ML19134A287

From kanterella
Jump to navigation Jump to search
Enclosure - Request for Additional Information Regarding Request for Approval of Safeguards Information Handling and Protection Plan, Oklo, Inc., Project No. 99902046
ML19134A287
Person / Time
Site: 99902046
Issue date: 05/30/2019
From: Mazza J
Office of New Reactors
To:
Mazza J, NRO/DAR/ARLB,415-0498
Shared Package
ML19134A268 List:
References
Download: ML19134A287 (13)
v  d  e


Text

OFFICE OF NEW REACTORS REQUEST FOR ADDITIONAL INFORMATION REGARDING REQUEST FOR NRC APPROVAL OF SAFEGUARDS INFORMATION HANDLING AND PROTECTION PLAN OKLO, INC.

PROJECT NO. 99902046 The following requests for additional information are based on the U.S. Nuclear Regulatory Commission (NRC) staffs review of Oklo, Inc.s (Oklos) Safeguards Information (SGI) Handling and Protection Plan (Plan). This requested information is necessary to demonstrate Oklos compliance with Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Physical Protection of Plants and Materials, and 10 CFR Part 50, Domestic Licensing of Production and Utilization Facilities. The response to these requests will inform the NRCs determination on the effectiveness of Oklos Plan.

RAI-1 The NRC gives the general performance requirements for protecting SGI from unauthorized disclosure in 10 CFR 73.21, Protection of Safeguards Information:

Performance Requirements. To meet these general performance requirements, those subject to 10 CFR 73.21 are to establish, implement, and maintain an information protection system that includes the applicable measures for SGI specified in 10 CFR 73.22, Protection of Safeguards Information: Specific Requirements, or 10 CFR 73.23, Protection of Safeguards InformationModified Handling: Specific Requirements:

  • In 10 CFR 73.22, the NRC mandates the protection of SGI in the hands of any person subject to the requirements of 10 CFR 73.21(a)(1)(i) and related to power reactors; a formula quantity of strategic special nuclear material; transportation of or delivery to a carrier for transportation of a formula quantity of strategic special nuclear material or more than 100 grams of irradiated reactor fuel; uranium hexafluoride production or conversion facilities, fuel fabrication facilities, and uranium enrichment facilities; independent spent fuel storage installations; and geologic repository operations areas.
  • If 10 CFR 73.21(a)(1)(i) or (a)(1)(ii) does not describe the information to be protected, the information shall be protected in accordance with the requirements of 10 CFR 73.22.

Throughout the Plan, Oklo references meeting the performance requirements of both 10 CFR 73.22 and 10 CFR 73.23. However, it is unclear to the NRC staff whether Oklo intends to follow the SGI protection requirements in 10 CFR 73.22 or 1

10 CFR 73.23. This information is necessary for the NRC staff to determine whether Oklo will be able to adequately establish, implement, and maintain an information protection system that includes the applicable measures for SGI.

Clarify whether Oklo will establish, implement, and maintain an information protection system that includes the applicable measures for SGI specified in 10 CFR 73.22 or 10 CFR 73.23, as required by 10 CFR 73.21(a). As necessary, update the Plan to reflect this clarification.

RAI-2 In 10 CFR 73.57(c), the NRC describes prohibitions on basing final determinations to deny an individual unescorted access to a nuclear power facility, a nonpower reactor facility, or access to SGI.

Section 5.1.2 (page 9) of the Plan states that [t]he NRC has not established or endorsed any specific disqualifying criteria for the FBI criminal history records check nor for the information gleaned from the other elements of the background check. It is unclear to the NRC staff whether Oklo will consider the prohibitions contained in 10 CFR 73.57(c) in making access determinations based on information received from the Federal Bureau of Investigation (FBI). This information is necessary for the NRC staff to determine whether Oklo will appropriately consider information received from the FBI when making final determinations to deny access to individuals.

Clarify whether Oklo intends to consider the prohibitions contained in 10 CFR 73.57(c) in making access determinations based on information received from the FBI. Update the Plan to reflect any consideration of disqualifying criteria used to make access determinations based on the NRCs regulations.

RAI-3 In 10 CFR 73.2, Definitions, the NRC defines background check in part as a check that must be sufficient to support the trustworthiness and reliability determination so that the person performing the check and the Commission have assurance that granting individuals access to Safeguards Information does not constitute an unreasonable risk to the public health and safety or the common defense and security.

