Y OMB SUPPORTING STATEMENT FOR j 10 CFR 95 Security Facility- Approval and Safeguarding of l National Security Information and Restricted Data 4

Description of Information Collection

! The reporting requirements of 10 CFR Part 95 affect approximately 12 licensees 1-and other organizations (5 fuel cycle facilities. 3 transportation companies, 1 power reactor and 3 other organizations). The licensees or other organiza-tions make the reports available at their place of business or send the reports to NRC at its Headquarters or Regional Offices. Reports or applications are only required as occasioned by the occurrence of specific events such as the i request for a security facility approval, an exemption request, a cancellation or termination of security facility approval, or a report of possible loss or 6

compromise of classified information. Other requirements for recordkeeping are necessary for checking the licensees'_ and other organizations' procedures for maintaining acceptable security education, facility and classification /declas-sification programs. The limited amount of personal information submitted in connection with security facility approval requests, classification /declassifi-cation actions and other areas within these requirements is handled and protected in accordance with NRC directives and the provisions of the Privacy Act of 1974. Other inforration submitted to NRC in response to the application, recordkeeping and reporting requirements is available for public inspection in accordance with 10 CFR Part 9.

}

l A. JUSTIFICATION l 1. Need for Collection of Information. 10 CFR Part 95 contains numerous reporting, recordkeeping and application requirements, including re-quirements for submittal of information, ADP and telecomunications security plans, security recordkeeping requirements for compliance purposes and security reporting and notification procedures for com-liance and response purposes. In all cases, the requirements are necessary to help ensure that an adequate level of protection is provided for information determined to be classified by the NRC Clas-ification-Guide for Safeguards Information (Appendix A to Part 95).

Essentially, all of the reporting, recordkeeping and application requirements are necessary for one of the reasons listed below:

a. To obtain essential descriptive data concerning the content and planned operation of the licensee's or_ other organization's information security program which is necessary for NRC to determine the adequacy of planned methods and procedures for safeguarding classified information and material while in use, transmission or storage.

b. To obtain essential' data describing the licensee's or other organization's planned program for ensuring employee indoctrina-tion and continued awareness of their security responsibilities Y

so as to prevent unauthorized disclosure of classified informa-tion or material and to ensure the licensee's or other organization's compliance with E.0. 12356. ,

c. To obtain essential data to permit NRC review and appraisal of the licensee's or other organization's classification procedures and compliance with regulatory requirements for classification; procedures concerning release of classified information to IAEA representatives; and application of the Classification Guide for Safeguards Information (Appendix A to Part 95).

The currently effective information collection requbements of 10 CFR Part 95 are identified and explained below:

95.11 Exemption Requests. The information and justification required by this section are used to determine whether an exemption can be granted. The submittal is necessary fro:n any licensee who possesses nonself-protecting formula quantities of strategic special nuclear material (SSNM), but which feels it ought to be exempted from the requirements of Part 95. The recordkeeping requirement (2 years beyond period covered by the exemption) permits necessary review of exemption material and approval documentation during annual NRC surveys.

95.15(a)&(b) Security Facility Approval Recuest. A facility which needs to use, process, store, transmit or hancle classified informa-tion under Part 95 must request approval from NRC. The request for approval and accompanying security plan provide pertinent data which enables the NRC Division of Security to assess the licensee's or other organization's eligibility for such approval. Licensees and other organizations are inspected to ensure their compliance with the procedures outlined in this security plan and the requirements contained within the Part.

95.lu(a) & (b) Changes to Security Practices and Procedures.

' This section requires the reporting of proposed major changes to a security plan prior to implementation and requires the reporting of minor changes promptly after the change has been adopted by the licensee.

95.21 Cancellation of Facility Approval Request. The information required by this section is necessary each time a licensee or other organization wishes to withdraw or cancel a security facility approval request. This information will be used by the NRC Division of Security as a basis for discontinuing further processing of the application and if no access to classified information or material is needed, would indicate that pending personnel security access authorization requests should also be cancelled.

95.25(a)(3) Security Container Check Records. This information and one year recordkeeping requirement help ensure that required physical checks of security containers are made ani that records of these checks are available for review during periodic NRC ,j inspections.

OMB SUPPORTING STATEMENT 10 CFR 95 '

I 95.25(c)(1) Lock Combinations (Personnel Authorized). This information and recordkeeping requirement permit NRC review of these records to ensure that combinations to containers used to store classified information are given only to properly cleared and authorized individuals.

95.25(d) Records of Combinations. This information and record-keeping requirement help ensure that written lock combinations are properly classified and safeguarded in accordance with provisions of E.0. 12356 and its Implementing Directives.

