Text

NRC Staff Responses to Public Comments on Draft Protective Order Templates for ITAAC Hearings On September 4, 2018 (83 Fed. Reg. 44,925), the NRC staff requested comment on two draft protective order templates for use in hearings associated with closure of inspections, tests, analyses, and acceptance criteria (ITAAC). One draft template was for Sensitive Unclassified Non-Safeguards Information (SUNSI) (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML18239A329). The other draft template was for Safeguards Information (SGI) (ADAMS Accession No. ML18239A322).

The NRC staff received one comment submission (ADAMS Accession No. ML18298A267), which came from Southern Nuclear Operating Company. The NRC staffs responses to comments on the draft SUNSI template are in Table 1, and the NRC staffs responses to comments on the draft SGI template are in Table 2. The final SUNSI template is available at ADAMS Accession No. ML19036A727, and the final SGI template is available at ADAMS Accession No. ML19036A718.

Table 1 - NRC Staff Responses to Public Comments on Draft SUNSI Protective Order Template Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 1 (¶ 2.c)

Comment: Paragraph 2.c does not require legal counsels staff to execute the Non-Disclosure Declaration. The other provisions describing Authorized Recipients in paragraphs 2.a and 2.b require execution of the Non-Disclosure Declaration prior to receipt of SUNSI, which we interpret to include the legal counsel itself. Given the sensitivity of the information that may be transferred under the SUNSI protective order, Paragraph 2.c should be deleted, consistent with the SGI template. This would require legal counsel staff to execute Non-Disclosure Declarations. The benefit of this increased focus and sensitivity to protection of the information transferred under the SUNSI protective order outweighs any increased administrative burden.

Proposed Resolution: Delete paragraph 2.c.

The NRC staff adopts the suggestion to require staff for petitioners legal counsel to execute Non-Disclosure Declarations to ensure they understand the specific protection requirements in the order and their obligation to protect SUNSI. Also, completing and filing the Non-Disclosure Declarations would be minimally burdensome, particularly since notarization is not required.

However, the final template retains language requiring petitioners legal counsel to take steps to ensure that persons under their supervision or control comply with the protective order. This provision has commonly been included in past SUNSI protective orders. Also, the NRC staff is adding this provision to the final SGI template.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response Finally, the NRC staff has modified the provision in paragraph 2.b on authorization for additional or substitute persons necessary for preparation of the petitioners case to receive SUNSI. As modified, persons under the direct supervision of petitioners legal counsel may receive SUNSI upon execution and filing of Non-Disclosure Declarations without having to obtain express permission from the presiding officer or the relevant hearing participant.

Permission would undoubtedly be granted in these situations, so requiring express permission is unnecessary.

2 (¶ 4)

Comment: Paragraph 4 states that the filing requirements are the only part of the order to which NRC personnel are subject. However, the need for this broad carve-out for activities conducted to support the ITAAC hearing is unclear and could create future confusion, particularly as to the marking requirements in paragraph 7 and the transmittal requirements in paragraph 9.

Proposed Resolution: Add references to the marking requirements in paragraph 7 and the transmittal requirements in paragraph 9 to paragraph 4 or, alternatively, delete paragraph 4 entirely.

Paragraph 4 of the draft template excluded NRC personnel from the orders requirements except those for filing documents and, as applicable, initially providing SUNSI to the petitioner.

Numerous SUNSI protective orders in the last ten years have similar exclusions, and the NRC staff is not aware of any confusion having arisen as a result. The exclusion exists because NRC personnel are already subject to laws, regulations, and policies governing the protection of SUNSI, including marking and transmission requirements.

The protective order provisions are largely redundant to these existing requirements, which are sometimes more stringent than the protective order (e.g., transmission requirements). Thus, the NRC staff is retaining the exclusion in the final template without modification.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 3 (¶ 8)

Comment: Paragraph 8.a states that Authorized Recipients must establish a controlled environment to protect SUNSI. 8.c states that the SUNSI must be kept under the Authorized Recipients direct control or stored in a secure location. It is unclear whether the parameters described in paragraph 8.c establish a controlled environment.