Section 5.1.2 of the Plan (page 10) states that Oklo Inc. will use its best judgment and experience in determining which individuals are trustworthy and reliable and therefore suitable for access to SGI. The standards for determining trustworthiness and reliability are consistent and sufficiently prohibitive to be capable of supporting an individual trustworthiness and reliability determination. However, Oklo does not describe the process it will use to conduct a sufficient background check to support trustworthiness and reliability determinations. This information is necessary so that the NRC staff has assurance that granting an individual access to SGI does not constitute an unreasonable risk to public health and safety or the common defense and security.

Describe the process Oklo will use to conduct a background check sufficient to support making trustworthiness and reliability determinations. As necessary, update the Plan to include this process.

RAI-4 As described in 10 CFR 73.59, Relief from Fingerprinting, Identification and Criminal History Records Checks and Other Elements of Background Checks for Designated Categories of Individuals, fingerprinting is not required for certain individuals before 2

granting access to SGI, including for Tribal officials, the Tribal officials designated representatives, and Tribal law enforcement personnel (paragraph (l)).

Section 5.2, Individuals Exempt from Background Check Elements, of the Plan (page 10) lists individuals that would not have to undergo fingerprinting, a criminal history records check, and other elements of the background check before being granted access to SGI, consistent with 10 CFR 73.59. However, this list excludes Tribal officials or the Tribal officials designated representatives, and Tribal law enforcement personnel.

Explain why Section 5.2 of the Plan excluded Tribal officials or the Tribal officials designated representatives, and Tribal law enforcement personnel from the list of individuals exempt from fingerprinting and other elements of the background check.

As necessary, update the Plan to be consistent with 10 CFR 73.59.

RAI-5 In relevant part, 10 CFR 73.59(f) states: who the Commission approves for access (emphasis added).

Item 6 of Section 5.2 of the Plan (page 11) uses the word that rather than the. In relevant part, this section of the Plan states: whom that Commission has approved access (emphasis added).

Revise the text of Item 6 of Section 5.2 of the Plan to be consistent with 10 CFR 73.59(f).

RAI-6 Section 149, Fingerprinting for Criminal History Record Checks, of the Atomic Energy Act, as amended (AEA), states, in part: The Commission shall require to be fingerprinted any individual who (i) is permitted unescorted access to (I) a utilization facility; or (II) radioactive material or other property subject to regulation by the Commission that the Commission determines to be of such significance to the public health and safety or the common defense and security as to warrant fingerprinting and background checks; or (ii) is permitted access to safeguards information under section 147. (emphasis added).

Section 5.3, Reviewing Official, of the Plan (page 11) uses the word unauthorized instead of unescorted. In relevant part, this section of the Plan states: Section 149 of AEA, as amended, requires that the Commission fingerprint any individual who is permitted unauthorized access to a utilization facility, or certain radioactive material subject to regulation by the commission, or access to SGI. (emphasis added).

Modify the Plan to be consistent with Section 149 of the AEA.

RAI-7 The regulation at 10 CFR 73.22(b)(1) states: Except as the Commission may otherwise authorize, no person may have access to Safeguards Information unless the person has an established need to know for the information and has undergone a Federal Bureau of Investigation (FBI) criminal history records check using the procedures set forth in § 73.57.

Additionally, 10 CFR 73.57(a)(2) states: Each applicant for a license to engage in an activity subject to regulation by the Commission, as well as each entity who has provided written notice to the Commission of intent to file an application for licensing, 3

certification, permitting, or approval of a product subject to regulation by the Commission shall submit fingerprints for those individuals who will have access to Safeguards Information.

Section 5.3 of the Plan (page 11) states, in part: The NRC does not have authority to fingerprint any other classes of individuals. The purpose of this statement is unclear to the NRC staff. Additional information is necessary for the NRC staff to understand Oklos interpretation of what individuals require fingerprinting in accordance with NRC regulations.

Clarify the meaning of this statement and update the Plan as necessary.

