Text

PR-025,095 - 61FR40555 - Access to and Protection of Classified Information
	ML23151A590
Person / Time
Issue date:	05/05/1996
From:	Taylor J; NRC/EDO
To:	;
References
	PR-025, PR-095, 61FR40555
	Download: ML23151A590 (1)
	v • d • e

ADAMS Template: SECY-067 DOCUMENT DATE: 08/05/1996 TITLE: PR-025, 095 - 61 FR40555 - ACCESS TO AND PROTECTION OF CLASSIFIED INFORMATION CASE

REFERENCE:

PR-025, 095 61FR40555 KEYWORD: RULEMAKING COMMENTS Document Sensitivity: Non-sensitive - SUNSI Review Complete

STATUS OF RULEMAKING PROPOSED RULE: PR-025 , 095 OPEN ITEM (Y/N) N RULE NAME: ACCESS TO AND PROTECTION OF CLASSIFIED INFORMATION PROPOSED RULE FED REG CITE: 61FR40555 PROPOSED RULE PUBLICATION DATE: 08 / 05 / 96 NUMBER OF COMMENTS: 3 ORIGINAL DATE FOR COMMENTS: 10 / 04 / 96 EXTENSION DATE : I I FINAL RULE FED. REG . CITE: 62FR17683 FINAL RULE PUBLICATION DATE: 04 /11/ 97 NOTES ON: AMENDING REGS TO ENSURE THAT CLASSIFIED INFORMATION HELD BY NRC LI STATUS CENSEES & OTHERS UNDER NRC'S REG. REQUIREMENTS IS PROTECTED IN ACC F RULE : ORDANCE W/ CURRENT NATIONAL POLICY. / S/ 'D BY EDO. FILE ON P-1 .

HISTORY OF THE RULE PART AFFECTED: PR - 025, 095 RULE TITLE: ACCESS TO AND PROTECTION OF CLASSIFIED INFORMATION PROPOSED RULE PROPOSED RULE DATE PROPOSED RULE SECY PAPER: SRM DATE: I I SIGNED BY SECRETARY: 07 /2 6/ 96 FINAL RULE FINAL RULE DATE FINAL RULE SECY PAPER: SRM DATE: I I SIGNED BY SECRETARY: 03 /2 6/ 97 STAFF CONTACTS ON THE RULE CONTACTl : DUANE G. KIDD MAIL STOP: T-6E46 PHONE: 415 -7 403 CONTACT2: CAROL GALLAGHER MAIL STOP: T-9F29 PHONE: 415 - 5905

DOCKET NO. PR-025, 095 (61FR40555)

In the Matter of ACCESS TO AND PROTECTION OF CLASSIFIED INFORMATION DATE .DATE OF TITLE OR DOCKETED DOCUMENT DESCRIPTION OF DOCUMENT

- 08/01/96 07/26/96 FEDERAL REGISTER NOTICE - PROPOSED RULE 10/07/96 10/02/96 COMMENT OF GEORGIA POWER COMPANY (C. K. MCCOY, V.P.) ( 1) 10/22/96 10/16/96 COMMENT OF DEPARTMENT OF ENERGY (EDWARD J. MCCALLUM) ( 2) 04/01/97 03/31/97 COMMENT OF UNITED STATES ENRICHMENT CORPORATION (ROBERT L. WOOLLEY) ( 3) 04/02/97 03/26/97 FEDERAL REGISTER NOTICE - FINAL RULE

DOCKET NUMBER DOCKETED PROPOSED RULE PR ~5 J- q 5 US NRC (7590-01-P)

( {p / rR ti 0565

°97 APR -2 AS :01 NUCLEAR REGULATORY COMMISSION OFFICE OF SECRETARY OOCK ETINlJ & SF., \'l CE 10 CFR PARTS 25, 50, 54 AND 95 8. /\NCH RIN 3150-AF37 Access to And Protection of Classified Information AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

SUMMARY

The Nuclear Regulatory Commission (NRC) is amending its regulations to conform the requirements for the protection of and access to classified information to new national security policy documents. This final rule is necessary to ensure that classified information in the possession of NRC licensees and others under the NRC's regulatory requirements is protected in accordance with current national policies.

i.,,yYt ~ I ~1 I '1 "I '1 .

EFFECTIVE DATE: (30 ~iy& fF81R Elate ef publ1cetfon i-fl the Fede1el Register)

- FOR FURTHER INFORMATION CONTACT: Dua ne G. Kidd, Division of Security, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, tel ep hone (301) 415-7403, Email DGK@NRC .GOV.

SUPP LEMENTARY INFORMATION:

I. Background On August 5, 1996 (61 FR 40555 ) , the NRC published a proposed rule in the Federal Register to amend 10 CFR Parts 25 and 95 pertaining to the protection of Restricted Data and classified Nation~l Security Information at licensee, certificate holder and other facilities. The proposed amendments were intended to conform NRC regulations to new national requ i rements for the protection of and access to classified National Security Information that

were revised by the issuance of the National Industrial Security Program Operating Manual (NISPOM), Executive Order (E.0.) 12958, "Classified National Security Information," dated April 17, 1995, and E.O. 12968, "Access to Classified Information," dated August 2, 1995 The requirements of 10 CFR Parts 25 and 95, and the sections of Parts 50 and 54 that contain requirements for access to Restricted Data, were substantially based on E.O. 12356, dated April 6, 1982, which was superseded by E.O. 12958 and supplemented by the NISPOM.

The final rule amends the provisic1s of 10 CFR Parts 25, 50, 54, and 95 that deal with requirements for access to and protection of classified information that have been changed or added by the NISPOM or the Executive Orders with the exception of those requirements related to personnel security clearance for access to Secret Restricted Data.

The proposed rule would have permitted, in*§§25.15 and 95.35, access to most Secret Restricted Data, other than that defined as Critical Secret Restricted Data in the NISPOM and its supplement, with an "L" clearance based on a National Agency Check with Inquiries and Credit Check (NACIC). The Department of Energy (DOE) objected to this change in their formal comments on the proposed rule. DOE believes that, pending completion of the Joint DOE/DoD Nuclear w~apons Access Authorization Revi~w Group determination of ,what constitutes the most sensitive Restricted Data, the subsequent review of all classification guidance to determin~ if the guidance contains this type of information, and the upgrading of this information to Top Secret, all personnel with access to Secret Restricted Data must have a "Q" clearance based on a Single Scope Background Investigation (SSBI). Given DOE's special statutory authorities in establishing contrc~s for Restricted Data, their views deserve special consideration. However, because this requirement may 2

exceed the reqLlirements of applicable National Policy (i.e., the NISPOM), and result in additional costs to licensees and certificate holders, the NRC has decided to withdraw the changes to §§25.15 and 95.35 in this final rulemaking and to republish them separately for additional public comment. This will provide interested parties an equal opportunity to address the issues and provide supporting rationale for their recommendations and comments.

Other aspects of the proposed rule were generally acceptable to_?ll commenters. Those changes included revised and added definitions such as Cognizant Security Agency, Classified NationJl Security Information, Classified Information, Facility Security Clearance, Foreign Ownership, Control, or Influence as well as numerous amendments to reflect the fact that the NRC may permit another Cognizant Security Agency (DOE, DoD, or CIA) to assume some or all of the security oversight functions at an NRC facility under the requirements of 10 CFR Parts 25 and/or 95 when that agency also ha~

a significant security interest at the facility (§§25.13, 25.17, 25.19, 25.21, 25.23, 25.25, 25.27, 25.29, 25.33, 95.17, 95.18, 95.19, 95.25, 95.27, 95.29, 95.31, 95.33, 95.37, 95.39, 95.43, 95.47, 95.49, 95.51, 95.53, 95.57 and 95.59). The final rule addresses the intent of E.0. 12829, "National Industrial Security Program,* to reduce wasteful and inefficient duplicative oversight of private facilities which h~ve classifi~d interests from more than one government agency.

The final rule also adopts new requirements in areas where the

..,/

Executive Orders or the NISPOM, mandate specific requirements not included in the previous versions of the rules. These new requirements include:

Requiring that key management personnel have access authorizations as well as those employees with access to classified information (§§95.17 and 95.18);*

3

Permitting reinstatement of an access authorization up to 24 months after termination instead of the previous 6 months(§25.29):

Permitting facili~y security officers to issue visit authorization letters directly rather than processing authorization requests through the NRC Division of Security (§25.35):

Requiring a finding that a facility is not under foreign ownership, control or influence (§§95.15 and 95.17);

Requiring facility security officers to have specific training related to 4t their position (§95.33):

Permitting the use of reinforced steel filing cabinets with lockbars and key locks for classified information (provided appropriate supplemental protection is in place during non-working hours) (§95.25);

Changing the security classification markings to conform to E.O. 12958

(§95.37);

Reducing the accountability requirements for Secret documents (§95.41):

Defining procedures for challenging classification decisions that one believes to be in error (§95.37):

Allowing for additional methods of transmitting ~lass1fied information

(§95.39);

Changi~d 10 CFR Parts 50 and 54 to re:er tu current procedures 1n 10 CFR Parts 25 and/or 95 for access to classi ed information (§§50.37 and 54. ):

and Imposing fewer limitations on a facility's authority to reproduce classified information when operationally necessary (§95.43).

II. Comments on the Proposed Rule The Commission received two letters commenting on the proposed rule. one 4

from Georgia Power Company and one from the DOE. Copies of the letters are available for public inspection and copying for a fee at the Commission's 0 ublic DocYment Room, located at 2120 L Street, NW. (Lower Level), Washington, DC. Both comments support the rulemaking, but provide recommendations for clarifications and improvements. The Georgia Power Company recommends that the NRC:

(1) Provide a procedure for the designation of the Cognizant Security Agency (CSA) for a facility; (2) Address the Commission's role in ensuring compliance with the rules of other CSA's; (3) Reconcile Restricted Data requirements ~n 10 CFR Parts 50 and 54 of the Commission's regulations with the proposed changes to 10 CFR Parts 25 and 95; and, (4) Define when a facility clearance from the Commission is required.

The DOE recommends that the NRC:

(1) Use either "access authorization" throughout the rule or indicate that "personnel security clearance" is a synonym for "access authorization;"

(2) Eliminate the use of,th2 term *cr:tical Secret Restricted Data" and require all Secret Restricted Data to be protected at the level required by the February 1995 NISPOM Supplement; (3) Clarify ~he definition of "access authorization" in §25.5; (4) Clarify the requirements for review of the SF-86 in J25.17(e);

(5) Clarify the scope of information to be protected in §95.3; (6) Change the term "survey" to "review" in §95.17(a)(2);

(7) Clarify the level of access authorization required for senior management in §95.18; (8) Raise the level of protection f?r Secret Restricted Data in §95.25 5 .

to the requirements of the NISPOM Supplement; (9) Eliminate the requirements in §95.25(c)(2)(v) to change security c6ntainer combir.ations once every 1~ months which exceeds the NISPOM requirements; (10) Require that documents indicating "multiple sources" as the basis for classification have those sources identified on the record copy of the document; and, (11) Require that "person" not be referred to as able to possess a

- facility clearance in §95.57.

Comments From Georgia Powe;:

Comment: The commenter stated that " ... the proposed rule does not explain which of these agencies i, +he ~ppropriJt2 CSA in a given situation or for a given facility, or Jho makes that determination. Conceivably, more than one of the agencies could be the CSA." Georgia Power recommended that the final rule include a more precise definition of CSA or a procedure for designating a CSA in a given situation.

Response: The definition of a CSA in 10 CFR Parts 25 and 95 has been changed to reflect that the CSA is the agency that exercises primary authority for the protection of the classified information at the facility and is the agency with which the facility interacts in these matters. The NRC agreement with the DoD and DOE implementing the National Industrial Security Program clearly indicates that one agency, the one with the greater security interest as determined between the agencies, would serve as the CSA and would be the agent of the other for matters relating to the protection of classified information. The facility would normally deal directly with the CSA on all issues related to the pro~ection of class~fied information at that facility and the CSA would inform the other agency of issues related to its security 6

interest.

Comment: With respect to the issue of the Commission's role of ensuring compliance with the rules of other CSAs, the commenter's concern was " ... how the Commission will be notified regarding access authorizations requested from another agency. Does an NRC licensee have an obligation to notify the Commission if it applies to another CSA for an access authorization?"

Response: Section 25.17 has been revised to require a facility, with a CSA other than NRC, to advise the NRC when it submits an individual for an access authorization for access to NRC classified information. The NRC does not need to be notified when the facility submits access authorization r~quests for access to classified information of the other agency. In keeping with the comment t.hat the process should be simple, the change merely requires a letter of request for access to NRC classified information. The NRC must be involved when access to NRC classified information is requested since the NRC must make the need-to-know determination. The NRC will handle any necessary

coordination between itself and the CSA .

Comment: The commenter noted an apparent conflict between §§50.37 and 54.l?(g) and other Commission regulations.

Response: The NRC has revised those paragraphs to resolve the conflict.

The NRC has clarified that compliance with 10 CFR Parts 25 and/or 95 satisfies the requi~ements of §§50.37 and 54.l?(g) as they relate to the protection of classified information.

Comment: The commenter indicated that §95.15 was unclear on whether a facility clearance was required under certain circumstances for licensee activities at other facilities. Specificclly, the commenter stated, "As revised by the proposed rule, it is unclear whether 10 CFR 95.15 requires an 7

NRC licensee to obtain a facility clearance from the Commission in order for employees of that licensee to 'use' or 'handle' classified information which is located at a completely different fJcility, including facilities subject to the oversight of another agency. For example, does 10 CFR 95.15 require a facility clearance from the Commission in order for employees of an NRC licensed facility to use or handle classified information which is maintained at a DOE facility? Conversely, does !O CFR 95.15 require the NRC to clear the non-NRC licensed facility? Although it does not appear to be the Commission's intent to require a facility clearance in either situation, an affirmative statement in this regard would assist in the implementation of the rule."

Response: Section 95.15 has been modified to clarify that an NRC facility clearance is only required for the use or possession of NRC classified information at the facility. A licensee or other facility whose personnel are cleared by another agency for access to that agency's information at another facility, does not require a facility clearance under

§95.15, nor would NRC clear the other facility. However, it should be clear

that if a licensee or other facility has a facility clearance for NRC cl~ssified information and they wish another facility (e.g., one of their contractors), to have access to the NRC classified information at their (the contractor's) facility, that contractor would require an NRC facility clearance.

Comments from DOE:

Comment: DOE had two comments relating to "ac9ess authorization" (1) While "access authorization" ~as the commonly used term ... "The introduction to the proposed rule references 'personnel security clearance' and some of the language in the text contains variations, such as 'personnel access authorization'. A common term should be used throughout, or the fact 8

that a personnel security clearance is a synonym for access authorization established."

(2) "The definition for 'access authorization' is confusing, stating that it means an individual 1s eligible for "secur1ty clearance for access to classified information.*

Response: The term "personnel security clearance" 1n the Supplementary section cf the final rule, which is an explanatory section rather than a portion of the rule, has been changed to "access authorization." The other changes have not been adopted since this is a recommendation for an editorial change and, in each case where the terms are used the meaning is clear. The definition of "access authorization" has been used within the NRC industrial security program since the early 1980's, including at sites with joint DOE security interests, and within the NRC internal program since the inception of the agency, without confusion. The only change to the definition in this rule is to include certif;cate holders within its scope.

Comment: The commenter noted that the proposed rule contains the term "Critical Restricted Data." They state that this term has not been adopted by any agency and that the level of protection for Secret Restricted Data was not adequate. Specifically the commenter stated, "The draft regulation uses the term 'Critical Secret Restricted Data.' This term has not be (sic) implemented by any agency. A review group was formed to review this issue and has decided not to use this term. Instead, information wi11 be appropriately upgraded to Top Secret. It is strongly recommended that NRC not use the term

°Critical Secret Restricted Data* in this regulation. Instead we suggest that all Secret Restricted Data continue to be protected at the NISPOM supplement level until the critical information has been upgraded to Top Secret." The commenter further states "The storage requirements for Secret contained in 9

th1s(sic) sections are not consistent with the storage requirements for Secret Restricted Data in the NISPOM supplement."

Response: Because of DOE's statutory responsibilities for the protection of Restricted Data, the potential economic 1mpact on licensees and certificate holders and possible discrepancies with the requirements of the NISPOM, NRC 1s withdrawing the changes to §§25.15 and 95.35 which deal with the level of clearance/type of background investigation required for access to Secret Restricted Data and will republish those c~anges separately for public comment. Additionally, although the term *critical Secret Restricted Data" is defined in and the security requirements for it are specified in Chapter 9, "Restricted Data," of the NISPOM Supplement, dated February 1995, the Supplement also indicates that a Joint DOE/DoD Nuclear Weapons Access Authorization Group is reviewing this issue and that there are ongoing efforts by the DOE and DoD to revise the requirements reflected in the Supplement.

Because that group has decided not to use the term "Critical Restricted Data,"

it has been removed from §95.3l(b) and a description of the information it was intended to protect has been substituted. However, because the level of physical protection required for Secret Restricted Data in the proposed rule is essentially the same as the requirementi of the current, lor9 standing Part 95, and those requirements appear to meet the requirements of the NISPOM. it 1s difficult for the NRC to justify increasing its physical security requirements for all Secret Restricted Data, at increased financial and administrative burden to licensees and certificate holders at this time.

However, if new policies for Restricted Data are approved and issued the NRC, at that time, will consider revising its ~eg_lations tci reflect the new policies.

10

Comment: The commenter questioned whether §25.17(e) requires a 11censee/contractor to review Part 2 of the SF-86.

Response: It is not the intent of th1s section that personnel at a licensee, certificate holder, or other facility review Part 2 of the SF-86, nor has it been NRC practice that this occur. The NRC's instructions for completing the SF-86 explicitly state that Part 2 of the SF-86 is to be placed in a sealed envelope by the individual completing the form and that the

- envelope is to be forwarded to the NRC uno~ened. Section 25.17(d)(l)(i) has been clarified to ensure that these requirements are clear.

Comment: The commenfer is concerned that §95.3 does not include Formerly Restricted Data.

Response: While Formerly Restricted Data (fRD), information related primarily to the military use of atomic weapons, is rare in the NRC program, the NRC agrees that its regulations should clearly address all forms of classified information. Section 95.3 has been revised accordingly.