Proposed Resolution: Combine paragraphs 8.a and 8.c.

Paragraph 8.a of the draft template reflected the requirement for controlled environments in the Controlled Unclassified Information (CUI) rule. 32 C.F.R. §§ 2002.4(f), 2002.14(c). This requirement exists because Authorized Recipients must consider the space in which they will use or store SUNSI to ensure that SUNSI will be appropriately protected in accordance with paragraphs 8.b to 8.d of the draft template. For example, use of SUNSI on a computer in a space where unauthorized persons can view the computer screen would not be a controlled environment and would not satisfy paragraph 8.b. The NRC staff has modified paragraph 8.a to show the relationship between this paragraph and paragraphs 8.b to 8.d. and to give examples illustrating the controlled environment requirement. Consistent with these examples, the staff has modified the footnote in paragraph 9.a.iii to specify that if facsimile transmission is allowed, the protective order should prohibit use of facsimile machines whose memories may be accessed by unauthorized individuals.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 4A (¶ 9.a)

Comment: This paragraph generally requires electronic transmittal of SUNSI to be encrypted (e.g.,

password-protected PDF file). However, if the sender determines that encryption is not available, they may satisfy the protection requirement by merely double-checking the email address. This broad exception essentially eviscerates the encryption requirement and exposes electronically transmitted SUNSI to higher risk of unauthorized disclosure.

Proposed Resolution: Delete the phrase if available in the first sentence of paragraph 9.a and all of the following sentence. Delete all of paragraph 9.a.i.

The draft templates requirement to use encryption if available came from NRC Regulatory Issue Summary (RIS) 2005-26, Control of Sensitive Unclassified Nonsafeguards Information Related to Nuclear Power Reactors (ADAMS Accession No. ML051430228), dated November 7, 2005. RIS 2005-26 is the currently applicable NRC guidance and is specifically directed at protection of security-related information for power reactors.

The draft templates encryption requirement was also applied to proprietary information because RIS 2005-26 states that security-related information is protected in much the same way as commercial or financial information. RIS 2005-26, at 4. Even so, most protective orders for proprietary information in the last ten years have not had any encryption requirement.

Moreover, the NRC staff disagrees that conditioning use of encryption on its availability eviscerates the requirement. The draft and final templates encourage the hearing participants to discuss the availability of encryption. To the extent encrypted transmission is available, the proposed protective order may specify the permitted forms of encrypted transmission and disallow other forms of unencrypted transmission, as practical.

For the reasons stated above, the encryption requirement in the final template is the same as the requirement in the draft template.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 4B (¶ 9.a)

Comment: Paragraph 9.a.iii. allows fax transmission if no other form of electronic transmission is available.

Fax transmission should not be allowed under any circumstances due to the same security risks discussed in the paragraph above [Comment 4A].

Proposed Resolution: Delete the phrase unless no other form of electronic transmission is available in paragraph 9.a.iii.

The NRC staff adopts the commenters suggested deletion because experience suggests facsimile transmission is no longer necessary or practical in adjudicatory proceedings, as stated in the draft template. However, the NRC staff is retaining instructions on measures for facsimile transmission in the unlikely case that facsimile transmission is deemed to be necessary.

5 (¶ 12)

Comment: Paragraph 12 requires the Petitioner to maintain a log of all copies of SUNSI materials within its possession or control. However, disclosure of SUNSI may extend beyond Petitioner to other Authorized Recipients, including Petitioners experts, consultants and legal counsel. All Authorized Recipients should be required to comply with paragraph 12 in order to maintain adequate SUNSI recordkeeping.

Proposed Resolution: Paragraph 12 should be revised to state: All Authorized Recipients shall maintain a log of all copies of materials containing SUNSI within its possession or control.

