[Federal Register Volume 74, Number 47 (Thursday, March 12, 2009)] [Notices] [Pages 10786-10790] From the Federal Register Online via the Government Publishing Office [www.gpo.gov] [FR Doc No: E9-5296] ----------------------------------------------------------------------- NUCLEAR REGULATORY COMMISSION [NRC-2009-0106] Proposed Generic Communications; Protection of Safeguards Information AGENCY: Nuclear Regulatory Commission. ACTION: Notice of opportunity for public comment. ----------------------------------------------------------------------- SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing to issue a regulatory issue summary (RIS) to remind all stakeholders of the significant changes to Title 10 of the Code of Federal Regulations 10 CFR 73.21, 73.22 and 73.23. Previously, many licensees, applicants, certificate holders, or other persons were issued Orders in the aftermath of the terrorist attacks of September 11, 2001, that required them to protect certain detailed information designated as SGI or SGI- M. Further Orders were issued by the NRC after the enactment of the Energy Policy Act of 2005 (EPAct), which expanded the NRC's fingerprinting authority with respect to access to SGI. This RIS provides clarifying information of the impact of the new rule (effective date February 23, 2009). This Federal Register notice is available through the NRC's Agencywide Documents Access and Management System (ADAMS) under accession number ML090630662. DATES: Comment period expires April 13, 2009. Comments submitted after this date will be considered if it is practical to do so, but assurance of consideration cannot be given except for comments received on or before this date. ADDRESSES: Submit written comments to the Chief, Rulemaking, Directives and Editing Branch, Division of Administrative Services, Office of Administration, U.S. Nuclear Regulatory Commission, Mail Stop TWB 5B01M, Washington, DC 20555-0001, and cite the publication date and page number of this Federal Register notice. FOR FURTHER INFORMATION CONTACT: Robert Norman, at 301-415-2278 or by e-mail at [email protected]. SUPPLEMENTARY INFORMATION: NRC Regulatory Issue Summary 2009-XX Implementation of New Final Rule, Protection of Safeguards Information Addressees Each NRC licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information. [[Page 10787]] Intent The U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS) to remind all stakeholders of the significant changes to Title 10 of the Code of Federal Regulations 10 CFR 73.21, 73.22 and 73.23. This RIS provides clarifying information of the impact of the new rule (effective date February 23, 2009). This RIS requires no action or written response on the part of an addressee. Background Previously, many licensees, applicants, certificate holders, or other persons were issued Orders in the aftermath of the terrorist attacks of September 11, 2001, that required them to protect certain detailed information designated as SGI or SGI-M. Further Orders were issued by the NRC after the enactment of the Energy Policy Act of 2005 (EPAct), which expanded the NRC's fingerprinting authority with respect to access to SGI. SGI, which includes both SGI and SGI-M, is a special category of sensitive unclassified information that licensees must protect from unauthorized disclosure under Section 147 of the Atomic Energy Act of 1954 (AEA), as amended. Section 147 of the AEA gives the Commission authority to designate, by regulation or order, other types of information as SGI. For example, Section 147.a.(2) of the AEA allows the Commission to designate as SGI a licensee's or applicant's detailed security measures (including security plans, procedures, and equipment) for the physical protection of source material or byproduct material in quantities that the Commission determines to be significant to the public health and safety or the common defense and security. Prior to the events of September 11, the Commission implemented its Section 147 authority through regulations in 10 CFR sections 73.21 and 73.57. These requirements generally applied to security information associated with nuclear power plants, formula quantities of strategic special nuclear materials, and the transportation of irradiated fuel. However, changes in the threat environment after September 11, have resulted in the need to protect, as SGI, additional types of security related information held by a broader group of persons, including licensees, applicants, vendors, and certificate holders. Subsequently, orders were issued that increased the number of licensees whose security measures would be protected as SGI and added types of security related information that would be considered SGI. For example, EA-04-190, issued to certain NRC byproduct materials licensees on November 4, 2004 (69 Federal Register (FR) 65470, November 12, 2004). The Commission determined the unauthorized release of this information could harm the public health and safety and the Nation's common defense and security and damage the Nation's critical infrastructure, including nuclear power plants and other facilities and materials licensed and regulated by the NRC or Agreement States. Subsequently, Congress enacted the EPAct (Pub. L. 109-58, 119 Stat. 594). Section 652 of the EPAct amended Section 149 of the AEA to require the fingerprinting of a broader class of persons for the purpose of checking criminal history records. Before the EPAct, the NRC's fingerprinting authority was limited to requiring licensees and applicants for a license to operate a nuclear power reactor under 10 CFR part 50, ``Domestic Licensing of Production and Utilization Facilities,'' to fingerprint individuals before granting them access to