Comment: The commenter is concerned that the term "security survey" is used in 10 CFR Part 95 insteai of the NISPOM t~rm "security review."

)

Response: The term "survey" in §§95.17(a)(2) and 95.59 has been changed to "review."

Comment: The commenter is concerned that §95.18 is not sufficiently clear about the level of access authorizations required for senior management.

Specifically, the commenter states, "Senior management cannot be cleared to the "level of the facility" by NRC, as NRC can only grant "Q" and "L" access authorizations, and facilities are classified as Secret, Top Secret, etc.

Perhaps senicr management could be cleared to a level commensurate with that of the facility clearance."

11

Response: Section 95.18 has been revised to reflect that senior management will be cleared to a level commensurate with that of the facility clearance.

Comment: The commenter is concerned that the requirement to change securfry container combinations once every 12 months exceeds the requirements of the NISPOM.

Response: Section 95,25(c)(2)(v) has been deleted, eliminating this requirement.

Comment: The commenter is concerned that documents classified from multiple sources will not have an adequate record of what those sources were.

Specifically, the commenter states, "Suggest a sentence be added to indicate that on a document marked 'multiple sources' that the multiple sources must be identified in the records copy of the document."

Response: The suggested revision is already contained in

§95.37(c)(l)(iv).

Comment: The commenter is concerned about the use of the term "person" in association with a facility clearance and that the definition of facility clearance should be more detailed.

Response: It is clear from the definitions and the context that any possessor of a facility clearance is obligated to immediately report certain types of information. The definition "facility (security) clearance" is a verbatim extract from the NISPOM and the definition of "person" used in Part 95 is similarly defined throughout 10 CFR and has been used for many years without confusion as to its meaning.

III. The Final Rule With the exception of the items addressed under "Comments on the 12

Proposed Rulew and a slight change to the def1nit1on of "Visit Authorization Letterff in §25.5, the final rule is the same as the proposed rule. ~he soecific changes from the proposed rule are--

The proposed revisions to §§25.15 and 95.35 have been withdrawn; The definition of "CSA" in 10 CFR Parts 25 and 95 has been revised to reflect that the CSA is the agency which exercises primary authority for the protection of the classified information at the facility and is the agency with which the facility interacts in these matters; The*definition of *visit Authorization letter" in §25.5 has been revised to clarify that such a letter is only required for information specifically related to the license, certificate, or other NRC ~rogram at the facility; Section 25.17 has been amended to require a facility, with a CSA other than NRC, to advise the NRC when it submits an individual for an atcess authorization for access to NRC classified information, but not when the facility submits access authorization requests for access to the classified information of the other agency; Section 95.3l(b) has been revised to delete the term "Critical Secret Restricted Data- and replace it with a generic description of the type of data it was intended to protect; Section 25.17(d)(l)(i) has been modified to clarify that facility security personnel are not to review Part 2 of the SF-86; Sections 50.37 and 54.17(g) have been amended to clarify that compliance with 10 CFR Parts 25 and/or 95 satisfies the requirements of 10 CFR Parts 50 and 54; Section 95.3 has been modified to include Formerly Restricted Data within its scope; Section 95.15 has been modified to clarify that an NRC facility 13

(

clearance is only required for the use or possession of NRC classified information at the fJcility; Sections 95.17(a)(2) and 95.59 ,ave been revised to change "survey" to

review";

Section 95.18 has been revised to reflect that senior management will be cleared to a level commensurate with the facility clearance rather than "to the level of* the facility clearance; and, Section 95.25 has been revised to eliminate the requirement for changing security container combinations once every twelve months.

Small Business Regulatory Enforcement Fairness Act In accordance with the Small Rusiness Regulatory Enforcement Fairness Act of 1996, the NRC has determined that this action,is not a major rule and has verified this determination with the Office of Information and Regulatory Affairs of 0MB.

Environmental Impact: Categorical Exclusion I

The NRC has determined that this final rule is the type of action described in categorical exclusion 10 CFR 51.22(c)(2). Therefore, neither an environmental impact statement nor an environmental assess~ent has been prepared for this final rule.

14

Paperwork Reduction Act Statement This final rule amends information collection requirements that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501, et seq.).

These requirements were approved by the Office of Management and Budget, approval numbers 3150-0046, 3150-0047, and 3150-0050.

The public reporting burden for this collection of information is estimated to average .5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the

- data needed, and completing and reviewing the collection of information.

Send comments on any aspect of this collection of information, including suggestions for reducing the burden, to the Information and Records Management Branch (T-6 F33), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by Internet electronic mail at BJSl@NRC.GOV; and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB 10202, (3150-0046,

'-0047 and -0050), Office of Management and Budget, Washington, DC 20503.

Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid 0MB control number.

Regulatory Analysis The Commission has prepared a regulatory analysis for this final regulation. The analysis examines the costs and benefits of the alternatives considered by the Commission. Interested persons may examine a copy of the regulatory analysis at the NRC Public Document Room, 2120 L Street, NW.

15

(Lower Level). Washington, DC. Single copies of the analysis may be obtained from Duane G. Kidd, Division of Security, Office of Administration, U. S.

Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone (301) 415-7403.

Regulatory Flexibility Certification As required by the Regulatory F~exibility Act of 1980 (5 U.S.C. 605(b));

the Commission certifies that this rule does not have a significant economic impact upon a substantial number of small entities. The NRC carefully considered the effect on small entities in developing this final rule on the protection of classified information and has determined that none of the facilities affected by this rule would qualify as a small entity under the NRC's size standards (10 CFR 2.810).

,Backfit Analysis The NRC has determined that the backfit rule, 10 CFR 50.109, applies to this rulemaking initiative because it falls within the criteria of 10 CFR Part 50.109(a)(l), but that a backfit analysis is not required because this rulemaking qualifies for exemption under 10 CFR 50.109(a)(4)(iii) that reads "That the regulatory action involves . . . redefining what level of protection to the . . . common defense and security should be regarded as adequate."

List of Subjects 10 CFR Part 25 Classified information, Criminal penalties, Investigations, Reporting and recordkeeping requirements, Security measures.

16

10 CFR Part 50 Antitrust~ Classified information, Criminal penalties, Fire protection, Intergovernmental relations, Nuclear power plants and reactors, Radiation.

protection, Reactor siting criteria, Reporting and recordkeeping requirements 10 CFR Part 54 Ad@inistr~tive practice and procedure, Aging management review, Backfitting, Classified information, Criminal penalties, Nuclear power plants and reactors, Reporting and recordkee~ing requirements 10 CFR Part 95 Classified information, Criminal penalties, Reporting and recordkeeping requirements, Sscurity measures.

For the reas011~ set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended, the Energy Reorganization Act of 1974, as amended, and 5 U.S.C. 552 and 553, the NRC is adopting the following amendments to 10 CFR Parts 25, 50, 54 and 95.

PART 25 -- ACCESS AUTHORIZATION FOR LICENSEE PERSONNEL

1. The authority citation for Part 25 is revised to read as follows:

AUTHORITY: Secs. 145, 161, 68 Stat. 942, 948, as amended {42 U.S.C.

2165, 2201); sec. 201, 88 Stat. 1242, as amended (42 U.S.C. 5841); E.0.

10865, as amended, 3 CFR 1959 1963 COMP., p. 398 (50 U.S.C. 401, note);

E.O. 12829, 3 CFR, 1993 Comp., p. 570; E.O. 12958, 3 CFR, 1995 Comp., p.333; E.O. 12968, 3 CFR, 1995 Comp., p.396.

17

Appendix A also issued under 96 Stat. 1051 (31 U.S.C. 9701).

2. Section 25.1 is revised to read as follows:

~ 25.l Purpose.

The regulations in this part establish procedures for granting, reinstating, extending, transferring, and terminating access authorizations of licensee perso~nel, licensee contractors or agents, and other persons (e.g., individuals involved 1n adjudicatory procedures as set forth in 10 CFR Pprt 2, subpart I) who may require acc?ss to classified information.

3. Section 25.3 is revised to read as follows:

§ 25,3 Scope.

The regulations in this part apply to licensees and others who may require access to classified information related to a license or an application for a license.

4. Section 25.5 is amended by revising the definitions Access authorization and Need-to-know and by adding the definitions of Certificate holder, Classified information, Classified National Security Information, Cognizant Security Agency. and Visit auth6rization letters in a~phabetical order to read as follows:

§ 25,5 Definitions.

Access authorization means an administrative determination that an individual (including a consultant) who is employed by or an applicant for employment with the NRC, NRC contractors, a£!nts, licensees and certificate holders, or other person designated by the Executive Director for 18

Operations, is eligible for a security clearance for access to classified information.

Certificate holder means a facility operating under the provisions of Parts 71 or 76 of this chapter.

Classified information means either classified National Security Information, Restricted Data, or Formerly Restricted Data or any one of them. It is the generic term for information requiring protection in the interest of National Security whether clasj1fied under an Executive Order or the Atomic Energy Act.

Classified National Security Information means information that has been determined pursuant to E.O. 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

Cognizant Securitv Agency (CSA) means agencies of the Executive Branch that have been authorizeq by E.O. 12829 to establish an industrial security program for the purpose of safeguarding classified information under the jurisdiction of those agencies when disclosed or released to U.S. industry.

These agencies are the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission. A facility has a single CSA which exercises primary authority for the, protection of classified information at the facility. The CSA for the facility provides security representation for other government agencies with security interests at the facility. The Secretary of Defense has been des1gnated as Executive Agent for the National Industrial Security Program.

Need-ta-know means a determination L1ade by an authorized holder of classified information that a prospective recipient requires access to 19

\

specific classified information to perform or assist in a lawful and authorized governmental function under the cognizance of the Commission.

Vjsjt author1zatjon letters (VAL) means a letter, generated by a licensee, certificate holder or other organization under the requirements of

)

10 CFR Parts 25 and/or 95, verifying the r.eed-to-know and access authorization of an individual from that organization who needs to visit another authorized facility for the purpose of exchanging or acquiring classified information related to the license.

5. In§ 25.8, paragraphs (a) and (b) are revised to read as follows:.

§ 25.8 Information collection requirements: 0MB approval.

(a) The Nuclear Regulatory Commission has submitted the information collection requirements contained in this part to the Office of Management and Budget (0MB) for approval as required by the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The NRC may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid 0MB control numcer. 0MB has approved the information collection requirements contained in this part under control number 3150 -

004u.

(b) The approved information collection requirements contained in this part appear in§§ 25.11, 25.17, 25.21, 25.23, 25.25, 25.27, 25.29, 25.31, 25.33, and 25.35.

6. In §25.13, paragraph (a) is revised to read as follows:

20

§ 25.13 Maintenance of records.

(a) Each licensee or organization employing individuals approv~d for personnel security access authorization under this part, shall maintain records as prescribed within the part. These records are subject to review and inspection by CSA representatives during security reviews.

7. Section 25.17 is revised to read as follows:

§ 25.17 Approval for processing applicants for access authorization, (a) Access authorizations must be requested for licensee employees or other persons (e.g., 10 CFR Part 2, subpart,!) who need access to classified information in connection with activities under 10 CFR parts 50, 52, 54, 70,.

72, or 76.

(b) The request must be submitted to the facility CSA. If the NRC is the CSA, the procedures in §25.l?(c) and (d) will be followed. If the NRC is not the CSA, the request will be submitted to the CSA in accordance with procedures established by the CSA. The NRC will be notified of the request by a letter that includes the name, Social Security number and level of access authorization.

r (c) The request must include a completed personnel security packet I

(see§ 25.l?(d)) and request form (NRC Form 237) signed by a licensee, licensee contractor official, or other authorized person.

(d)(l) Each personnel security packet submitted must include the following completed forms:

(i) Questionnaire for National Security Positions (SF - 86, Parts 1 and 2) (Part 2 is to be completed by the applicant and placed in a sealed envelope which is to be forwarded to NRC ,-unopened. No licensee, licensee 21

contractor official, or.other person at a facility is permitted to review Part 2 information);

{ii) Two standard fingerprint ~ards (FD - 258);

(iii) Security Acknowledgment (NRC Form 176); and (iv) Other related forms where specified in accompanying instructions (NRC Form 254).

{2) Only a Security Acknowledgment (NRC Form 176) need be completed by any person possessing an active access authorization, or who is being

- processed for an access authorization, by another Federal agency. The active or pending access authorization must be at an equivalent level to that required by the NRC and be based on an adequate investigation not more than five years old.

(~) To avoid delays in processing ~equests for access authorizations, each security packet should be reviewed for completeness and correctness (including legibility of response on_the forms) before* submittal.

(f) Applications for access authorization or access authorization renewal processing that are submitted to the NRC for processing must be accompanied by a check or money order, payable to the United States Nuclear Regulatory Commission, representing the ctrrent cost for the processing of each Q and L access authorization, or ren~wal request. Access authorization and access authorization renewal fees will be published each time the Office of Personnel Management notifies the NRC of a change in the rates it charges the NRC for the conduct of investigations. Any changed access authorization or access authorization renewal fees will be applicable to each access authorization or access authorization renewal request received upon or after th2 date of publication. Applications from individuals having current Federal access authorizations may be processed 22

more expeditiously and at less cost, since the Commission may accept the certification of access authorization and investigative data from other Federal Government agencies that grant personnel access authorizations.

8. Section 25.19 is revised to read as follows:*

§ 25,19 Processing applications.

Each application for access authorization or access authorization renewal must be submitted to the CSA. If the NRC is the CSA, the application and its accompanying fee must be submitted to the NRC Division of Security. If necessary, the NRC Division of Security may obtain approval from the appropriate Commission office exercising licensing or regulatory authority before processing the access authorization or access authorization renewal request .. If the applicant is disapproved for processing, the NRC Division of Security shall notify the submitter in writing and return the original _appl\cation (security packet) and its accompanying fee.

9. Section 25.21 is revised_to read as follows:

§ 25.21 Determination of initial and continued e]igibilitv for access a~thorization.

(a) Following receipt by the CSA of the reports of the personnel security investigations, the record will be reviewed to determine that granting an access authorization or renewal of access authorization will not endanger the common defense and security and is clearly consistent with the national interest. If this determination is made, access authorization will be granted or renewed. If the NRC is the CSA, questions as to initial or continued eligibility will be determined in accordance with Part 10 of Chapter I. If another agency is the CSA, that agency will, under the 23

requirements of the NISPOM, have established procedures at the facility to resolve questions as to initial or continued eligibility for access authorization. These questions will ue determined in accordance wi~h established CSA procedures already in effect for the facility.

(b) The CSA must be promptly notified of developments that bear on continued eligibility for access authorization throughout the period for which the authorization is active (e.g., persons who marry subsequent to the completion of a personnel security packet must report this change by submitting a completed NRC form 354, **oata Report on Spouse or equivalent CSA form).

(c)(l) Except as provided in paragraph (c)(2) of this section, NRC "Ott and "L"~access authorizations must be renewed every five years from the date of issuance. An application for renewal must be submitted at least 120 days before the expiration of the five year period, and must include:

(i) A statement by the licensee or other person that the individual continues to require access to classified National Security Information or Restricted Data; and (ii) A personnel security packet as described in §25.l?(d).

(2) Renewal applications and the required paperwork are not required for individuals who have a current and active access authorization from another Federal agency and who are subject to a reinvestigation program by that agency that is determined by the NRC to meet the NRC's requirements.-

(The DOE ReinYestigation Program has been determined to meet the NRC's requirements). For these individuals, the submission of the SF-86 by the licensee or other person to the other government agency pursuant to their r-einvestigation requirements will satisfy the NRC renewal submission and paperwork requirements, even if less than five years has passed since the 24

date of issuance or renewal of the NRC "Q" or "L" access authorization. Any NRC access authorization continued in response to the provisions of this paragraph -will, thereafter, not be due for renewal until the date set by the other government agency for the next reinvestigation of* the individual pursuant to the other agency's reinvestigation program. However, the period of time for the initial and each subsequent NRC "Q" or NRC "L" renewal application to the NRCi may not exceed seven years. Any individual who is subject to the reinvestigation program requirements of another Federal agency but, for administrative or other reasons, does not submit reinvestigation forms to that agency within seven years of the previous submission, shall submit a renewal application to the NRC using the forms prescribed in§ 25.17(d) before the expiration of the seven-year period.

(3) If the NRC is not the CSA~ reinvestigation program procedures and requirements will be set by the CSA.

10. Section 25.23 is revised to read as follows:

§ 25.23 Notification of grant of access authorization

The determination to grant or renew access authorization will be furnished in writing to the licensee or organization that initiated the request. Upon receipt of the notification of original grant of access authorization, the licensee or organization shall obtain, as a condition for grant of access authorization and access to classifted information, an I

executed "Classified Information Nondisclosure Agreement" (SF 312) from the affected individual. The SF-312 is an agreement between the United States and an individual who is cleared for access to classified information. An employee issued an initial access authorization shall execute a SF-312 before being granted access to classified information. The licensee or other 25

organization shall forward the executed SF-312 to the CSA for retention. If the employee refuses to execute the SF-312, the licensee or other

organization shall deny the employee access to classified information and submit a report to the CSA. The SF-312 must be'signed and dated by the employee and witnessed. The employee's and witness' signatures must bear the same date. The individual shall also be given a security orientation briefing in accordance with §95.33 of this chapter. Records of access authorization grant and renewal notification must be maintained by the licensee or other organization for three years after the access authorization has been terminated by the CSA. This information may also be furnished to other representatives of the Commission, to licensees, contractors, or other Federal agencies. Notifications of access authorization will not be given in writing to the affected individual except:

(a) In those cases in which the determination was made as a result of a Personnel Security Hearing or by Personnel Security Review Examiners; or (b) When the individual also is the official designated by the licensee or other organization to whom written NRC notifications are forwarded.

11. Section 25.25 is revised to read as follows:

§ 25,25 Cancellation of requests for access authorization.

When a request foF an individual's access authorization or renewal of access authorization is withdrawn or canceled, the requestor shall notify the CSA immediately by telephone so that the full field investigation, National Agency Check with Credit Investigation, or other personnel security action may be discontinued. The requestor shall identify the full name and 26

date of birth of the individual, the date of request, and the type of access authorization or access authorization renewal requested. The requestor shall confirm each telephone notification promptly in writing.