The NRC staff agrees that all Authorized Recipients should track the SUNSI in their possession or control to ensure it is properly protected. The template has been modified accordingly.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 6 (¶ 15)

Comment: Paragraph 15 requires Authorized Recipients to destroy or return all SUNSI materials within 60 days of the Access Termination Date (e.g.,

termination of the proceeding), and to certify compliance with this requirement to the NRC and the licensee. However, no enforcement mechanism is contemplated. The presiding officer loses jurisdiction once it terminates the proceeding; and, if the Petitioner decides to ignore this requirement and keep the documents, the procedural next step for the licensee is unclear.

Proposed Resolution: Include a specific enforcement mechanism, like a request to the Commission, in paragraph 15.

The NRC staff does not agree that there is a lack of clarity regarding jurisdiction over filings on protective orders that are made after termination of the proceeding. See CB&I AREVA MOX Servs.,

LLC (Mixed Oxide Fuel Fabrication Facility Possession and Use License), CLI-16-14, 84 NRC 11 (2016) (The Commission granted a motion filed after termination of the proceeding to amend a protective order issued by a licensing board).

Therefore, the NRC staff is not adopting the commenters suggestion.

7 (¶ 18)

Comment: Paragraph 18 allows the presiding officer to impose sanctions for violation of the protective order or Non-Disclosure Declaration. However, presiding officers rarely, if ever, actually impose sanctions that would help prevent unauthorized disclosures. If the order explicitly included some examples of possible sanctions, their imposition may be more readily available to the presiding officer. It is important that sanctions remain a plausible possibility in cases where the protective order is violated in order to deter unauthorized disclosures of SUNSI.

Proposed Resolution: Revise paragraph 18 to include specific examples of sanctions, such as termination of the proceeding, a permanent ban from participation in future proceedings, or a permanent ban from obtaining SUNSI.

The NRC staff has added to the final template a reference to Commission policy on the imposition of sanctions in adjudicatory proceedings, which includes examples of possible sanctions. See Statement of Policy on Conduct of Licensing Proceedings, CLI-81-8, 13 NRC 452, 454 (1981).

Consistent with this policy, the imposition of sanctions is a fact-dependent exercise.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 8 (¶ 19)

Comment: Paragraph 19 requires the licensee or NRC to provide SUNSI documents to the Petitioner within 2 days of receiving the executed Non-Disclosure Declarations. In a typical proceeding, a licensee would provide a disclosure log of proprietary documents, the petitioner would request certain (or all) documents, a protective order would be issued, and the documents provided. The template language makes sense, assuming the petitioner has already identified which documents it seeks to obtain; however, it does not contemplate the scenario in which the presiding officer issues the protective order early in the proceeding before such requests are made, or later SUNSI documents become available.

In order to ensure the SUNSI is properly identified and requested prior to disclosure, the trigger for the two-day timeline for providing the documents should be the later of (1) the filing of the Non-Disclosure Declarations and (2) Petitioners request for SUNSI.

Also, the requirement to provide the copies to the Petitioner within 2 days introduces some ambiguity as to whether the Petitioner must, in fact, receive the copies in that time frame. The language should be revised to make it clear that mailing time is not calculated in the 2-day limit.

The NRC staff does not anticipate that a protective order would be issued before a request for access to SUNSI. ITAAC proceedings are narrowly focused and of short duration, and the need for a protective order would become clear in response to a petitioners specific request for documents.

Moreover, access to SUNSI may not be granted until a specific request is made. The template is premised on such a request being received and granted. In drafting the template, the NRC staff consciously avoided accounting for unlikely scenarios for simplicity. Thus, the NRC staff is not modifying the template.

The NRC staff agrees, however, that the word provide is ambiguous. Therefore, the final template uses the word transmit as suggested by the commenter. But mailing SUNSI would cause unnecessary delay, which should be avoided given the accelerated ITAAC hearing schedule. Thus, the final template states a requirement for this transmission to be made by email.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response Proposed Resolution: Paragraph 19 should be revised as follows: Within two (2) business days after the later of (1) the filing of the executed Non-Disclosure Declarations and (2) Petitioners request for SUNSI the [Licensee OR NRC Staff] shall transmit to the Petitioners representative a copy of the following information: [identify that SUNSI for which the Petitioners need has been determined].