SGI. The EPAct expanded the NRC's authority to require fingerprinting of individuals associated with other types of activities before granting them access to SGI. The EPAct preserved the Commission's authority in Section 149 of the AEA to relieve, by rule, certain persons from the fingerprinting, identification, and criminal history records checks required for access to SGI. The Commission exercised that authority to relieve, by rule, certain categories of persons from the fingerprint identification and criminal history records check along with other elements of the background check requirement. Categories of individuals relieved from the background check are described in 10 CFR 73.59. In addition to the orders mentioned above, the NRC issued a second round of orders to licensees to impose the fingerprinting requirements mandated by the EPAct. Those orders were issued to the same persons who had previously received SGI protection orders, and required fingerprinting for an FBI identification and criminal history record check for any person with access to SGI. One significant aspect of the SGI fingerprinting orders was the requirement that the recipients designate a ``reviewing official'' who needed access to SGI, and who would be required to be approved by the NRC as ``trustworthy and reliable'' based on the NRC's review of his or her fingerprint-based criminal history records (e.g., Order EA-06-155; 71 FR 51861, 51862, August 31, 2006, Paragraph C.2). The orders specified that only the NRC-approved reviewing official could make determinations of access to SGI for the licensee. In addition, the SGI fingerprinting orders also did not require the fingerprinting of a licensee employee who ``has a favorably-decided U.S. Government criminal history records check within the last five (5) years, or has an active federal security clearance'' id. (Paragraph A.3). All of the orders issued by the NRC contained a relaxation clause that generally permitted the order issuing official (NRC Office Director) to ``in writing, relax or rescind any of the above conditions upon demonstration of good cause by the licensee.'' The cumulative efforts of the staff to increase the protection requirements associated with SGI and SGI-M, culminated in a final rulemaking. The final rule, Protection of Safeguards Information, was published in the Federal Register on October 24, 2008, (73 FR 63546). As stated in the final rule, the purpose of the rulemaking was, in part, to ``implement generally applicable requirements for SGI that are similar to requirements imposed by the orders.'' Discussion Since publication of the final rule in October 2008, licensees and other stakeholders who routinely use SGI have raised a number of questions with the NRC staff regarding implementation of the final SGI rule, which was effective February 23, 2009. All persons subject to the rule's requirements (meaning any person, including licensees, vendors, industry groups, etc. who are currently in possession of SGI) were required to be in compliance with the rule by that date. Based upon stakeholder questions and comments with implementation of the rule, the NRC is issuing this RIS to review rule requirements and articulate the staff's position on several implementation issues. Stakeholders are advised to closely examine the final rule itself to ensure that they are in compliance with all requirements.
Continuing Effect of the Orders A common question from stakeholders has been whether the final rule supersedes the existing SGI Orders. It is the Commission's intent for all SGI order requirements to be codified in regulations. However, the final rule does not automatically supersede the SGI orders. Those orders will remain in effect until further notice and administrative action is taken. As the Commission noted in the revised [[Page 10788]] proposed rule, ``the final rule would, on its effective date, supersede all SGI orders and advisory letters issued prior to that effective date. The Commission will, however, take administrative action to withdraw all previously issued [sic] orders where appropriate'' (71 FR 64004, 64009 (October 31, 2006)). The Commission will ultimately have to decide when and by what means it will relax the SGI orders. The NRC staff is currently examining this issue as well as the need for additional SGI rulemaking. As noted earlier, the orders contain several provisions, such as the requirement for a ``reviewing official,'' that were not included in the final rule that the NRC staff continues to view as an essential part of the NRC's SGI protection requirements.\1\ --------------------------------------------------------------------------- \1\ The NRC staff notes that the Commission has also expressed its concern with the continuing effectiveness of the reviewing official provision in that only last year, the Commission asked Congress for an amendment to Section 149 that would permit the NRC to collect fingerprints from persons responsible for making decisions regarding a person's trustworthiness and reliability. See Letter to the Honorable Nancy Pelosi from Chairman Dale E. Klein, dated June 9, 2008 (Legislative Proposal Package, ADAMS Accession Number ML0815505691). --------------------------------------------------------------------------- The NRC staff also notes that to the extent there may be a conflict between the orders and the rule, the more stringent of the requirements would apply. For example, the background check requirements of the rule would be imposed as a prerequisite for access to SGI. Additionally, order recipients would still be obligated to maintain an NRC-approved reviewing official as required by the order. Grandfathering of Persons With Current Access to