12. Section 25.27 is revised to read as follows:

§ 25.27 Reopening of cases in which requests for access authorizations are canceled.

(a) In conjunction with a new request for access authorization (NRC Form 237 or CSA equivalent) for individuals whose cases were previously canceled, new fingerprint cards (FD 257) in duplicate and a new Security Acknowledgment (NRC Form 176), or CSA equivalents, must be furnished to the CSA along with the request.

(b) Additionally, if 90 days or more have elapsed since the date of the last Que~tionnaire for Sensitive Positions (SF - 86), or CSA equivalent, the individual must complete a personnel security packet (see §25.17(d)).

The CSA, based on investigat'ive or other needs, may require a complete personnel security packet in other cases as weil. A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by the NRC is required.

13. Section 25.29 is revised to read as follows:

§ 25.29 Reinstatement of access authorization.

(a) An access authorization can be reinstated provided that:

(1) No more than 24 months has lapsed since the date of termination of the clearance; (2) There has been no break in emplJyment with the employer since the date of termination of the clearance; 27

(3) There is no known adverse information; (4) The most recent investigation must not exceed 5 years (Top Secret, Q) or 10 years (Secret, L); and (5) The most recent investigation must meet or exceed the scope of the investigation required for the level of access authorization that is to be reinstated or granted.

(b) An access authorization can be reinstated at the same, or lower, level by submission of a CSA-designated form to the CSA. The employee may not have access to classified information until receipt of written confirmation of reinstatement and an up-to-date personnel security packet will be furnished with the request for reinstatement of an access authorization. A new Security Acknowledgment will be obtained in all cases.

Where personnel security packets are not required, a request for reinstatement must state the level of access authorization to be reinstated and the full name and date of birth of the individual to establish positive identification. A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by the NRC is required.

14. In §25.31, paragraphs (a) and (c) are revised to read as follows:

§ 25.31 Extensions and transfers of access authorizations.

(a) The NRC Division of Security may, on request, extend the authorization of an individual who possesses an access authorization in connection with a particular employer or activity, to permit access to classified information in connection with an assignment with another employer or activity.

28

(c) Requests for extension or transfer of access authorization must state the full name of the person, his date* of birth and level of access authorization. The Director, Division of Security, may require a new personnel security packet (see§ 25.17(c)) to be completed by the applicant.

A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by the NRC is required.

15. Section 25.33 is revised to read as follows:

§ 25.33 Termjnatjon of access authorizations.

(a) Access authorizations will be terminated when:

(1) Access authorization is no longer required; (2) An individual is separated from the employment or the activity for which ~e obtained an access authorization for a period of 90 days or more; or (3) An individual, pursuant to 10 CFR part 10 or other CSA approved adjudicatory standards, is no longer eligible for access authorization.

Cb) A representative of the licensee or other organization that employs the individual whose access autho,'ization will be terminated shall immediately notify the CSA.when the circumstances noted in paragraph (a)(l) or .Ca)(2) of this section exist; inform the indivfdual that his access authorization is being terminated, and the reason; and that he will be considered for reinstatement of access authorization if he resumes work requiring it.

{c) When an access authorization is to be terminated, a representative of the licensee or other organization shall conduct a security termination briefing of the individual involved, explain the s~curity Termination Statement (NRC Form 136 or CSA approved form) and have the individual 29

complete the form. The representative shall promptly forward the original copy of the completed Security Termination Statement to CSA.

16. Section 25.35 is revised to read as follows:

§ 25.35 Classified visits.

(a) The number of classified visits must be held to a minimum. The licensee, certificate holder, or other facility shall determine that the visit is necessary and that the purpose of the visit cannot be achieved without access to, or disclosure of, classified information. All classified visits require advance notification to, and approval of, the organization to be visited. In urgent cases, visit information may be furnished by telephone and confirmed in writin~.

(b) Representatives of the Federal Government, when acting in their official capacities as inspectors, investigators, or auditors, may visit a licensee, certificate holder or other's facility without furnishing advanced notification, provided these representatives present appropriate government credentials upon arrival. Normally, however, Federal representatives will provide advance notification in the form of an NRC Form 277, "Request for Visit or Access Approval," with the "need-to know" certified- by the appropriate NRC office exercising licensing or regulatory authority and verification of NRC access author.ization by the Division of Security.

(c) The licensee, certificate holder, or others shall include the following information in all Visit Authorization Letters (VAL) which they prepare.

(1) Visitor's name, address, and telephone number and certification of the level of the facility security clearance; (2) Name, date and place of birth, and citizenship of the individual 30

1ntending to visit;

{3) Cert1fication of the proposed visitor's personnel clearance and any special access authorizations required for the visit; (4) Name of person(s) to be visited; (5) Purpose and sufficient justification for the visit to allow for a determinatio~ of the necessity of the visit; and

{6) Date or period during which the VAL is to be valid.

(d) Classified visits may be arranged for a 12 month period. The request1ng facility shall notify all places honoring these visit arrangements of any change in the individual's status that will cause the visit request to be canceled before its normal termination date.

(e) The responsibility for determining need to-know in connection with a classified visit rests with the individual who will disclose classified information during the visit. The licensee, certificate holder or other facility shall establish procedures to ensure positive identification of visitors before the disclosure of any classified information .

PART 50 DOMESTIC LICENSING OF PRODUCTION AND UTILIZATION FACILITIES

17. The authority citation for Pa~t 50 is revised to read as follows:

AUTHORITY: Secs. 102, 103, 104, 105, 161, 182, 183, 186, 189, 68 Stat.

936, 937, 938, 948, 953, 954, 955, 956, as amended, sec. 234, 83 Stat. 1244, as amended (42 U.S.C. 2132, 2133, 2134, 2135, 2201, 2232, 2233, 2236, 2239, 2282); secs. 201, as amended, 202, 206, 88 Stat. 1242, as amended, 1244, 1246 (42 U.S.C. 5841, 5842, 5846), E.O. 12829, 3 CFR, 1993 Comp., p. 570; E.O. 12958, as amended, 3 CFR, 1995 Comp., p.333; E.O. 12968, 3 CFR, 1995 Comp., p. 391.

31

Section 50.'7 also issued under Pub. L.95-601, sec. 10, 92 Stat. 2951 (42 U.S.C. 5851). Section 50.10 also issued under secs. 101, 185, 68 Stat. 955 as amenued (42 U.S.C. 2131, 2235), sec. 102, Pub. L.91-190, 83 Stat. 853 (42 U.S.C. 4332). Sections 50.13, 50.54(dd), and 50.103 also issued under sec. 108, 68 Stat. 939, as amended (42 U.S.C. 2138). Sections 50.23, 50.35, 50.55, and 50.56 also issued under sec. 185, 68 Stat. 955 (42 U.S.C. 2235). Sections 50.33a, 50.55a and Appendix.a also issued under sec. 102, Pub. L.91-190, 83 Stat. 853 (42 U.S.C. 4332). Sections 50.34 and 50.54

- also issued under sec. 204, 88 Stat. 1245 (42 U.S.C. 5844). Sections 50.58, 50.91, and 50.92 also issued under Pub. L. 97 415, 96'Stat. 2073 (42 U.S.C.

2239). Section 50.78 also issued under sec. 122, 68 Stat. 939 (42 U.S.C.

2152). Sections 50.80 - 50.81 also issued under sec. 184, 68 Stat. 954, as amended (42 U.S.C. 2234). Appendix Falso issued under sec. 187, 68 Stat.

955 (42 u.s.c 2237).

18. Section 50.37 is revised to read as follows:

§ 50.37 Agreement limiting access to ~Jassified Information As part of its application and in any event before the receipt of

~ Restricted Data or classified National Security Information or the issuance of a license or construction permit, the applicant shall agree in writing that it will not permit any individual to have access to or any facility to possess Restricted Data or*classified National Security Information until the individual and/or facility has been approved for such access under the provisions of 10 CFR Parts 25 and/or. 95. The agreement of the applicant in this regard shall be deemed part of the license or construction permit, whether so stated therein or not.

32

PART 54 -- REQUIREMENTS FOR RENEWAL OF OPERATING LICENSES FOR NUCLEAR POWER PLANTS

19. The authority citation for Part 54 1s revised to read as follows:

Authority: Secs. 102, 103, 104, 161, 181, 182, 183, 186, 189, 68 Stat.

936, 937, 938, 948, 953, 954, 955, as amended, sec. 234, 83 Stat. 1244, as amended (42 U.S.C. 2132, 2133, 2134, 2135, 2201, 2232, 2233, 2236, 2239, 2282); secs 201, 202, 206, 88 Stat. 1242, 1244, as amended (42 U.S.C. 5841,

- 5842), E.O. 12829, 3 CFR, 1993 Comp., p. 570; E.0. 12958, as amended, 3 CFR, 1995 Comp., p.333; E.0. 12968, 3 CFR, 1995 Comp., p. 391.

20. In §54.17~ paragraph (g) is revised to read as follows:

§ 54.17 Filing of application.

(g) As part of its application, and in any event before the receipt of Restricted Data or classified National Security Information or the issuance

of a renewed license, the applicant shall agree in writing that it will not permit any individual to have access to or any facility to possess Restricted Data or classified National Security Information until the individual ,and/or facility has been apprpved for.such access under the provisions of 10 CFR Parts 25 and/or 95. The agreement of the applicant in this regard shall be deemed part of the renewed license, whether so stated therein or not.

PART 95--SECURITY FACILITY APPROVAL AND SAFEGUARDING OF NATIONAL SECURITY INFORMATION AND RESTRICTED DATA 33

21. The authority citation for Part 95 is revised to read as follows:

AUTHORITY: Secs. 145, 161, 193, 68 Stat. 942, 948, as amended (42 U.S.C.

2165. 2201); sec. 201, 88 Stat. 124L, as amended (42 U.S.C. 5841); E.O. 10865, as amended, 3 CFR 1959-1963 COMP., p. 398 (50 U.S.C. 401, note); E.O. 12829, 3 CFR. 1993 Comp .*. p. 570_; E.O. 12958, as amended, 3 CF,R, 1995 Comp., p. 333; E.O. 12968,---3 CFR, 1995 Comp., p.391.

22. Section 95.1 is revised to read as follows:

§ 95.1 Purpose, The regulations in this part establish procedures for obtaining security facility approval and for safegua(din~ Secret and Confidential National Security Information and Restricted Data received or developed in conjunction with activities licensed, certified or regulated by the Commission. This part does not apply to Top Secret information because Top Secret infdrmation may not be forwarded to licensees, certificate holders, or others within the scope of an NRC license or certificate.

23. Section 95.3 is revised to read a' follows:

§ 95.3 Scope.

The regulations in this part apply to licensees, certificate holders and others regulated by the Commission who may require access to classified National Security Information and/or Restricted Data and/or Formerly Restricted Data (FRD) that is used, processed, stored, reproduced, transmitted, transported, or handled in connection with a license or certificate or an application for a license or certificate.

34

24. In §95.5, the definitions for Authorized classjfier, National Securjty Information. NRC access authorization. Security facility approval, and Security survey are removed and the definitions Classifjed mail address, Infraction. and Need-to-know are revised and the definitions Access authorization, Classified National Security Information. Classified shipping address. Closed area. Cognizant Security Agency, Facility (Security) clearance, Forejgn ownership control or influence. Restricted area, Security reviews. Supplemental Protection and Violation are added in alphabetical order

- to read as follows:

§ 95.5 Definitions, Access authorization means an administrative determination that an individual (including a consultant) who is employed by or an applicant for employment with the NRC, NRC contractors, agents, licensees and certificate holders, or other person designated by the Executive Director for Operations, is eligible for a security clearance for access to classified information.

Classified mail address means a mail address established for each facility approved by the NRC, to which all classified information for the facility is to be sent.

Classified National Security Information means information that has been determined pursuant to E.O. 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

Classified shjpping address means an, address established for a facility, approved by the NRC to which classified material 'that cannot be transmitted as normal mail is to be sent.

35

Closed area means an area that meets the requirements of the CSA, for the purpose of safeguarding classified material that, because of its size, nature, or operational necessity, cannot be adequately protected by the normal safeguards or stored during nonworking hours in approved containers.

Cognizant Security Agency (CSA) means agencies of the Executive Branch that have been authorized by E.O. 12829 to establish an industrial security program for the purpose of safeguardi*ng classified information under the jurisdiction of those agencies when disclosed or released to U.S. industry.

- These agencies are the Department of Cefense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission. A facility has a single CSA which exercises primary authority for the protection of classified information at the facility. The CSA for the facility provides security representation for other government agencies with security interests at the facility. The Secretary of Defense has ,been designated as Executive Agent for the National Industrial Security Program.

Facility (Security) Clearance (FCL) means an administrative determination that, from a security viewpoint, a facility is eligible for access to classified information of a certain category (and all lower categories).

Foreign ow~ership. control. or influence (FOCI) means a foreign interest has the power, direct or indirect, whether or not exercised, and whether or not exercisable through the ownership of a U.S. company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in

unauthorized access to classified information or may affect adversely the performance of classified contracts.

Infraction means any knowing, willful. or negligent action contrary to the 36

requirements of E.0. 12958, or its implementing directives, that does not comprise a "violation," as defined in this section.

Need-to-know means a determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authoriz~d governmental function under the cognizance of the Commission.

Restricted area means a controllej access area established to safeguard cl.assified material, that because of its size or nature, cannot be adequately protected during working hours by the usual safeguards, but that is capable of I

being stored during non-working hours in an approved repository or secured by other methods approved by the CSA.

Security reviews means aperiodic security reviews of cleared facilities conducted to ensure that safeguards employed by licensees and others are adequate for the protection of classified information.

Supplemental Protection mea~s additional security procedures such as intrusion detection systems, security guards, and access control systems.

Violation means any knowing, will~ul, or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information or any knowing, willful, or negligent action to classify or continue the classification of information contrary to the requirements of E.O. 12958 or its implementing directives.

25. Section 95.8 is revised to read as follows:

37

§ 95.8 Information collection reguirements: 0MB approval.

'(a) The Nuclear Regulatory Commission has submitted the information collection requirements contained in this part to the Office of Management and Budget (0MB) for approval as required by the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The NRC may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid 0MB control number. 0MB has approved the information

- collection requirements contained in this part under control number 3150 0047.

(b) The approved information collection requirements contained in this part appear in §§95.11, 95.15, 95.18, 95.19, 95.21, 95.25, 95.29, 95.33, 95.36, 95.37, 95.39, 95.41, 95.43, 95.45, 95.47, 95.53, 95.57.

26. In §95.13, paragraph (a) is revised to read as follows:

§ 95.13 Maintenance of records.

(a) Each licensee, certificate holder or other person granted facility clearance under this part shall maintain *~e~ords as prescribed within the part. These records are subject to review and inspection by CSA representatives during security reviews.

27. In §95.15, paragraphs (a) end (b) ar~ revised to read as follows:

38

§ 95,15 Appro~al for processing licensees and others for facility clearance,

{a) A licensee, certificate holder or other person who has a need to use, process, store, reproduce, transmit, transport, or handle NRC classified information at any location in connection with Commission related activities shall promptly request an NRC facility clearance. This specifically includes situations where a licensee, certificate holder or other person needs a contractor or consultant to have access to NRC classified information.

However it is not necessary for a licenseE, certificate holder or oth~r person to request an NRC facility clearance for access to another agency's classified information at that agency's facilities or to store that agency's classified information at their facility, provided no NRC classified information is involved and they meet the security requirements of the other agency. If NRC

.classified information is involved the requirements of §95.17 apply.

(b) The request must include the name of the facility, the location of the facility and an identification of any facility clearance issued by another government agency. If there is no e~isting facility clearance, the request must include a security Standard Practice Procedures Plan that outlines the facility's proposed security procedures and*controls for the protection of classified information, a floor plan of the area in which the matter is to be used, processed, stored, reproduced, transmitted, transported or handled; and Foreign Ownership, Control or Influence information.

28. Section 95.17 is revised to read as follows:

39

§ 95,17 Process1ng facil1tv clearance, (a) Following the receipt of an acceptable request for facility clearance, the NRC will either accept an existing facility clearance granted by a current CSA and authorize possession of license or certificate related classified information or process the facility for a facility clearance. Processing will include -

(1) A determination based on review and approval of a Standard Practice Procedure Plan that granting of the Facility Clearance would not be inconsistent with the national interest, including a finding that the facility is not under foreign ownership, control, or influence to such a degree that a determination could not be made; (2) An acceptable security review conducted by the NRC; (3) Submitting key management personnel for personnel clearances (PCLs); and (4) Appointing a U.S. citizen employee as the facility security

~ officer.

(b) An interim Facility Clearance may be granted by the CSA on a temporary basis pending completion of the full investigative requirements.

29. §§ 95.18 and 95.19 [Redesignated] §§95.19 and 95.20.

30. A new §95.18 is added to read as follows:

40

§ 95.18 Key personnel, The senior management official and the Facility Security Officer must 3lways be cleared to a level commensurate with the Facility Clearance.

Other key management officials, as determined by the CSA, must be granted an access authorization or be excluded from classified access. When formal exclusion action is required, the organization's board of directors or similar executive body shall affirm the following, as appropriate.

(a) Officers, directors, partners, regents, or trustees (designated by

- name) that are excluded may not require, may not have, and can be effectively excluded from access to all classified information disclosed to the organization. These individuals also may not occupy positions that would enable them to adversely affect the organization's policies or practices in the performance of activities involving classified information. This action will be made a matter of record by the organization's executive body. A copy of the resolution must be furnished to the CSA.

(b) Officers, directors, partners, regents, or trustees (designated by name) ~hat are excluded may not require, may not have, and can be effectively denied access to higher-level classified information (specify which higher level (s)). These individuals may not occupy positions that would enable them to adversely affect the organization's policies or practices in the protection of classified information. This action will be made a matter of record by the organization's executive body. A copy of the resolution must be furnished to the CSA.

31. In the newly redesignated §95.19, the introductory text of paragraphs (a) and (b) are revised to read as follows:

41

§ 95.19 Changes to security practices and procedures.