Table 2 - NRC Staff Responses to Public Comments on Draft SGI Protective Order Template Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 1 (¶ 1)

Comment: Paragraph 1 presents presiding officer findings that the Authorized SGI Recipients are qualified to possess SGI. However, it is silent as to their means of protecting SGI, such as availability of security storage containers and security electronic equipment satisfying Part 73 requirements, or alternative means such as using another entitys SGI-compliant equipment. This should be a required finding to ensure that Authorized SGI Recipients can adequately protect the SGI.

Proposed Resolution: Paragraph 1 should be revised as follows: As described in the Joint Motion, certain identified person(s) are qualified for access to the SGI described in the Joint Motion by (1) having a need to know the SGI described therein, as defined by 10 C.F.R. § 73.2; (2) having previously undergone a Federal Bureau of Investigation (FBI) criminal history records check, as appropriate; (3) having been determined to be trustworthy and reliable, based upon a background check or other means approved by the Commission, as prescribed by 10 C.F.R.

§ 73.22(b)(2); and (4) having been determined to possess materials and equipment necessary to protect SGI in accordance with 10 C.F.R. Part 73, which shall include possession of a Security Storage Container, or access to an approved SGI storage location, and appropriate security electronic equipment.

The NRC staff revised the template consistent with the commenters suggestions, as discussed below.

The findings in paragraph 1 of the draft template reflect the determinations on access to SGI that in most circumstances would be made by the NRC staff. The presiding officer would become involved only if there is a dispute over the NRC staffs determinations.

The draft template directly addressed the concerns raised by the commenter regarding protection of SGI. Paragraph 6 of the draft template explicitly required all Authorized SGI Recipients to certify whether they have compliant security storage containers and electronic equipment. Paragraph 6 also (1) discussed alternative means of using and protecting SGI if compliant storage containers or electronic equipment are not available and (2) encouraged the hearing participants to discuss these issues prior to filing a proposed protective order.

Further, paragraph 6 discussed the NRC staffs opportunity to inspect the petitioners SGI protection system. This discussion was revised in the final template to better reflect a similar provision contained in Final Template A: Notice of Intended Operation and Associated Orders (ADAMS Accession No. ML16167A469), issued as part of the ITAAC Hearing Procedures (July 1, 2016) (81 Fed.

Reg. 43,266). Final Template A states, Prior to

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response providing SGI to the requestor, the NRC staff will conduct (as necessary) an inspection to confirm that the recipients information protection system is sufficient to satisfy the requirements of 10 CFR 73.22. Final Template A, at 49. Any inspection would take place before a motion proposing a protective order. Id. at 55-56. This provision was taken from the Procedures to Allow Potential Intervenors to Gain Access to Relevant Records that Contain Sensitive Unclassified Non-Safeguards Information or Safeguards Information (SUNSI-SGI Access Procedures) (ADAMS Accession No. ML080380626). SUNSI-SGI Access Procedures, Attach. 1, at 5, 6-7.

Thus, the concerns raised in the comment should be addressed by the hearing participants before they file a motion requesting a proposed protective order. Since the SGI protective order template assumes the filing of a joint motion, the template assumes there is agreement that the petitioner has the means of complying with 10 C.F.R. § 73.22.

The NRC staff has revised paragraph 1 of the template to reflect this assumption and to reference the discussion in paragraph 6 on the measures to be taken by the hearing participants to confirm the petitioners means of compliance.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 2 (¶ 2.a)

Comment: This paragraph mentions the requirements for Authorized SGI Recipients. It makes reference to two of the three necessary conditions for access, as set forth in paragraph 1; however, it does not make reference to the required FBI criminal history records check. Language should be added to make paragraph 2.a consistent with the requirements in paragraph 1.