SGI Some licensees have asked if the access requirements set forth in the final SGI rule are applicable to all current and future persons subject to the rule's requirements. Persons who have not been subjected to the rule's background check requirement (i.e., the employment history, education history and personal references check), must complete such checks and be found to be trustworthy and reliable by the responsible party before they are permitted access to any SGI. This does not mean that individuals who have recently been subject to an equivalent background check (such as for unescorted access or for access to national security information), will have to re-accomplish a background check simply for access to SGI. The final rule requirements are intended to apply to those individuals to whom these requirements have not been applied or have not otherwise been applied in a reasonably recent time period. Expanded Applicability of the Rule An important change to SGI requirements reflected in the final rule is the expansion of applicability of the rule to all persons who use SGI. Under the previous version of the rule, section 73.21(a), the only person subject to the SGI protection requirements by regulations were licensees who possessed formula quantities of strategic special nuclear material, who were authorized to operate a nuclear power reactor, who transported a formula quantity of strategic special nuclear material or more than 100 grams of irradiated reactor fuel, or to persons who dealt with SGI through a relationship with any of these categories of licensees. Under the new rule, 10 CFR 73.21(a)(1), that limitation has been eliminated, so that the rule applies broadly to ``Each licensee, certificate holder, applicant or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking: Safeguards Information-Modified Handling) shall ensure that it is protected against unauthorized disclosure.'' Elimination of Categories of Persons Permitted Access to SGI Under the previous SGI rule, only categories of persons specifically identified in paragraphs 73.21(c)(1)(i) through (iv), or specifically approved by the Commission on a case by case basis, were permitted access to Safeguards Information. This often resulted in a lengthy approval process when certain persons sought access to SGI who were not included within one of the listed categories. The rule no longer contains this restriction. In essence, any person who has a need to know and who has been determined by the possessor of the SGI to be trustworthy and reliable based on meeting all elements of a background check, may have access to SGI. Validity of Active Federal Security Clearances Several licensees have asked the NRC whether personnel with active Federal security clearances (e.g., ``Q'' or ``L'' clearances) would be required to have additional fingerprinting and background checks for purposes of access to SGI. These stakeholders noted that, although the orders essentially relieved these individuals from being fingerprinted for access to SGI (e.g., Order EA-06-155; 71 FR 51861, 51862, August 31, 2006, Paragraph A.3), the new SGI rule did not contain provisions for continuing this practice. It is the NRC Staff's view that the SGI rule does not require additional fingerprinting and background checks for persons with active Federal security clearances, provided that sufficient documentation of the active security clearance can be obtained by the adjudicating official. Rather than being ``relieved'' from the fingerprinting and background check requirement, such individuals are considered to have satisfied the requirements through other means, namely, the completion of their national security clearance investigations. This reflects a long-standing practice of the Commission as reflected in the hundreds of SGI fingerprinting orders that it has issued. Relief From Fingerprinting In response to licensee questions of ``relief from fingerprinting'' requirements, the staff provides the following clarification. As noted in the previous section, persons with active Federal security clearances are not ``relieved'' from being fingerprinted, but rather may continue to have access to SGI based on the fingerprinting for their national security clearance investigation and their meeting all other access requirements. However, 10 CFR 73.59 does identify categories of person assigned or occupying certain positions that are categorically relieved from fingerprinting by virtue of their occupational status. These categories of personnel were originally published in an Immediately Effective Final Rulemaking that created 10 CFR 73.59 (71 FR 33989, June 13, 2006). The final SGI rule maintained the majority of those relief provisions, with several modifications and additions. Most notably, 10 CFR 73.59 relieves from fingerprinting ``any agent, contractor, or consultant of the aforementioned persons who has undergone equivalent criminal history records checks to those required by 10 CFR 73.22(b) or 10 CFR 73.23(b).'' It is important to note that personnel relieved from the fingerprinting and other elements of the background check requirement by 10 CFR 73.59 are still required to possess a valid need to know prior to obtaining access to SGI or SGI-M. Storage of SGI or SGI-M Some licensees raised questions concerning the storage of Safeguards Information. The section that addresses the protection of SGI while in use and storage was modified by the final rule, sections 73.22(c)(1) and 73.23(c)(1), to recognize that SGI can be considered [[Page 10789]] ``under the control of an individual authorized access to SGI'' when it is attended by such a person though not constantly being used. Safeguards Information within alarm stations, or