95.25(g) Custodian / Monitor and Combination Change Records. (1)This posting requirement ensures that the proper individuals can be noti-fied in the event of an infraction or other event requiring their attention. The posting requirement also permits a method for NRC to verify that custodians and alternates possess the proper level of access authorization. (2) The combination change record permits NRC to verify that combination changes have occurred as prescribed by E.0. 12356 and its Implementing Directives. (3) The monitor sheet record and its retention ensure that each security container is locked and checked so as to prevent unauthorized disclosures of classified information, particularly after normal working hours.

95.25(h) Unattended Security Container Found Open. This infonna-tion collection and recordkeeping requirement assures (1) that the licensee or other organization complies with the Information Security Oversight Office (IS00) directive to report the loss or possible compromise of classified information, and (2) that the NRC may evaluate such occurrences and corrective actions which have been taken. The recordkeeping requirement permits inspection by NRC of records relating to these occurrences.

95.25(i) Key and Lock Accountability Records. This recordkeeping requirement permits the NRC inspection and review of lock and key accountability records to determine that proper key and lock issuance procedures are maintained and that only individuals with the appropriate level of access authorization are issued keys and locks to security areas.

95.33 Security Education. This recordkeeping requirement permits verification through NRC inspection that individuals granted access authorizations are appropriately indoctrinated as to their individual security responsibilities and duties relative to the protection of classified information.

95.36(d) IAEA Visit Records. This recordkeeping requirement and its inspectability through NRC surveys ensures that licensees maintain the proper procedures and controls over the release of classified information to IAEA representatives in accordance with the disclosure authorization granted by the NRC Division of Security.

95.37(c) & 95.45(b) Marking Requirements. These marking and labeling requirements, which require an authorized classifier to place the appropriate classification markings on the document and CMB SUPPORTING STATEMENT 10 CFR 95

sign his/her name,will be used whenever an NRC licensee or contractor authorized classifier originates a classified document or the classification of an existing document is to be changed (e.g.,

declassified or downgraded). These requirements provide assurance

, that: (1) only those officials delegated classification authority are classifying documents, (2) documents are not downgraded or de-classified without proper authority, and (3) there is accountability for future classification, downgrading and declassification actions.

95.37(i) Improperly Classified or Unmarked Classified Documents.

This is a required procedure for document custodians to assure that any questions regarding proper classification are referred to the originator and that appropriate steps to safeguard the document are taken. The recordkeeping requirement permits verification through NRC surveys of actions taken when unauthorized disclosures may have occurred.

95.41 Accountability for Secret Matter. This procedure and record-keeping requirement ensure that classified documents and material are controlled in accordance with E.0.12356 and its Implementing Directives. The retention period permits review and verification by NRC of disposition through periodic NRC surveys.

95.45(a) Changes in Classification. These procedures ensure that documents which may warrant downgrading or declassification are reviewed by the NRC Division of Security or are referred to the Department of Energy, as may be appropriate.

95.47 Destruction of Classified Matter. The record retention requirement prescribed by this section permits inspection by NRC of destruction and disposition records and helps to ensure the proper safeguarding of classified information and material.

95.53(a)&(b) Security Facility Approval Terminated. These procedures and notifications ensure that security facility approval is terminated, suspended or revoked when no longer needed or when continuation would endanger the common defense and security. The certificate of nonpossession provides assurance that all classified information and material has been returned to NRC or destroyed in accordance with NRC security requirements.

95.57(a) (b) & (C) Security / Classification Reports. The procedures in (a) and (b) are necessary to ensure that possible losses, compro-mises, violations of law and disclosures of classified information are investigated and assessed promptly. The monthly report required by (c) received via NRC Form 790, " Classification Record," (cleared under3150-0052) permits NRC to evaluate the classification /declassi-fication program under Part 95 and enables the NRC Division of Security to report these actions to IS00.

2. Agency Use of Information. The reports, security plans and other security information are submitted to the Division of Security.

The information is used to help determine whether a licensee or other organization is eligible to use, process, store, transmit or 0MB SUPPORTING STATEMENT 10 CFR 95

l l

handle NRC classified information. The information is also used for periodic reviews and inspections to ensure appropriate regulations are continuously followed. If the information collection was not conducted these determinations could not be made and the licensees or other organizations would not be permitted to maintain this classified information which is pertinent to their activities.

3. Reduction of Burden Through Information Technology. There are no information technology applications which would impact (e.g., reduce) the burden of these information collection requirements.

4. Effort to Identify Duplication. These information collection requirements do not duplicate information the affected licensee or organization must submit for other purposes since the nature of the information being requested is unique to NRC's activity at the facility.

5. Effort to Use Similar Information. There is no other information already available which can be used to obtain NRC security facility approv?F and for safeguarding NRC's National Security Information and Restricted Data.

6. Effort to Reduce Small Business Burden. None of the licensees affected qualify as small business enterprises or entities.

