ML20265A304

Draft Additional Information Regarding Eden Radioisotopes, LLC Safeguards Information Protection Plan
ML20265A304
Person / Time
Site: 99902077
Issue date: 07/23/2020
From: Linh Tran
NRC/NRR/DANU/UNPL
To:
Eden Radioisotopes
Tran L,NRR/DANU/UNPL,4154103
Shared Package
ML20265A281 List:
References
SGIPP-SMP-2020-001, Rev. 1


Text

REQUEST FOR ADDITIONAL INFORMATION REGARDING THE SAFEGUARDS INFORMATION PROTECTION PLAN FOR EDEN RADIOISOTOPES, LLC DOCUMENT UI# SGIPP-SMP-2020-001, REVISION 1

The following requests for additional information are based on the U.S. Nuclear Regulatory Commission (NRC) staff's review of Eden Radioisotopes, LLC (Eden) Safeguards Information Protection Plan (SGIPP) Revision 1, dated July 23, 2020. This information is necessary to continue the review of Eden's SGIPP for compliance with the regulatory requirements contained in Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Physical Protection of Plants and Materials. The response to this request will inform the NRC's determination on the effectiveness of Eden's SGIPP, also referred to as the "Plan."

General Comment-1: Section 1.2, page 4, Scope and Applicability, and other sections within the Eden SGIPP, make reference to "classify" with respect to documents that contain Safeguards Information (SGI).

As defined in 10 CFR 73.2, Definitions, SGI means information not classified as National Security Information or Restricted Data. Consistent with the aforementioned definition for SGI, 10 CFR 73.22, Protection of Safeguards Information: Specific Requirements, paragraph (d), Preparation and marking of documents or other matter, informs the reader that SGI is "designated."

To prevent confusion in the use of regulatory terms and definitions, the NRC suggests use of a word other than "classified" in the definition of material to avoid confusion with terminology associated with National Security Information or Restricted Data. Appropriate alternatives could include "determined" or "designated."

RAI-1: Section 2, page 2, Roles and Responsibilities, does not make it clear who is responsible for creating and/or maintaining a record for those personnel that request access to SGI and are subsequently denied an affirmative trustworthiness and reliability determination for access to SGI.

Under 10 CFR 73.57, Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to Safeguards Information, paragraph (f)(5) requires that licensees retain all fingerprint and criminal history records received from the [Federal Bureau of Investigation] FBI, or a copy if the individual's file has been transferred, on an individual (including data indicating no record) for one year after termination or denial of unescorted access to the nuclear power facility, the non-power reactor facility, or access to Safeguards Information.

Clarify that records of denial for unescorted access to SGI will be maintained per 10 CFR 73.57(f)(5) and identify the position(s) that will be tasked with maintaining these records.

RAI-2: Section 2, page 2, Roles and Responsibilities, identifies several job positions that serve a role in either the conduct or the review of audits. The Plan, however, does not identify who has the responsibility for ensuring that problematic issues discovered during the audit are corrected in a timely fashion.

As required by 10 CFR 73.21, Protection of Safeguards Information: Performance Requirements, paragraph (a)(1)(i), an SGI program must be established, implemented, and maintained by each licensee who produces, receives, or acquires SGI. A complete audit process is considered part of an SGI program.

Clarify, within the Plan, who has the responsibility for ensuring that corrective actions are completed when information security concerns and/or a lack of Plan compliance are discovered during an audit.

RAI-3: Section 3.9, page 15, Processing SGI on Electronic Systems, states that the Facility Information Security Manager (FISM) approves laptops for the electronic transmission of SGI.

As prescribed by 10 CFR 73.22(f)(3), a licensee will seek NRC approval prior to using software to encrypt SGI for electronic transmission.

Clarify why the responsibility to approve laptops for electronic transmission is not stated within Section 2, Roles and Responsibilities for the FISM, and why there is no statement, within the Plan, that Eden will seek NRC approval prior to using software to encrypt SGI for electronic transmission.