(a) Except as specified in para~raph (b) of this section, each licensee, certificate holder or other person shall obtain prior CSA approval for any proposed change to the name, location, security procedures and controls, or floor plan of the approved fac~lity. A written description of the proposed change must be furnished to the CSA with copies to the Director, Division of Security, Office of Administration, NRC, Washington, DC 20555-0001 (if NRC is

- not the CSA), and the NRC Regional Administrator of the cognizant Regional Office listed in appendix A of part 73. The CSA shall, promptly respond in writing to all such proposals. Some examples of substantive changes requiring prior CSA approval include -

(b) A licensee or other person may effect a minor, non-substantive change to an approved Standard Practice Procedures Plan for the safeguarding of classified information without receiving prior CSA approval, provided prompt notiffcation of such minor change is furnished to the addressees noted in paragraph (a) of this section, and the change do~s not decrease the effectiveness of the Standard Practice Procedures Plan. Some examples of minor, non substantive* changes to the Standard .P~actice Procedures Plan include--

32. The newly 1 redesignated §95.20 is revised to read as follows:

§ 95.20 Grant, denial or*termination of facility clearance, /

The Division of Security shall provide notification in writing (or orally*

42

with written confirmation) to the licensee or other organization of the Commission's grant, acceptance of another agency's Facility Clearance, denial, or termination of faci1ity clearance. This information must also be furnished to representatives of the NRC, NRC licensees, NRC certificate holders, NRC contractors, or other Federal agencies having a need to transmit classified information to the licensee or other person.

33. Section 95.21 is revised to read as follows:

§ 95.21 Withdrawal of reguests for facility clearance.

When a request for facility clearance is to be withdrawn or canceled, the requester shall notify the NRC Division of Security immediately by telephone

\

so that processing for this approval may be terminated. The notificatio~ must identify the full name of the individual requesting discontinuance, his position with the facility, and the full identification of the facility. The requestor shall confirm the telephone notification promptly in writing.

34. Section 95.23 is revised to read as follows:

§ 95.23 Termination of facility clearance.

(a) Facility clearance will be terminated when--

(1) There is no longer a need to use, process, store, reproduce, transmit,

(

transport or handle classified matter at the facility; or (2) The Commission makes a determination that continued facility clearance is not in the interest of national security.

43

(b) When facility clearance is terminated, the licensee or other person will be notified in writing of the determination and the procedures outlined \

in §95.53 apply.

35. In §95.25, paragraphs (a), (~). {c), (d), (g), (h), and (i) are revised and paragraph (j) is added to read as follows:

§ 95.25 Protection of classified information jn storage.

(a) Secret documents, whi:e unattended or not in actual use, must be stored in--

Cl) A safe, steel file cabinet, or safe-type steei file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours; or (2) Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock.

The keepers of the rigid metal lock bar must be secured to the cabinet by welding*, rivets, or bolts, so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container must be held securely, so their contents cannot be removed without forcing open the drawer.

This type cabinet will be accorded supplemental protection during non working hours.

(b) Confidential matter while unattended or not in use must be stored in the same manner as SECRET matter except that no supplemental protection is required.

44

(c) Classified lock combinations.

(1) A minimum number of authorized persons may know the combinations to authorized storage containers. Security containers, vaults, cabinets, and other authorized storage containers must be kept locked when not under the direct supervision of an authorized person entrusted with the contents.

(2) Combinations must be changed by a person authorized access to the contents of the container, or by the Facility Security Officer or his or her designee. Combinations must be changed upon -

- (i) The initial use of an approv~d container or lock for the protection of classified material; (ii) The termination of employment of any person having knowledge of the combination, or when the clearance granted to any such person has been withdrawn, suspended, or revoked; (iii) The compromise or suspected compromise of a container or its combination, or discovery of a container left unlocked and unattended; or (iv) At other times when considered necessary by the Facility Security Officer or CSA.

(d) Records of combinations. If a record is made of a combination. the record must be marked with the highest classification of material authorized for storage in the container. Superseded combinations must be destroyed.

(g) Posted information. Containers may not bear external markings indicating the level of classified material authorized for storage. A record of the names of persons having kDowledge of the combination must be posted 45

inside the container.

(h) End of day security checks.

(1) Facilities that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories have been appropriately secured.

(2) Facilities operating with multiple work shifts shall perform the security checks at the end of the last working shift in which classified material had been removed from storage for use. The checks are not required

- during continuous 24 hour2.777778e-4 days 0.00667 hours 3.968254e-5 weeks 9.132e-6 months operations.

(i) Unattended security container found opened. If an unattended security container housing classified matter is found unlocked, the custodian or an alternate must be notified immediately. The container must be secured by protective personnel and the contents inventoried as soon as possible but not later than the next workday. A report reflecting all actions taken must be submitted to the responsible Regional Office (see appendix A, 10 CFR part 73 for addresses) with an information copy to the NRC Division of Security. The licensee shall retain records pertaining to these matters for three years after completion of final corrective action.

(j) Supervision of keys and padlocks. Use of key-operated padlocks are subject to the following requirements:

(1) A key and lock custodian shall be appointed to ensure proper custody and hand1ing of keys and locks used for protection of classified material; (2) A key and lock control register must be maintained to identify keys for each lock and their current location and custody; (3) Keys and locks must be audited each month; (4) Keys must be inventoried with each change of custody; (5) Keys must not be removed from the premises; 46

(6) Keys and spare locks must be protected equivalent to the level of classified material involved; (7) Locks must be changed or rotated at least annually, and must be replaced after loss or compromise of their operable keys; and (8) Master keys may not be made.

36. Section 95.27 is revised to read as follows:

§ 95.27 Protection while in use.

While in use, matter containing classified information must be under the direct control of an authorized individual to preclude physical, audio, and visual access by persons who do not have the prescribed access authorization or other written CSA disclosure authorization (see §95.36 for additional information concerning disclosure authorizations).

37. Section 95.29 is revised to read as follows:

§ 95.29 Establishment of Restricted or Closed areas.

(a) If, because of its nature, sensitivity or importance, matter containing classified information cannot otherwise be effectively controlled in accordance with the provisions of§§ 95.25 and 95.27, a Restricted or Closed area must be established to protect such matter.

(b) The following measures apply to Restricted Areas:

(1) Restricted areas must be separated from adjacent areas by a physical barrier designed to prevent unauthorized access (physical, audio, and visual) 47

into these areas4

{2) Controls must be established to prevent unauthorized access to and removal of classified matter.

{3) Access to classified matter must be limited to persons who possess appropriate access authorization or other written CSA disclosure authorization and who require access in the performance of their official duties or regulatory obligations.

(4) Persons without appropriate access authorization for the area visited

- must be escorted by an appropriate CSA access authorized person at all times while within Restricted or Closed areas.

(5) Each individual authorized to enter a Restricte4 or Closed area must be issued a distinctive form of identification (e.g., badge) when the number of employees assigned to the area exceeds thirty per shift.

(6) During nonworking hours, admittance must be controlled by protective

personnel. Protective personnel shall conduct patrols during nonworking hours at least every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and more frequently if necessary to maintain a

commensurate level of protection. Entrances must be continuously monitored by protective personnel or by an app~oved alarm system.

(c) Due to the size and nature of the classified material, or operational

~ necessity, it may be necessary to construct Closed Areas for storage because GSA-approved containers or vaults are unsuitable or impractical. Closed Areas must be approved by the CSA. The following measures apply to Closed Areas:

(1) Access to Closed Areas must be controlled to preclude unauthorized access. This may be accomplished through the use of a cleared employee or by a CSA approved access control device or system.

(2) Access must be limited to authorized persons who have an appropriate security clearance and a need to-know for the classified material/information 48

with1n the area. Persons without the appropriate level of clearance and/or need-to-know must be escorted at all times by an authorized person where 1nadverte~t or unauthorized exposure to classified information cannot otherwise be effectively p'revented.

(3) The Closed Area must be accorded supplemental protection during non-working hours. During these hours, admittance to the area must be controlled by locked entrances and exits secured by either an approved built-in combination lock or an approved combination or key-operated padlock.

9 However, doors secured from the inside with a panic bolt (for example, actuated by a panic bar), a dead bolt, a ,igid wood or metal bar, or other means approved by the CSA, do not require additjonal locking devices.

{4) Open shelf or bin storage of classified documents in Closed Areas requires CSA approval. Only areas protected by an approved intrusion detection system will qualify for approval.

38. Section 95.31 is revised to read as follows:

§ 95.31 Protective personnel, Whenever protective personnel are used to protect classified information they shall:

{a) Possess an L access authorization (or CSA equivalent) if the licensee or other person possesses information classified Confidential National Security Information, Confidential Restricted Data or Secret National Security Information.

(b) Possess a **a** access authorization (or CSA equivalent) if the licensee or other person possesses Secre+ Restricted Data related to nuclear 49

weapons design, manufacturing and vulnerability .information: and certain particularly sensitive Naval Nuclear Propulsion Program information (e.g.,

fuel manufacturing technology) and vne protective personnel require access as part of their regular duties.

39. Section 95.33 is revised to read as follows:

§ 95.33 Security education, All cleared employees must be provided with security training and briefings commensurate with their involvement with classified information.

The facility may obtain defensiv~ ~ecur*ity, threat awareness, and other education and training information and material from their CSA or other sources.

(a) Facility Security Officer Training. Licensees and others are responsible for ensuring that the Facility Security Officer, and others performing security duties, complete security training deemed appropriate by the CSA. Training requirements must be. based on the facility's involvement with classified information and may inclu1e a Facility Security Officer orientation course and, for Facility Security Of+icers at facilities with safeguarding capability, a Facility Security Officer Program Management Course. Training, if required,,should be completed within 1 year of appointment to ~he position of Facility Security Officer.

(b) Government-Provided Briefings. The CSA is responsible for providing initial security briefings to the Facility Security Officer, and for ensuring that other briefings reqLired for special categories of information are provided.

50

(c) Temporary Help Suppliers. A temporary help supplier, or other contractor who employs cleared individuals solely for dispatch elsewhere, is responsible for ensuring that required briefings are provided to their cleared personnel. The temporary help supplier or the using licensee or other facility may conduct these briefings.

(d) Classified Information Nondisclosure Agreement (SF-312). The SF-312 is an agreement between the United States and an individual who is cleared for access to classified i~formation. An employee issued an initial access

- authorization must, in accordance with the requirements of §25.23 of this chapter, execute an SF-312 before heing granted access to classified information. The Facility Security Officer shall forward the executed SF-312 to the CSA for retention. If the employee refuses to execute the SF-312, the licensee or other facility shall d~ny the employee access to classified information and submit a report to the CSA. The SF 312 must be signed and dated by the employee and witnessed. The employe~*s and witness' signatures must bear the same date.

{e) Initial Security Briefings. Before being granted access to classified information, an employee shall receive an initial security briefing Lhat includes the following topics:

(1) A Threat Awareness Briefing.

(2) A Defensfve Security Briefing.

(3) An overview of the security classification system.

(4) Employee reporting obligations and requirements.

(5) Security procedures and duties applicable to the employee's job.

(f) Refresher Briefings. The licensee or other facility shall conduct periodic refresher briefings for all cleared employees. As a minimum, the refresher briefing must reinforce the information provided during the initial 51

briefing and inform employees of appropriate changes in security regulations.

This requirement may be satisfied by use of audio/video materials and by issuing written materials on a regular basis.

(g) Debriefings. Licensee and other facilities shall debrief cleared employees at the time of termination of employment (discharge, resignation, or retirement); when an employee's access authorization is terminated, suspended, or revoke~; and upon termination of the Facility Clearance.

(h) Records reflecting an individual's initial and refresher security orientations and security termination must be maintained for three years after termination of the individual's access authorization.

40. Section 95.36 is revised to read as follows:

§ 95.36 Access by representatives of the International Atomic Energy Agency or by participants in other international agreements.

(a) Based upon written disclosure authorization from the NRC Division of Security that an individual is an authorized representative of the International Atomic Energy Agency (IAEA) or other international organization and that the i~dividual is authorized to make visits or inspections in I

accordance with an established agreement with the United States Government, a licensee, certificate holder or other person subject to this part shall permit the individual (upon presentation of the credentials specified in §75.7 of this chapter and any other credentials identified in the disclosure authorization) to have access to matter which is classified National Security Information that is relevant to the conduct of a visit or inspection. A disclosure authorization under this section does not authorize a licensee, 52

certificate holder, or other person subject to this part to provide access to Restricted Data.

{b) For purposes of this section, classified National Security Information is relevant to the conduct of a visit or inspection if--

(1) In the case of a visit, this information is needed to verify information according to §75.13 of this chapter; or (2) In the case of an inspection, an inspector is entitled to have access to the information under §75.42 of this chapter.

(c) In accordance with the specific disclosure authorization provided by the Division of Security, licensees or other persons subject to this part are authorized to release (i.e., transfer possession of) copies of documents which contain classified National Security Information directly to IAEA inspectors and other representatives officially designated to request and receive classified National Security Information documents. These documents must be 1

marked specifically for release to IAEA or other international organizations in accordance with instructions contained in the NRC's disclosure authorization letter. Licensees and other persons subject to this part may also forw~rd these documents through the NRC to the international organization's headquarters in accordance with the NRC disclosure authorization. Licensees and other persons may not reproduce documents containing classified National Security Information except as provided in

§95.43.

(d) Records re~arding these visits and inspections must be maintained for five years beyond the date of the visit or inspection. These records must specifically identify each document which has been released to an authorized representative and indicate the date of the release. These records must also identify (in such detail as the Division of Security, by letter, may require)

I 53

the categories of documents that the authorized representative ~as had access and the date of this access. A licensee or other person subject to this part shall also retain Division of Security disclosure authorizations for five years beyond the date of any visit or inspection when access to classified information was permitted.

(e) Licensees or other persons subject to this part shall take such measures as may be necessary to preclude access to classified matter by participants of other international agreements unless specifically provided ti for under the terms of a specific agreement.

41. Section 95.37 is revised to read as follows:

§ 95.37 Classification and preparation of documents.

(a) Classification. Classified information generated or possessed by a licensee or other person must be appropriately marked. Classified material which is not conducive to markings {e.g., equipment) may be exempt from this requirement. T~ese exemptions are subject to the approval of the CSA on a case-by case basis. If a person or facility generates or possesses information that is believed to be classified based on guidance provided by the NRC or by derivation from classified documents, but which no authorized c,assifier has determined to be classified, the information must be protected and marked with the appropriate classification markings pending review and signature of an NRC authorized classifier. This information shall be protected as classified information pending final determination.

(b) Classification consistent with content. Each document containing classified information shall be classified Sacret or Confidential according to its content. NRC licensees or others subject to the requirements of 10 CFR 54

Part 95 may not make original classification decisions.

(c) Markings required on face of documents.

(1) For derivative classification of classified National Security Information:

(i) Derivative classifications of classified National Security Information must contain the identity of the source document or the classification guide, including the agency and office of origin, on the "Derived From" line and its classification date. If more than one source is

- cited, the "Derived From" line should ind;cate "Multiple Sources."

(ii) Declassification instructions. When marking derivatively classified documents, the "DECLASSIFY ON" line must carry forward the declassification instructions as reflected in the original document. If multiple sources are used, the instructions will carry forward the longest duration.

(iii) If the source document used for derivative classification contains the declassification instruction, "Originating Agency's Determination Required" (OADR), the new document should reflect the date of the original cl~ssification of the information as contained in the source document or classification guide. An example of the stamp might be as follows:

Derived From

(source)

Reason---,-,::--,,...-----------,--=---,,,---.,..,.

Declassify On: source Marked "OADR 11 Date of Source:

Classifier: ---

(Name/Title/Number)

(iv) The derivative classifier shall maintain the identification of each source with the file or record copy of the derivatively classified document.

(2) For Restricted Data documents:

55

(i) Identity of the classifier. The identity of the classifier must be shown by completion of the Derivative Classifier line. The Derivative Classifier line must show the name of the person classifying the document and the basis for the classification. Dates for downgrading or declassification do not apply.

(ii) Classification designation (e.g., Secret, Confidential) and Restricted Data. NOTE: No "Declassification" instructions will be placed on documents containing Restricted Data.

(d) Placement of markings. The highes~ classification marking assigned to a document must be placed in a conspicuous fashion in letters at the top and bottom of the o~side of the front covers and title pages, if any, and first and last pages on which text appears, on both bound and unbound documents, and on the outside of back covers of bound documents. The balance of the pages must be marked at the top and bottom with:

(1) The overall classification marking assigned to the document; (2) The highest classification marking required by content of the page; or (3) The marking UNCLASSIFIED if they have no classified content.

Ce) Additional markings.

(1) If the document contains any form of Restricted D~ta, it must bear the

~ appropriate marking on the fir.st page of :text, on the front cover and title page, ff any. For example: "This document contains Restricted Data as defined in the Atomic Energy Act of 1954. Unauthorized disclosure subject to Administrative and Criminal Sanctions."

(2) Limitation on reproduction or dissemination. If the originator or classifier determines that reproduction or further dissemination of a document should be restricted, the following additional worJing may be placed on the face of the document:

56

Reproduction or Further Dissemination Requires Approval of I

If any po*t1on of this additional marking does not apply, it should be cro~sed out.

(f) Portion markings. In addition to the information required on the face of the document, each classified document is required, by marking or other means, to 1nd1cate clearly which portions are classified (e.g .* paragraphs or

- pages) and which portions are not classified. The symbols (S) for Secret, (C) for Confidential, (U) for Unclassified, or (RD) for Restricted Data may be used immediately preceding or following the text to which it applies, except that the designation must follow titles or subjects. (Portion marking of paragraphs is not required for documents cont~ining Restricted Data.) If this type of portion marking is not practicable, the document must contain a description sufficient to identify the classified information and the unclassified information.

Example Pages 1-3 Secret Pages 4-19 Unclassified Pages 20-26 Secret Pages 27-32 Confidential (g) Transmittal document~ If a document transmitting classified information contains no classified information or the classification level of the transmittal document is not as high?~ the highest classification level of 57

its enclosures, then the document must be marked at the top and bottom with a classification at least as high as its highest classified enclosure. The classification may bJ higher if the enclosures, when combined, warrant a higher classification than any individual enclosure. When the contents of the transmittal document warrants a lower classification than the highest classified enclosure(s) or combination of enclosures or requires no classification, a stamp or marking such as the following must also be used on the transmittal document:

UPON REMOVAL OF ATTACHMENTS THIS DOCUMENT IS:

(Classification level of transmittal document standing alone or the word

UNCLASSIFIED if the transmittal document contains no classified information.)