RAI-8 The NRC issues regulatory guides to (1) describe to the public methods that the staff considers acceptable for use in implementing specific parts of the agencys regulations, (2) explain techniques that the staff uses in evaluating specific problems or postulated events, and (3) provide guidance to applicants. Regulatory guides are not substitutes for regulations and compliance with them is not required. However, compliance with the NRCs applicable rules and regulations is required. Compliance with NRC regulations is denoted by using the words shall or must. As described below, in several instances in the Plan, Oklo uses the term should to refer to compliance with regulatory requirements instead of shall or must. The examples below are not a comprehensive list of these instances. Oklo should review the Plan for other instances and make the appropriate corrections as described below.

a. Consistent with 10 CFR 73.21(a)(1), revise the following from Section 6.1, In-Use Protection, of the Plan (page 13) to replace the term should with shall or must, as appropriate: Care should still be taken so that individuals, absent SGI access authority and a need-to-know, not gain access to the SGI.
b. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(c), revise the following from Section 6.1 of the Plan (page 13) to replace the term should with shall or must, as appropriate: Oklo Inc. will also ensure that rooms with walls that serve as barriers to exterior portions of the facility or to the discussion area itself are checked for sound attenuation, and if it is determined that the sound travels beyond the confines of the room, either the sound emanations should be mitigated, or the SGI discussion should not take place.
c. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(e), revise the following from Section 8, Reproduction, of the Plan (page 17) to replace the term should with shall or must, as appropriate: Copier machines that have e-mail, fax, or remote diagnostic capabilities should not be used to reproduce SGI, nor should facsimile machines be used to reproduce SGI.
d. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(e), revise the following from Section 8 of the Plan (page 17) to replace the term should with shall or must, as appropriate: Some copiers have memory capability, and, for that reason, only designated copiers should be used to reproduce SGI.
e. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(e), revise the following from Section 8 of the Plan (page 17) to replace the term should with shall or must, as appropriate: Copiers that have been designated for the reproduction 4

of SGI must be clearly identified. When reproducing SGI, personnel should immediately clear paper jams and properly destroy unwanted documents.

f. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(f)(3), revise the following from Section 9.1, Telephone Discussions, of the Plan (page 18) to replace the term should with shall or must, as appropriate: Those involved with the telecommunication should ensure that the SGI is protected from unauthorized disclosure by sound attenuation from within the discussion area, as well as from the area(s) immediately adjacent to the room or the area where the discussion is taking place.
g. Consistent with 10 CFR 73.21(a)(1) and 10 CFR 73.22(d), revise the following from Section 7, Preparation and Marking, of the Plan (page 15) to replace the term should with shall or must, as appropriate: Only designated and trained individuals should have authority to designate a document as SGI. The first page of SGI documents must contain the following information, in accordance with 10 CFR 73.22(d)

RAI-9 The regulation at 10 CFR 73.22(c)(2) states: While unattended, Safeguards Information must be stored in a locked security storage container. The container shall not identify the contents of the matter contained and must preclude access by individuals not authorized access in accordance with the provisions of this section.

Knowledge of lock combinations protecting Safeguards Information must be limited to a minimum number of personnel for operating purposes who have a need to know and are otherwise authorized access to Safeguards Information in accordance with the provisions of this Part. Access to lock combinations must be strictly controlled to prevent disclosure to an individual not authorized access to Safeguards Information.

Section 6.2 of the Plan (page 14) identifies four examples of adequate storage containers, however it is unclear whether Oklo will use any or all the listed security storage containers. This information is needed for the NRC staff to determine whether unattended SGI will be properly stored.

Clarify which, if any, of these storage containers Oklo will use. Update the Plan, as necessary.

RAI-10 The regulation at 10 CFR 73.22(d)(1) states: Each document or other matter that contains Safeguards Information as described in § 73.21(a)(1)(i) and this section must be marked to indicate the presence of such information in a conspicuous manner on the top and bottom of each page. The first page of the document or other matter must also contain: (i) The name, title, and organization of the individual authorized to make a Safeguards Information determination, and who has determined that the document or other matter contains Safeguards Information; (ii) The date the determination was made; and (iii) An indication that unauthorized disclosure will be subject to civil and criminal sanctions.

Section 7 of the Plan (page 15) states: Oklo Inc. is not expected to mark specific pages or paragraphs in documents if a cover sheet was used for the required information instead of the first page of the document, as prescribed in 10 CFR 73.22(d)(1) and 10 CFR 73.23(d)(1). However, from this statement, it is 5

unclear whether Oklo will comply with the requirements for marking each page of a document containing SGI.

Modify the Plan to clarify whether Oklo will mark each page of documents containing SGI in accordance with 10 CFR 73.22(d)(1) (or 10 CFR 73.23(d)(1), as applicable).

Otherwise, explain why this change is unnecessary.

