Protection of WMD Safeguards Information

This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.

13 October 2006

Two notices.

[Federal Register: October 13, 2006 (Volume 71, Number 198)]

[Notices]

[Page 60583-60587]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr13oc06-110]

-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[EA-06-241]

In the Matter of All Licensees Who Possess Radioactive Material

in Quantities of Concern and All Other Persons Who Obtain Safeguards

Information Described Herein; Order Imposing Requirements for the

Protection of Certain Safeguards Information (Effective Immediately)

The Licensees, identified in Attachment 1 \1\ to this Order, hold

licenses issued in accordance with the Atomic Energy Act of 1954, by

the U.S. Nuclear Regulatory Commission (NRC or Commission) or an

Agreement State, authorizing them to possess and transfer items

containing radioactive material quantities of concern. The NRC intends

to issue security Orders to these licensees in the near future. Orders

will be issued to both NRC and Agreement State materials licensees who

may transport radioactive material quantities of concern. The Orders

will require compliance with specific Additional Security Measures to

enhance the security for transport of certain radioactive material

quantities of concern. The NRC will issue Orders to both NRC and

Agreement State licensees under its authority to protect the common

defense and security, which has not been relinquished to the Agreement

States. The Commission has determined that these documents will contain

Safeguards Information, will not be released to the public, and must be

protected from unauthorized disclosure. Therefore, the Commission is

imposing the requirements, as set forth in Attachments 2 and 3 to this

Order and in Order EA-06-242, so that affected Licensees can receive

these documents. This Order also imposes requirements for the

protection of Safeguards

[[Page 60584]]

Information in the hands of any person,\2\ whether or not a licensee of

the Commission, who produces, receives, or acquires Safeguards

Information.

---------------------------------------------------------------------------

\1\ Attachment 1 contains sensitive information and will not be

released to the public.

\2\ Person means (1) any individual, corporation, partnership,

firm, association, trust, estate, public or private institution,

group, government agency other than the Commission or the

Department, except that the Department shall be considered a person

with respect to those facilities of the Department specified in

section 202 of the Energy Reorganization Act of 1974 (88 Stat.

1244), any State or any political subdivision of, or any political

entity within a State, any foreign government or nation or any

political subdivision of any such government or nation, or other

entity; and (2) any legal successor, representative, agent, or

agency of the foregoing.

---------------------------------------------------------------------------

The Commission has broad statutory authority to protect and

prohibit the unauthorized disclosure of Safeguards Information. Section

147 of the Atomic Energy Act of 1954, as amended, grants the Commission

explicit authority to ``* * * issue such orders, as necessary to

prohibit the unauthorized disclosure of safeguards information * * *''

This authority extends to information concerning transfer of special

nuclear material, source material, and byproduct material. Licensees

and all persons who produce, receive, or acquire Safeguards Information

must ensure proper handling and protection of Safeguards Information to

avoid unauthorized disclosure in accordance with the specific

requirements for the protection of Safeguards Information contained in

Attachments 2 and 3 to this Order. The Commission hereby provides

notice that it intends to treat violations of the requirements

contained in Attachments 2 and 3 to this Order applicable to the

handling and unauthorized disclosure of Safeguards Information as

serious breaches of adequate protection of the public health and safety

and the common defense and security of the United States. Access to

Safeguards Information is limited to those persons who have established

the need-to-know the information, are considered to be trustworthy and

reliable, and meet the requirements of Order EA-06-242. A need-to-know

means a determination by a person having responsibility for protecting

Safeguards Information that a proposed recipient's access to Safeguards

Information is necessary in the performance of official, contractual,

or licensee duties of employment. Licensees and all other persons who

obtain Safeguards Information must ensure that they develop, maintain

and implement strict policies and procedures for the proper handling of

Safeguards Information to prevent unauthorized disclosure, in

accordance with the requirements in Attachments 2 and 3 to this Order.

