safeguards Information (including Safeguards Information 
with the designation or marking: Safeguards Information-Modified 
Handling) shall ensure that it is protected against unauthorized 
disclosure.''

 Elimination of Categories of Persons Permitted Access to SGI

    Under the previous SGI rule, only categories of persons 
specifically identified in paragraphs 73.21(c)(1)(i) through (iv), or 
specifically approved by the Commission on a case by case basis, were 
permitted access to Safeguards Information. This often resulted in a 
lengthy approval process when certain persons sought access to SGI who 
were not included within one of the listed categories. The rule no 
longer contains this restriction. In essence, any person who has a need 
to know and who has been determined by the possessor of the SGI to be 
trustworthy and reliable based on meeting all elements of a background 
check, may have access to SGI.

 Validity of Active Federal Security Clearances

    Several licensees have asked the NRC whether personnel with active 
Federal security clearances (e.g., ``Q'' or ``L'' clearances) would be 
required to have additional fingerprinting and background checks for 
purposes of access to SGI. These stakeholders noted that, although the 
orders essentially relieved these individuals from being fingerprinted 
for access to SGI (e.g., Order EA-06-155; 71 FR 51861, 51862, August 
31, 2006, Paragraph A.3), the new SGI rule did not contain provisions 
for continuing this practice.
    It is the NRC Staff's view that the SGI rule does not require 
additional fingerprinting and background checks for persons with active 
Federal security clearances, provided that sufficient documentation of 
the active security clearance can be obtained by the adjudicating 
official. Rather than being ``relieved'' from the fingerprinting and 
background check requirement, such individuals are considered to have 
satisfied the requirements through other means, namely, the completion 
of their national security clearance investigations. This reflects a 
long-standing practice of the Commission as reflected in the hundreds 
of SGI fingerprinting orders that it has issued.

 Relief From Fingerprinting

    In response to licensee questions of ``relief from fingerprinting'' 
requirements, the staff provides the following clarification. As noted 
in the previous section, persons with active Federal security 
clearances are not ``relieved'' from being fingerprinted, but rather 
may continue to have access to SGI based on the fingerprinting for 
their national security clearance investigation and their meeting all 
other access requirements. However, 10 CFR 73.59 does identify 
categories of person assigned or occupying certain positions that are 
categorically relieved from fingerprinting by virtue of their 
occupational status. These categories of personnel were originally 
published in an Immediately Effective Final Rulemaking that created 10 
CFR 73.59 (71 FR 33989, June 13, 2006). The final SGI rule maintained 
the majority of those relief provisions, with several modifications and 
additions. Most notably, 10 CFR 73.59 relieves from fingerprinting 
``any agent, contractor, or consultant of the aforementioned persons 
who has undergone equivalent criminal history records checks to those 
required by 10 CFR 73.22(b) or 10 CFR 73.23(b).''
    It is important to note that personnel relieved from the 
fingerprinting and other elements of the background check requirement 
by 10 CFR 73.59 are still required to possess a valid need to know 
prior to obtaining access to SGI or SGI-M.

 Storage of SGI or SGI-M

    Some licensees raised questions concerning the storage of 
Safeguards Information. The section that addresses the protection of 
SGI while in use and storage was modified by the final rule, sections 
73.22(c)(1) and 73.23(c)(1), to recognize that SGI can be considered

[[Page 10789]]

``under the control of an individual authorized access to SGI'' when it 
is attended by such a person though not constantly being used. 
Safeguards Information within alarm stations, or rooms continuously 
occupied by authorized individuals need not be stored in a locked 
security container. As has always been the case, SGI must be stored in 
a locked security storage container when unattended. In contrast, SGI 
controlled as SGI-M need only be stored in a locked file drawer or 
cabinet. In either case, the rule requires that the container where SGI 
or SGI-M is stored not bare markings that identify the contents.

