23 October 2006


[Federal Register: October 23, 2006 (Volume 71, Number 204)]

[Notices]               

[Page 62130-62136]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr23oc06-87]                         



=======================================================================

-----------------------------------------------------------------------



NUCLEAR REGULATORY COMMISSION



[EA-06-224]



 

In the Matter of USEC Inc. (American Centrifuge Plant) and All 

Other Persons Who Seek or Obtain Access to Safeguards Information 

Described Herein; Order Imposing Requirements for the Protection of and 

Access to Safeguards Information (Effective Immediately)



I



    USEC Inc. (USEC or the Applicant) applied for a license, to be 

issued in accordance with the Atomic Energy Act (AEA) of 1954, by the 

U.S. Nuclear Regulatory Commission (NRC or Commission) authorizing it 

to construct and operate a uranium enrichment facility, known as the 

American Centrifuge Plant, in Piketon, Ohio. NRC plans to provide USEC, 

for its information, copies of Orders issued to Category III facilities 

on interim measures to enhance physical security at those facilities. 

Those Orders will contain Safeguards Information.\1\ In addition, in 

the future, the Commission may issue the Applicant additional Orders 

that require compliance with specific additional security measures to 

enhance security at the facility. These Orders are also expected to 

contain Safeguards Information, which cannot be released to the public 

and must be protected from unauthorized disclosure. Therefore, the 

Commission is imposing the requirements, as set forth in Attachments A, 

B, and C of this Order, so that the Applicant can receive these 

documents. This Order also imposes requirements for the protection of 

Safeguards Information in the hands of any person,\2\ whether or not an 

Applicant of the Commission, who produces, receives, or acquires 

Safeguards Information.

---------------------------------------------------------------------------



    \1\ Safeguards Information is a form of sensitive, unclassified, 

security-related information that the Commission has the authority 

to designate and protect under section 147 of the AEA.

    \2\ Person means: (1) Any individual, corporation, partnership, 

firm, association, trust, estate, public or private institution, 

group, government agency other than the Commission or the Department 

of Energy, except that the Department of Energy shall be considered 

a person with respect to those facilities of the Department 

specified in section 202 of the Energy Reorganization Act of 1974 

(88 Stat. 1244), any State or any political subdivision of, or any 

political entity within a State, any foreign government or nation or 

any political subdivision of any such government or nation, or other 

entity; and (2) any legal successor, representative, agent, or 

agency of the foregoing.

---------------------------------------------------------------------------



    On August 8, 2005, the Energy Policy Act of 2005 (EPAct) was 

enacted. Section 652 of the EPAct amended Section 149 of the AEA to 

require fingerprinting and a Federal Bureau of Investigation (FBI) 

identification and criminal history records check of any person who is 

to be permitted to have access to Safeguards Information. The NRC's 

implementation of this requirement cannot await the completion of the 

Safeguards Information rulemaking, which is underway, because the EPAct 

fingerprinting and criminal history check requirements for access to 

Safeguards Information were immediately effective upon enactment of the 

EPAct. Although the EPAct permits the Commission by rule to except 

certain categories of individuals from the fingerprinting requirement, 

which the Commission has done (See 10 CFR 73.59, 71 FR 33,989 (June 13, 

2006)), it is unlikely that many Applicant employees are excepted from 

the fingerprinting requirement by the ``fingerprinting relief'' rule. 

Individuals relieved from the fingerprinting and criminal history 

checks under the relief rule include Federal, State, and local 

officials and law enforcement personnel; Agreement State inspectors, 

who conduct security inspections on behalf of the NRC; members of 

Congress and certain employees of members of Congress or Congressional 

Committees; representatives of the International Atomic Energy Agency 

or certain foreign government organizations. In addition, individuals 

who have a favorably-decided U.S. Government criminal history check 

within the last five (5) years, and individuals who have active Federal 

security clearances (provided in either case that they make available 

the appropriate documentation), have satisfied the EPAct fingerprinting 

requirement and need not be fingerprinted again. Therefore, in 

accordance with Section 149 of the AEA, as amended by the EPAct, the 

Commission is imposing additional requirements, as set forth by this 

Order, for access to Safeguards Information so that affected Applicant 

can obtain and grant access to Safeguards Information. This Order also 

imposes requirements for access to Safeguards Information by any 

person, from any person, whether or not a Licensee, Applicant, or 

Certificate Holder of the Commission or Agreement States.

    Subsequent to the terrorist events of September 11, 2001, the NRC 

issued Orders requiring certain entities to implement Additional 

Security Measures (ASM) or Compensatory Measures (CM) for certain 

radioactive materials. The requirements imposed by these Orders, and 

certain measures

licensees have developed to comply with the Orders, were designated by 

the NRC as Safeguards Information. For some materials licensees, the 

storage and handling requirements for the Safeguards Information have 

been modified from the existing 10 CFR Part 73 Safeguards Information 

requirements for reactors and fuel cycle facilities that require a 

higher level of protection; such Safeguards Information is designated 

as Safeguards Information--Modified Handling (SGI-M). However, the 

information subject to the SGI-M handling and protection requirements 

is Safeguards Information, and licensees, applicants, and other persons 

who seek or obtain access to such Safeguards Information are subject to 

this Order.