All licensees must ensure that all contractors whose employees may have

access to Safeguards Information either adhere to the licensee's

policies and procedures on Safeguards Information or develop, maintain

and implement their own acceptable policies and procedures. The

licensees remain responsible for the conduct of their contractors. The

policies and procedures necessary to ensure compliance with applicable

requirements contained in Attachments 2 and 3 to this Order must

address, at a minimum, the following: the general performance

requirement that each person who produces, receives, or acquires

Safeguards Information shall ensure that Safeguards Information is

protected against unauthorized disclosure; protection of Safeguards

Information at fixed sites, in use and in storage, and while in

transit; correspondence containing Safeguards Information; access to

Safeguards Information; preparation, marking, reproduction and

destruction of documents; external transmission of documents; use of

automatic data processing systems; removal of the Safeguards

Information category; the need-to-know the information; and background

checks to determine access to the information.

In order to provide assurance that the licensees are implementing

prudent measures to achieve a consistent level of protection to

prohibit the unauthorized disclosure of Safeguards Information, all

licensees who hold licenses issued by the U.S. Nuclear Regulatory

Commission or an Agreement State authorizing them to possess and who

may transport items containing radioactive material quantities of

concern shall implement the requirements identified in Attachments 2

and 3 to this Order. The Commission recognizes that licensees may have

already initiated many of the measures set forth in Attachments 2 and 3

to this Order for handling of Safeguards Information in conjunction

with current NRC license requirements or previous NRC Orders.

Additional measures set forth in Attachments 2 and 3 to this Order

should be incorporated into the licensee's current program for

Safeguards Information. In addition, pursuant to 10 CFR Part 2.202, I

find that in light of the common defense and security matters

identified above, which warrant the issuance of this Order, the public

health, safety and interest require that this Order be effective

immediately.

III

Accordingly, pursuant to Sections 81, 147, 161b, 161i, 161o, 182

and 186 of the Atomic Energy Act of 1954, as amended, and the

Commission's regulations in 10 CFR 2.202, 10 CFR Part 30, 10 CFR Part

32, 10 CFR Part 35, and 10 CFR Part 70, It is hereby ordered, effective

immediately, that all licensees identified in Attachment 1 to this

order and all other persons who produce, receive, or acquire the

additional security measures identified above (whether draft or final)

or any related safeguards information shall comply with the

requirements of Attachments 2 and 3 to this order.

The Director, Office of Federal and State Materials and

Environmental Management Programs, may, in writing, relax or rescind

any of the above conditions upon demonstration of good cause by the

licensee.

In accordance with 10 CFR 2.202, the Licensee must, and any other

person adversely affected by this Order may, submit an answer to this

Order, and may request a hearing on this Order, within twenty (20) days

of the date of this Order. Where good cause is shown, consideration

will be given to extending the time to request a hearing. A request for

extension of time in which to submit an answer or request a hearing

must be made in writing to the Director, Office of Federal and State

Materials and Environmental Management Programs, U.S. Nuclear

Regulatory Commission, Washington, DC 20555, and include a statement of

good cause for the extension. The answer may consent to this Order.

Unless the answer consents to this Order, the answer shall, in writing

and under oath or affirmation, specifically set forth the matters of

fact and law on which the Licensee or other person adversely affected

relies and the reasons as to why the Order should not have been issued.

Any answer or request for a hearing shall be submitted to the

Secretary, Office of the Secretary of the Commission, U.S. Nuclear

Regulatory Commission, ATTN: Rulemakings and Adjudications Staff,

Washington, DC 20555. Copies also shall be sent to the Director, Office

of Nuclear Material Safety and Safeguards, U.S. Nuclear Regulatory

Commission, Washington, DC 20555, to the Assistant General Counsel for

Materials Litigation and Enforcement at the same address, and to the

Licensee if the answer or hearing request is by a person other than the

Licensee. Because of possible delays in delivery of mail to United

States Government offices, it is requested that

[[Page 60585]]

answers and requests for hearing be transmitted to the Secretary of the

Commission either by means of facsimile transmission to 301-415-1101 or

by e-mail to hearingdocket@nrc.gov and also to the Office of the

General Counsel either by means of facsimile transmission to 301-415-

3725 or by e-mail to OGCMailCenter@nrc.gov. If a person other than the

Licensee requests a hearing, that person shall set forth with

particularity the manner in which his interest is adversely affected by

this Order and shall address the criteria set forth in 10 CFR 2.309.