7. Consequences of Lass Frequent Collection. Required reports and infor-mation are collected and evaluated on a continuing basis as events occur. Applications for new security facility approvals may be submitted at any time. If not submitted, approval to store NRC classified information will not be processed. Other information collection requirements ensure that once placed at the facility, that information continues to receive the required protection. Less fre-quent collection of this information may impact negatively on NRC's responsibility to ensure proper protection and may endanger the U. S.

common defensive and national security.

8. Circumstances Which Justify Variation from OMB Guidelines. There is no variation from OMB Guidelines in this collection of information.

9. Consultation Outside the NRC. No official outside consultations were held regarding the information collection requirements, however, when originally conceived, these requirements were subject to public comment. Any changes to information collection requirements will also be subject to public comment. NRC's requirements and procedures are similar to those of other government agencies involved with pro-grams requiring the protection of National Security information.

10. Confidentiality of Information. The information collected is used for (1) granting licensees and others security facility approval; and (2) ensuring the proper protection classification and accountability of NRC classified information. The limited amount of personal informa-tion is protected from public disclosure under the Privacy Act of 1974 and is handled in accordance with routine uses specified in the Privacy Act Statement on each form.

OMB SUPPORTING STATEMENT 10 CFR 95

\

l

11. Justification for Sensitive Questions. No sensitive information is I requested under these regulations.

12. Estimated Annual Cost to the Federal Government. The estimated annual cost to the Federal Government in administering the program and procedures contained in these requirements is:

Annual Cost - professional effort (1,331 hrs. X $60/hr.) = $79,860 Annual Cost - clerical effort (235 hrs. X $20/hr.) = $ 4,700 Annual Cost - record holding requirement for ongoing program (i cubic ft. X $209/ cubic ft.) =

$100 Total Annual Cost = $84,660 The annual cost to the respondents is reflected on Attachment A. The cost of $60.00/hr. was used.

13. Estimate of Burden. Please see Attachment A for a breakdown of burden estimates by Section.

14. Reasons for Change in Burden. The burden estimated in Sections 95.37(c) and 95.45(b) represents a decrease of 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> and $1,440 over the annual cost to respondents estimated under the current OMB clearance. The decrease results from the requirements now being im-posed on only 12 NRC licensees. The burden astimate is even further reduced since previously, some burden was counted twice, once for a form itself and again as part of the requirements for Part 95.

15. Publication for Statistical Use. There is no application of statistics in the information collected. There is no publication of this information.

t OMB SUPPORTING STATEMENT 10 CFR 95 L _I

ATTACHMENT A 10 CFR 95 BURDEN ESTIMATE Total No. of Annual Total Hours Per Burden Cost To Section- Requirement Rspndnts Responses Responses Responses Hours Rspndnt Reporting 95.11 Exemption Request 2 1 2 1.8 3.6 216 95.15(a) & (b)/ Security Facility Approval Requests 2 1 2 35.0 70.0 4,200 95.49 95.18(a) & (b) Changes to Security Practices and 12 2 24 4.0 96.0 5,760 Procedures 95.21 Cancellation of Facility Approval 2 1 2 1.0 2.0 120 Requests 95.25(h) Unattended Security Container Found 6 2 12 15.0 180.0 10,800 Open 95.45(a) Changes in Classification 5 1 5 2.0 10.0 600 95.53(a) & (b) Security Facility Approval 4 1 4 3.0 12.0 720 Terminated 95.57(a) & (b) Security Classification Reports 12 1 12 3.0 36.0 2,160 95.57(c) Security Classification Report Form cleared under OMB control number 3150-0052.

Completion of NRC Form 790 Totals 409.6 24,576 E

9

ATTACHMENT A 10 CFR 95 BURDEN ESTIMATE Annual Total No. of Hours Per Rcrdkpng Cost to Section Reqcirement Rcrdkprs Rcrdkprs Hours Respondent Recordkeeping 95.11 Exemption Request (2 yrs)' 2 .2 .4 $ 24 95.25(a)(3) Security Container Check Review (1 yr) 12 2.0 24.0 1,440 95.25(c)(1) Lock Combinations (Personnel Auth.) 12 1.0 12.0 720 95.25(d) Records of Combination 12 1.0 12.0 720 95.25(g) Custodian / Monitor & Combination Records 12 0.5 6.0 360 95.25(h) Unattended Security Container Found Open 6 .2 1.2 72 95.25(i) Key and Lock Accountability Records 12 2.0 24.0 1,440 95.33 Security Education 12 20.0 240.0 14,400 95.36(d) IAEA Visit Records (5 yrs) 2 5.0 10.0 600 95.37(c)/95.45(b) Marking Requirements 12 .25 36.0 2,160 95.37(i) Improperly Classified or Unmarked 5 1.0 5.0 300 Classified Documents (2 yrs) 95.41 Accountability for Secret Matter (2 yrs) 12 .5 60.0 3,600 95.47 Destruction of Classified Matter (2 yrs) 12 5.0 60.0 3,600 Totals- 494.6 $29,676 4