II



    The Commission has broad statutory authority to protect Safeguards 

Information and prohibit its unauthorized disclosure. Section 147 of 

the AEA, as amended, grants the Commission explicit authority to ``* * 

* issue such orders, as necessary to prohibit the unauthorized 

disclosure of safeguards information. * * *'' Furthermore, Section 652 

of the EPAct amended Section 149 of the AEA to require fingerprinting 

and an FBI identification and a criminal history records check of each 

individual who seeks access to Safeguards Information. In addition, no 

person may have access to Safeguards Information unless the person has 

an established need-to-know and satisfies the trustworthy and 

reliability requirements of those Orders.

    Licensees, applicants, and all persons who produce, receive, or 

acquire Safeguards Information must ensure proper handling and 

protection of Safeguards Information, to avoid unauthorized disclosure, 

in accordance with the specific requirements for the protection of 

Safeguards Information contained in Attachments A, B, and C. The 

Commission hereby provides notice that it intends to treat violations 

of the requirements contained in Attachments A, B, and C, applicable to 

the handling and unauthorized disclosure of Safeguards Information, as 

serious breaches of adequate protection of the public health and safety 

and the common defense and security of the United States. Access to 

Safeguards Information is limited to those persons who have established 

a need-to-know the information, and are considered to be trustworthy 

and reliable, and who satisfy the fingerprinting and criminal history 

records check required by the EPAct and this Order. A ``need-to-know'' 

means a determination by a person having responsibility for protecting 

Safeguards Information that a proposed recipient's access to Safeguards 

Information is necessary in the performance of official, contractual, 

or Applicant duties of employment. The Applicant and all other persons 

who obtain Safeguards Information must ensure that they develop, 

maintain, and implement strict policies and procedures for the proper 

handling of Safeguards Information, to prevent unauthorized disclosure, 

in accordance with the requirements in Attachments A, B, and C. The 

Applicant must ensure that all contractors whose employees may have 

access to Safeguards Information either adhere to the Applicant's 

policies and procedures on Safeguards Information or develop, maintain, 

and implement their own acceptable policies and procedures. The 

Applicant remains responsible for the conduct of its contractors. The 

policies and procedures necessary to ensure compliance with applicable 

requirements contained in Attachments A, B, and C must address, at a 

minimum, the following: (1) The general performance requirement that 

each person who produces, receives, or acquires Safeguards Information 

shall ensure that Safeguards Information is protected against 

unauthorized disclosure; (2) protection of Safeguards Information at 

fixed sites, in use and in storage, and while in transit; (3) 

correspondence containing Safeguards Information; (4) access to 

Safeguards Information; (5) preparation, marking, reproduction, and 

destruction of documents; (6) external transmission of documents; (7) 

use of automatic data processing systems; and (8) removal of the 

Safeguards Information category.

    To provide assurance that the Applicant is implementing appropriate 

measures to achieve a consistent level of protection to prohibit the 

unauthorized disclosure of Safeguards Information, the Applicant shall 

implement the requirements for access to Safeguards Information in this 

Order, including the requirements in Attachments A, B, and C of this 

Order. In addition, pursuant to 10 CFR 2.202, I find that in light of 

the common defense and security matters identified above, which warrant 

the issuance of this Order, the public health, safety, and interest 

require that this Order be effective immediately.



III



    Accordingly, pursuant to Sections 53, 62, 63, 81, 147, 149, 161b, 

161i, 161o, 182, and 186 of the Atomic Energy Act of 1954, as amended, 

and the Commission's regulations in 10 CFR 2.202, 10 CFR Part 30, 10 

CFR Part 40, and 10 CFR Part 70, It is hereby ordered, Effective 

Immediately, that the applicant and all other persons who produce, 

receive, or acquire the additional security measures identified above 

(whether draft or final), or who seek or obtain access to Safeguards 

Information, shall comply with the requirements set forth in this 

order, including the requirements in Attachments A, B, and C.

    A. 1. No person may have access to Safeguards Information unless 

that person has a need-to-know the Safeguards Information, has been 

fingerprinted or who has a favorably decided FBI identification and 

criminal history records check, and satisfies all other applicable 

requirements for access to Safeguards Information. Fingerprinting and 

the FBI identification and criminal history records check are not 

required, however, for any person who is relieved from that requirement 

by 10 CFR 73.59 (71 FR 33,989 (June 13, 2006)) or who has a 

favorably-decided U.S. Government criminal history check within the last five (5) 

years, or who has an active Federal security clearance, provided in 

each case that the appropriate documentation is made available to the 

Applicant's NRC-approved reviewing official.