If a hearing is requested by the Licensee or a person whose

interest is adversely affected, the Commission will issue an Order

designating the time and place of any hearing. If a hearing is held,

the issue to be considered at such hearing shall be whether this Order

should be sustained.

Pursuant to 10 CFR 2.202(c)(2)(i), the Licensee may, in addition to

demanding a hearing, at the time the answer is filed or sooner, move

the presiding officer to set aside the immediate effectiveness of the

Order on the ground that the Order, including the need for immediate

effectiveness, is not based on adequate evidence but on mere suspicion,

unfounded allegations, or error. In the absence of any request for

hearing, or written approval of an extension of time in which to

request a hearing, the provisions specified in Section III above shall

be final twenty (20) days from the date of this Order without further

order or proceedings. If an extension of time for requesting a hearing

has been approved, the provisions specified in Section III shall be

final when the extension expires if a hearing request has not been

received.

An answer or a request for hearing shall not stay the immediate

effectiveness of this order.

Dated this 4th day of October 2006.

For the Nuclear Regulatory Commission.

Charles L. Miller,

Director, Office of Federal and State Materials and Environmental

Management Programs.

Attachment 1--List of Applicable Materials Licensees

Redacted

Attachment 2--Modified Handling Requirements for the Protection of

Certain Safeguards Information (SGI-M)

Modified Handling Requirements for the Protection of Certain Safeguards

Information (SGI-M)

General Requirement

Information and material that the U.S. Nuclear Regulatory

Commission (NRC) determines are safeguards information must be

protected from unauthorized disclosure. In order to distinguish

information needing modified protection requirements from the

safeguards information for reactors and fuel cycle facilities that

require a higher level of protection, the term ``Safeguards

Information-Modified Handling'' (SGI-M) is being used as the

distinguishing marking for certain materials licensees. Each person

who produces, receives, or acquires SGI-M shall ensure that it is

protected against unauthorized disclosure. To meet this requirement,

licensees and persons shall establish and maintain an information

protection system that includes the measures specified below.

Information protection procedures employed by state and local police

forces are deemed to meet these requirements.

Persons Subject to These Requirements

Any person, whether or not a licensee of the NRC, who produces,

receives, or acquires SGI-M is subject to the requirements (and

sanctions) of this document. Firms and their employees that supply

services or equipment to materials licensees would fall under this

requirement if they possess facility SGI-M. A licensee must inform

contractors and suppliers of the existence of these requirements and

the need for proper protection. (See more under Conditions for

Access)

State or local police units who have access to SGI-M are also

subject to these requirements. However, these organizations are

deemed to have adequate information protection systems. The

conditions for transfer of information to a third party, i.e., need-

to-know, would still apply to the police organization as would

sanctions for unlawful disclosure. Again, it would be prudent for

licensees who have arrangements with local police to advise them of

the existence of these requirements.

Criminal and Civil Sanctions

The Atomic Energy Act of 1954, as amended, explicitly provides

that any person, ``whether or not a licensee of the Commission, who

violates any regulations adopted under this section shall be subject

to the civil monetary penalties of section 234 of this Act.''

Furthermore, willful violation of any regulation or order governing

safeguards information is a felony subject to criminal penalties in

the form of fines or imprisonment, or both. See sections 147b. and

223 of the Act.

Conditions for Access

Access to SGI-M beyond the initial recipients of the order will

be governed by the background check requirements imposed by the

order. Access to SGI-M by licensee employees, agents, or contractors

must include both an appropriate need-to-know determination by the

licensee, as well as a determination concerning the trustworthiness

of individuals having access to the information. Employees of an

organization affiliated with the licensee's company, e.g., a parent

company, may be considered as employees of the licensee for access

purposes.