 Marking, Reproduction, and Transmittal of SGI or SGI-M

    In response to questions concerning the marking, reproduction and 
transmittal of Safeguards Information, the staff provided responses, as 
summarized here. The SGI document marking requirements were changed to 
assist the reader with the identification of the document's designator 
and the date that the document or material was designated as SGI. The 
first page of SGI documents or other matter must now contain the name, 
title, and organization of the individual authorized to make a SGI 
determination and who has determined that the document or other matter 
contains SGI. The document or other matter must also indicate the date 
that the determination was made, and indicate that unauthorized 
disclosure will be subject to civil and criminal sanctions. Additional 
instructions were provided to aid those tasked with creating 
transmittal letters or memorandum to the NRC that do not in themselves 
contain SGI, but is associated with an attachment or enclosure that 
does.
    When transmittal letters or memorandum to the NRC include 
enclosures that contain SGI but do not themselves contain SGI or any 
other form of sensitive unclassified information, the transmittal 
letter or memorandum shall be conspicuously marked, on the top and 
bottom, with the words Safeguards Information. In addition to the SGI 
marking at the top and bottom of the transmittal letter or memorandum, 
the bottom of the transmittal letter or memorandum shall be marked with 
text to inform the reader that the document is decontrolled when 
separated from SGI enclosure(s). Correspondence to the NRC containing 
SGI and non-SGI must be portion marked (i.e., cover letters, but not 
the attachments) to allow the recipient to identify and distinguish 
those sections of the correspondence or transmittal document containing 
SGI from those that do not. The portion marking requirement is no 
longer applicable to guard qualification and training plans. The new 
rule has also removed the guidance that allowed documents and other 
matter containing SGI in the hands of contractors and agents of 
licensees that were produced more than one year prior to the effective 
date of the old rule to go unmarked as SGI documents as long as they 
remained in storage containers and were not removed for use. Those 
documents and other matter, whether or not removed from storage 
containers for use, must now be properly marked as SGI documents.
    It is important to note however, that the rule does not require 
current possessors of SGI to retroactively mark SGI documents that were 
produced prior to the effective date of the rule. As noted by the 
Commission in the final rule, ``the Commission does not expect that 
licensees or applicants must go back and mark documents for which a 
cover sheet was used for the required information instead of the first 
page of the document, as set forth in 10 CFR 73.22(d)(1)'' (73 FR 
63557).
    Safeguards Information may continue to be reproduced to the minimum 
extent necessary consistent with need without permission of the 
originator. Equipment used to reproduce SGI however, must be evaluated 
to ensure that unauthorized individuals cannot obtain SGI by gaining 
access to retained memory or through network connectivity.
    The new rule no longer speaks in generalities to the packaging 
requirement for SGI that is transmitted outside an authorized place of 
use or storage. The rule, sections 73.22(f) and 73.23(f), now states 
that SGI or SGI-M, when transmitted outside an authorized place of use 
or storage, must be packaged in two sealed envelopes or wrappers to 
preclude disclosure of the presence of protected information. The inner 
envelope or wrapper must contain the name and address of the intended 
recipient and be marked on both sides, top and bottom, with the words 
``Safeguards Information'' or ``Safeguards Information-Modified 
Handling,'' as applicable. The outer envelope or wrapper must be 
opaque, addressed to the intended recipient, must contain the address 
of the sender, and may not bare any markings or indication that the 
document or other matter contains SGI or SGI-M. The new rule no longer 
makes reference to the use of ``messenger-couriers'' for the 
transportation of SGI. It now states that SGI or SGI-M may be 
transported by any commercial delivery company that provides service 
with computer tracking features. It also authorizes the continued use 
of U.S. first class, registered, express, or certified mail for the 
transportation of SGI. Individuals authorized access to SGI or SGI-M 
may also transport SGI or SGI-M outside of an authorized place of use 
or storage.
    The NRC continues to allow for exceptions when SGI is transmitted 
under emergency or extraordinary conditions. Additionally, a 
requirement was added to change what was stated as ``protected 
telecommunications circuits approved by the NRC'' to ``NRC approved 
secure electronic devices, such as facsimiles or telephone devices.'' 
The authorized use of those NRC-approved devices is conditional and 
based upon the transmitter and receivers compliance with information 
security prerequisites. To meet the requirements, the transmitter and 
receiver must implement processes that will provide high assurance that 
SGI is protected before and after the transmission. Electronic mail, 
through the internet, is permitted provided that the information is 
encrypted by a method (Federal Information Processing Standard [FIPS] 
140-2 or later) approved by the appropriate NRC office. The information 
must be produced by a self contained secure automatic data process 
system; and transmitters and receivers implement the information 
handling processes that will provide high assurance that SGI is 
protected before and after transmission.