(h) Classification challenges. Persons in authorized possession of classified National Security Information who in good faith believe that the information's classification status (i.e. that the document), is classified at ejther too high a level for its content (overclassification) or too low for its content (underclassification) are ex~~cted to challenge its classification status. Persons who wish to challenge a classifi~ation status shal~ --

(i) Refer the document or information to the originator or to an authQrized NRC classifier for review. The authorized classifier shall review the document and render a written classification decision to the holder of the information.

(ii) In the event of a question regarding classification review, the holder of the informatior1 or the authorized 9lassifier shall consult the NRC Division of Security, Information Security Branch, for assistance.

58

(iii) Persons who challenge classification decisions have the right to appeal the classification decision to the Interagency Security Classification Appeals Panel.

(iv) Persons seeking to challenge the classification of information will not be the subject of retribution.

(1) Files, folders or group of documents. Files, folders, binders, or groups of physically connected documents must be marked at least as high as the highest classified document which they contain.

(j) Drafts and working papers. Drafts of documents and working papers which contain, or which are believed to contain, classified information must be marked as classified information. "-

(k) Classification guidance. Licensees, certificate holders, or other persons subject to this part shall classify and mark classified matter as National Security Information or Restricted Data, as appropriate, in accordance with classification guidance provided by the NRC as part of the facility clearance process .

A2. Section 95.39 is revised to read as follows:

§ 95.39 External transmission of docume~ts and material.

(a) Restrictions. Documents and material containing classified information received or originated in connection with an NRC license or certificate must be transmitted only to CSA approved security facilities.

(b) Preparation of documents. Documents containing classified information must be prepared in accordance w;th the following when transmitted outside an individual installation.

59

(1) The documents must be enclosed in two sealed opaque envelopes or wrappers.

(2) The inner envelope or wrapper must contain the addressee's classified mail address and the name of the intended recipient. The appropriate classification must be placed on both sides of the envelope (top and bottom) and the additional markings, as appropriate, referred to in §95.37(e) must be placed on the side bearing the address.

(3) The outer envelope or wrapper must contain the addressee's classified

- mail address. The outer envelope or wrapper may not contain any classification, additional marking or other notation that indicates that the enclosed document contains classified information.

(4) A receipt that contains an unclassified description of the document, the document number, if any, date of the document, classification, the date of transfer, the recipient and the person transferring the document must be enclosed within the inner envelope containing the document and be signed by the recipient and returned to the sender whenever the custody of a Secret document is transferred. This receipt process is at the option of the sender for Confidential information.

(c) Methods of transportation.

' matter may be transportP.d only by one of the following methods (1) -secret within and directly between the U.S., Puerto Rico, or a U.S. possession or trust territory:

(i) U.S. Postal Service Express Mail and U.S. Postal Service Registered Mail. NOTE: The "Waiver of Signature and Indemnity" block on the U.S. Postal Service Express Mail Label 11-B may not be executed and the use of external (street side) express mail collection boxes is prohibited.

(ii) A cleared "Commercial Carrier."

60

(11i) A cleared commercial messenger service engaged in the intrac1tyllocal area delivery (same day delivery only) of classified material.

(iv) A commercial delivery company, approved by the CSA, that provides nationwide, overnight service with computer tracing and reporting features.

These companies need not be security cleared.

(v) Other methods as directed, in writing, by the CSA.

(2) Confidential matter may be transported by one of the methods set forth

- in paragraph (c)(l) of this section, uy U.S. first class, express or certified mail. First class, express, or certified mail may be used in transmission of Confidential documents to Puerto Rico or any United States territory or possession.

Cd) Telecommunication of classified information. Classified information may not qe telecommunicated unless the telecommunication system has been approved by the CSA. Licensees, certificate holders or other persons who may I

I require a secure telecommunication system shall submit a telecommunication plan as p~rt of their request for facility clearance, as outlined in §95.15, or as an amendment to their existing Standard Practice Procedures Plan for the protection of classified information.

(e) Security of classified information in transit. Classified matter that. because of its nature, cannot be transported in accordance with

§95.39(c), may only be transported in accordance with procedures approved by the CSA. Procedures for transporting classified matter are based on a satisfactory transportation plan submitted as part of the licensee's, certificate holder, or other person's request for facility clearance or 61

submitted as an amendment to its existing Standard Practice Procedures Plan~

43. Section 95.41 is revised to read as follows:

§ 95.41 External receipt and dispatch records, Each licensee, certificate holder or other person possessing classified information shall maintain a record that reflects:

(a) The date of the material; (b) The date of receipt or dispatch; (c) The classification; (d) An unclassified description of the material; and (e) The identity of the sender from which the material was received or recipient to which the material was dispatched. Receipt and dispatch records must be retained for 2 years.

44. Section 95.43 is revised to read as follows:

§ 95,43 Authority to reproduce.

(a) Each licensee or other person possessing classified information shall establish a reproduction control system to ensure that reproduction of classified material is held to the minimum consistent with operational requirements. Classified reproduction must be accomplished by authorized employees knowledgeable of the procedures for classified reproduction. The use of t~chnology that prevents, disco~rages, 01 detects the unauthorized reproduction of classified documents is er,couraged.

62

(b) Unless restricted by the CSA, Secret and Confidential documents may be reproduce~. Reproduced copies of classif1ed documents are subject to the same protection as the original documents.

(c) All repr~ductions of classified material must be conspicuously marked with the same classification markings as the material being reproduced. Copies of classified material must be reviewed after the reproduction process to ensure that these markings are visible.

45. Section 95.45 is revised to read as follows:

§ 95.45 Changes in classification.

(a) Documents containing classified National Secu~ity Information must be downgraded or declassified as authorized by the NRC classification guides or as determined by the NRC. Requests for downgrading or declassifying any NRC classified information should be forwarded to the NRC Division of Security, Office of Administration, Washington, DC 20555-0001. Requests for downgrading or declassifying of. Restricted Data will be forwarded to the NRC Division of Security for coordination with the Department of Energy.

{b) If a change of classification o~ declassification is approved, the previous classification marking must be canceled and the following statement, properly *'completed, must be placed on the first page of the document:

Classification canceled (or changed to)

(Insert appropriate classification) by authority of 63

(Person authorizing change in classification) by (Signature of person making change and date thereof)

(c) New markings reflectinQ the current classification status of the document will be applied in accordance with the requirements of §95.37.

(d) Any persons making a change in classification or receiving notice of such a change shall forward notice of the change in classification to holders of all copies as shown on their records.

46. Section 95.47 is revised to read as follows:

§ 95,47 Destruction of matter containing classified information.

Documents containing classified information may be destroyed by burning, pulping, or another method that ensures complete destruction of the information that they contain. The methoq of destruction must preclude recognition or reconstruction of the classified information. Any doubts on methods should be referred to the CSA. If the document contains Secret information, a record of the subject or title, document number, if any, originator, its date of origination and the date of destruction must be signed by the person destroying the document and must be maintained in the office of the custodian at the time of destruction. These destruction records must be retained for two years after destruction.

64

47. Section 95.49 is revised to read as follows:

§ 95.49 Security of automatic data processing (ADP) systems, Classified data or information may not be processed or produced on an ADP system unless the system and procedures to protect the classified data or information have been approved by the CSA. Approval of the ADP system and procedures is based on a satisfactory ADP security proposal submitted as part

- of the licensee's or other person's request for facility clearance outlined in

§95.15 or submitted as an amendment to it~ existing Standard Practice Procedures Plan for the protection of classified information.

48. Section 95.51 is revised to read as follows:

§ 95.51 Retrieval of classified matter following suspension or revocation of access authorization, In any case where the access duthorizat1on of an individual is suspended or revoked in accordance with the procedures set forth in Part 25 of this chapter, or, other relevant CSA procedures, the licensee, certificate holder or other organization shall, upon due notice from the Commission of such suspension or revocation, retrieve all classified information possessed by the individual and take the action necessary to preclude that individual having further access to the information.

49. Section 95.53 is revised to read as follows:

65

§ 95,53 Termjnation of fa*cj)ity clearance.

(a) If the need to use, process, store, reproduce, transmit, transport, or handle classified matter no longer exists, the facility clearance will be terminated. The facility may deliver all documents and materials containing classified information to the Commission or to a person authorized to receive them or destroy all such documents and materials. In either case, the facility shall submit a certification of nonpossession of classified information to the NRC Division of Security.

(b) In any instarce where facility clearance. has been terminated based on a determination of the CSA that further possession of classified matter by the facility would not be in the int2(ast uf the national security, the facility shall, upon notice from the CSA, immediately deliver all classified documents and materials to the Commission along with a certificate of nonpossession of classified information.

50. Section 95.55 is revised to read as follows:

§ 95,55 Continued applicability of the regulations in this part.

The suspension, revocation or other termination of access authorization or the termination of facility clearance does not relieve any person from compliance with the regulations in this part.

51. Section 95.57 is revised to read as follows:

§ 95,57 Reports.

66

Each licensee or other person having a facility clearance shall immediately report to the CSA and the Regional Administrator of the appropriate NRC Regional Office listed in appendix A, 10 CFR part 73:

(a) Any alleged or suspected violation of the Atomic Energy Act, Espionage Act, or other Federal statutes related to classified information.

(b) Any infractions, losses, compromises or possible compromise of classified information or classified documents not falling within paragraph (a) of this section.

(c) In addition, an authorized classifier of a licensee, certificate holder or other organization $Ubject to this Part shall complete an NRC Form 790, "Classification Record," whenever matter containing classified information is generated, its classification changed or it is declassified.

Notification of declassification is not required for any document or material which has an automatic declassification date. Completed NRC Form 790 must be submitted to the NRC Division of Security, Washington, DC 20555-0001, on a monthly basis.

67

52. Section 95.59 is revised to read as follows:

§ 95.59 Inspections, The Commission shall make inspections and reviews of the premises, act)vities, records and procedures of any person subject to the regulations in this part as the Commission and CSA aeem necessary to effect the purposes of the Act, E.O. 12958 and/or NRC rules.

Dated at Rockville, Maryland, this 1hj!day of tJJ 1997.

For the Nuclear Regulatory Commission.

L. Joseph allan, E x e c u ~ : : : : Operations.

68

REGULATORY ANALYSIS

1. Statement of Prob] em .

On October 31, 1994. the Deputy Secretary of Defense, acting as the Executive Agent for the National Industrial Security Program (NISP),

approved the NISP Operating Manual (NISPOM) establishin§ government-wide requirements for the protection of classified National Security Information and Restricted Data at industrial facilities, including NRC contractors, and, to the extent feasible within regulatory requirements, NRC licensees and certificate holders. On April 17, 1995 aPd August 2, 1995, the President signed Executive Orders 12958, "Classified National Security Information,* and 12968, "Access to Classified Information,"

respectively which revised requirements for handling, protecting and accessing classified information. The requirements of these new national security policy documents are applicable to licensees, certificate holders, and others regulated by the NRC. The effect of the new Executive Orders and the NISPOM is that 10 CFR Part 25, "Access Authorization for Licensee Personnel," 10 CFR Part 50, *Domestic Licensing of Production and Utilization Facilities," 10 CFR Part 54, "Requirements for Renewal of Operating Licenses for Nuclear Power Plants," and 10 CFR Part 95,.

"Security Facility Approval and Safeguarding of National Security Information and Restricted Data," are no longer consistent with national security policies and directives.

2. Objective The objective of this regulatory initiative is to conform the NRC's regulations for the protection of classified information at licensee, certificate holder and other NRC regulated facilities possessing or having employees with access to classified information, with national policies for the protection of such information.

3. A1ternat i yes There is no reasonable alternativE to the revision of these regulations that ~ould achieve the desired result.

4. Consequences There are approximately 10 affected entities licensed or otherwise regulated by the NRC. Each licensee, certificate holder or other entity who requires access to National Security Information or Restricted Data to conduct official business related to an NRC regulated activity must have a facility clearance under the provisions of Part 95 and individuals, other than USEC personnel who are cleared by DOE, who have access to classified information must have a access authorization granted to them under Part 25 or, under §50.37 or §54.17(g), " ... The Commission shall have determined that permitting such person to have access to Restricted Data will not endanger the common defense and security."

These entities will be required to comp,y with the requirements of 10 CFR Parts 25, 50, 54 and 95, which will involve costs to these entities. The

costs, however, should be no higher than under the current regulations and are likely to be lower since a number of requirements have been reduced (e.g., lesser requirements for accountability of secret information, reduction of requirements for GSA approved security containers and reduction of administrative requirements for classified visits). These changes will not have an impact on other NRC programs or requirements at these facilities.

5. Decision Rationale The only available method of imposing these requirements on selected licensees and others is to revise 10 CFR Parts 25, 50, 54 and 95. Other avenues would lack the requisite formality and\legality necessary to require all affected NRC licensees to adhere to the changes in requirements for the protection of classified information.

6. Implementation The Division of Security intends to publish the final rule amending 10 CFR Parts 25, 50, 54 and 95 by March 31, 1997.

United States

@)

Enrichment Corporation us United States AP r - 1 1997 DOC 'ETJNGa

~\ SERVICE BRAt-'CH

-5/ , SECY-NRC 2 Democracy Center 6903 Rockledge Drive Bethesda. MD 20817 Tel: (301) 564-3200 Fax: (301) 564-3201 Vii,' ;----,,-r--r \

Enrichment Corporation March 31, 1997

'<1----- 1 1. v 1

DOCKET NUMBER PROPOSED RULE ,25' ,1- q,s-( lo l FRA- 0555)

VIA FACSIMILE AND FEDERAL EXPRESS Secretary SERIAL: GDP 97-0046 US Nuclear Regulatory Commission Washington, D.C. 20555-0001 Attention: Docketing and Service Branch Paducah Gaseous Diffusion Plant (PGDP)

Portsmouth Gaseous Diffusion Plant (PORTS)

Docket Nos. 70-7001 and 70-7002 USEC Comments on NRC Proposed Rule, "Access to and Protection of Classified Information" 61 Fed. Reg. 40555

Dear Sir:

On behalf of the United States Enrichment Corporation (USEC), I am pleased to provide comments on the NRC's Proposed Rule, "Access to and Protection of Classified Information."

We apologize for the late submittal of these comments. It was only after conversations with NRC security personnel in early 1997 that USEC fully understood the need for review and comment of the proposed rule revision. Not withstanding their untimeliness, we believe the enclosed comments are significant and will contribute to the industry's consistent implementation and understanding of the regulation. For this reason we believe they warrant review by the Commission.

We would be pleased to discuss these comments with you. Please contact me at (301) 564-3413 or Ms. Lisamarie Jarriel at (301) 564-3247.

Sincerely, Qµ w~ Robert L. Woolley Nuclear Regulatory Assurance and Policy Manager APR - 3 1992

.f\cknowledged by card ......... ,.,., ..........~,

Offices in Paducah, Kentucky Portsmouth, Ohio Washington, DC

J.S. NUCLEAR REGULATORY COMM1S~10r, DOCKETING & SERVICE SECTION OFFICE OF THE SECRETARY OF THE COMMISSION Document Statistics Postmark Date J/3 t / q1 ,* -ky J °" 3/1 ,/ 1 q

Copies Received / '

,\dd'I Copies-9eproduced ,___..,..,.f_ __

Special Distribution ki dd, Ga/{~her, 112~ 1<11>5 -

UNITED STATES ENRICHMENT CORPORATION Comments on NRC Proposed Rulemaking, 10 CFR Parts 25 and 95 Access to and Protection of Classified Information

1. §25 .17 Approval for processing applications for access authorization and

§25 .19 Processing Applications

§25.17(/) Applications for access authorization or access authorization renewal processing that are submitted to NRC for processing must be accompanied by a check or money order, 11

§25.19 11* *

the application and its accompanying fee must be submitted to the NRC Division of Security. 11 As described in §25. l 7(t), and §25.19, applications for access authorization or access authorization renewal processing must be accompanied by a check or money order. The United States Enrichment Corporation (USEC) has over 4,500 individuals working at its facilities, most of whom have clearances. On the average, USEC processes such applications 1200 times a year, or approximately 5 times a day. To facilitate this process, therefore, USEC requests that the regulation allow for payment on a quarterly basis and the rule language be modified as follows:

§25. 17(/) Applications for access authorization or access authorization renewal processing that are submitted to NRC for processing mrtSt be aeeewtptW1ied /Jy a cheek er meney 0ffier, [J6}'tlhle lfJ #le United States NNelem Regwlate,y Ce11fmi9Si611 lf.~#'i,JJ.a!:f.e

.l~ilitllill.iI:lfei:rllBlflll, representing the cu"ent cost for the processing. . ;;

§25. 19 11* *

the application and its tlCC6Wlp61'lying fee must be submitted to the NRC Division of Security. "

2. §25.21 Determination of initial and continued eligibility for access authorization.

§25.2l(c)(l} 11* *

access authorizations must be renewed every five years from the date of issuance. An application for renewal must be submitted at least 120 days before the expiration of the five year period. . . 11 It is not clear who is responsible for assuring timely notice of expiration and the need for renewal; the authorizing agency or the organization employing the individual seeking renewal. Currently, USEC is notified by DOE when a reinvestigation is required and when an application for renewal must be received. It is not clear that the NRC provides such notification, and if so, to whom. In a similar manner, it is not clear that the NRC provides timely notification that an individual's access authorization has expired.

3. §25.5 Definitions and §25.35 Classified visits .

§25. 5 "Visit authorization letters (VAL) means a letter, generated by a licensee, certificate holder or other organization under the requirements of 10 CFR parts 25 and/or 95, verifying the need to know and access authorization of an individual from that organization who needs to visit another authorizedfacility for the purpose of exchanging or acquiring classified information. "

§25.35(c) Licensee, certificate holder or others shall include the following information in all Visit Authorization Letters (VAL) which they prepare: ... "

As defined in§ 25.5 and described in§ 25.35(c), it appears that the regulations permit the licensee or certificate holder to verify the "need-to-know" and access authorization of an individual wishing to visit another facility for the purpose of acquiring classified information. Verification is documented by the issuance of V ALs by the licensee or certificate holder, rather than by the issuance of a NRC Form 277 by the NRC's Division of Security. Without access to the NRC's database, it is not clear how the organization to be visited would verify information in the VAL; such as, the authorization of the Facility Security Officer signing the VAL, or the Foreign Ownership Control or Influence (FOCI) authorization for the requesting organization.