Need-To-Know

Need-to-know is defined as a determination by a person having

responsibility for protecting SGI-M that a proposed recipient's

access to SGI-M is necessary in the performance of official,

contractual, or licensee duties of employment. The recipient should

be made aware that the information is SGI-M and those having access

to it are subject to these requirements as well as criminal and

civil sanctions for mishandling the information.

Occupational Groups

Dissemination of SGI-M is limited to individuals who have an

established need-to-know and who are members of certain occupational

groups. These occupational groups are:

A. An employee, agent, or contractor of an applicant, a

licensee, the Commission, or the United States Government;

B. member of a duly authorized committee of the Congress;

C. The Governor of a State or his designated representative;

D. A representative of the International Atomic Energy Agency

(IAEA) engaged in activities associated with the U.S./IAEA

Safeguards Agreement who has been certified by the NRC;

E. A member of a state or local law enforcement authority that

is responsible for responding to requests for assistance during

safeguards emergencies; or

F. A person to whom disclosure is ordered pursuant to Section

2.744(e) of Part 2 of part 10 of the Code of Federal Regulations.

G. State Radiation Control Program Directors (and State Homeland

Security Directors) or their designees.

In a generic sense, the individuals described above in (A)

through (G) are considered to be trustworthy by virtue of their

employment status. For non-governmental individuals in group (A)

above, a determination of reliability and trustworthiness is

required. Discretion must be exercised in granting access to these

individuals. If there is any indication that the recipient would be

unwilling or unable to provide proper protection for the SGI-M, they

are not authorized to receive SGI-M.

Information Considered for Safeguards Information Designation

Information deemed SGI-M is information the disclosure of which

could reasonably be expected to have a significant adverse effect on

the health and safety of the public or the common defense and

security by significantly increasing the likelihood of theft,

diversion, or sabotage of materials or facilities subject to NRC

jurisdiction.

SGI-M identifies safeguards information which is subject to

these requirements. These requirements are necessary in order to

protect quantities of nuclear material significant to the health and

safety of the public or common defense and security.

The overall measure for consideration of SGI-M is the usefulness

of the information (security or otherwise) to an adversary in

planning or attempting a malevolent act. The specificity of the

information increases the likelihood that it will be useful to an

adversary.

[[Page 60586]]

Protection While in Use

While in use, SGI-M shall be under the control of an authorized

individual. This requirement is satisfied if the SGI-M is attended

by an authorized individual even though the information is in fact

not constantly being used. SGI-M, therefore, within alarm stations,

continuously manned guard posts or ready rooms need not be locked in

file drawers or storage containers.

Under certain conditions the general control exercised over

security zones or areas would be considered to meet this

requirement. The primary consideration is limiting access to those

who have a need-to-know. Some examples would be:

Alarm stations, guard posts and guard ready rooms;

Engineering or drafting areas if visitors are escorted and

information is not clearly visible;

Plant maintenance areas if access is restricted and information

is not clearly visible;

Administrative offices (e.g., central records or purchasing) if

visitors are escorted and information is not clearly visible;

Protection While in Storage

While unattended, SGI-M shall be stored in a locked file drawer

or container. Knowledge of lock combinations or access to keys

protecting SGI-M shall be limited to a minimum number of personnel

for operating purposes who have a ``need-to-know'' and are otherwise

authorized access to SGI-M in accordance with these requirements.

Access to lock combinations or keys shall be strictly controlled so

as to prevent disclosure to an unauthorized individual.

Transportation of Documents and Other Matter

Documents containing SGI-M when transmitted outside an

authorized place of use or storage shall be enclosed in two sealed

envelopes or wrappers. The inner envelope or wrapper shall contain

the name and address of the intended recipient, and be marked on

both sides, top and bottom with the words ``Safeguards Information--

Modified Handling.'' The outer envelope or wrapper must be addressed

to the intended recipient, must contain the address of the sender,

and must not bear any markings or indication that the document

contains SGI-M.