 Electronic Processing of SGI or SGI-M

    The requirements for processing SGI on automatic data processing 
systems have not been significantly revised by the new SGI rule. 
However, there are noticeable differences between the requirements for 
processing SGI and SGI-M on computers. For SGI, automatic data 
processing systems used to process or produce SGI must continue to be 
isolated in that they can not be connected to a network accessible by 
users who are not authorized access to SGI. The requirement that an 
entry code be used to access the stored information has been deleted. 
Each computer however, used to process SGI that is not located within 
an approved and lockable security storage container, must have a 
removable storage medium with a bootable operating system. The bootable 
operating system must be used to load and initialize the computer. The 
removable storage medium must also contain the software application 
programs, and be secured in a locked security storage container when 
not in use.

[[Page 10790]]

    A mobile device, such as a laptop, may be used for processing SGI 
provided the device is secured in a locked security storage container 
when not in use. Where previously not addressed in the old rule, the 
new rule makes allowance for electronic systems that have been used for 
storage, processing or production of SGI to migrate to non-SGI 
exclusive use. Any electronic system that has been used for storage, 
processing or production of SGI must be free of recoverable SGI prior 
to being returned to nonexclusive use. However, SGI-M need not be 
processed on a stand-alone computer. The rule permits SGI-M to be 
stored, processed or produced on a computer or computer system, 
provided that the system is assigned to the licensee's or contractor's 
facility. SGI-M files must be protected, either by a password or 
encryption. Word processors such as typewriters are not subject to 
these requirements as long as they do not transmit information offsite.

 Removal From SGI or SGI-M Category

    When documents or other matter are removed from the SGI category, 
because the information no longer meets the criteria, care must be 
exercised to ensure that any document or other matter decontrolled not 
disclose SGI in some other form or be combined with other unprotected 
information to disclose SGI. The authority to determine that a document 
or other matter may be decontrolled will only be exercised by the NRC, 
with the NRC approval, or in consultation with the individual or 
organization that made the original SGI determination.

 Destruction of Matter Containing SGI or SGI-M

    The final rule now states that SGI and SGI-M shall be destroyed 
when no longer needed. The information can be destroyed by burning, 
shredding or any other method that precludes reconstruction by means 
available to the public at large. Of particular note in the new rule it 
is stated one-quarter inch dimension size for pieces that are 
considered destroyed when thoroughly mixed with several pages or 
documents.
    The NRC will continue to evaluate its requirements, policies and 
guidance concerning the protection and unauthorized disclosure of SGI. 
Licensees, certificate holders, applicants and other persons who 
produce, receive, or acquire SGI will be informed of proposed revisions 
or clarifications.

Backfit Discussion

    This RIS does not represent a new or different staff position 
regarding the implementation of 10 CFR 73.21, 10 CFR 73.22 or 10 CFR 
73.23. It requires no action or written response. Any action by 
addressees to implement changes to their safeguards information 
protection system, or procedures in accordance with the information in 
this RIS ensures compliance with 10 CFR part 73 and existing orders, is 
strictly voluntary and therefore, is not a backfit under 10 CFR 50.109, 
``Backfitting.'' Consequently, the NRC staff did not perform a backfit 
analysis.

Federal Register Notification

    To be done after the public comments periods.

Congressional Review Act

    This RIS is not a rule as designated by the Congressional Review 
Act (5 U.S.C. 801-886) and therefore, is not subject to the Act.

Paperwork Reduction Act Statement

    This RIS does not contain any information collections and, 
therefore, is not subject to the requirements of the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3501 et seq.)

Contact

    Please direct any questions about this matter to Robert Norman, at 
301-415-2278 or by e-mail at [email protected].

End of Draft Regulatory Issue Summary

    Documents may be examined, and/or copied for a fee, at the NRC's 
Public Document Room at One White Flint North, 11555 Rockville Pike 
(first floor), Rockville, Maryland. Publicly available records will be 
accessible electronically from the Agencywide Documents Access and 
Management System (ADAMS) Public Electronic Reading Room on the 
Internet at the NRC Web site, http://www.nrc.gov/NRC/ADAMS/index.html. 
If you do not have access to ADAMS or if you have problems in accessing 
the documents in ADAMS, contact the NRC Public Document Room (PDR) 
reference staff at 1-800-397-4209 or 301-415-4737 or by e-mail to 
[email protected].

    Dated at Rockville, Maryland, this 4th day of March 2009.

    For The Nuclear Regulatory Commission,
Martin C. Murphy,
Chief, Generic Communications Branch, Division of Policy and 
Rulemaking, Office of Nuclear Reactor Regulation.
 [FR Doc. E9-5296 Filed 3-11-09; 8:45 am]
BILLING CODE 7590-01-P