It appears at a minimum, that the licensees and certificate holders should:

use a standardized form in conjunction with the VAL documenting information required by Parts 25 and 95, and have access to an authorized list of Facility Security Officers.

4. §95 .25 Protection of classified information in storage.

§95.25(c)(2)(v) "(Classified lock combinations . .. must be changed) ... at least once every 12 months."

It is USEC's belief that the National Industrial Security Program Operating Manual requires combinations to be changed only when merited by an employee termination/resignation or a recognized compromise. Therefore, USEC requests that the rule language be modified as follows:

§95.25(c)(2) ...

"(iv) At other times when considered necessary by the Facility Security Officer or CSA-:--e,-

"(¥) l-n t:f1'fJ>' e*;ent at least enee e*;e,y }2 m<::Htths."

5. §95.25 Protection of classified information in storage.

§95.25(b) "Confidential matter while unattended or not in use must be stored in the same manner as SECRET matter except that no supplemental protection is required. "

§95.5 "... Supplemental protection means additional security procedures such as intrusion detection systems, security guards, and access control systems. "

§95.25(i) "... If an unattended security container housing classified matter is found unlocked, ... (t)he container must be secured by protective personnel and the contents inventoried . .. "

There appears to be an inconsistency between §95.25(b) and §95.25(i). §95.25(b) stipulates that supplemental protection (including the use of protective personnel) is not required for stored, unattended, confidential material. However, §95.25(i) requires that the same container of material, if found unlocked, be secured by protective personnel.

§95 .25(i) also requires that the contents of an unattended container, if found unlocked, be inventoried. Unless the contents of the container are inventoried when initially stored, which is not required, compromise of the material will be indeterminate. Even if an initial inventory is made, inventory of the contents will not detect if the contents were photo-copied, or similarly compromised. USEC believes that an effort should be made to determine if the material has been compromised, however, contends that this can not be effectively accomplished with an inventory.

Therefore, USEC requests that the rule language be modified as follows:

§95.25{i) "... If an unattended security container housing classified matter is found unlocked, the custodian or an alternate must be notified immediately. The container must

~,iiii~i,Miiiii1im:::;::::;:::~~ '11:~pp::::,JI41.i~~:i::::i

Department of Energy Germantown , MD 20874-1290 OCT 1 6 1996 *96 OCT 22 A8 :46 DOCKET NUMBER PROPOSED RULE~---

PR :J_~ J-- °I> Ii

,, I

( 6 I F~ L/OSSS)

Secretary of the Commission U .S. Nuclear Regulatory Commission ATTN: Docketing and Regulatory Services Branch Washington, DC 20555-0001

Dear Sir:

Attached are comments from the Department of Energy on the Nuclear Regulatory Commission proposed rules 10 CFR Parts 25 and 95, "Access to and Protection of Classified Information." I hope you find these comments useful in the finalization of these rules.

If you have any questions about the attached comments, please contact Cathy Tullis on 301-903-4805 .

1/4:___ ward . all ,

Office eguards and Security Attachment

~owl d d JAN O 7 1997 e ge by cara ..............."""'..'"~~

@ Printed with soy ink on recycled paper

NO!~S'.tf';G~ 3;~1 ,')

AHVBtJ:)33 ~.dl _:) :l-*!30 NOl1~3S 3~M d33 *: *,, JJ :.?>;:)1:~1 "101ssivmo'.) .:,w, ,...-, ... - * ***--.*. r-i *s*r*

Comments to Proposed NRC Rule General Comment. The draft regulation refers to "access authorization" throughout. The introduction to the proposed rule references "personnel security clearance" and some of the language in the text contains variations, such as "personnel access authorization." A common term should be used throughout, or the fact that a personnel security clearance is a synonym for access authorization established.

General.Comment. The draft regulation uses the term "Critical Secret Restricted Data." This term has not be implemented by any agency. A review group was formed to review this issue and has decided not to use this term. Instead information will be appropriately upgraded to Top Secret. It is strongly recommended that NRC not use the term "Critical Secret Restricted Data" in this regulation. Instead we suggest that all Secret Restricted Data continue to be protected at the NISPOM supplement level until the critical information has been upgraded to Top Secret.

§25 .5: The definition for "access authorization" is confusing, stating that it means an individual is eligible for "security clearance for access to classified information." Suggest the following :

"Access authorization means an administrative determination that an individual is eligible for access to classified information." *

§25 .17(e): This section requires the licensee/contractor to review the SF-86, including Part 2, for completeness and correctness. As the changes to the rule are largely being made to comply with new Executive Order and the NISPOM, this section should more carefully address the terms under which this information can be reviewed by a third party. The NISPOM restricts this type of reVIew.

§95 .3: It is not clear why the scope is not written to include all classified information, especially Formerly Restricted Data.

§95 . l 7(a)(2): To ensure consistency with the NISPOM it is suggested that the term "survey be changed to "review."

§95 .18 : A NISPOM transposition requiring some clarification. Senior management cannot be cleared to the "level of the facility" by NRC, as NRC can only grant "Q" and "L" access authorizations and facilities are classified as Secret, Top Secret, etc. Perhaps senior management could be cleared to a level commensurate with that of the facility clearance.

§95 .25 : The storage requirements for Secret contained in this sections are not consistent with the storage ,i:equirements foF.Secret Restricted Data in the NISPOM supplement.

§95.25(c)(2)(v) : The requirement to change combinations once every 12 months is above and beyond the requirements contained in the NISPOM. Suggest this requirement be eliminated.

§95 .37(c)(l)(i): Suggest a sentence be added to indicate that on a document marked "multiple

sources" that the multiple sources must be identified in the records copy of the document.

§95 .57 : This seems to be the first reference to a "person" having a facility clearance. The definition of facility clearance needs to be more detailed as to what constitutes a facility under this rule.

Georgia Power Com-.iany IJOCKET NUMBER PB ..J_ S"'

40 Inverness Center .Parkway Post Office Box 1295 Birmingham , Alabama 35201 J>RQPQSED RULE (6 J FR. ~OS'r ("")

([)

Telephone 205 877-7122 .:, .J_,,/

DOCKETED C. K. McCoy us~ r.c

.96 0 T _7 Al l :41 Georgia Power

,\

Vice President, Nuclear Vogtle Pro1ect the southern electnc system Of : ,C1 ' . .,-

T.

October 2 CG96 , 1

I Docket Nos. 50-424 LCV-0866 50-425 The Secretary of the Commission U. S. Nuclear Regulatory Commission

- Washington, D. C. 20555-0001 ATTN.: Docketing and Service Branch Comments on proposed rule "Access to and Protection of Classified Information" (61 Federal Register 40555 dated August 5, 1996)

Dear Sir:

Georgia Power Company has reviewed the proposed rulemaking "Access to and Protection of Classified Information," which would revise 10 CFR Parts 25 and 95, and was published in the Federal Register on August 5, 1996. Georgia Power Company supports the policy behind the proposed rulemaking and the NRC' s effort to reduce or eliminate duplicative oversight of private facilities which have classified interests from more than one governmental agency. However, Georgia Power Company is concerned that a number of the provisions proposed by the NRC are unclear and may be difficult to apply. Accordingly, Georgia Power Company provides the attached comments which identify these concerns and provide general suggestions for the final rule.

Should you have any questions, please advise.

Respectfully submitted, C. K. McCoy CKM/JMG Attachment

,S. ,,v. * . /I\ v0Mwtl::i:::i1UI' DQCKi

t!~-.. ~- ~-,i:fWICE SECTION OfFICE. OF fHE SECRETARY OF THE COMMISSION Postmark Dat'3 _,_-=-._._.._._'9 ~ 6____

Coi/t>s Rcc~i* y :: _ _ _ / -.-_ _ __

7

Georgia Power .,,\

U.S. Nuclear Regulatory Commission Page2 cc: Georgia Power Company Mr. J. B. Beasley Mr. M. Sheibani NORMS U. S. Nuclear Regulatory Commission Mr. S. D. Ebneter, Regional Administrator Mr. L. L. Wheeler, Licensing Project Manager-Vogtle, NRR Mr. C.R. Ogle, Senior Resident Inspector - Vogtle LCV-0866

Comments on the Proposed Rule:

"Access to and Protection of Classified Information" 61 FR 40555 (Aug. 5, 1996)

The Commission has proposed amendments to the provisions of 10 CFR Parts 25 and 95 regarding security of classified information. According to the preamble to the proposed rule, the amendments would permit another "Cognizant Security Agency" (e.g., DOE, DoD, or CIA) to assume some or all of the security oversight functions at a facility licensed by the Commission or for employees of NRC licensees. Georgia Power Company (Georgia Power) supports the policy behind the Commission's proposal. Eliminating the need for an NRC licensee to seek security clearances from both the Commission and DOE, for example, is appropriate. Georgia Power agrees that the Commission should pursue this end in keeping with the National Industrial Security Program.

However, Georgia Power is concerned that a number of the provisions contained in the proposed rule are unclear, may be difficult to apply, or would create conflicts with other Commission regulations. Specifically, (i) the proposed rule does not provide a procedure for the designation of the "Cognizant Security Agency (CSA)"; (ii) the proposed rule does not address the Commission's role in ensuring compliance with the rules of other CSAs; (iii) the proposed rule does not reconcile restricted data requirements in Parts 50 and 54 of the Commission's regulations with the proposed changes to 10 CFR Parts 25 and 95, and (iv) the proposal does not clearly define when a facility clearance from the Commission is required. The following comments address each of these concerns.

Cognizant Security Agency The proposed changes to Part 25 would allow licensees to request access authorizations for employees from "the facility CSA" instead of from the Commission. According to the proposed rule, CSA stands for "Cognizant Security Agency" and is defined as DoD, DOE, CIA and the Commission. However, the proposed rule does not explain which of these agencies is the appropriate CSA in a given situation or for a given facility, or who makes that determination. Conceivably, more than one of the agencies could be the CSA.

The final rule should include a more precise definition of CSA or a procedure for designating a CSA in a given situation. For instance, the CSA definition could be modified to indicate that it is the agency which exercises primary authority and control over the classified information to which access is initially sought. In this way, conflicts between two or more agencies asserting jurisdiction as CSA can be avoided.

10 CFR 95 also includes references to the CSA. For the reasons outlined above, the proposed changes to Part 95 should also include a more precise definition of "Cognizant Security Agency" in the final rule.

Comments on Proposed Rule (61 FR 40555)

Page2 Continued Obligations to the Commission The proposed rule does not establish whether and how the Commission will be notified regarding access authorizations requested from another agency. Does an NRC licensee have an obligation to notify the Commission if it applies to another CSA for an access authorization?

If the Commission intends to require such notification from its licensees, then the final rule should clarify the scope of that requirement. Further, in keeping with the efficiency goals of the rule, any such required notification should be very simple. For example, the Commission should make clear that its licensee's may apply to another CSA without permission from the Commission.

Conflicting Responsibilities Under Other Commission Regulations 10 CFR 50.37 prohibits commercial nuclear reactor licensees from permitting an employee access to Restricted Data until the Civil Service Commission has reported to the Commission on the fitness of the individual employee to receive such information. The proposed rule does not amend this section of 10 CFR and does not otherwise link the requirements of Part 25 to this section.

The proposed rule should be clarified in order to reflect whether compliance with the new Part 25 will satisfy 10 CFR 50.37. The interface of the proposed rule with 10 CFR 54.17(g), which concerns license renewals, should be clarified in similar fashion in the final rule.

Licensee Activities at Other Facilities As revised by the propqsed rule, it is unclear whether 10 CFR 95 .15 requires an NRC licensee to obtain a facility clearance from the Commission in order for employees of that licensee to "use" or "handle" classified information which is located at a completely different facility, including facilities subject to the oversight of another agency. For example, does 10 CFR 95.15 require a facility clearance from the Commission in order for employees of an NRC licensed facility to use or handle classified information which is maintained at a DOE facility? Conversely, does 10 CFR 95 .15 require the NRC to clear the non-NRC licensed facility? Although it does not appear to be the Commission's intent to require a facility clearance in either situation, an affirmative statement in this regard would assist in the implementation of the rule. The Commission should clarify whether facility approvals are required under Part 95 in such a situation.

Comments on Proposed Rule (61 FR 40555)

Page3 Conclusion Georgia Power believes the proposed rule will, subject to the comments above, improve the Commission's regulations regarding security matters. Incorporating these comments into the final rule will help to clarify the responsibilities of the regulated community and will result in more efficient protection for classified information.

DOCKET NUMBER PROPOSED RULE PR J- 5 J- q S

( 6 J FR J./tJGS~) DOCKETED US N 759 0-01-PJ NUCLEAR REGULATORY COMMISSION "96 AUG -1 P5 :20 10 CFR PARTS 25 AND 95 OFF!C l - s ::::r ~E r' R' DO C E1 I. ...

RIN 3150- AF37 t3 r< r,( *1 ACCESS TO AND PROTECTION OF CLASSIFIED INFORMATION AGENCY: Nuclear Regulatory Commission.

ACTION: Proposed rule.

SUMMARY

The Nuclear Regulatory Commission is amending its regulations to conform the requirements for the protection of and access to classified information to new national security policy documents. This proposed rule is necessary to ensure that classified information in the possession of NRC licensees and others under the NRC's regulatory requirements is protected in accordance with current national policies.

/ o/4 {q.£ DATES: The comment period expires (60 days from date of pu lication in the Federal Register). Comments received after this date will be considered if it is practical to do so, but the Commission is able to assure consideration only for comments received on or before this date. Comments may be submitted either electronically or in written form. For written comments submit to:

The Secretary of the Commission, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, Attention: Docketing and Service Branch. Copies of comments received may be examined at the NRC Public Document Room, 2120 L Street NW. (Lower Level), Washington, DC.

Electronic comments may be submitted, in either ASCII text or WordPerfect format (version 5.1 or later), by calling the NRC El ectronic Bulletin Board (BBS) on FedWorld. The bulletin board may be accessed using a personal

computer, a modem, and one of the commonly available communications software packages, or directly via Interne~. Background documents on the rulemaking are also available, as practical, for downloading and viewing on the bulletin board.

If using a personal computer and modem, the NRC rulemaking subsystem on FedWorld can be accessed directly by dialing the toll free number (800) 303-9672. Communication software parameters should be set as follows: parity to none, data bits to 8, and stop bits to 1 (N,8,1). Using ANSI or VT-100 terminal emulation, the NRC rulemaking subsystem can then be accessed by selecting the "Rules Menu" option from the "NRC Main Menu." Users will find the "FedWorld Online User's Guides" particularly helpful. Many NRC subsystems and data bases also have a "Help/Information Center" option that is tailored to the particular subsystem.

The NRC subsystem on FedWorld can also be accessed by a direct dial phone number for the main FedWorld BBS, (703) 321-3339, or by using Telnet via Internet: fedworld.gov. If using (703) 321-3339 to contact FedWorld, the NRC subsystem will be accessed from the main FedWorld menu by selecting the "Regulatory, Government Administration and State Systems," then selecting "Regulatory Information Mall." At that point, a menu will be displayed that has an option "U.S. Nuclear Regulatory Commission" that will take you to the NRC Online main menu. The NRC Online area also can be accessed directly by typing "/go nrc" at a FedWorld command line. If you access NRC from FedWorld's main menu, you may return to FedWorld by selecting the "Return to FedWorld" option from the NRC Online Main Menu. However, if you access NRC at FedWorld by using NRC's toll-free number, you will have full access to all NRC systems, but you will not have access to the main FedWorld system.

If you contact FedWorld using Telnet, you will see the NRC area and 2

menus, including the Rules Menu. Although you will be able to download documents and leave messages, you will not be able to write comments or upload files (comments). If you contact FedWorld using FTP, all files can be accessed and downloaded but uploads are not allowed; all you will see is a list of files without descriptions (normal Gopher look). An index file listing all files within a subdirectory, with descriptions, is available.

There is a 15-minute time limit for FTP access.

Although FedWorld also can be accessed through the World Wide Web, like FTP that mode only provides access for downloading files and does not display the NRC Rules Menu.

For more information on NRC bulletin boards call Mr. Arthur Davis, Systems Integration and Development Branch, NRC, Washington, DC 20555, telephone (301) 415-5780; email AXD3@nrc.gov.

Single copies of this proposed rulemaking may be obtained by written request or telefax ((301) 415-2260) from: Distribution Services, Printing and Mail Services Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington DC 20555. Certain documents related to this

- rulemaking, including comments received, may be examined at the NRC Public Document Room, 2120 L Street NW. (Lower level), Washington, DC. These same documents may also be viewed and downloaded electronically via the Electronic Bulletin Board established by NRC for this rulemaking as indicated above.

FOR FURTHER INFORMATION CONTACT: Duane G. Kidd, Division of Security, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001 telephone (301) 415-7403, Email DGK@NRC.GOV.

3

SUPPLEMENTARY INFORMATION:

Background

The national requirements for the protection of and access to Classified National Security Information have been revised by the issuance of the National Industrial Security Program Operating Manual (NISPOM), Executive Order 12958, "Classified National Security Information,"dated April 17, 1995, and Executive Order 12968, "Access to Classified Information," dated August 4, 1995 In order to conform to these new national security policy documents, the NRC must revise its regulations for the protection of classified information.

The requirements of 10 CFR Parts 25 and 95 are substantially based on Executive Order 12356, dated April 6, 1982, which was superseded by Executive Order 12958.

The proposed rule would amend the provisions of 10 CFR Parts 25 and 95 that deal with requirements for access to and protection of classified information that have been changed or added by the NISPOM or the Executive Orders. Specifically, changes include revised and added definitions such as

- Cognizant Security Agency, Classified National Security Information, Classified Information, Facility Security Clearance, Foreign Ownership, Control, or Influence and numerous amendments to reflect the fact that the NRC may permit another Cognizant Security Agency (DOE, DoD, or CIA) to assume some or all of the security oversight functions at an NRC facility under the requirements of 10 CFR Parts 25 and/or 95 when that agency also has a significant security interest at the facility. The proposed rule addresses the intent of Executive Order 12829, "National Industrial Security Program,"

to reduce wasteful and inefficient duplicative oversight of private facilities which have classified interests from more than one government agency.