SGI-M may be transported by any commercial delivery company that

provides nationwide overnight service with computer tracking

features, U.S. first class, registered, express, or certified mail,

or by any individual authorized access pursuant to these

requirements.

Within a facility, SGI-M may be transmitted using a single

opague envelope. It may also be transmitted within a facility

without single or double wrapping, provided adequate measures are

taken to protect the material against unauthorized disclosure.

Individuals transporting SGI-M should retain the documents in their

personal possession at all times or ensure that the information is

appropriately wrapped and also secured to preclude compromise by an

unauthorized individual.

Preparation and Marking of Documents

While the NRC is the sole authority for determining what

specific information may be designated as ``SGI-M,'' originators of

documents are responsible for determining whether those documents

contain such information. Each document or other matter that

contains SGI-M shall be marked ``Safeguards Information--Modified

Handling'' in a conspicuous manner on the top and bottom of the

first page to indicate the presence of protected information. The

first page of the document must also contain (i) the name, title,

and organization of the individual authorized to make a SGI-M

determination, and who has determined that the document contains

SGI-M, (ii) the date the document was originated or the

determination made, (iii) an indication that the document contains

SGI-M, and (iv) an indication that unauthorized disclosure would be

subject to civil and criminal sanctions. Each additional page shall

be marked in a conspicuous fashion at the top and bottom with

letters denoting ``Safeguards Information--Modified Handling.''

In additional to the ``Safeguards Information--Modified

Handling'' markings at the top and bottom of each page, transmittal

letters or memoranda which do not in themselves contain SGI-M shall

be marked to indicate that attachments or enclosures contain SGI-M

but that the transmittal does not (e.g., ``When separated from SGI-M

enclosure(s), this document is decontrolled'').

In addition to the information required on the face of the

document, each item of correspondence that contains SGI-M shall, by

marking or other means, clearly indicate which portions (e.g.,

paragraphs, pages, or appendices) contain SGI-M and which do not.

Portion marking is not required for physical security and safeguards

contingency plans.

All documents or other matter containing SGI-M in use or storage

shall be marked in accordance with these requirements. A specific

exception is provided for documents in the possession of contractors

and agents of licensees that were produced more than one year prior

to the effective date of the order. Such documents need not be

marked unless they are removed from file drawers or containers. The

same exception applies to old documents stored away from the

facility in central files or corporation headquarters.

Since information protection procedures employed by state and

local police forces are deemed to meet NRC requirements, documents

in the possession of these agencies need not be marked as set forth

in this document.

Removal From SGI-M Category

Documents containing SGI-M shall be removed from the SGI-M

category (decontrolled) only after the NRC determines that the

information no longer meets the criteria of SGI-M. Licensees have

the authority to make determinations that specific documents which

they created no longer contain SGI-M information and may be

decontrolled. Consideration must be exercised to ensure that any

document decontrolled shall not disclose SGI-M in some other form or

be combined with other unprotected information to disclose SGI-M.

The authority to determine that a document may be decontrolled

may be exercised only by, or with the permission of, the individual

(or office) who made the original determination. The document shall

indicate the name and organization of the individual removing the

document from the SGI-M category and the date of the removal. Other

persons who have the document in their possession should be notified

of the decontrolling of the document.

Reproduction of Matter Containing SGI-M

SGI-M may be reproduced to the minimum extent necessary

consistent with need without permission of the originator. Newer

digital copiers which scan and retain images of documents represent

a potential security concern. If the copier is retaining SGI-M

information in memory, the copier cannot be connected to a network.

It should also be placed in a location that is cleared and

controlled for the authorized processing of SGI-M information.

Different copiers have different capabilities, including some which

come with features that allow the memory to be erased. Each copier

would have to be examined from a physical security perspective.