Proposed Resolution: All of the requirements listed paragraph 1 should be added to the first sentence of paragraph 2a.

The NRC staff is adopting the commenters suggestion for consistency and completeness.

3 (¶ 4)

Comment: Paragraph 4 states that the filing requirements are the only part of the order to which NRC personnel are subject. However, the need for this broad carve-out for activities conducted to support the ITAAC hearing is unclear and could create future confusion, particularly as to the marking requirements in paragraph 6 and the transmittal requirements in paragraph 8.

Proposed Resolution: Add references to the marking requirements in paragraph 6 and the transmittal requirements in paragraph 8 to paragraph 4 or, alternatively, delete paragraph 4 entirely.

Paragraph 4 of the draft template excluded NRC personnel from the orders requirements except those for filing documents, updating the SGI access list, and, as applicable, initially providing SGI to the petitioner. Numerous SUNSI protective orders in the last ten years have similar exclusions, and the NRC staff is not aware of any confusion having arisen as a result. The NRC staff does not believe that a similar exclusion in an SGI protective order would cause confusion. The exclusion exists because NRC personnel are already subject to laws, regulations, and policies governing the protection of SGI, including marking and transmission requirements. The protective order provisions are largely redundant to these existing requirements. Thus, the NRC staff is retaining the exclusion in the final template without modification.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 4 (¶ 10)

Comment: Paragraph 10 requires the Petitioner to maintain a log of all copies of SGI materials within its possession or control. However, disclosure of SGI may extend beyond Petitioner to other Authorized SGI Recipients, including Petitioners experts, consultants and legal counsel. All Authorized Recipients should be required to comply with paragraph 10 in order to maintain adequate SGI recordkeeping.

Proposed Resolution: Paragraph 10 should be revised to state: All Authorized SGI Recipients shall maintain a log of all copies of materials containing SGI within its possession or control.

The NRC staff agrees that all Authorized SGI Recipients should track the SGI in their possession or control to ensure it is properly protected. The template has been modified accordingly.

5 (¶ 11)

Comment: Paragraph 11 requires notification of potential loss or unauthorized disclosure of SGI to be reported within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. However, in such situations time is of the essence. Requiring immediate notice allows the licensee to more effectively mitigate potential harm.

Proposed Resolution: Paragraph 11 should be revised to state: If the Petitioner has reason to believe that SGI may have been lost or misplaced, or that SGI has otherwise become available to unauthorized persons, the Petitioner shall immediately (but in no circumstances greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) notify the {Board OR Presiding Officer}, the Licensees counsel, and NRC Staff counsel regarding that belief and the reasons for that belief. If any Authorized SGI Recipient has reason to believe that SGI may have been lost or misplaced, or that SGI The NRC staff agrees and has adopted the commenters suggestion so that the NRC and the licensee can more effectively mitigate any harm from the potential loss or unauthorized disclosure of SGI.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response has otherwise become available to unauthorized persons, that Authorized SGI Recipient shall immediately (but in no circumstances greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) notify the Petitioners representative of that belief and the reasons for that belief so that the Petitioner may make the required notification.

6 (¶ 11b.)

Comment: Paragraph 11.b contemplates the notification of potential loss of unauthorized disclosure of SGI be sent via mail. As noted above, time is of the essence in such situations. It would be more beneficial if a quicker communication process is devised to allow the licensee to receive notice in a shorter time period.

Proposed Resolution: Devise a process to more quickly communicate situations of lost SGI or unauthorized disclosure, such as requiring the notification to be sent via overnight express.

The NRC staff agrees that notifications should be transmitted by prompt means and has modified paragraph 11.b to require use of overnight mail.

7 (¶ 13)

Comment: Paragraph 13 requires Authorized SGI Recipients to destroy or return all SGI materials within 60 days of the Access Termination Date (e.g.,

termination of the proceeding), and to certify compliance with this requirement to the NRC and the licensee. However, no enforcement mechanism is contemplated. The presiding officer loses jurisdiction once it terminates the proceeding; and, if the Petitioner decides to ignore this requirement and keep the documents, the procedural next step for the licensee is unclear.