    2. No person may have access to any Safeguards Information if the 

NRC has determined, based on fingerprinting and an FBI identification 

and criminal history records check, that the person may not have access 

to Safeguards Information.

    B. No person may provide Safeguards Information to any other person 

except in accordance with condition III.A above. Prior to providing 

Safeguards Information to any person, a copy of this Order shall be 

provided to that person.

    C. The Applicant shall comply with the following requirements:

    1. The Applicant shall, within twenty (20) days of the date of this 

Order, establish and maintain a fingerprinting program that meets the 

requirements of Attachment C to this Order.

    2. The Applicant shall, within twenty (20) days of the date of this 

Order, submit the fingerprints of one (1) individual who needs access 

to Safeguards Information and who the Applicant nominates as the 

``reviewing official'' for determining access to Safeguards Information 

by other individuals. The NRC will determine whether this individual 

(or any subsequent reviewing official) may have access to Safeguards 

Information and, therefore, will be permitted to serve as

the Applicant's reviewing official.\3\ The Applicant may, at the same 

time or later, submit the fingerprints of other individuals to whom the 

Applicant seeks to grant access to Safeguards Information. Fingerprints 

shall be submitted and reviewed in accordance with the procedures 

described in Attachment C of this Order.

---------------------------------------------------------------------------



    \3\ The NRC's determination of this individual's access to 

Safeguards Information in accordance with the process described in 

Enclosure 3 to the transmittal letter of this Order is an 

administrative determination that is outside the scope of this 

Order.

---------------------------------------------------------------------------



    3. The Applicant shall, in writing, within twenty (20) days of the 

date of this Order, notify the Commission, (1) If it is unable to 

comply with any of the requirements described in the Order, including 

Attachments A, B, and C, or (2) if compliance with any of the 

requirements is unnecessary in its specific circumstances. The 

notification shall provide the Applicant's justification for seeking 

relief from or variation of any specific requirement.

    Applicant responses to C.1., C.2., and C.3. above shall be 

submitted to the Director, Office of Nuclear Material Safety and 

Safeguards, U.S. Nuclear Regulatory Commission, Washington, DC 20555. 

In addition, Applicant responses shall be marked as ``Security-Related 

Information--Withhold Under 10 CFR 2.390.'' The Director, Office of 

Nuclear Material Safety and Safeguards, may, in writing, relax or 

rescind any of the above conditions, on demonstration of good cause by 

the Applicant.



IV



    In accordance with 10 CFR 2.202, the Applicant must, and any other 

person adversely affected by this Order may, submit an answer to this 

Order, and may request a hearing on this Order, within twenty (20) days 

of the date of this Order. Where good cause is shown, consideration 

will be given to extending the time to request a hearing. A request for 

extension of time in which to submit an answer or request a hearing 

must be made in writing to the Director, Office of Nuclear Material 

Safety and Safeguards, U.S. Nuclear Regulatory Commission, Washington, 

DC 20555, and include a statement of good cause for the extension. The 

answer may consent to this Order. Unless the answer consents to this 

Order, the answer shall, in writing and under oath or affirmation, 

specifically set forth the matters of fact and law on which the 

Applicant or other person adversely affected relies, and the reasons as 

to why the Order should not have been issued. Any answer or request for 

a hearing shall be submitted to the Secretary, Office of the Secretary, 

U.S. Nuclear Regulatory Commission, ATTN: Rulemakings and Adjudications 

Staff, Washington, DC 20555. Copies also shall be sent to the Director, 

Office of Nuclear Material Safety and Safeguards, U.S. Nuclear 

Regulatory Commission, Washington, DC 20555; to the Assistant General 

Counsel for Materials Litigation and Enforcement, at the same address; 

and to the Applicant, if the answer or hearing request is by a person 

other than the Applicant. Because of possible delays in delivery of 

mail to United States Government offices, it is requested that answers 

and requests for hearing be transmitted to the Secretary of the 

Commission, either by means of facsimile transmission, to 301-415-1101, 

or by e-mail, to hearingdocket@nrc.gov; and also to the Office of the 

General Counsel, either by means of facsimile transmission, to 

301-415-3725, or by e-mail, to OGCMailCenter@nrc.gov. If a person other than 

the Applicant requests a hearing, that person shall set forth with 

particularity the manner in which their interest is adversely affected 

by this Order and shall address the criteria set forth in 10 CFR 2.309.

    If a hearing is requested by the Applicant or a person whose 

interest is adversely affected, the Commission will issue an Order 

designating the time and place of any hearing. If a hearing is held, 

the issue to be considered at such hearing shall be whether this Order 

should be sustained.