Use of Automatic Data Processing (ADP) Systems

SGI-M may be processed or produced on an ADP system provided

that the system is assigned to the licensee's or contractor's

facility and requires the use of an entry code/password for access

to stored information. Licensees are encouraged to process this

information in a computing environment that has adequate computer

security controls in place to prevent unauthorized access to the

information. An ADP system is defined here as a data processing

system having the capability of long term storage of SGI-M. Word

processors such as typewriters are not subject to the requirements

as long as they do not transmit information off-site. (Note: If SGI-

M is produced on a typewriter, the ribbon must be removed and stored

in the same manner as other SGI-M information or media.) The basic

objective of these restrictions is to prevent access and retrieval

of stored SGI-M by unauthorized individuals, particularly from

remote terminals. Specific files containing SGI-M will be password-

protected to preclude access by an unauthorized individual. The

National Institute of Standards and Technology (NIST) maintains a

listing of all validated encryption systems at http://csrc.nist.gov/cryptval/140-1/1401val.htm.

SGI-M files may be transmitted over a

network if the file is encrypted. In such cases, the licensee will

select a commercially available encryption system that NIST has

validated as conforming to Federal Information Processing Standards

(FIPS). SGI-M files shall be properly labeled as ``Safeguards

Information--Modified Handling'' and saved to removable media and

stored in a locked file drawer or cabinet.

Telecommunications

SGI-M may not be transmitted by unprotected telecommunications

circuits

[[Page 60587]]

except under emergency or extraordinary conditions. For the purpose

of this requirement, emergency or extraordinary conditions are

defined as any circumstances that require immediate communications

in order to report, summon assistance for, or respond to a security

event (or an event that has potential security significance).

This restriction applies to telephone, telegraph, teletype,

facsimile circuits, and to radio. Routine telephone or radio

transmission between site security personnel, or between the site

and local police, should be limited to message formats or codes that

do not disclose facility security features or response procedures.

Similarly, call-ins during transport should not disclose information

useful to a potential adversary. Infrequent or non-repetitive

telephone conversations regarding a physical security plan or

program are permitted provided that the discussion is general in

nature.

Individuals should use care when discussing SGI-M at meetings or

in the presence of others to ensure that the conversation is not

overheard by persons not authorized access. Transcripts, tapes or

minutes of meetings or hearings that contain SGI-M shall be marked

and protected in accordance with these requirements.

Destruction

Documents containing SGI-M should be destroyed when no longer

needed. They may be destroyed by tearing into small pieces, burning,

shredding or any other method that precludes reconstruction by means

available to the public at large. Piece sizes one half inch or

smaller composed of several pages or documents and thoroughly mixed

would be considered completely destroyed.

Attachment 3--Trustworthiness and Reliability Requirements for

Individuals Handling Safeguards Information

Trustworthiness and Reliability Requirements for Individuals Handling

Safeguards Information

In order to ensure the safe handling, use, and control of

information designated as Safeguards Information, each licensee

shall control and limit access to the information to only those

individuals who have established the need-to-know the information,

and are considered to be trustworthy and reliable. Licensees shall

document the basis for concluding that there is reasonable assurance

that individuals granted access to Safeguards Information are

trustworthy and reliable, and do not constitute an unreasonable risk

for malevolent use of the information.

The Licensee shall comply with the requirements of this

attachment:

1. The trustworthiness and reliability of an individual shall be

determined based on a background investigation:

(a) The background investigation shall address at least the past

three (3) years, and, at a minimum, include verification of

employment, education, and personal references. The licensee shall

also, to the extent possible, obtain independent information to

corroborate that provided by the employee (i.e., seeking references

not supplied by the individual).

(b) If an individual's employment has been less than the

required three (3) year period, educational references may be used

in lieu of employment history.

The licensee's background investigation requirements may be

satisfied for an individual that has an active Federal security

clearance.

2. The licensee shall retain documentation regarding the

trustworthiness and reliability of individual employees for three

years after the individual's employment ends.