4

The proposed rule would also adopt new requirements in areas where the Executive Orders or the NISPOM mandate specific requirements not included in the previous versions of the rules. These new requirements include:

Requiring that key management personnel have personnel security clearances as well as those employees with access to classified information; Permitting reinstatement of a personnel security clearance up to 24 months after termination instead of the previous 6 months; Permitting facility security officers to issue visit authorization letters directly rather than through the NRC Division of Security; Requiring a finding that a facility is not under foreign ownership, control or influence; Requiring facility security officers to have specific training related to their position; Permitting the use of reinforced steel filing cabinets with lockbars and key locks for classified information (provided appropriate supplemental protection is in place during non-working hours); Changing the security classification markings to conform to Executive Order 12958; Reducing the accountability requirements for Secret documents; Defining procedures for challenging classification decisions that one believes to be in error; Allowing for additional methods of transmitting

- classified information; and imposing fewer limitations on a facilities authority to reproduce classified information when operationally necessary.

Environmental Impact: Categorical_ Exclusion The NRC has determined that this proposed rule is the type of action described in categorical exclusion 10 CFR 51.22(c)(2). Therefore, neither an environmental impact statement nor an environmental assessment has been prepared for this proposed rule.

5

Paperwork Reduction Act Statement This proposed rule amends information collection requ~rements that are subject to the Paperwork Reduction Act (44 U.S.C. 3501, et seq.). This rule has been submitted to the Office of Management and Budget for review and approval of the information collection requirements.

The public reporting burden for this collection of information is estimated to average .5 hours5.787037e-5 days 0.00139 hours 8.267196e-6 weeks 1.9025e-6 months per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collection of information. The U.S. Nuclear Regulatory Commission is seeking public comment on the potential impact of the collection of information contained in the proposed rule and on the following issues:

1. Is the proposed collection of information necessary for the proper performance of the functions of the NRC, including whether the information will have practical utility?

2. Is the estimate of burden accurate?

3. Is there a way to enhance the quality, utility, and clarity of the information to be collected?

4. How can the burden of the information collection be minimized, including the use of automated collection techniques?

Send comments on any aspect of this proposed collection of information, including suggestions for reducing the burden, to the Information and Records Management Branch (T-6 F33), U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, or by Internet electronic mail at BJSl@NRC.GOV; and to the Desk Officer, Office of Information and Regulatory Affairs, NEOB-10202, (3150-0046,

-0047, 3150-0051), Office of Management and Budget, Washington, DC 20503.

6

Comments to 0MB on the collect1ons of 1nformation or on the above issues should be submitted by (insert date 30 days after publication in the Federal Register). Comments received after this date will be considered if it is practical to do so, but assurance of consideration cannot be given to comments received after this date.

Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid 0MB

control number .

Regulatory Analysis The Commission has prepared a regulatory analysis for this proposed regulation. The analysis examines the costs and benefits of the alternatives considered by the Commission. The analysis is available for inspection in the NRC Public Document Room, 2120 L Street, NW. (Lower Level), Washington, DC.

Single copies of the analysis may be obtained from Duane G. Kidd, Division of Security, Office of Administration, U. S. Nuclear Regulatory Commission, Washington, DC 20555, telephone: (301) 415-7403 Regulatory Flexibility Certification As required by the Regulatory Flexibility Act of 1980, 5 U.S.C. 605(b),

the Commission certifies that this rule, if adopted, will not have a significant economic impact upon a substantial number of small entities. The NRC carefully considered the effect on small entities in developing this proposed rule on the protection of classified information and have determined that none of the facilities affected by this rule would qualify as a small entity under the NRC's size standards (10 CFR 2.810).

7

Backfit Analysis The NRC has determined that the backfit rule, 10 CFR 50.109, applies to this rulemaking initiative because it falls within the criteria of 10 CFR Part 50.109(a)(l), but that a backfit analysis is not required because this rulemaking qualifies for exemption under 10 CFR 50.109(a)(4)(iii) that reads "That the regulatory action involves . . . redefining what level of protection to the . . . common defense and security should be regarded as adequate."

List of Subjects 10 CFR Part 25 Classified information, Criminal penalties, Investigations, Reporting and recordkeeping requirements, Security measures.

10 CFR Part 95 Classified information, Criminal penalties, Reporting and recordkeeping requirements, Security measures.

For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended, the Energy Reorganization Act of 1974, as amended, and 5 U.S.C. 553, the NRC proposes to adopt the following amendments to 10 CFR Parts 25 and 95.

PART 25 -- ACCESS AUTHORIZATION FOR LICENSEE PERSONNEL

1. The authority citation for Part 25 is revised to read as follows:

AUTHORITY: Secs. 145, 161, 68 Stat. 942, 948, as amended (42 U.S.C.

8

2165, 2201); sec. 201, 88 Stat. 1242, as amended (42 U.S.C. 5841); E.O.

10865, as amended, 3 CFR 1959 - 1963 COMP., p. 398 (50 U.S.C. 401, note);

E.O. 12829; E.O. 12958; E.O. 12968 Appendix A also issued under 96 Stat. 1051 (31 U.S.C. 9701).

2. Section 25.1 is revised to read as follows:

§ 25.1 Purpose.

The regulations in this part establish procedures for granting, reinstating, extending, transferring, and terminating access authorizations of licensee personnel, licensee contractors or agents, and other persons (e.g., individuals involved in adjudicatory procedures as set forth in 10 CFR part 2, subpart I) who may require access to classified information.

3. Section 25.3 is revised to read as follows:

§ 25.3 Scope.

The regulations in this part apply to licensees and others who may require access to classified information related to a license or an

- application for a license.

4. Section 25.5 is amended by revising the definitions Access authorization and Need to know and by adding the definitions of Certificate holder, Classified information, Classified National Security Information, Cognizant Security Agency, and Visit authorization letters in alphabetical order to read as follows:

§ 25.5 Definitions.

Access authorization means an administrative determination that an 9

individual (including a consultant) who is employed by or an applicant for employment with the NRC, NRC contractors, agents, licensees and certificate holders, or other person designated by the Executive Director for Operations, is eligible for a security clearance for access to classified information.

Certifjcate holder means a facility operating under the provisions of Part 71 or 76 of this Chapter.

Classified information means either Classified National Security Information, Restricted Data, or Formerly Restricted Data or any one of them. It is the generic term for information requiring protection in the interest of National Security whether classified under an Executive Order or the Atomic Energy Act.

Classified National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form.

4I Cognizant Security Agency (CSA) means agencies of the Executive Branch that have been authorized by E.O. 12829 to establish an industrial security program for the purpose of safeguarding classified information under the jurisdiction of those agencies when disclosed or released to U.S. Industry.

These agencies are the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission. The Secretary of Defense (SECDEF) has been designated as Executive Agent for the National Industrial Security Program (NISP).

Need-to-know means a determination made by an authorized holder of 10

classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function under the cognizance of the Commission.

Visit authorization letters (VAL) means a letter, generated by a licensee, certificate holder or other organization under the requirements of 10 CFR Parts 25 and/or 95, verifying the need to know and access authorization of an individual from that organization who needs to visit another authorized facility for the purpose of exchanging or acquiring classified information.

5. In§ 25.8, paragraphs (a) and (b) are revised to read as follows:

§ 25.8 Information collection requirements: 0MB approval.

(a) The Nuclear Regulatory Commission has submitted the information collection requirements contained in this part to the Office of Management and Budget (0MB) for approval as required by the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The NRC may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid 0MB control number. 0MB has approved the information collection requirements contained in this part under control number 3150 0046.

(b) The approved information collection requirements contained in this part appear in§§ 25.11, 25.17, 25.21, 25.23, 25.25, 25.27, 25.29, 25.31, 25.33, and 25.35.

6. In §25.13, paragraph (a) is revised to read as follows:

11

§ 25.13 Maintenance of records, (a) Each licensee or organization employing individuals approved for personnel security access authorization under this part, shall maintain records as prescribed within the part. These records are subject to review and inspection by CSA representatives during security reviews.

7. Section 25.15 is revised to read as follows:

§ 25.15 Access permitted under O, L or eguiyalent CSA access authorization.

(a) A Q or CSA equivalent access authorization permits an 1ndiv1dual access on a need-to know basis to Critical Secret Restricted Data and Secret and Confidential Classified National Security Information including intelligence information, CRYPTO (i.e., cryptographic information) or other classified communications security (COMSEC) information.

(b) An L or CSA equivalent access authorization permits an individual access on a need-to know basis to Secret and Confidential classified information other than the categories specifically included in paragraph (a) of this section. In addition, access to certain Confidential COMSEC information is permitted as authorized by a National Communications Security Committee waiver dated February 14, 1985.

{c) Each employee of the Commission is processed for one of the two levels of access authorization. Licensees and other persons will furnish classified information to a Commission or CSA employee on official business when the employee has the appropriate level of access authorization and need-to-know. Some individuals are permitted to begin NRC employment without an access authorization. However, no NRC or CSA employee is permitted access to any classified information until the appropriate level 12

of access authorization has been granted to that employee by NRC or the CSA.

8. Section 25.17 is revised to read as follows:

§ 25.17 Approval for processing applicants for access authorization, (a) Access authorizations must be requested for licensee employees or other persons (e.g., 10 CFR part 2, subpart I) who need access to classified information in connection with activities under parts 50, 70, 72, or 76.

(b) The request must be submitted to the facility CSA. If NRC is the

CSA, the procedures in §25.17(c) and (d) will be followed. If NRC is not the CSA, the request will be submitted to the CSA in accordance with procedures established by the CSA.

(c) The request must include a completed personnel security packet (see§ 25.17(d)) and request form (NRC Form 237) signed by a licensee, licensee contractor official or other authorized person.

(d)(l) Each personnel security packet submitted, must include the following completed forms:

(i) Questionnaire for National Security Positions (SF - 86, parts 1 and 2);

(ii) Two Standard fingerprint cards (FD - 258);

(iii) Security Acknowledgment (NRC Form 176); and (iv) Other related forms where specified in accompanying instructions (NRC Form 254).

(2) Only a Security Acknowledgment (NRC Form 176) need be completed by any person possessing an active access authorization, or who is being processed for an access authorization, by another Federal agency. The active or pending access authorization must be at an equivalent level to that required by the NRC and be based on an adequate investigation not more 13

than f1ve years old.

(e) To avoid delays in processing requests for access authorizations, each security packet should be reviewed for completeness and correctness (includi~g legibility of response on the forms) prior to submittal.

(f) Applications for access authorization or access authorization renewal processing that are submitted to NRC for processing must be accompanied by a check or money order, payable to the United States Nuclear Regulatory Commission, representing the current cost for the processing of

each Q and L access authorization, or renewal request. Access authorization and access authorization renewal fees will be published each time the Office of Personnel Management notifies NRC of a change in the rates it charges NRC for the conduct of investigations. Any changed access authorization or access authorization renewal fees will be applicable to each access authorization or access authorization renewal request received upon or after the date of publication. Applications from individuals having current Federal access authorizations may be processed more expeditiously and at less cost, since the Commission may accept the certification of access authorization and investigative data from other Federal Government agencies that grant personnel access authorizations.

9. Section 25.19 is revised to read as follows:

§ 25,19 Processing applications.

Each application for access authorization or access authorization renewal must be submitted to the CSA. If NRC is the CSA, the application and its accompanying fee must be submitted to the NRC Division of Security.

If necessary, the NRC Division of Security may obtain approval from the appropriate Commission office exercising licensing or regulatory authority 14

before processing the access authorization or access authorization renewal request. If the applicant is disapproved for processing, the NRC Division of Security shall notify the submitter in writing and return the original application (security packet) and its accompanying fee.

10. Section 25.21 is revised to read as follows:

§ 25.21 Determination of initial and continued eligibility for access authorization.

(a) Following receipt by the CSA of the reports of the personnel security investigations, the record will be reviewed to determine that granting an access authorization or renewal of access authorization will not endanger the common defense and security and is clearly consistent with the national interest. If this determination is made, access authorization will be granted or renewed. If NRC is the CSA, questions as to initial or continued eligibility will be determined in accordance with part 10 of Chapter I. If another agency is the CSA, that agency will, under the requirements of the NISP0M, have established procedures at the facility to resolve questions as to initial or continued eligibility for access authorization. Such questions will be determined in accordance with established CSA procedures already in effect for the facility.

(b) The CSA must be promptly notified of developments that bear on continued eligibility for access authorization throughout the period for which the authorization is active (e.g., persons who marry subsequent to the completion of a personnel security packet must report this change by submitting a completed NRC Form 354, Data Report on Spouse or equivalent CSA form).

{c)(l) Except as provided in paragraph (c)(2) of this section, NRC 15

"Q" and "L" access authorizations must be renewed every five years from the date of issuance. An application for renewal must be submitted at least 120 days before the expiration of the five year period, and must include:

(i) A statement by the licensee or other person that the individual continues to require access to Classified National Security Information or Restricted Data; and (ii) A personnel security packet as described in §25.17(d).

(2) Renewal applications and the required paperwork are not required for individuals who have a current and active access authorization from another Federal agency and who are subject to a reinvestigation program by that agency that is determined by NRC to meet NRC's requirements. (The DOE Reinvestigation Program has been determined to meet NRC's requirements).

For these individuals, the submission of the SF-86 by the licensee or other person to the other government agency pursuant to their reinvestigation requirements will satisfy the NRC renewal submission and paperwork requirements, even if less than five years has passed since the date of issuance or renewal of the NRC "Q" or "L" access authorization. Any NRC access authorization continued in response to the provisions of this paragraph will, thereafter, not be due for renewal until the date set by the other government agency for the next reinvestigation of the individual pursuant to the other agency's reinvestigation program. However, the period of time for the initial and each subsequent NRC "Q" or NRC "L" renewal application to NRC may not exceed seven years. Any individual who is subject to the reinvestigation program requirements of another Federal agency but, for administrative or other reasons, does not submit reinvestigation forms to that agency within seven years of the previous submission, shall submit a renewal application to NRC using the forms 16

prescribed in§ 25.17(d) before the expiration of the seven-year period.

(3) If NRC is not the CSA, reinvestigation program procedures and requirements will be set by the CSA.

11. Section 25.23 is revised to read as follows:

§ 25,23 Notification of grant of access authorization, The determination to grant or renew access authorization will be furnished in writing to the licensee or organization that initiated the request. Upon receipt of the notification of original grant of access authorization, the licensee or organization shall obtain, as a condition for grant of access authorization and access to classified information, an executed Classified Information Nondisclosure Agreement "(SF-312) from the affected individual. The SF-312 is an agreement between the United States and an individual who is cleared for access to classified information. An employee issued an initial access authorization shall execute a SF-312 prior to being granted access to classified information. The licensee or other organization shall forward the executed SF-312 to the CSA for retention. If the employee refuses to execute the SF-312, the licensee or other organization shall deny the employee access to classified information and submit a report to the CSA. The SF 312 must be signed and dated by the employee and witnessed. The employee's and witness' signatures must bear the same date. The individual shall also be given a security orientation briefing in accordance with Section 95.33 of this chapter. Records of access authorization grant and renewal notification must be maintained by the licensee or other organization for three years after the access authorization has been terminated by the CSA. Th1s information may also be furnished to other representatives of the Commission, to licensees, 17

contractors, or other Federal agencies. Notifications of access authorization will not be given in writing to the affected individual except:

(a) In those cases in which the determination was made as a result of a Personnel Security Hearing or by Personnel Security Review Examiners, or (b) When the individual also is the official designated by the licensee or other organization to whom written NRC notifications are forwarded.

12. Section 25.25 is revised to read as follows:

§ 25,25 Cancellation of reguests for access authorization.

When a request for an individual's access authorization or renewal of access authorization is withdrawn or canceled, the requestor shall notify the CSA immediately by telephone so that the full field investigation, National Agency Check with Credit Investigation, or other personnel security action may be discontinued. The requestor shall identify the full name and date of birth of the individual, the date of request, and the type of access authorization or access authorization renewal requested. The requester shall confirm each telephone notification promptly in writing.

13. Section 25.27 is revised to read as follows:

§ 25.27 Reopening of cases in which requests for access authorizations are canceled, (a) In conjunction with a new request for access authorization (NRC Form 237 or CSA equivalent) for individuals whose cases were previously canceled, new fingerprint cards (FD 257) in duplicate and a new Security Acknowledgment (NRC Form 176), or CSA equivalents, must be furnished to the 18

CSA along with the request.

(b) Additionally, if 90 days or more have elapsed since the date of the last Questionnaire for Sensitive Positions (SF - 86), or CSA equivalent, the individual must complete a personnel security packet (see Section 25.17(d)). The CSA, based on investigative or other needs. may require a complete personnel security packet in other cases as well. A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by NRC is required.

14. Section 25.29 is revised to read as follows:

§ 25.29 Reinstatement of access authorization.

(a) An access authorization can be reinstated provided that:

(1) No more than 24 months has lapsed since the date of termination of the clearance; (2) There has been no break in employment since the date of termination of the clearance; (3) There is no known adverse information; (4) The most recent investigation must not exceed 5 years (Top Secret, Q) or 10 years (Secret, L); and (5) Must meet or exceed the scope of the investigation required for the level of access authorization that is to be reinstated or granted.

(b) An access authorization can be reinstated at the same, or lower, level by submission of a CSA-designated form to the CSA. The employee may not have access to classified information until receipt of written confirmation of reinstatement and an up-to date personnel security packet will be furnished with the request for reinstatement of an access authorization. A new Security Acknowledgment will be obtained in all cases.

19

Where personnel security packets are not required, a request for reinstatement shall state the level of access authorization to be reinstated and the full name and date of birth of the individual in order to establish positive identification. A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by NRC is required.

15. In §25.31, paragraphs (a) and (c) are revised to read as follows:

§ 25,31 Extensions and transfers of access authorizations, (a) The NRC Division of Security may, on request, extend the authorization of an individual who possesses an access authorization in connection with a particular employer or activity, to permit access to classified information in connection with an assignment with another employer or activity.