RAI-4: Section 2, page 6, Safeguards Information (SGI) Custodians, states that the SGI Custodian has the responsibility for marking SGI documents.

As stated in 10 CFR 73.22(d)(1), "[e]ach document or other matter that contains Safeguards Information as described in § 73.21(a)(1)(i) and this section must be marked to indicate the presence of such information in a conspicuous manner on the top and bottom of each page."

As written, the NRC staff believes the language is more restrictive than typically seen. Please clarify whether or not other Eden employees and Contractors will also be permitted to mark documents, to include working papers, containing SGI, or if the SGI Custodians have sole authority for marking SGI documents.

RAI-5: Section 2, page 6, Safeguards Information (SGI) Custodians, within the section that addresses SGI Access Authorization Process, identifies 10 CFR 73.21 and 10 CFR 73.57 as the prescribing guidance documents for requiring a completed Background Check for those that seek access to SGI.

As per 10 CFR 73.21(a)(1)(iii), a licensee must "[p]rotect the information in accordance with the requirements of § 73.22 if the Safeguards Information is not described in paragraphs (a)(1)(i) and (a)(1)(ii) of this section."

Revise the reference to 10 CFR 73.21 to the appropriate regulation found in 10 CFR 73.22(b) regarding background checks.

RAI-6: Section 2, page 6, Safeguards Information (SGI) Custodians, within the section that addresses SGI Access Authorization Process, and throughout the Plan, reference is made to a "FBI Background Investigation," contrary to the required "FBI Criminal History Records Check."

As stated in 10 CFR 73.22(b)(1), no person may have access to Safeguards Information ... and has undergone a Federal Bureau of Investigation (FBI) criminal history records check using the procedures set forth in § 73.57.

Clarify the approach that Eden will take to satisfy the regulatory requirement prescribed for SGI access regulations.

RAI-7: Section 2, page 6, Safeguards Information (SGI) Custodians, within the section that addresses SGI Access Authorization Process, makes reference to itself as the "licensee" in contrast to previous references to itself, employees and contractors. Within this section, the Plan states that the SGI Information Custodians will conduct a reevaluation if the licensee learns of information that would call into question someone's trustworthiness and reliability.

As described in 10 CFR 50.9, Completeness and accuracy of information, paragraph (a), information required by statute or by the Commission's regulations, orders, or license conditions to be maintained by the applicant or licensee shall be complete and accurate in all material respects.

Clarify if the "licensee" is synonymous with Eden insofar as its efforts to comply with SGI access requirements that are specified by 10 CFR 73.22(b)(2).

General Comment-2: Section 2, page 9, All Employees and Contractors, states that SGI should be properly marked in a way that it is immediately recognizable.

Consistent with 10 CFR 73.22(d)(1), each document must be marked to indicate the presence of SGI in a conspicuous manner on the top and bottom of each page.

Consider adding the following text to the referenced sentence e.g. marked in a conspicuous manner on the top and bottom of each page with the words Safeguards Information for referencing Section 3.6 of the Eden SGIPP Revision 1.

RAI-8: Section 3.4, page 12, Document Control While in Use, states that SGI use takes place in the same secure room where the approved security container is located. It goes on to state that SGI must be returned by the end of the workday. That seems to imply that SGI will be removed from the secure room.

In accordance with 10 CFR 73.22(c)(1) Safeguards Information must be under the control of an individual authorized access to Safeguards Information, at all times.

Clarify where SGI use will take place, be it within the secure room or within workspaces under the cognizance of Eden, such that the requirements of 10 CFR 73.22(c) are adhered to.

RAI-9: Section 3.9, page 15, Processing SGI on Electronic Systems, speaks to SGI laptop use. Unlike hard copies of SGI, as referenced in Section 3.4, there is no stated limitation on where the SGI laptop can be used.

