See also: RIS 2003-08

Text

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS

WASHINGTON, DC 20555-0001

April 30, 2003

NRC REGULATORY ISSUE SUMMARY 2003-08

PROTECTION OF SAFEGUARDS INFORMATION

FROM UNAUTHORIZED DISCLOSURE

ADDRESSEES

All holders of operating licenses for nuclear power reactors, decommissioning reactor facilities,

independent spent fuel storage installations, research and test reactors, large panoramic and

underwater irradiators, and fuel cycle facilities.

INTENT

The U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS)

and the attached Summary of Safeguards Information Requirements to inform addressees of

the importance of protecting Safeguards Information from inadvertent release and unauthorized

disclosure. The need to protect sensitive security information from inadvertent release and

unauthorized disclosure which might compromise the security of nuclear facilities is heightened

since the events of September 11, 2001. Addressees, including all cognizant personnel, have a

continuing obligation to be mindful of their responsibilities in protecting such security

information. Although many addressees have extensive experience in complying with

applicable regulations related to handling and protection of Safeguards Information, additional

licensees and individuals with limited or no experience in this area may now or soon will be

covered by these requirements. This RIS is intended to serve as a consolidated source of

information to reinforce the overall knowledge of Safeguards Information requirements as well

as to highlight the serious consequences for failure to control and protect it.

Licensees are encouraged to broadly disseminate this information to affected employees and to

post the attached Summary of Safeguards Information Requirements in areas where

employees who handle Safeguards Information are located.

BACKGROUND

Several recent events involving published articles or comments to the media demonstrate the

need for the NRC to reemphasize the importance of protecting Safeguards Information from

inadvertent release and unauthorized disclosure. The release of this information, for example,

could result in harm to the public health and safety and the Nation's common defense and

security, as well as damage to the Nation's critical infrastructure, including nuclear power plants

and other facilities licensed and regulated by the NRC.

RIS 2003-08

Page 2 of 4

SUMMARY OF ISSUE

Safeguards Information is a special category of sensitive unclassified information authorized by

Section 147 of the Atomic Energy Act of 1954, as amended (the Act), to be protected. While

Safeguards Information is considered sensitive unclassified information, it is handled and

protected more like classified confidential information than like other sensitive unclassified

information (e.g., privacy and proprietary information). Access to Safeguards Information is

controlled by a valid need-to-know and an indication of trustworthiness normally obtained

through a background check. The criteria for designating special nuclear material and power

reactor information as Safeguards Information and associated restrictions on access to and

protection of Safeguards Information are codified in Section 73.21 of Title 10 of the Code of

Federal Regulations (10 CFR 73.21). Part 73 applies to licensees of operating power reactors,

research and test reactors, decommissioning facilities, facilities transporting irradiated reactor

fuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types of

information designated as Safeguards Information include the physical security plan for a

nuclear facility or site possessing special nuclear material, the design features of the physical

protection system, operational procedures for the security organization, improvements or

upgrades to the security system, and vulnerabilities or weaknesses not yet corrected, and such

other information as the Commission may designate by order. An example of additional

information designated by order is the January 7, 2003 order to operating power reactor

licensees concerning access authorization programs. That order made the details of NRC's

enhanced access authorization requirements and licensee response to these requirements

Safeguards Information. Another example is the April 29, 2003 order to operating power

reactor licensees concerning security force training requirements.

In addition to the licensees subject to the Safeguards Information requirements of Part 73, and

the types of information designated as Safeguards Information under those regulations, the

Commission has authority under Section 147 to designate, by regulation or order, other types of

information as Safeguards Information. For example, Section 147 allows the Commission to

designate

... a licensee's or applicant's detailed ... security measures (including security plans,

procedures and equipment) for the physical protection of source material or byproduct

material, by whomever possessed, whether in transit or at fixed sites, in quantities

determined by the Commission to be significant to the public health and safety or the

common defense and security...

to be Safeguards Information. The Commission also may, by order, impose Safeguards

Information handling requirements on these other licensees. An example of this type of order is

the March 25, 2002 order to Honeywell International, a uranium conversion facility. Violations

of Safeguards Information handling requirements, whether those of Part 73 or those imposed

by order, are equally subject to the applicable civil and criminal sanctions, as discussed below

and in the attached Summary of Safeguards Information Requirements.