rooms continuously occupied by authorized individuals need not be stored in a locked security container. As has always been the case, SGI must be stored in a locked security storage container when unattended. In contrast, SGI controlled as SGI-M need only be stored in a locked file drawer or cabinet. In either case, the rule requires that the container where SGI or SGI-M is stored not bare markings that identify the contents. Marking, Reproduction, and Transmittal of SGI or SGI-M In response to questions concerning the marking, reproduction and transmittal of Safeguards Information, the staff provided responses, as summarized here. The SGI document marking requirements were changed to assist the reader with the identification of the document's designator and the date that the document or material was designated as SGI. The first page of SGI documents or other matter must now contain the name, title, and organization of the individual authorized to make a SGI determination and who has determined that the document or other matter contains SGI. The document or other matter must also indicate the date that the determination was made, and indicate that unauthorized disclosure will be subject to civil and criminal sanctions. Additional instructions were provided to aid those tasked with creating transmittal letters or memorandum to the NRC that do not in themselves contain SGI, but is associated with an attachment or enclosure that does. When transmittal letters or memorandum to the NRC include enclosures that contain SGI but do not themselves contain SGI or any other form of sensitive unclassified information, the transmittal letter or memorandum shall be conspicuously marked, on the top and bottom, with the words Safeguards Information. In addition to the SGI marking at the top and bottom of the transmittal letter or memorandum, the bottom of the transmittal letter or memorandum shall be marked with text to inform the reader that the document is decontrolled when separated from SGI enclosure(s). Correspondence to the NRC containing SGI and non-SGI must be portion marked (i.e., cover letters, but not the attachments) to allow the recipient to identify and distinguish those sections of the correspondence or transmittal document containing SGI from those that do not. The portion marking requirement is no longer applicable to guard qualification and training plans. The new rule has also removed the guidance that allowed documents and other matter containing SGI in the hands of contractors and agents of licensees that were produced more than one year prior to the effective date of the old rule to go unmarked as SGI documents as long as they remained in storage containers and were not removed for use. Those documents and other matter, whether or not removed from storage containers for use, must now be properly marked as SGI documents. It is important to note however, that the rule does not require current possessors of SGI to retroactively mark SGI documents that were produced prior to the effective date of the rule. As noted by the Commission in the final rule, ``the Commission does not expect that licensees or applicants must go back and mark documents for which a cover sheet was used for the required information instead of the first page of the document, as set forth in 10 CFR 73.22(d)(1)'' (73 FR 63557). Safeguards Information may continue to be reproduced to the minimum extent necessary consistent with need without permission of the originator. Equipment used to reproduce SGI however, must be evaluated to ensure that unauthorized individuals cannot obtain SGI by gaining access to retained memory or through network connectivity. The new rule no longer speaks in generalities to the packaging requirement for SGI that is transmitted outside an authorized place of use or storage. The rule, sections 73.22(f) and 73.23(f), now states that SGI or SGI-M, when transmitted outside an authorized place of use or storage, must be packaged in two sealed envelopes or wrappers to preclude disclosure of the presence of protected information. The inner envelope or wrapper must contain the name and address of the intended recipient and be marked on both sides, top and bottom, with the words ``Safeguards Information'' or ``Safeguards Information-Modified Handling,'' as applicable. The outer envelope or wrapper must be opaque, addressed to the intended recipient, must contain the address of the sender, and may not bare any markings or indication that the document or other matter contains SGI or SGI-M. The new rule no longer makes reference to the use of ``messenger-couriers'' for the transportation of SGI. It now states that SGI or SGI-M may be transported by any commercial delivery company that provides service with computer tracking features. It also authorizes the continued use of U.S. first class, registered, express, or certified mail for the transportation of SGI. Individuals authorized access to SGI or SGI-M may also transport SGI or SGI-M outside of an authorized place of use or storage. The NRC continues to allow for exceptions when SGI is transmitted under emergency or extraordinary conditions. Additionally, a requirement was added to change what was stated as ``protected telecommunications circuits approved by the NRC'' to ``NRC approved secure electronic devices, such as facsimiles or telephone devices.'' The authorized use of those NRC-approved devices is conditional and based upon the transmitter and receivers compliance with information security prerequisites. To meet the requirements, the transmitter and receiver must implement processes that will provide high assurance that SGI is protected before and after the transmission. Electronic mail, through the