RAI-11 The regulation at 10 CFR 73.22(e) states: Safeguards Information may be reproduced to the minimum extent necessary consistent with need without permission of the originator. Equipment used to reproduce Safeguards Information must be evaluated to ensure that unauthorized individuals cannot access Safeguards Information (e.g., unauthorized individuals cannot access Safeguards Information by gaining access to retained memory or network connectivity).

a. Section 8 of the Plan (page 17) states: When memory-capable copiers are used to reproduce SGI, Oklo Inc. will take steps to prevent unauthorized personnel (including copier maintenance personnel) from gaining access to SGI through retained memory, network connectivity, or remote diagnostics in accordance with 10 CFR 73.22(e) and 10 CFR 73.23(e). However, it is unclear what steps Oklo will take to prevent unauthorized personnel from gaining access to SGI. This information is needed for the NRC staff to ensure that unauthorized individuals do not gain access to SGI.

Modify the Plan to clarify the steps that Oklo will take to prevent unauthorized access, when employees use memory-capable copiers to reproduce SGI or state a declarative prohibition against the use of such equipment.

b. Section 8 of the Plan (page 17) states: Copiers that have been designated for the reproduction of SGI must be clearly identified. When reproducing SGI, personnel should immediately clear paper jams and properly destroy unwanted documents. It is unclear to NRC staff how Oklo employees will know that a copier is designated for the reproduction of SGI. This information is needed for NRC staff to ensure that unauthorized individuals do not gain access to SGI.

Modify the Plan to clarify how Oklo will clearly identify to employees that a copier has been approved for the reproduction of SGI. Otherwise, explain why this change is unnecessary.

RAI-12 The regulation at 10 CFR 73.22(c) states: (1) While in use, matter containing Safeguards Information must be under the control of an individual authorized access to Safeguards Information. This requirement is satisfied if the Safeguards Information is attended by such an individual even though the information is in fact not constantly being used. Safeguards Information within alarm stations, or rooms continuously occupied by authorized individuals need not be stored in a locked security storage container. (2) While unattended, Safeguards Information must be stored in a locked security storage container. The container shall not identify the contents of the matter contained and must preclude access by individuals not authorized access in accordance with the provisions of this section. Knowledge of lock combinations protecting Safeguards Information must be limited to a minimum number of personnel for operating purposes who have a need to know and are otherwise authorized access to Safeguards Information in accordance with the provisions of this Part.

6

Access to lock combinations must be strictly controlled to prevent disclosure to an individual not authorized access to Safeguards Information.

The regulation at 10 CFR 73.22(g)(2) states: Each computer not located within an approved and lockable security storage container that is used to process Safeguards Information must have a removable storage medium with a bootable operating system.

The bootable operating system must be used to load and initialize the computer. The removable storage medium must also contain the software application programs. Data may be saved on either the removable storage medium that is used to boot the operating system, or on a different removable storage medium. The removable storage medium must be secured in a locked security storage container when not in use.

The regulation at 10 CFR 73.22(g)(3) states: A mobile device (such as a laptop computer) may also be used for the processing of Safeguards Information provided the device is secured in a locked security storage container when not in use. Other systems may be used if approved for security by the appropriate NRC office.

The regulation at 10 CFR 73.22(g)(4) states: Any electronic system that has been used for storage, processing or production of Safeguards Information must be free of recoverable Safeguards Information prior to being returned to nonexclusive use.

a. Section 10, Processing Safeguards Information on Electronic Systems, of the Plan (page 21) states: Oklo Inc. may store, process, or produce SGI on a server in which the network is isolated from personnel without SGI authorization. However, Oklo does not specify when the server will be attended to satisfy the protection requirements for unattended SGI in 10 CFR 73.22(c).

Clarify whether or not the server will always be attended. If the server will not always be attended, describe what procedures will be implemented to meet the protection requirements for unattended SGI in 10 CFR 73.22(c). Update the Plan, as necessary.

b. Section 10 of the Plan (page 21) states: Devices used to connect to SGI must have access to the server which is protected by device authentication as well as username and password. However, Oklo has not specified who will have the access to the server and connected devices, including the processes for approving devices to connect to the server. Oklo has also not described how electronic devices or systems will be sanitized prior to being returned to nonexclusive use. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.
i. Clarify who will have access to the SGI server and be able to, successfully or unsuccessfully, connect a device as stated in 10 CFR 73.22(g)(2) and (g)(3). Update the Plan, as necessary.

ii. Clarify the approval process for devices that are connected to the server and identify who determines who may connect devices to the server and the disposition of the device after the connectivity has been 7

terminated as stated in 10 CFR 73.22(g)(4). Update the Plan, as necessary.

iii. Clarify the process Oklo will use to sanitize an electronic device or system that has been used to store, process, or produce SGI before being returned to nonexclusive use as required by 10 CFR 73.22(g)(4).