Employees, past or present, and all persons who have had access to Safeguards Information'

have a continuing obligation to protect Safeguards Information against inadvertent release and

unauthorized disclosure. The NRC staff and licensees have discovered several cases where

Safeguards Information was inadvertently included in uncontrolled plant documents and

documents intended for distribution to the public. Documents or other forms of communication

RIS 2003-08

Page 3 of 4

that include discussions about plant security should be reviewed carefullyto ensure that

Safeguards Information is not physically included or that plant security is not otherwise being.

compromised. Attachment 1 to this RIS further explains licensee and individual responsibilities

under current regulations, issued Orders, and future Orders regarding the protection of

Safeguards Information, and addresses penalties forinadequate protection and unauthorized

disclosure.

Licensees are reminded that information designated as Safeguards Information must be

withheld from public disclosure and must be physically controlled and protected. Physical

protection requirements include (1) secure storage, (2) document marking, (3) access restricted

to authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhanced

automatic data processing system controls. Changes are being proposed to NRC regulations

applicable to Safeguards Information as a result of ongoing evaluations. Personnel security

controls, including background checks and other means, are in effect for individuals authorized

access to Safeguards Information, as is the strict adherence to the need-to-know principle.

Inadequate protection of Safeguards Information, including inadvertent release and

unauthorized disclosure, may result in civil and/or criminal penalties. The Act explicitly provides

in Section 147a that any person, whether or not a licensee of the Commission, who violates any

regulations adopted under this section shall be subject to the civil monetary penalties of

Section 234 of the Act. Furthermore, willful violation of any regulation or order governing

Safeguards Information is a felony subject to criminal penalties in the form of fines or

imprisonment, or both, as prescribed in Section 223 of the Act. The specific penalties

associated with such violations will be determined by the staff in its implementation of the NRC

Enforcement Policy, and the discretion of the Commission based on the details and significance

of any violation. Statutory maximum penalties are addressed in Attachment 1.

The NRC will continue to evaluate its requirements, policies and guidance concerning the

protection and unauthorized disclosure of Safeguards Information. Licensees and other

stakeholders will be informed of proposed revisions or clarifications.

BACKFIT DISCUSSION

The RIS and the attachment do not request any action or written response; therefore, the staff

did not perform a backfit analysis.

FEDERAL REGISTER NOTIFICATION

A notice of opportunity for public comment on this RIS was not published in the Federal

Register.

RIS 2003-08

Page 4 of 4

PAPERWORK REDUCTION ACT STATEMENT

This RIS does not 'request any information collection and, therefore, is not subject to the

Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

If you have any questions about this matter, please contact the person listed below.

IRA/ IRA/

Charles L. Miller, Director William D. Beckner, Program Director

Division of Industrial and Operating Reactor Improvements Program

Medical Nuclear Safety Division of Regulatory Improvement Programs

Office of Nuclear Materials Safety Office of Nuclear Reactor Regulation

and Safeguards

Contact: Bernard Stapleton, NSIR

(301) 415-2432

E-mail: bws2(c*nrc.aov

Attachments: 1. Summary of Safeguards Information Requirements

2. List of Recently Issued NRC Regulatory Issue Summaries

Attachment 1

RIS 2003-08

Page 1 of 4

SUMMARY OF SAFEGUARDS INFORMATION REQUIREMENTS

I. AUTHORITY

The Atomic Energy Act of 1954, as amended, 42 U.S.C. §§ 2011 et seq. (Act), grants the

Nuclear Regulatory Commission broad and unique authority to prohibit the unauthorized

disclosure of Safeguards Information upon a determination that the unauthorized disclosure of

such information could reasonably be expected to have a significant adverse effect on the

health and safety of the public or the common defense and security by significantly increasing

the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction.

Section 147 of the Act, 42 U.S.C. § 2167.