internet, is permitted provided that the information is encrypted by a method (Federal Information Processing Standard [FIPS] 140-2 or later) approved by the appropriate NRC office. The information must be produced by a self contained secure automatic data process system; and transmitters and receivers implement the information handling processes that will provide high assurance that SGI is protected before and after transmission. Electronic Processing of SGI or SGI-M The requirements for processing SGI on automatic data processing systems have not been significantly revised by the new SGI rule. However, there are noticeable differences between the requirements for processing SGI and SGI-M on computers. For SGI, automatic data processing systems used to process or produce SGI must continue to be isolated in that they can not be connected to a network accessible by users who are not authorized access to SGI. The requirement that an entry code be used to access the stored information has been deleted. Each computer however, used to process SGI that is not located within an approved and lockable security storage container, must have a removable storage medium with a bootable operating system. The bootable operating system must be used to load and initialize the computer. The removable storage medium must also contain the software application programs, and be secured in a locked security storage container when not in use. [[Page 10790]] A mobile device, such as a laptop, may be used for processing SGI provided the device is secured in a locked security storage container when not in use. Where previously not addressed in the old rule, the new rule makes allowance for electronic systems that have been used for storage, processing or production of SGI to migrate to non-SGI exclusive use. Any electronic system that has been used for storage, processing or production of SGI must be free of recoverable SGI prior to being returned to nonexclusive use. However, SGI-M need not be processed on a stand-alone computer. The rule permits SGI-M to be stored, processed or produced on a computer or computer system, provided that the system is assigned to the licensee's or contractor's facility. SGI-M files must be protected, either by a password or encryption. Word processors such as typewriters are not subject to these requirements as long as they do not transmit information offsite. Removal From SGI or SGI-M Category When documents or other matter are removed from the SGI category, because the information no longer meets the criteria, care must be exercised to ensure that any document or other matter decontrolled not disclose SGI in some other form or be combined with other unprotected information to disclose SGI. The authority to determine that a document or other matter may be decontrolled will only be exercised by the NRC, with the NRC approval, or in consultation with the individual or organization that made the original SGI determination. Destruction of Matter Containing SGI or SGI-M The final rule now states that SGI and SGI-M shall be destroyed when no longer needed. The information can be destroyed by burning, shredding or any other method that precludes reconstruction by means available to the public at large. Of particular note in the new rule it is stated one-quarter inch dimension size for pieces that are considered destroyed when thoroughly mixed with several pages or documents. The NRC will continue to evaluate its requirements, policies and guidance concerning the protection and unauthorized disclosure of SGI. Licensees, certificate holders, applicants and other persons who produce, receive, or acquire SGI will be informed of proposed revisions or clarifications. Backfit Discussion This RIS does not represent a new or different staff position regarding the implementation of 10 CFR 73.21, 10 CFR 73.22 or 10 CFR 73.23. It requires no action or written response. Any action by addressees to implement changes to their safeguards information protection system, or procedures in accordance with the information in this RIS ensures compliance with 10 CFR part 73 and existing orders, is strictly voluntary and therefore, is not a backfit under 10 CFR 50.109, ``Backfitting.'' Consequently, the NRC staff did not perform a backfit analysis. Federal Register Notification To be done after the public comments periods. Congressional Review Act This RIS is not a rule as designated by the Congressional Review Act (5 U.S.C. 801-886) and therefore, is not subject to the Act. Paperwork Reduction Act Statement This RIS does not contain any information collections and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) Contact Please direct any questions about this matter to Robert Norman, at 301-415-2278 or by e-mail at [email protected]. End of Draft Regulatory Issue Summary Documents may be examined, and/or copied for a fee, at the NRC's Public Document Room at One White Flint North, 11555 Rockville Pike (first floor), Rockville, Maryland. Publicly available records will be accessible electronically from the Agencywide Documents Access and Management System (ADAMS) Public Electronic Reading Room on the Internet at the NRC Web site, http://www.nrc.gov/NRC/ADAMS/index.html. If you do not have access to ADAMS or if you have problems in accessing the documents in ADAMS, contact the NRC Public Document Room (PDR) reference staff at 1-800-397-4209 or 301-415-4737 or by e-mail to [email protected]. Dated at Rockville, Maryland, this 4th day of March 2009. For The Nuclear Regulatory Commission, Martin C. Murphy, Chief, Generic Communications Branch, Division of Policy and Rulemaking, Office of Nuclear Reactor Regulation. [FR Doc. E9-5296 Filed 3-11-09; 8:45 am] BILLING CODE 7590-01-P