    Pursuant to 10 CFR 2.202(c)(2)(i), the Applicant may, in addition 

to demanding a hearing, at the time the answer is filed or sooner, move 

the presiding officer to set aside the immediate effectiveness of the 

Order on the grounds that the Order, including the need for immediate 

effectiveness, is not based on adequate evidence, but on mere 

suspicion, unfounded allegations, or error. In the absence of any 

request for hearing, or written approval of an extension of time in 

which to request a hearing, the provisions specified in Section III 

above shall be final twenty (20) days from the date of this Order, 

without further order or proceedings. If an extension of time for 

requesting a hearing has been approved, the provisions specified in 

Section III shall be final when the extension expires, if a hearing 

request has not been received. An answer or a request for hearing shall 

not stay the immediate effectiveness of this order.



    Dated this 4th day of October 2006.

    For The Nuclear Regulatory Commission.



Jack R. Strosnider,

Director, Office of Nuclear Material Safety and Safeguards.



Attachment A--Modified Handling Requirements for the Protection of 

Certain Safeguards Information (SGI-M)



General Requirement



    Information and material that the U.S. Nuclear Regulatory 

Commission (NRC) determines are safeguards information must be 

protected from unauthorized disclosure. In order to distinguish 

information needing modified protection requirements from the 

safeguards information for reactors and fuel cycle facilities that 

require a higher level of protection, the term ``Safeguards 

Information--Modified Handling'' (SGI-M) is being used as the 

distinguishing marking for certain materials licensees. Each person who 

produces, receives, or acquires SGI-M shall ensure that it is protected 

against unauthorized disclosure. To meet this requirement, applicants, 

licensees, and persons shall establish and maintain an information 

protection system that includes the measures specified below. 

Information protection procedures employed by State and local police 

forces are deemed to meet these requirements.



Persons Subject to These Requirements



    Any person, whether or not an applicant or licensee of the NRC, who 

produces, receives, or acquires SGI-M is subject to the requirements 

(and sanctions) of this document. Firms and their employees that supply 

services or equipment to materials licensees fall under this 

requirement if they possess SGI-M. An applicant or licensee must inform 

contractors and suppliers of the existence of these requirements and 

the need for proper protection. (See more under Conditions for Access) 

State or local police units who have access to SGI-M are also subject 

to these requirements. However, these organizations are deemed to have 

adequate information protection systems. The conditions for transfer of 

information to a third party, i.e., need-to-know, would still apply to 

the police organization as would sanctions for unlawful disclosure. 

Again, it would be prudent for applicants and licensees who have 

arrangements with local police to advise them of the existence of SGI-M 

requirements.



Criminal and Civil Sanctions



    The Atomic Energy Act of 1954, as amended, explicitly provides that 

any person, ``whether or not a licensee of the

Commission, who violates any regulations adopted under this section 

shall be subject to the civil monetary penalties of section 234 of this 

Act.'' Furthermore, willful violation of any regulation or order 

governing safeguards information is a felony subject to criminal 

penalties in the form of fines or imprisonment, or both. See sections 

147b. and 223 of the Act.



Conditions for Access



    Access to SGI-M beyond the initial recipients of the order will be 

governed by the background check requirements imposed by the order. 

Access to SGI-M by applicant or licensee employees, agents, or 

contractors must include both an appropriate need-to-know determination 

by the applicant or licensee, as well as a determination concerning the 

trustworthiness of individuals having access to the information. 

Employees of an organization affiliated with the applicant's or 

licensee's company, e.g., a parent company, may be considered as 

employees of the applicant or licensee for access purposes.



Need-To-Know



    Need-to-know is defined as a determination by a person having 

responsibility for protecting SGI-M that a proposed recipient's access 

to SGI-M is necessary in the performance of official, contractual, or 

applicant or licensee duties of employment. The recipient must be made 

aware that the information is SGI-M and those having access to it are 

subject to these requirements as well as criminal and civil sanctions 

for mishandling the information.



Occupational Groups



    Dissemination of SGI-M is limited to individuals who have an 

established need-to-know and who are members of certain occupational 

groups. These occupational groups are:

    1. An employee, agent, or contractor of an applicant, a licensee, 

the Commission, or the United States Government;

    2. A member of a duly authorized committee of the Congress;

    3. The Governor of a State or his designated representative;

    4. A representative of the International Atomic Energy Agency 

(IAEA) engaged in activities associated with the U.S./IAEA Safeguards 

Agreement who has been certified by the NRC;

    5. A member of a state or local law enforcement authority that is 

responsible for responding to requests for assistance during safeguards 

emergencies;

    6. A person to whom disclosure is ordered pursuant to Section 

2.744(e) of Part 2 of part 10 of the Code of Federal Regulations; or

    7. State Radiation Control Program Directors (and State Homeland 

Security Directors) or their designees.