Update the Plan, as necessary.

RAI-13 The regulation at 10 CFR 73.22(f)(3) states: Except under emergency or extraordinary conditions, Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, such as facsimiles or telephone devices, provided that transmitters and receivers implement processes that will provide high assurance that Safeguards Information is protected before and after the transmission or electronic mail through the internet, provided that the information is encrypted by a method (Federal Information Processing Standard [FIPS] 140-2 or later) approved by the appropriate NRC Office; the information is produced by a self contained secure automatic data process system; and transmitters and receivers implement the information handling processes that will provide high assurance that Safeguards Information is protected before and after transmission. Physical security events required to be reported pursuant to § 73.71 are considered to be extraordinary conditions. Cyber security event notifications required to be reported pursuant to § 73.77 are considered to be extraordinary conditions.

Section 10 of the Plan (page 21) states that SGI files will be stored on a server with an encryption level satisfying FIPS 140-2. However, it is unclear whether Oklo will seek NRC approval of encryption software. This information is necessary to confirm that Oklo will have the necessary approval to transmit information outside an unauthorized place of use or storage.

Clarify the process Oklo will use to seek NRC approval for software that will be used to meet the FIPS, as required by 10 CFR 73.22(f)(3). Update the Plan, as necessary.

RAI-14 The regulation at 10 CFR 73.22 (i) states: Documents or other matter containing Safeguards Information shall be destroyed when no longer needed. The information can be destroyed by burning, shredding or any other method that precludes reconstruction by means available to the public at large. Piece sizes no wider than one quarter inch composed of several pages or documents and thoroughly mixed are considered completely destroyed.

Section 12, Destruction of Matter Containing Safeguards Information, of the Plan (page 23) states: If neither of these options is available, the media should be destroyed. It is unclear whether Oklo will use any or all the listed destruction methods.

This information is needed for the NRC staff to determine whether SGI contained in electronic media will be properly destroyed.

Clarify the method(s) that will be used to destroy electronic media and who has the authority to do so. Clarify whether Oklo will use all the destruction methods referenced within the Plan. Update the Plan, as necessary.

RAI-15 The regulation at 10 CFR 73.22(i) states: Documents or other matter containing Safeguards Information shall be destroyed when no longer needed. The information 8

can be destroyed by burning, shredding or any other method that precludes reconstruction by means available to the public at large. Piece sizes no wider than one quarter inch composed of several pages or documents and thoroughly mixed are considered completely destroyed.

a. Section 12.2, Destruction of Nonelectronic Media, of the Plan (page 23) states: When the information is no longer needed, Oklo Inc. must destroy documents or other nonelectronic matter containing SGI by burning, shredding, or any other method that precludes reconstruction by the public at large.

Pieces no wider that 1/4 inch, composed of several pages or documents and thoroughly mixed, are considered completely destroyed, as prescribed by 10 CFR 73.22(i) and 10 CFR 73.23(i). The pieces must not exceed 1/4 inch either vertically or horizontally. However, it is unclear whether Oklo will use any or all the listed destruction methods. This information is needed for the NRC staff to determine whether SGI will be properly destroyed.

Clarify which of these destruction methods will Oklo rely on to destroy nonelectronic SGI. Update the Plan, as necessary.

b. Section 12.2 of the Plan (page 24) states: The methods employed by commercial shredding companies are acceptable for the destruction of SGI documents, provided that a member of Oklo Inc. is present when the destruction occurs. It is unclear whether the commercial shredding company selected by Oklo has the means to destroy SGI in accordance with the regulatory requirements in 10 CFR 73.22(i). This information is needed for the NRC staff to determine whether SGI will be properly destroyed.

Clarify whether Oklo intends to rely upon the service of a commercial shredding company instead of having destruction equipment on site. If so, describe how Oklo will ensure that the commercial shredding company selected by Oklo has the means to destroy SGI in accordance with the regulatory requirements in 10 CFR 73.22(i). Update the Plan, as necessary.