[FR Doc. E6-16995 Filed 10-12-06; 8:45 am]

BILLING CODE 7590-01-P

[Federal Register: October 13, 2006 (Volume 71, Number 198)]

[Notices]

[Page 60587-60590]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr13oc06-111]

-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[EA-06-242]

In the Matter of All Licensees Identified in Attachment 1 to

Order EA-06-241 and All Other Persons Who Seek or Obtain Access to

Safeguards Information Described Herein; Order Imposing Fingerprinting

and Criminal History Records Check Requirements for Access to

Safeguards Information (Effective Immediately)

The Licensees identified in Attachment 1 \1\ to Order EA-06-241

hold licenses issued in accordance with the Atomic Energy Act (AEA) of

1954, as amended, by the U.S. Nuclear Regulatory Commission (NRC or

Commission) or Agreement States, authorizing them to engage in an

activity subject to regulation by the Commission or Agreement States.

On August 8, 2005, the Energy Policy Act of 2005 (EPAct) was enacted.

Section 652 of the EPAct amended Section 149 of the AEA to require

fingerprinting and a Federal Bureau of Investigation (FBI)

identification and criminal history records check of any person who is

to be permitted to have access to Safeguards Information (SGI).\2\ The

NRC's implementation of this requirement cannot await the completion of

the SGI rulemaking, which is underway, because the EPAct fingerprinting

and criminal history records check requirements for access to SGI were

immediately effective upon enactment of the EPAct. Although the EPAct

permits the Commission by rule to except certain categories of

individuals from the fingerprinting requirement, which the Commission

has done (see 10 CFR Part 73.59, 71 FR 33,989 (June 13, 2006)), it is

unlikely that licensee employees or others are excepted from the

fingerprinting requirement by the ``fingerprinting relief'' rule.

Individuals relieved from fingerprinting and criminal history records

checks under the relief rule include Federal, State, and local

officials and law enforcement personnel; Agreement State inspectors who

conduct security inspections on behalf of the NRC; members of Congress

and certain employees of members of Congress or Congressional

Committees, and representatives of the International Atomic Energy

Agency (IAEA) or certain foreign government organizations. In addition,

individuals who have a favorably-decided U.S. Government criminal

history records check within the last five (5) years, or individuals

who have active Federal security clearances (provided in either case

that they make available the appropriate documentation), have satisfied

the EPAct fingerprinting requirement and need not be fingerprinted

again. Therefore, in accordance with Section 149 of the AEA, as amended

by the EPAct, the Commission is imposing additional requirements for

access to SGI, as set forth by this Order, so that affected licensees

can obtain and grant access to SGI. This Order also imposes

requirements for access to SGI by any person, from any person,\3\

whether or not a Licensee, Applicant, or Certificate Holder of the

Commission or Agreement States.

---------------------------------------------------------------------------

\1\ Attachment 1 to Order EA-06-241 contains sensitive

information and will not be released to the public.

\2\ Safeguards Information is a form of sensitive, unclassified,

security-related information that the Commission has the authority

to designate and protect under section 147 of the AEA.

\3\ Person means (1) any individual, corporation, partnership,

firm, association, trust, estate, public or private institution,

group, government agency other than the Commission or the Department

of Energy, except that the Department of Energy shall be considered

a person with respect to those facilities of the Department of

Energy specified in section 202 of the Energy Reorganization Act of

1974 (88 Stat. 1244), any State or any political subdivision of, or

any political entity within a State, any foreign government or

nation or any political subdivision of any such government or

nation, or other entity; and (2) any legal successor,

representative, agent, or agency of the foregoing.

---------------------------------------------------------------------------

The Commission has broad statutory authority to protect and

prohibit the unauthorized disclosure of SGI. Section 147 of the AEA

grants the Commission explicit authority to issue such Orders as

necessary to prohibit the unauthorized disclosure of SGI. Furthermore,

Section 652 of the EPAct amended Section 149 of the AEA to require

fingerprinting and an FBI identification and a criminal history records

check of each individual who seeks access to SGI. In addition, no

person may have access to SGI unless

[[Page 60588]]

the person has an established need-to-know the information and

satisfies the trustworthy and reliability requirements described in

Attachment 3 to Order EA-06-241.