    In a generic sense, the individuals described above in (1) through 

(7) are considered to be trustworthy by virtue of their employment 

status. For non-governmental individuals in group (1) above, a 

determination of reliability and trustworthiness is required. 

Discretion must be exercised in granting access to the individuals in 

group (1). If there is any indication that the recipient would be 

unwilling or unable to provide proper protection for the SGI-M, they 

are not authorized to receive SGI-M.



Information Considered for Safeguards Information Designation



    Information deemed SGI-M is information the disclosure of which 

could reasonably be expected to have a significant adverse effect on 

the health and safety of the public or the common defense and security 

by significantly increasing the likelihood of theft, diversion, or 

sabotage of materials or facilities subject to NRC jurisdiction.

    SGI-M identifies safeguards information which is subject to these 

requirements. These requirements are necessary in order to protect 

quantities of nuclear material significant to the health and safety of 

the public or common defense and security.

    The overall measure for consideration of SGI-M is the usefulness of 

the information (security or otherwise) to an adversary in planning or 

attempting a malevolent act. The specificity of the information 

increases the likelihood that it will be useful to an adversary.



Protection While in Use



    While in use, SGI-M shall be under the control of an authorized 

individual. This requirement is satisfied if the SGI-M is attended by 

an authorized individual even though the information is in fact not 

constantly being used. SGI-M, therefore, within alarm stations, 

continuously manned guard posts or ready rooms need not be locked in 

file drawers or storage containers.

    Under certain conditions the general control exercised over 

security zones or areas would be considered to meet this requirement. 

The primary consideration is limiting access to those who have a 

need-to-know. Some examples would be:

    Alarm stations, guard posts and guard ready rooms;

    Engineering or drafting areas if visitors are escorted and 

information is not clearly visible;

    Plant maintenance areas if access is restricted and information is 

not clearly visible;

    Administrative offices (e.g., central records or purchasing) if 

visitors are escorted and information is not clearly visible.



Protection While in Storage



    While unattended, SGI-M shall be stored in a locked file drawer or 

container. Knowledge of lock combinations or access to keys protecting 

SGI-M shall be limited to a minimum number of personnel for operating 

purposes who have a ``need-to-know'' and are otherwise authorized 

access to SGI-M in accordance with these requirements. Access to lock 

combinations or keys shall be strictly controlled so as to prevent 

disclosure to an unauthorized individual.



Transportation of Documents and Other Matter



    Documents containing SGI-M when transmitted outside an authorized 

place of use or storage shall be enclosed in two sealed envelopes or 

wrappers. The inner envelope or wrapper shall contain the name and 

address of the intended recipient, and be marked both sides, top and 

bottom with the words ``Safeguards Information--Modified Handling.'' 

The outer envelope or wrapper must be addressed to the intended 

recipient, must contain the address of the sender, and must not bear 

any markings or indication that the document contains SGI-M.

    SGI-M may be transported by any commercial delivery company that 

provides nationwide overnight service with computer tracking features, 

U.S. first class, registered, express, or certified mail, or by any 

individual authorized access pursuant to these requirements.

    Within a facility, SGI-M may be transmitted using a single opaque 

envelope. It may also be transmitted within a facility without single 

or double wrapping, provided adequate measures are taken to protect the 

material against unauthorized disclosure. Individuals transporting 

SGI-M should retain the documents in their personal possession at all times 

or ensure that the information is appropriately wrapped and also 

secured to preclude compromise by an unauthorized individual.



Preparation and Marking of Documents



    While the NRC is the sole authority for determining what specific

information may be designated as ``SGI-M,'' originators of documents 

are responsible for determining whether those documents contain such 

information. Each document or other matter that contains SGI-M shall be 

marked ``Safeguards Information--Modified Handling'' in a conspicuous 

manner on the top and bottom of the first page to indicate the presence 

of protected information. The first page of the document must also 

contain (i) The name, title, and organization of the individual 

authorized to make a SGI-M determination, and who has determined that 

the document contains SGI-M, (ii) the date the document was originated 

or the determination made, (iii) an indication that the document 

contains SGI-M, and (iv) an indication that unauthorized disclosure 

would be subject to civil and criminal sanctions. Each additional page 

shall be marked in a conspicuous fashion at the top and bottom with 

letters denoting ``Safeguards Information--Modified Handling.''

    In addition to the ``Safeguards Information--Modified Handling'' 

markings at the top and bottom of page, transmittal letters or 

memoranda which do not in themselves contain SGI-M shall be marked to 

indicate that attachments or enclosures contain SGI-M but that the 

transmittal does not (e.g., ``When separated from SGI-M enclosure(s), 

this document is decontrolled'').

    In addition to the information required on the face of the 

document, each item of correspondence that contains SGI-M shall, by 

marking or other means, clearly indicate which portions (e.g., 

paragraphs, pages, or appendices) contain SGI-M and which do not. 