The NRC staff does not agree that there is a lack of clarity regarding jurisdiction over filings on protective orders that are made after termination of the proceeding. See CB&I AREVA MOX Servs.,

LLC (Mixed Oxide Fuel Fabrication Facility Possession and Use License), CLI-16-14, 84 NRC 11 (2016) (The Commission granted a motion filed after termination of the proceeding to amend a protective order issued by a licensing board).

Therefore, the NRC staff is not adopting the commenters suggestion.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response Proposed Resolution: Include a specific enforcement mechanism, like a request to the Commission, in paragraph 13.

8 (¶ 16)

Comment: Paragraph 16 allows the presiding officer to impose sanctions for violation of the protective order or Non-Disclosure Declaration. However, presiding officers rarely, if ever, actually impose sanctions that would help prevent unauthorized disclosures. If the order explicitly included some examples of possible sanctions, their imposition may be more readily available to the presiding officer. It is important that sanctions remain a plausible possibility in cases where the protective order is violated in order to deter unauthorized disclosures of SGI.

Proposed Resolution: Revise paragraph 16 to include specific examples of sanctions, such as termination of the proceeding, a permanent ban from participation in future proceedings, or a permanent ban from obtaining SGI.

The NRC staff has added to the final template a reference to Commission policy on the imposition of sanctions in adjudicatory proceedings, which includes examples of possible sanctions. See Statement of Policy on Conduct of Licensing Proceedings, CLI-81-8, 13 NRC 452, 454 (1981).

Consistent with this policy, the imposition of sanctions is a fact-dependent exercise.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response 9 (¶ 17)

Comment: Paragraph 17 requires the licensee or NRC to provide SGI documents to the Petitioner within 2 days of receiving the executed Non-Disclosure Declarations. In a typical proceeding, a licensee would provide a disclosure log of protected documents, the petitioner would request certain (or all) documents, a protective order would be issued, and the documents provided. The template language makes sense, assuming the petitioner has already identified which documents it seeks to obtain; however, it does not contemplate the scenario in which the presiding officer issues the protective order early in the proceeding before such requests are made, or later SGI documents become available. In order to ensure the SGI is properly identified and requested prior to disclosure, the trigger for the two-day timeline for providing the documents should be the later of (1) the filing of the Non-Disclosure Declarations and (2) Petitioners request for SGI.

Also, the requirement to provide the copies to the Petitioner within 2 days introduces some ambiguity as to whether the Petitioner must, in fact, receive the copies in that time frame. The language should be revised to make it clear that mailing time is not calculated in the 2-day limit.

The NRC staff does not anticipate that a protective order would be issued before a request for access to SGI. ITAAC proceedings are narrowly focused and of short duration, and the need for a protective order would become clear in response to a petitioners specific request for documents.

Moreover, the petitioner would have to submit a specific request for SGI to show a need to know for it. The template is premised on a specific request for SGI having been received and granted. In drafting the template, the NRC staff consciously avoided accounting for unlikely scenarios for simplicity. Thus, the NRC staff is not modifying the template.

The NRC staff agrees, however, that the word provide is ambiguous. Therefore, the final template uses the word transmit as suggested by the commenter. Also, the final template requires this transmission to be made by overnight mail, consistent with the accelerated ITAAC hearing schedule and the filing requirement in paragraph 8 of the template.

Comment #

(¶ of Draft Template)

Comment and Proposed Resolution NRC Staff Response Proposed Resolution: Paragraph 17 should be revised as follows: Within two (2) business days after the later of (1) the filing of the executed Non-Disclosure Declarations and (2) Petitioners request for SGI the [Licensee OR NRC Staff] shall transmit to the Petitioners representative a copy of the following information: [identify that SGI for which the Petitioners need has been determined].