RAI-16 The regulation at 10 CFR 73.22(i) states: Documents or other matter containing Safeguards Information shall be destroyed when no longer needed. The information can be destroyed by burning, shredding or any other method that precludes reconstruction by means available to the public at large. Piece sizes no wider than one quarter inch composed of several pages or documents and thoroughly mixed are considered completely destroyed.

The regulation at 10 CFR 95.47, Destruction of matter containing classified information, states: Documents containing classified information may be destroyed by burning, pulping, or another method that ensures complete destruction of the information that they contain. The method of destruction must preclude recognition or reconstruction of the classified information. Any doubts on methods should be referred to the CSA.

Section 12.2 of the Plan (page 24) states: Destruction methods that have been approved for classified information are also acceptable means for the destruction of SGI. However, it is unclear whether Oklo will have classified information on-site. This 9

information is necessary to determine whether Oklo is properly destroying documents containing SGI and classified information.

Clarify whether Oklo will rely on destruction equipment that has been approved for the destruction of classified information and whether Oklo will have classified information on site. Update the Plan, as necessary.

RAI-17 The regulation at 10 CFR 73.21(a)(1) states: Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking: Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure. Further, 10 CFR 73.22(c) provides the requirements for protecting SGI while in use or in storage.

Section 3, Performance Requirements, of the Plan (page 7) states: Additionally, the possessor should initiate an inquiry if the information in question is believed to have been viewed or otherwise obtained by personnel not authorized access to SGI.

It is unclear what an inquiry would entail or who in Oklo would be responsible for conducting an inquiry. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place if it is believed that SGI was accessed by unauthorized personnel.

Clarify what immediate actions, if any, Oklo employees must take if or when they discover SGI unattended. Describe what steps are involved and who is responsible for conducting an inquiry into the suspected unauthorized disclosure of sensitive information. Update the Plan, as necessary.

RAI-18 The regulation at 10 CFR 73.21(a)(1) states, in part, that Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking:

Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure.

The regulation at 10 CFR 73.22(c)(2) states, in part, that Knowledge of lock combinations protecting Safeguards Information must be limited to a minimum number of personnel for operating purposes who have a need to know and are otherwise authorized access to Safeguards Information in accordance with the provisions of this Part. Access to lock combinations must be strictly controlled so as to prevent disclosure to an individual not authorized access to Safeguards Information.

a. Section 6.2 of the Plan (page 14) states: Combinations will always be changed within 1 business day of an individuals loss of need-to-know or loss of access to SGI to help reduce the risk of inadvertent or unauthorized disclosure of SGI. However, it is unclear who will be responsible for changing combinations. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify who will be responsible for changing the combination of a security storage container or for ensuring that the combination is changed. Update the Plan, as necessary.

10

b. Section 6.2 of the Plan (page 14) states: The Standard Form 702 will be used to keep a record of opening and closing of security containers. When fellow employees or guard force members conduct security container checks, the record becomes a valuable tool for determining how long a security storage container may have been left open or unattended. However, it is unclear who will be responsible for conducting the security container check or ensuring the security check is conducted. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify who will be responsible for conducting the security container check or for ensuring that the check is conducted. Update the Plan, as necessary.

RAI-19 The regulation at 10 CFR 73.21(a)(1) states, in part, that Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking:

Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure.

10 CFR 73.22(d) provides the requirements for marking SGI documents.

Section 7 of the Plan (page 15) states: Historical documents that are in storage need not be removed solely for the purpose of meeting the marking requirement. As those documents are removed from storage for use (i.e., transmittal, modification, or use as an attachment), they must be marked as required by the rule. However, it is unclear who will be responsible for determining whether a document or group of documents warrant a historical designation. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify who will be responsible for determining whether a document or group of documents warrant a historical designation or for ensuring that this is done. Because Oklo is a newly formed entity, it is unclear whether it possesses historical documents requiring SGI markings. Clarify whether the statement is forward looking. Update the Plan, as necessary.

RAI-20 The regulation at 10 CFR 73.22 (f)(3) states: Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, provided that transmitters and receivers implement processes that will provide high assurance that Safeguards Information is protected before and after the transmission or electronic mail through the internet, provided that the information is encrypted by a method approved by the appropriate NRC Office; the information is produced by a self-contained secure automatic data process system; and transmitters and receivers implement the information handling processes that will provide high assurance that Safeguards Information is protected before and after transmission.