Portion marking is not required for physical security and safeguards 

contingency plans.

    All documents or other matter containing SGI-M in use or storage 

shall be marked in accordance with these requirements. A specific 

exception is provided for documents in the possession of contractors 

and agents of applicants or licensees that were produced more than one 

year prior to the effective date of the order. Such documents need not 

be marked unless they are removed from file drawers or containers. The 

same exception applies to old documents stored away from the facility 

in central files or corporation headquarters.

    Since information protection procedures employed by State and local 

police forces are deemed to meet NRC requirements, documents in the 

possession of these agencies need not be marked as set forth in this 

document.



Removal from SGI-M Category



    Documents containing SGI-M shall be removed from the SGI-M category 

(decontrolled) only after the NRC determines that the information no 

longer meets the criteria of SGI-M. Applicants and licensees have the 

authority to make determinations that specific documents which they 

created no longer contain SGI-M information and may be decontrolled. 

Consideration must be exercised to ensure that any document 

decontrolled shall not disclose SGI-M in some other form or be combined 

with other unprotected information to disclose SGI-M.

    The authority to determine that a document may be decontrolled may 

be exercised only by, or with the permission of, the individual (or 

office) who made the original determination. The document shall 

indicate the name and organization of the individual removing the 

document from the SGI-M category and the date of the removal. Other 

persons who have the document in their possession should be notified of 

the decontrolling of the document.



Reproduction of Matter Containing SGI-M



    SGI-M may be reproduced to the minimum extent necessary consistent 

with need without permission of the originator. Newer digital copiers 

which scan and retain images of documents represent a potential 

security concern. If the copier is retaining any information in memory, 

the copier cannot be connected to a network. It should also be placed 

in a location that is cleared and controlled for the authorized 

processing of SGI-M information. Different copiers have different 

capabilities, including some which come with features that allow the 

memory to be erased. Each copier would have to be examined from a 

physical security perspective.



Use of Automatic Data Processing (ADP) Systems



    SGI-M may be processed or produced on an ADP system provided that 

the system is assigned to the applicant's, licensee's, or contractor's 

facility and requires the use of an entry code/password for access to 

stored information. Applicants or licensees must process this 

information in a computing environment that has adequate computer 

security controls in place to prevent unauthorized access to the 

information. An ADP system is defined here as a data processing system 

having the capability of long term storage of information. Word 

processors such as typewriters are not subject to the requirements as 

long as they do not transmit information off-site. (Note: if SGI-M is 

produced on a typewriter, the ribbon must be removed and stored in the 

same manner as other SGI-M information or media.) The basic objective 

of these restrictions is to prevent access and retrieval of stored 

SGI-M by unauthorized individuals, particularly from remote terminals. 

Specific files containing SGI-M will be password protected to preclude 

access by an unauthorized individual. SGI-M files may be transmitted 

over a network if the file is encrypted. In such cases, the applicant 

or licensee will select a commercially available encryption system that 

National Institute of Standards and Technology (NIST) has validated as 

conforming to Federal Information Processing Standards (FIPS). SGI-M 

files shall be properly labeled as ``Safeguards Information--Modified 

Handling'' and saved to removable media and stored in a locked file 

drawer or cabinet. The NIST maintains a listing of all validated 

encryption systems at http://csrc.nist.gov/cryptval/140-1/1401val.htm.





Telecommunications



    SGI-M may not be transmitted by unprotected telecommunications 

circuits except under emergency or extraordinary conditions. For the 

purpose of this requirement, emergency or extraordinary conditions are 

defined as any circumstances that require immediate communications in 

order to report, summon assistance for, or respond to a security event 

(or an event that has potential security significance).

    This restriction applies to telephone, telegraph, teletype, 

facsimile circuits, and to radio. Routine telephone or radio 

transmission between site security personnel, or between the site and 

local police, should be limited to message formats or codes that do not 

disclose facility security features or response procedures. Similarly, 

call-ins during transport should not disclose information useful to a 

potential adversary. Infrequent or non-repetitive telephone 

conversations regarding a physical security plan or program are 

permitted provided that the discussion is general in nature.

    Individuals should use care when discussing SGI-M at meetings or in 

the presence of others to ensure that the conversation is not overheard 

by persons not authorized access. Transcripts, tapes or minutes of 

meetings or hearings that contain SGI-M shall be marked and protected 

in accordance with these requirements.






Destruction



    Documents containing SGI-M must be destroyed when no longer needed. 

They may be destroyed by tearing into small pieces, burning, shredding 

or any other method that precludes reconstruction by means available to 

the public at large. Piece sizes one half inch or smaller composed of 

several pages or documents and thoroughly mixed are considered 

completely destroyed.