The use of computers for SGI, as discussed in 10 CFR 73.22(g)(1), requires that access is limited to individuals authorized access. The security of these devices, as discussed in 10 CFR 73.22(g)(3), requires that the device is secured in a locked security storage container when not in use.

Clarify where a laptop that processes SGI will be used given that previously stated guidance within the Plan, for hard copy documents, limits SGI use to the secure room where the security container is located.

RAI-10: Section 3.4, page 12, Document Control While in Use, within the section that addresses SGI While in Use, there is a cross-reference to an outdated NRC Form 461 SGI Coversheet, as opposed to using a coversheet created by Eden.

As described in 10 CFR 50.9(a), information required by statute or by the Commission's regulations, orders, or license conditions to be maintained by the applicant or licensee shall be complete and accurate in all material respects.

Explain why Eden has elected to use the outdated NRC Form 461, as opposed to the current NRC Form 461, or the creation of its own SGI Coversheet that identifies applicable Federal regulations and established Eden policy. If the NRC Form 461 will be used by Eden, identify the degree with which NRC Management Directive 12.7, NRC Safeguards Information Security Program, guidance will be integrated into a revised Eden SGIPP.

RAI-11: Section 3.4, page 12, Document Control While In Use, within the section that addresses SGI Discussions, it states that discussions of SGI will occur in such a manner as to avoid overhearing by individuals not authorized, and that the policy includes ensuring that the walls and doors of rooms used for SGI discussions can prevent eavesdropping or being heard outside the room.

As stated in 10 CFR 73.22(b)(1), no person may have access to Safeguards Information unless the person has an established need to know for the information and has undergone a Federal Bureau of Investigation (FBI) criminal history records check using the procedures set forth in § 73.57.

Identify who has the authority for making the determination that an area or room meets the sound attenuation requirement for discussions involving SGI, such that SGI is protected from unauthorized disclosure as prescribed by the aforementioned regulations.

General Comment-3: Section 3.7, page 15, Printing and Reproduction of Documents, states that a single blank sheet is run through the copier, after SGI has been reproduced, to overwrite any images retained from the last use.

Consistent with the regulations in 10 CFR 73.22(b), 10 CFR 73.22(e) and 10 CFR 73.22(i) SGI must be protected from unauthorized disclosure during printing and reproduction.

Consider adding guidance that addresses the handling requirements or process to be followed for the final disposition of the blank sheet that is run through the copier to capture retained images that may contain SGI.

RAI-12: Section 3.8, page 15, External Transmission of Documents, states that "A commercial delivery company that computer tracking services."

The referenced sentence provides guidance that is incomplete. Revise the referenced sentence to insert the word "provides" before the word "computer."

RAI-13: Section 3.13, page 18, Control of Security Containers, states that combinations to security containers must be changed within 24 hours of the following events or conditions, then goes on to identify three events or conditions.

In accordance with 10 CFR 73.22(c)(2), "[a]ccess to lock combinations must be strictly controlled so as to prevent disclosure to an individual not authorized access to Safeguards Information."

Explain why there is no stated plan to change the combination to the security container when an employee or contractor loses his/her need to know or is deemed to no longer be trustworthy and reliable but maintains employment with Eden.

RAI-14: Appendix A, page 22, Definitions and Abbreviations, identifies the acronym SUNSI as meaning "Sensitive Unclassified Nuclear Security Information." Yet this acronym is not used in the SGIPP.

As described in 10 CFR 50.9(a), information required by statute or by the Commission's regulations, orders, or license conditions to be maintained by the applicant or licensee shall be complete and accurate in all material respects.

Explain the purpose of including the SUNSI acronym within the Plan. If the inclusion is intended to familiarize Eden employees and contractors with an acronym that is routinely used by the NRC in its Management Directives, e.g., Management Directive 12.7, then the correct meaning of the acronym is "Sensitive Unclassified Non-Safeguards Information."