For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50

reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employees

and contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is

defined by NRC regulation as follows:

Safeguards Information means information not otherwise classified as National

Security Information or Restricted Data which specifically identifies a licensee's

or applicant's detailed, (1) security measures for the physical protection of

special nuclear material, or (2) security measures for the physical protection and

location of certain plant equipment vital to the safety of production or utilization

facilities.

10 C.F.R. § 73.2.

Specific requirements for the protection of Safeguards Information are contained in

10 C.F.R. § 73.21. Access to Safeguards Information is limited as follows:

(c) Access to Safeguards Information. (1) Except as the Commission may

otherwise authorize, no person may have access to Safeguards Information

unless the person has an established "need to know" for the information and is:

(i) An employee, agent, or contractor of an applicant, a licensee, the

Commission, or the United States Government. However, an individual to be

authorized access to Safeguards Information by a nuclear power reactor

applicant or licensee must undergo a Federal Bureau of Investigation criminal

history check to the extent required by 10 CFR 73.57;

(ii) A member of a duly authorized committee of the Congress;

(iii) The, Governor of a State or designated representatives;

(iv) A representative of the International Atomic Energy Agency (IAEA) engaged

in activities associated with the U.S./IAEA Safeguards Agreement who has been

certified by the NRC;

Attachment 1

RIS 2003-08

Page 2 of 4

(v) A member of a state or local law enforcement authority that is responsible for

responding to requests for assistance during safeguards emergencies; or

(vi) An individual to whom disclosure is ordered pursuant to § 2.744(e) of this

chapter [10 CFR 2.744(e)].

(2) Except as the Commission may otherwise authorize, no person may disclose

Safeguards Information to any other person except as set forth in paragraph

(c)(1) of this section.

10 C.F.R, § 73.21(c).

The "need to know" requirement is specified by NRC regulation as follows:

Need to know means a determination by a person having responsibility for

protecting Safeguards Information that a proposed recipient's access to

Safeguards Information is necessary in the performance of official, contractual,

or licensee duties of employment.

10 C.F.R, § 73.2.

Thus, unless otherwise authorized by the Commission, NRC regulations limit access to

Safeguards Information to certain specified individuals who have been determined to have a

"need to know," i.e., specified individuals whose access has been determined to be necessary

in the performance of official,-contractual or licensee duties of employment.

Furthermore, except as otherwise authorized by the Commission, no person may disclose

Safeguards Information to any other person unless that other person is one of the specified

persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a "need to know."

10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of

Safeguards Information are applicable to all licensees and all individuals:

This part [10 C.F.R. Part 73] prescribes requirements for the protection of

Safeguards Information in the hands of any person, whether or not a licensee of

the Commission, who produces, receives, or acquires Safeguards Information.

10 C.F.R. § 73.1(b)(7).

The Commission's statutory authority to protect and prohibit the unauthorized disclosure of

Safeguards Information is even broader than is reflected in these regulations. Section 147 of

the Act grants the Commission explicit authority to "issue such orders, as necessary to prohibit

the unauthorized disclosure of safeguards information . . . ." This authority extends to

information concerning special nuclear material, source material, and byproduct material, as

well as production and utilization facilities.

Attachment 1

RIS 2003-08

Page 3 of 4

The Act explicitly provides: "Any person, whether or not a licensee of the Commission, who

violates any regulations adopted under this section shall be subject to the civil monetary

penalties of Section 234 bf this Act." Section 147a of the Act. Section 234a of the Act

provides for a civil monetary penalty not to exceed $120,000 for each violation. See

10 C.F.R. § 2.2050) (2003). Furthermore, a willful violation of any regulation or order governing

Safeguards Information is a felony subject to criminal penalties in the form of fines or

imprisonment, or both. See Sections 147b and 223a of the Act.

The NRC Enforcement Policy outlines potential NRC actions against both licensees and

individuals for violations of the regulations and Orders using criteria that evaluate both the

details and severity of the violation.