Attachment B--Trustworthiness and Reliability Requirements for 

Individuals Handling Safeguards Information



    Applicants or licensees shall document the basis for concluding 

that there is reasonable assurance that individuals granted access to 

safeguards information are trustworthy and reliable, and do not 

constitute an unreasonable risk for malevolent use of the regulated 

material.

    The trustworthiness, reliability, and verification of an 

individual's true identity shall be determined based on a background 

investigation. The background investigation shall address at least the 

past three (3) years, and, as a minimum, include a Federal Bureau of 

Investigation fingerprinting and criminal history check, verification 

of employment history, education, employment eligibility, credit check, 

and personal references. If an individual's employment has been less 

than the required three (3) year period, educational references may be 

used in lieu of employment history.

    The applicant's or licensee's background investigation requirements 

may be satisfied for an individual that has an active Federal security 

clearance.



Attachment C--Requirements for Fingerprinting and Criminal History 

Checks of Individuals When Applicant's or Licensee's Reviewing Official 

is Determining Access to Safeguards Information



General Requirements



    Applicants and licensees shall comply with the requirements of this 

attachment.

    1. a. Each applicant or licensee subject to the provisions of this 

attachment shall fingerprint each individual who is seeking or 

permitted access to Safeguards Information (SGI). The Applicant or 

Licensee shall review and use the information received from the Federal 

Bureau of Investigation (FBI) and ensure that the provisions contained 

in the subject Order and this attachment are satisfied.

    b. The Applicant or Licensee shall notify each affected individual 

that the fingerprints will be used to secure a review of his/her 

criminal history record and inform the individual of the procedures for 

revising the record or including an explanation in the record, as 

specified in the ``Right to Correct and Complete Information'' section 

of this attachment.

    c. Fingerprints need not be taken if an employed individual (e.g., 

an applicant or licensee employee, contractor, manufacturer, or 

supplier) is relieved from the fingerprinting requirement by 10 CFR 

73.59, has a favorably-decided U.S. Government criminal history check 

within the last five (5) years, or has an active Federal security 

clearance. Written confirmation from the Agency/employer which granted 

the Federal security clearance or reviewed the criminal history check 

must be provided. The Applicant or Licensee must retain this 

documentation for a period of three (3) years from the date the 

individual no longer requires access to SGI associated with the 

Applicant's or Licensee's activities.

    d. All fingerprints obtained by the Applicant or Licensee pursuant 

to this Order must be submitted to the Commission for transmission to 

the FBI.

    e. The Applicant or Licensee shall review the information received 

from the FBI and consider it, in conjunction with the trustworthiness and 

reliability requirements, in making a determination whether to grant 

access to Safeguards Information to individuals who have a need-to-know 

the SGI.

    f. The Applicant or Licensee shall use any information obtained as 

part of a criminal history records check solely for the purpose of 

determining an individual's suitability for access to Safeguards 

Information.

    g. The Applicant or Licensee shall document the basis for its 

determination whether to grant access to SGI.

    2. The Applicant or Licensee shall notify the NRC of any desired 

change in reviewing officials. The NRC will determine whether the 

individual nominated as the new reviewing official may have access to 

Safeguards Information based on a previously-obtained or new criminal 

history check and, therefore, will be permitted to serve as the 

Applicant's or Licensee's reviewing official.



Prohibitions



    The Applicant or Licensee shall not base a final determination to 

deny an individual access to Safeguards Information solely on the basis 

of information received from the FBI involving: an arrest more than one 

(1) year old for which there is no information of the disposition of 

the case, or an arrest that resulted in dismissal of the charge or an 

acquittal.

    The Applicant or Licensee shall not use information received from a 

criminal history check obtained pursuant to this Order in a manner that 

would infringe upon the rights of any individual under the First 

Amendment to the Constitution of the United States, nor shall the 

Applicant or Licensee use the information in any way which would 

discriminate among individuals on the basis of race, religion, national 

origin, sex, or age.



Procedures for Processing Fingerprint Checks



    For the purpose of complying with this Order, the Applicant or 

Licensee shall, using an appropriate method listed in 10 CFR 73.4, 

submit to the NRC's Division of Facilities and Security, Mail Stop 

T-6E46, one completed, legible standard fingerprint card (Form FD-258, 

ORIMDNRCOOOZ) or, where practicable, other fingerprint records for each 

individual seeking access to Safeguards Information, to the Director of 

the Division of Facilities and Security, marked for the attention of 

the Division's Criminal History Check Section. Copies of these forms 

may be obtained by writing the Office of Information Services, U.S. 

Nuclear Regulatory Commission, Washington, DC 20555-0001, by calling 

(301) 415-5877, or by e-mail to forms@nrc.gov. Practicable alternative 

formats are set forth in 10 CFR 73.4. The Applicant or Licensee shall 

establish procedures to ensure that the quality of the fingerprints 

taken results in minimizing the rejection rate of fingerprint cards due 

to illegible or incomplete cards.