Additionally, 10 CFR 73.22(f)(3) provides the requirements for NRC approval of telecommunication meeting the FIPS.

11

Section 9.1 of the Plan (page 18) states: Those involved with the telecommunication should ensure that the SGI is protected from unauthorized disclosure by sound attenuation from within the discussion area, as well as from the area(s) immediately adjacent to the room or the area where the discussion is taking place. However, it is unclear who will be responsible for ensuring that SGI is not disclosed by sound attenuation. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify who will have the authority to determine whether a room or area meets the sound attenuation criteria for discussions involving SGI, and how employees will be assured that the equipment used during telecommunication has been approved by the NRC as meeting the FIPS. Update the Plan, as necessary.

RAI-21 The regulations at 10 CFR 73.21(a)(1), 10 CFR 73.22(c) and 10 CFR 73.22(f) provide the requirements for establishing an SGI protection plan, protecting SGI while in use or storage, and externally transmitting SGI.

Section 9.2,Transportable Safeguards Information Outside of the Facility, of the Plan (page 18) states: When Oklo Inc. grants authorization for SGI, either in hard copy or locally stored electronic media, to be taken to a home or private residence for the purpose of accommodating business travel to or from the official storage location, Oklo Inc. will emphasize that the NRCs regulations on storage of SGI continue to apply and that the authorization is limited. However, Oklo has not described the procedures it will use to emphasize [ ] the NRCs regulations for protecting SGI during travel. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify what guidance will be provided to employees for obtaining authorization to take SGI home or to a private residence and the protection requirements that must be followed after approval is granted to remove SGI from the Oklo facility. Update the Plan, as necessary.

RAI-22 The regulation at 10 CFR 73.21(a)(1) provides the requirements for establishing a SGI protection plan. The regulation at 10 CFR 73.22(b)(5) states: Except as the Commission may otherwise authorize, no person may disclose Safeguards Information to any other person except as set forth in this section.

a. Section 9.3, Discussions Involving Safeguards Information, of the Plan (page
18) states: Oklo Inc. will hold hearings, conferences, and discussions involving SGI within controlled areas, if practicable, and preferably at locations controlled by Oklo Inc. or other NRC licensees. The use of if practicable implies that places other than controlled areas may be used for hearings and conferences.

As such, additional information is necessary for the NRC staff to determine that Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify the process that will be used in those instances when hearings, conferences, and discussions involving SGI are held in places other than controlled areas to prevent the unauthorized disclosure of SGI. Update the Plan, as necessary.

12

b. Section 9.2 of the Plan (page 18) states: Individuals who arrange or participate in public hearings, conferences, or discussions involving SGI must do the following: 1. Ensure before a hearing, conference, or discussion that participating personnel are identified and are authorized to have access to the information to be discussed. However, it is unclear who will be responsible for ensuring that meeting participants are identified and authorized to have access to the information to be discussed. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify the process that employees must follow when arranging hearings, conferences, or discussions involving SGI, including who within Oklo will be responsible for verifying that participants have been approved for access to SGI.

Update the Plan, as necessary.

RAI-23 The regulation at 10 CFR 73.21(a)(1) states, in part, that Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking:

Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure.

The regulation at 10 CFR 73.22(d)(4) states: Marking of documents or other matter containing or transmitting Safeguards Information shall, at a minimum include the words Safeguards Information to ensure identification of protected information for the protection of facilities and material covered by § 73.22.

Section 9.3 of the Plan (page 18) states: Transcripts of hearings and meetings minutes that contain SGI must be marked and protected, in accordance with 10 CFR 73.22(d)(4) and 10 CFR 73.23(d)(4). However, it is unclear who will be responsible for marking transcripts of hearings and meeting minutes. This information is necessary for the NRC staff to determine that Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify who will be responsible for marking documents that contain SGI or for ensuring that those documents are properly marked. Update the Plan, as necessary.

RAI-24 The requirement 10 CFR 73.22(f) establishes the requirements for external transmission of SGI documents and material. 10 CFR 73.22(b)(1) states: Except as the Commission may otherwise authorize, no person may have access to Safeguards Information unless the person has an established need to know for the information and has undergone a Federal Bureau of Investigation (FBI) criminal history records check using the procedures set forth in § 73.57.

Section 9.4, Transmission of Safeguards Information, of the Plan (page 19) states:

In every case, before SGI is transmitted, the sender must verify that the intended recipient is someone that is authorized to access SGI and has a need-to-know.