In order to provide assurance that the Licensees identified in

Attachment 1 to Order EA-06-241 are implementing appropriate measures

to comply with the fingerprinting and criminal history records check

requirements for access to SGI, all Licensees identified in Attachment

1 to Order EA-06-241 shall implement the requirements of this Order. In

addition, pursuant to 10 CFR 2.202, I find that in light of the common

defense and security matters identified above, which warrant the

issuance of this Order, the public health, safety and interest require

that this Order be effective immediately.

III

Accordingly, pursuant to Sections 81, 147, 149, 161b, 161i, 161o,

182 and 186 of the Atomic Energy Act of 1954, as amended, and the

Commission's regulations in 10 CFR 2.202, 10 CFR Parts 30 and 73, it is

hereby ordered, effective immediately, that all licensees identified in

attachment 1 to order EA-06-241 and all other Persons who seek or

obtain access to safeguards information, as described above, shall

comply with the requirements set forth in this order.

A. 1. No person may have access to SGI unless that person has a

need-to-know the SGI, has been fingerprinted or who has a favorably-

decided FBI identification and criminal history records check, and

satisfies all other applicable requirements for access to SGI.

Fingerprinting and the FBI identification and criminal history records

check are not required, however, for any person who is relieved from

that requirement by 10 CFR 73.59 (71 FR 33989 (June 13, 2006)), or who

has a favorably-decided U.S. Government criminal history records check

within the last five (5) years, or who has an active Federal security

clearance, provided in the latter two cases that the appropriate

documentation is made available to the Licensee's NRC-approved

reviewing official.

2. No person may have access to any SGI if the NRC has determined,

based on fingerprinting and an FBI identification and criminal history

records check, that the person may not have access to SGI.

B. No person may provide SGI to any other person except in

accordance with Condition III.A. above. Prior to providing SGI to any

person, a copy of this Order shall be provided to that person.

C. All Licensees identified in Attachment 1 to Order EA-06-241

shall comply with the following requirements:

1. The Licensee shall, within twenty (20) days of the date of this

Order, establish and maintain a fingerprinting program that meets the

requirements of Attachment 1 to this Order.

2. The Licensee shall, within twenty (20) days of the date of this

Order, submit the fingerprints of one (1) individual who (a) the

Licensee nominates as the ``reviewing official'' for determining access

to SGI by other individuals, and (b) has an established need-to-know

the information and has been determined to be trustworthy and reliable

in accordance with the requirements described in Attachment 3 to Order

EA-06-241. The NRC will determine whether this individual (or any

subsequent reviewing official) may have access to SGI and, therefore,

will be permitted to serve as the Licensee's reviewing official.\4\ The

Licensee may, at the same time or later, submit the fingerprints of

other individuals to whom the Licensee seeks to grant access to SGI.

Fingerprints shall be submitted and reviewed in accordance with the

procedures described in Attachment 1 of this Order.

---------------------------------------------------------------------------

\4\ The NRC's determination of this individual's access to SGI

in accordance with the process described in Enclosure 5 to the

transmittal letter of this Order is an administrative determination

that is outside the scope of this Order.

---------------------------------------------------------------------------

3. The Licensee shall, in writing, within twenty (20) days of the

date of this Order, notify the Commission, (1) if it is unable to

comply with any of the requirements described in this Order, including

Attachment 1 to this Order, or (2) if compliance with any of the

requirements is unnecessary in its specific circumstances. The

notification shall provide the Licensee's justification for seeking

relief from or variation of any specific requirement.

Licensee responses to C.1., C.2., and C.3. above shall be submitted

to the Director, Office of Federal and State Materials and

Environmental Management Programs, U.S. Nuclear Regulatory Commission,

Washington, DC 20555. In addition, Licensee responses shall be marked

as ``Security-Related Information--Withhold Under 10 CFR 2.390.''

The Director, Office of Federal and State Materials and

Environmental Management Programs, may, in writing, relax or rescind

any of the above conditions upon demonstration of good cause by the

Licensee.