    The NRC will review submitted fingerprint cards for completeness. 

Any Form FD-258 fingerprint record containing omissions or evident 

errors will be returned to the Applicant for corrections. The fee for 

processing fingerprint checks includes one re-submission if the initial 

submission is returned by the FBI because the fingerprint impressions 

cannot be classified. The one free re-submission must have the FBI 

Transaction Control Number reflected on the re-submission. If 

additional submissions are necessary, they will be treated as initial 

submittals and will require a second payment of the processing fee.

    Fees for processing fingerprint checks are due upon application. 

Applicants or licensees shall submit payment with the application for 

processing fingerprints by corporate check, certified check, cashier's 

check, money order, or electronic payment, made payable to ``U.S. 

NRC.'' [For guidance on making 

electronic payments, contact the Facilities Security Branch, Division 

of Facilities and Security, at (301) 415-7739]. Combined payment for 

multiple applications is acceptable. The application fee (currently 

$27) is the sum of the user fee charged by the FBI for each fingerprint 

card or other fingerprint record submitted by the NRC on behalf of the 

Applicant or Licensee, and an NRC processing fee, which covers 

administrative costs associated with NRC handling of Applicant or 

Licensee fingerprint submissions. The Commission will directly notify 

applicants or licensees who are subject to this regulation of any fee 

changes.

    The Commission will forward to the submitting Applicant or Licensee 

all data received from the FBI as a result of the Applicant's or 

Licensee's application(s) for criminal history checks, including the 

FBI fingerprint record.



Right To Correct and Complete Information



    Prior to any final adverse determination, the Applicant or Licensee 

shall make available to the individual the contents of any criminal 

records obtained from the FBI for the purpose of assuring correct and 

complete information. Written confirmation by the individual of receipt 

of this notification must be maintained by the Applicant or Licensee 

for a period of one (1) year from the date of the notification.

    If, after reviewing the record, an individual believes that it is 

incorrect or incomplete in any respect and wishes to change, correct, 

or update the alleged deficiency, or to explain any matter in the 

record, the individual may initiate challenge procedures. These 

procedures include either direct application by the individual 

challenging the record to the agency (i.e., law enforcement agency) 

that contributed the questioned information, or direct challenge as to 

the accuracy or completeness of any entry on the criminal history 

record to the Assistant Director, Federal Bureau of Investigation 

Identification Division, Washington, DC 20537-9700 (as set forth in 28 

CFR 16.30 through 16.34). In the latter case, the FBI forwards the 

challenge to the agency that submitted the data and requests that 

agency to verify or correct the challenged entry. Upon receipt of an 

official communication directly from the agency that contributed the 

original information, the FBI Identification Division makes any changes 

necessary in accordance with the information supplied by that agency. 

The Applicant or Licensee must provide at least ten (10) days for an 

individual to initiate an action challenging the results of an FBI 

criminal history records check after the record is made available for 

his/her review. The Applicant or Licensee may make a final SGI access 

determination based upon the criminal history record only upon receipt 

of the FBI's ultimate confirmation or correction of the record. Upon a 

final adverse determination on access to SGI, the Applicant or Licensee 

shall provide the individual its documented basis for denial. Access to 

SGI shall not be granted to an individual during the review process.



Protection of Information



    1. Each Applicant or Licensee who obtains a criminal history record 

on an individual pursuant to this Order shall establish and maintain a 

system of files and procedures for protecting the record and the 

personal information from unauthorized disclosure.

    2. The Applicant or Licensee may not disclose the record or 

personal information collected and maintained to persons other than the 

subject individual, his/her representative, or to those who have a need 

to access the information in performing assigned duties in the process 

of determining access to Safeguards Information. No individual 

authorized to have access to the information may re-disseminate the 

information to any other individual who does not have a need-to-know.

    3. The personal information obtained on an individual from a 

criminal history record check may be transferred to another Applicant 

or Licensee if the Applicant or Licensee holding the criminal history 

check record receives the individual's written request to 

re-disseminate the information contained in his/her file, and the gaining 

Applicant or Licensee verifies information such as the individual's 

name, date of birth, social security number, sex, and other applicable 

physical characteristics for identification purposes.

    4. The Applicant or Licensee shall make criminal history records, 

obtained under this section, available for examination by an authorized 

representative of the NRC to determine compliance with the regulations 

and laws.

    5. The Applicant or Licensee shall retain all fingerprint and 

criminal history records received from the FBI, or a copy if the 

individual's file has been transferred, for three (3) years after 

termination of employment or denial of access to SGI. After the 

required three (3) year period, these documents shall be destroyed by a 

method that will prevent reconstruction of the information in whole or 

in part.



 [FR Doc. E6-17726 Filed 10-20-06; 8:45 am]



BILLING CODE 7590-01-P