However, it is unclear what process will be used to ensure that recipients of SGI are authorized to have access. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

13

Clarify the process that employees must follow to verify that the intended recipient of a transmission is authorized to access SGI. Update the Plan, as necessary.

RAI-25 The regulation at 10 CFR 73.21(a)(1) states, in part: Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking: Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure. Additionally, 10 CFR 10 CFR 73.22(f) establishes specific requirements for the external transmission of documents and material. Specifically, 10 CFR 73.22(f)(2) states: Safeguards Information may be transported by any commercial delivery company that provides service with computer tracking features, U.S. first class, registered, express, or certified mail, or by any individual authorized access pursuant to these requirements.

Section 9.3 of the Plan (page 19) states: Hand-carrying - Oklo Inc. will hand-carry SGI outside of the facility only as a last resort, when other means of transmitting the information have failed or are not practicable. However, it is unclear what process will be used to make a determination that hand-carrying is a last resort or when other means of transmitting are not practicable. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify the process that employees must follow to determine that hand-carry or a different mode of transmission is warranted. Update the Plan, as necessary.

RAI-26 The regulation at 10 CFR 73.22(f)(3) states: Except under emergency or extraordinary conditions, Safeguards Information shall be transmitted outside an authorized place of use or storage only by NRC approved secure electronic devices, such as facsimiles or telephone devices, provided that transmitters and receivers implement processes that will provide high assurance that Safeguards Information is protected before and after the transmission or electronic mail through the internet, provided that the information is encrypted by a method (Federal Information Processing Standard [FIPS] 140-2 or later) approved by the appropriate NRC Office; the information is produced by a self contained secure automatic data process system; and transmitters and receivers implement the information handling processes that will provide high assurance that Safeguards Information is protected before and after transmission. Physical security events required to be reported pursuant to § 73.71 are considered to be extraordinary conditions. Cyber security event notifications required to be reported pursuant to §73.77 are considered to be extraordinary conditions.

Section 9.4 of the Plan (page 20) states: Both the transmitter and the receive[r] must use information-handling processes to ensure protection of the SGI before and after transmission, as prescribed by 10 CFR 73.22(f)(3). However, it is unclear what is meant by information-handling processes. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Identify and describe the information-handling processes that are referenced in item 3.c. in Section 9.4 of the Plan. Update the Plan, as necessary.

14

RAI-27 The regulation at 10 CFR 73.22(g)(3) states: A mobile device (such as a laptop computer) may also be used for the processing of Safeguards Information provided the device is secured in a locked security storage container when not in use. Other systems may be used if approved for security by the appropriate NRC office.

Section 10 of the Plan (Page 21) states: Oklo, Inc. may use other mobile devices or systems if the NRC has approved their security in accordance with 10 CFR 73.22(g)(3) and 10 CFR 73.23(g)(3). However, it is unclear what processes will be used to ensure that the security for mobile devices has been approved. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Clarify the process that Oklo will use to verify whether other mobile devices or systems have been approved by the NRC, or how Oklo will seek NRC approval for such use of mobile devices. Update the Plan, as necessary.

RAI-28 The regulation at 10 CFR 73.21(a)(1) states in part: Each licensee, certificate holder, applicant, or other person who produces, receives, or acquires Safeguards Information (including Safeguards Information with the designation or marking: Safeguards Information Modified Handling) shall ensure that it is protected against unauthorized disclosure. Additionally, 10 CFR 73.22(h) states: The authority to determine that a document or other matter may be decontrolled will only be exercised by the NRC, with NRC approval, or in consultation with the individual or organization that made the original determination.

Section 11 of the Plan (page 22) states: Personnel should not remove the SGI designation from any document or material unless they themselves or their organization was responsible for the original SGI designation. In the instances where Oklo has designated a document as SGI, it is unclear who will have the authority to decontrol a document. This information is necessary for the NRC staff to determine whether Oklo has processes and procedures in place to prevent the unauthorized disclosure of SGI.

Explain whether there is guidance that either prohibits employees from independently electing to remove the SGI designation from a document or empowers each employee with the authority to independently remove the SGI designation from a document.

Further explain how employee decisions to remove the SGI designation from a document is coordinated within Oklo. Update the Plan, as necessary.

15

Retrieved from "https://kanterella.com/w/index.php?title=ML19134A287&oldid=1909338"