I1. DISCUSSION

All licensees and all other persons who now have, or in the future may have, access to

Safeguards Information must comply with all applicable requirements delineated in regulations

and Orders governing the handling and unauthorized disclosure of Safeguards Information. As

stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire

Safeguards Information are required to ensure that Safeguards Information is protected against

unauthorized disclosure. To meet this requirement, licensees and persons subject to

10 C.F.R. § 73.21(a) shall establish and maintain an information protection system governing

the proper handling and unauthorized disclosure of Safeguards Information. All licensees

should be aware that since the requirements of 10 C.F.R. § 73.21(a) apply to all persons who

receive Safeguards Information, they apply to all contractors whose employees may have

access to Safeguards Information and they must either adhere to the licensee's policies and

procedures on Safeguards Information or develop, maintain and implement their own

information protection system, but the licensees remain responsible for the conduct of their

contractors. The elements of the required information protection system are specified in

10 C.F.R. § 73.21(b) through (i). The information protection system must address, at a

minimum, the following: the general performance requirement that each person who produces,

receives, or acquires Safeguards Information shall ensure that Safeguards Information is

protected against unauthorized disclosure; protection of Safeguards Information at fixed sites,

in use and in storage, and while in transit; inspections, audits and evaluations; correspondence

containing Safeguards Information; access to Safeguards Information; preparation, marking,

reproduction and destruction of documents; external transmission of documents; use of

automatic data processing systems; and removal of the Safeguards Information category.

As noted above, in addition to the responsibility of each licensee to ensure that all of its

employees, contractors and subcontractors, and their employees comply with applicable

requirements, all contractors, subcontractors, and individual employees also are individually

responsible for complying with applicable requirements and all are subject to civil and criminal

sanctions for failures to comply. The NRC considers that violations of the requirements

applicable to the handling of Safeguards Information are a serious breach of adequate

protection of the public health and safety and the common defense and security of the United

States.

Attachment 1

RIS 2003-08

Page 4 of 4

As a result, the staff intends to use the NRC Enforcement Policy, including the discretion to

increase penalties for violations, to determine appropriate sanctions against licensees and

individuals who violate these requirements. In addition, the Commission may use its discretion,

based on the severity of the violation, to further increase the penalty for any violation up to the

statutory maximum. Willful violations of these requirements will also be referred to the

Department of Justice for a determination of whether criminal penalties will be pursued.

Attachment 2

RIS 2003-08

Page 1 of 1

LIST OF RECENTLY ISSUED

NRC REGULATORY ISSUE SUMMARIES

Regulatory Issue Date of

Summary No. Subject Issuance Issued to

2003-07 Issuance of Regulations Revising 04/23/2003 . All U.S. Nuclear Reculatory

Filing Requirements for Advance Commission (NRC) power reactor

Notification of the Shipment of licensees, research and test

Spent Nuclear Fuel and Special reactor licensees, independent

Nuclear Material spent fuel storage installation

licensees, and special nuclear

material licensees who ship spent

nuclear fuel and special nuclear

material.

2003-06 High Security Protected and Vital 03/20/2003 All power reactor (including

Area Barrier/Equipment decommissioning reactor)

Penetration Manual licensees, independent spent fuel

storage installation licensees, the

conversion facility licensee,

gaseous diffusion plant licensees,

and Category I fuel cycle facility

licensees.

2003-05 Issuance of Orders Imposing 03/19/2003 All U.S. Nuclear Regulatory

Additional Physical Protection Commission (NRC) licensees.who

Measures For Independent Spent hold general licenses for

Fuel Storage Installations Using independent spent fuel storage

Dry Storage installations (ISFSIs) using dry

storage pursuant to 10 CFR Part

72 and all applicants for site-

specific licenses for ISFSls

pursuant to 10 CFR Part 72.

2003-04 Use of the Effective Dose 02/13/2003 All U.S. Nuclear Regulatory.

Equivalent in Place of the Deep Commission (NRC) licensees.

Dose Equivalent in Dose

Assessments

Note: NRC generic communications may be received in electronic format shortly after they are

issued by subscribing to the NRC listserver as follows:

To subscribe send an e-mail to <listproc(anrc.qov >, no subject, and the following

command in the message portion:

subscribe gc-nrr firstname lastname

OL = Operating License

CP = Construction Permit