(c) Requests for extension or transfer of access authorization shall state the full name of the person, his date of birth and level of access authorization. The Director, Division of Security, may require a new personnel security packet (see§ 25.l?(c)) to be completed by the applicant.

A fee, equal to the amount paid for an initial request, will be charged only if a new or updating investigation by NRC is required.

16. Section 25.33 is revised to read as follows:

§ 25,33 Termination of access authorizations.

(a) Access authorizations will be terminated when:

(1) Access authorization is no longer required, or (2) An individual is separated from the employment or the activity for 20

which he obtained an access authorization for a period of 90 days or more, or (3) An individual, pursuant to 10 CFR part 10 or other CSA approved adjudicatory standards, is no longer eligible for access authorization.

(b) A representative of the licensee or other organization which employs the individual whose access authorization will be terminated shall immediately notify the CSA when the circumstances noted in paragraph (a)(l) or (a)(2) of this section exist; inform the individual that his access authorization is being terminated, and the reason; and that he will be considered for reinstatement of access authorization if he resumes work requiring it.

(c) When an access authorization is to be terminated, a representative of the licensee or other organization shall conduct a security termination briefing of the individual involved, explain the Security Termination Statement (NRC Form 136 or CSA approved form) and have the individual complete the form. The representative shall promptly forward the original copy of the completed Security Termination Statement to CSA.

17. Section 25.35 is revised to read as follows:

§ 25.35 Classified visits.

(a) The number of classified visits must be held to a minimum. The licensee, certificate holder, or other facility shall determine that the visit is necessary and that the purpose of the visit cannot be achieved without access to, or disclosure of, classified information. All classified visits require advance notification to, and approval of, the organization to be visited. In urgent cases, visit information may be furnished by telephone and confirmed in writing.

21

(b) Representatives of the Federal Government, when acting in their I

official capacities as inspectors, investigators, or auditors, may visit a licensee, certificate holder or other's facility without furnishing advanced notification, provided these representatives present appropriate government credentials upon arrival. Normally, however, Federal representatives will provide advance notification in the form of an NRC Form 277, "Request for Visit or Access Approval," with the "need to know" certified by the appropriate NRC Office exercising licensing or regulatory authority and verification of NRC access authorization by the Division of Security.

(c) licensee, certificate holder or others shall include the following information in all Visit Authorization Letters (VAL) which they prepare.

(1) Visitor's name, address, and telephone number and certification of the level of the facility security clearance.

(2) Name, date and place of birth, and citizenship of the individual intending to visit; (3) Certification of the proposed visitor's personnel clearance and any special access authorizations required for the visit; (4) Name of person(s) to be visited; (5) Purpose and sufficient justification for the visit to allow for a determination of the necessity of the visit; and (6) Date or period during which the VAL is to be valid.

(d) Classified visits may be arranged for a 12 month period. The requesting facility shall notify all places honoring these visit arrangements of any change in the individual's status that will cause the visit request to be canceled prior to its normal termination date.

(e) The responsibility for determining need-to know in connection with a classified visit rests with the individual who will disclose classified 22

information during the visit. The licensee, certificate holder or other facility shall establish procedures to ensure positive identification of visitors prior to the disclosure of any classified information.

PART 95--SECURITY FACILITY APPROVAL AND SAFEGUARDING OF NATIONAL SECURITY INFORMATION AND RESTRICTED DATA

18. The authority citation for Part 95 is revised to read as follows:

AUTHORITY: Secs. 145, 161, 193 68 Stat. 942, 948, as amended (42 U.S.C.

2165, 2201); sec. 201, 88 Stat. 1242, as amended (42 U.S.C. 5841); E.O. 10865, as amended, 3 CFR 1959-1963 COMP., p. 398 (50 U.S.C. 401, note); E.O. 12958; E.O. 12968; E.O. 12829.

19. Se~tion 95.1 is revised to read as follows:

§ 95.1 Purpose.

The regulations in this part establish procedures for obtaining security facility approval and for safeguarding Secret and Confidential National

- Security Information and Restricted Data received or developed in conjunction with activities licensed, certified or regulated by the Commission. This part does not apply to Top Secret information because Top Secret information may not be forwarded to licensees, certificate holders, or others within the scope of an NRC license or certificate.

20. Section 95.3 is revised to read as follows:

23

§ 95.3 Scope.

The regulations in this part apply to licensees, certificate holders and others regulated by the Commission who may require access to Classified National Security Information and/or Restricted Data that is used, processed, stored, reproduced, transmitted, transported, or handled in connection with a license or certificate or an application for a license or certificate.

21. In §95.5, the definitions for Authorized classifier, National Securjty Information, NRC access authorization, Security facility approval, and Security survey are removed and the definitions Classified mail address.

Infraction, and Need to know are revised and the definitions Access authorizatjon. Classified National security Information, Classified shipping address. Closed area, Cognizant Security Agency. Facility (Security) clearance, Foreign ownership contr9l or influence, Restricted area. Security reviews. Supplemental Protection and Violation are added.

§ 95.5 Definitions.

Access authorization means an administrative determination that an individual (including a consultant) who is employed by or an applicant for employment with the NRC, NRC contractors, agents, licensees and certificate holders of the NRC, or other person designated by the Executive Director for Operations, is eligible for a security clearance for access to Restricted Data or Classified National Security Information.

Classified mail address means a mail address established for each facility 24

approved by the NRC, to which all Classified information for the facility is to be sent.

Classified National Security Information means information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and that is so designated.

Classified shipping address means an address established for a facility, approved by the NRC, to which classified material, that cannot be transmitted

as normal mail is to be sent .

Closed area means an area that meets the requirements of the CSA, for the purpose of safeguarding classified material that, because of its size, nature, or operational necessity, cannot be adequately protected by the normal safeguards or stored during nonworking hours in approved containers.

Cognizant Security Agency (CSA) means agencies of the Executive Branch that have been authorized by E.O. 12829 to establish an industrial security program for the purpose of safeguarding classified information under the jurisdiction of those agencies when disclosed or released to U.S. Industry.

These agencies are the Department of Defense, the Department of Energy, the Central Intelligence Agency, and the Nuclear Regulatory Commission. The Secretary of Defense has been designated as Executive Agent for the National Industrial Security Program.

Facility (Security) Clearance (FCL) means an administrative determination that, from a security viewpoint, a facility is eligible for access to classified information of a certain category (and all lower categories).

forejgn ownership. control. or influence (FOCI) means a foreign interest 25

has the power, direct or indirect. whether or not exercised, and whether or not exercisable through the ownership of a U.S. company's securities, by contractual arrangements or other means, to direct or decide matters affecting the management or operations of that company in a manner which may result in unauthorized access to classified information or may affect adversely the performance of classified contracts.

Infractjon means any knowing, willful, or negligent action contrary to the requirements of E.O. 12958, or its implementing directives, that does not comprise a "violation," as defined below.

Need-to-know means a determination made by an authorized holder of classified information that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function under the cognizance of the Commission.

Restric~ed area means a controlled access area established to safeguard classified material, that because of its size or nature, cannot be adequately protected during working hours by the usual safeguards, but that is capable of being stored during non-working hours in an approved repository or secured by other methods approved by the CSA.

Security revjews means random security reviews of cleared facilities conducted to ensure that safeguards employed by licensees and others are adequate for the protection of classified information.

SuRp]emental Protection means additional security procedures such as intrusion detection systems, security guards, and access control systems.

26

Y1olatjon means any knowing, willful. or negligent action that could reasonably be expected to result in an unauthorized disclosure of classified information or any knowing, willful, or negligent action to classify or continue the classification of information contrary to the requirements of Executive Order 12958 or its implementing directives.

22. Section 95.8 is revised to read as follows:

§ 95.8 Information collection requirements: 0MB approval.

(a) The Nuclear Regulatory Commission has submitted the information collection requirements contained in this part to the Office of Management and Budget (0MB) for approval as required by the Paperwork Reduction Act (44 U.S.C. 3501 et seq.). The NRC may not conduct or sponsor and a person is not required to respond to a collection of information unless it displays a currently valid 0MB control number. 0MB has approved the information collection requirements contained in this part under control numb~r 3150-0047.

(b) The approved information collection requirements contained in this part appear in §§95.11, 95.15, 95.18, 95.19, 95.21, 95.25, 95.29, 95.33, 95.36, 95.37, 95.39, 95.41, 95.43, 95.45, 95.47, 95.53, 95.57.

23. In §95.13, paragraph (a) is revised to read as follows:

§ 95.13 Maintenance of records.

(a) Each licensee, certificate holder or other person granted facility 27

clearance under this part shall maintain records prescribed within the part.

These records are subject to review and inspection by CSA representatives during security reviews.

24. In §95.15, paragraphs (a) and (b) are revised to read as follows:

§ 95.15 Approval for processing licensees and others for facility clearance, (a) A licensee, certificate holder or other person who has a need to use, process, store, reproduce, transmit, transport, or handle classified information at any location in connection with Commission related activities shall promptly request an NRC facility clearance.

(b) The request must include the name of the facility, the location of the facility and an identification of any facility clearance issued by another government agency. If there is no existing facility clearance, the request must include a security Standard Practice and Procedures Plan that outlines the facility's proposed security procedures and controls for the protection of classified information, a floor plan of the area in which the matter is to be used, processed, stored, reproduced, transmitted, transported or handled; and Foreign Ownership, Control or Influence information as required by §95.l?(a).

25. Section 95.17 is revised to read as follows:

§ 95.17 Processing facility clearance.

28

(a) Following the receipt of an acceptable request for facility clearance, the NRC will either accept an existing facility clearance granted by a current CSA and authorize possession of license or certificate related classified information or process the facility for a facility clearance. Processing will include--

(I) A determination based on review and approval of a Standard Practice.and Procedure Plan that granting of the Facility Security Clearance would not be inconsistent with the national interest, including a finding that the facility is not under foreign ownership, control, or influence to a such a degree that such a determination could not be made; (2) An acceptable security survey conducted by NRC; (3) Submitting key management personnel for personnel clearances (PCLs); and (4). Appointing a U.S. citizen employee as the facility security officer.

(b) An interim Facility Security Clearance may be granted by the CSA on a temporary basis pending completion of the full investigative requirements.

26. A new §95.18 is added to read as follows:

§ 95.18 Key Qersonnel, The senior management official and the Facility Security Officer must 29

always be cleared to the level of the Facility Security Clearance. Other key management officials, as determined by the CSA, must be granted a personnel security clearance or be excluded from classified access. When formal exclusion action is required, the organization's board of directors or similar executive body shall affirm the following, as appropriate.

(a) Officers, directors, partners, regents, or trustees (designated by name) that are excluded may not require, may not have, and can be effectively excluded from access to all classified information disclosed to the organization. These individuals also may not occupy positions that would enable them to adversely affect the organization's policies or practices in the performance of activities involving classified information. This action will be made a matter of record by the organization's executive body. A copy of the resolution must be furnished to the CSA.

(b) Officers directors, partners, regents, or trustees (designated by name) that are excluded may not require, may not have, and can be effectively denied access to higher-level classified information (specify which higher level(s)). These individuals may not occupy positions that would enable them to adversely affect the organization's policies or practices in the protection of classified information. This action will be made a matter of record by the organization's executive body. A copy of the resolution must be furnished to the CSA.

27. Section 95.18 is redesignated as §95.19 and the introductory text of paragraphs (a) and (b) are revised to read as follows:

§ 95.19 Changes to security practices and procedures.

30

(a) Except as specified in paragraph (b) of this section, each licensee, certificate holder or other person shall obtain prior CSA approval for any proposed change to the name, location, security procedures and controls, or floor plan of the approved facility. A written description of the proposed change must be furnished to the CSA with copies to the Director, Division of Security, Office of Administration, NRC, Washington, DC 20555-0001, and the NRC Regional Administrator of the cognizant Regional Office listed in appendix A of part 73. The CSA shall promptly respond in writing to all such proposals.

Some examples of substantive changes requiring prior CSA approval include-(b) A licensee or other person may effect a minor, non-substantive change to an approved Standard Practice and Procedure Plan for the safeguarding of classified information without receiving prior CSA approval, provided prompt notification of such minor change is furnished to the addressees noted in paragraph (a) of this section, and the change does not decrease the effectiveness of the Standard Practice and Procedure Plan. Some examples of minor, non-substantive changes to the Standard Practice and Procedure Plan include--

28. Section 95.19 is redesignated as §95.20 and revised to read as follows:

§ 95.20 Grant. denial or termination of facility clearance

The Division of Security shall provide notification in writing (or orally with written confirmation) to the licensee or other organization of the Commission's grant, acceptance of another agency's Facility Security 31

Clearance, denial, or termination of facility clearance. This information must also be furnished to representatives of NRC, NRC licensees, NRC Certificate Holders, NRC contractors, or other Federal agencies having a need to transmit classified information to the licensee or other person.

29. Section 95.21 is revised to read as follows:

§ 95.21 Withdrawal of reguests for facj]ity clearance.

When a request for facility clearance is to be withdrawn or canceled, the requester shall notify the NRC Division of Security immediately by telephone so that processing for this approval may be terminated. The notification must identify the full name of the individual requesting discontinuance, his position with the facility, and the full identification of the facility. The requestor shall confirm the telephone notification promptly in writing.

30. Section 95.23 is revised to read as follows:

§ 95.23 Termination of facility clearance.

(a) Facility clearance will be terminated when (1) There is no longer a need to use, process, store, reproduce, transmit, transport or handle classified matter at the facility; or (2) The Commission makes a determination that continued facility clearance is not in the interest of national security.

(b) When facility clearance is terminated, the licensee or other person will be notified in writing of the determination and the procedures outlined 32

in §95.53 apply.

31. In §95.25, paragraphs (a), (b), (c), (d), (g), (h), and (i) are revised and paragraph (j) is added to read as follows:

§ 95,25 Protection of classified information in storage.

(a) Secret documents, while unattended or not in actual use, must be

stored in-(1) A safe, steel file cabinet, or safe-type steel file container that has an automatic unit locking mechanism. All such receptacles will be accorded supplemental protection during non-working hours; or (2) Any steel file cabinet that has four sides and a top and bottom (all permanently attached by welding, rivets or peened bolts so the contents cannot be removed without leaving visible evidence of entry) and is secured by a rigid metal lock bar and an approved key operated or combination padlock.

The keepers of the rigid metal lock bar must be secured to the cabinet by welding, rivets, or bolts, so they cannot be removed and replaced without leaving evidence of the entry. The drawers of the container must be held securely, so their contents cannot be removed without forcing open the drawer.

This type cabinet will be accorded supplemental protection during non-working hours.

(b) Confidential matter while unattended or not in use must be stored in the same manner as SECRET matter except that no supplemental protection is required.

33

(c) Classified lock combinations.

(1) A minimum number of authorized persons may know the combinations to authorized storage containers. Security containers, vaults, cabinets, and other authorized storage containers must be kept locked when not under the direct supervision of an authorized person entrusted with the contents.

(2) Combinations must be changed by a person authorized access to the contents of the container, or by the Facility Security Officer or his or her designee. Combinations must be changed upon--

(i) The initial use of an approved container or lock for the protection of classified material; (ii) The termination of employment of any person having knowledge of the combination, or when the clearance granted to any such person has been withdrawn, suspended, or revoked; (iii) The compromise or suspected compromise of a container or its combination, or discovery of a container left unlocked and unattended; (iv) At other times when considered necessary by the Facility Security Officer or CSA; or (v) In any event at least once every 12 months.

(d) Records of combinations. If a record is made of a combination, the record must be marked with the highest classification of material authorized for storage in the container. Superseded combinations must be destroyed.

(g) Posted information. Containers may not bear external markings indicating the level of classified material authorized for storage. A record of the names of persons having knowledge of the combination must be posted 34

inside the container.

(h) End of day security checks.

(1) Facilities that store classified material shall establish a system of security checks at the close of each working day to ensure that all classified material and security repositories have been appropriately secured.

(2) Facilities operating with multiple work shifts shall perform the security checks at the end of the last working shift in which classified material had been removed from storage for use. The checks are not required during continuous 24-hour operations.

(1) Unattended security container found opened. If an unattended security container housing classified matter is found unlocked, the custodian or an alternate must be notified immediately. The container must be secured by protective personnel and the contents inventoried as soon as possible but not later than the next workday. A report reflecting all actions taken must be submitted to the responsible Regional Office (see appendix A, 10 CFR part 73 for addresses) with an information copy to the NRC Division of Security. The licensee shall retain records pertaining to these matters for three years after completion of final corrective action.

(j) Supervision of keys and padlocks. Use of key-operated padlocks are subject to the following requirements:

(1) A key and lock custodian shall be appointed to ensure proper custody and handling of keys and locks used for protection of classified material; (2) A key and lock control register must be maintained to identify keys for each lock and their current location and custody; (3) Keys and locks must be audited each month; (4) Keys must be inventoried with each change of custody; (5) Keys must not be removed from the premises;_

35

(6) Keys and spare locks must be protected equivalent to the level of classified material involved; (7) Locks must be changed or rotated at least annually, and must be replaced after loss or compromise of their operable keys; and (8) Master keys may not be made.

32. Section 95.27 is revised to read as follows:

§ 95,27 Protect1on whjle in use.

While in use, matter containing classified information must be under the direct control of an authorized individual to preclude physical, audio, and visual access by persons who do not have the prescribed access authorization or other written CSA disclosure authorization (see §95.36 for additional information concerning disclosure authorizations).

33. Section 95.29 is revised to read as follows:

§ 95,29 Establishment of Restricted or Closed areas.

(a) If, because of its nature, sensitivity or importance, matter containing classified information cannot otherwise be effectively controlled in accordance with the provisions of§§ 95.25 and 95.27, a Restricted or Closed Area must be established to protect such matter.

(b) The following measures apply to Restricted Areas:

(1) Restricted areas must be separated from adjacent areas by a physical barrier designed to prevent unauthorized access (physical, audio and visual) 36

into such areas.

(2) Controls must be established to prevent unauthorized access to and removal of classified matter.

(3) Access to classified matter must be limited to persons who possess appropriate access authorization or other written CSA disclosure authorization and who require access in the performance of their official duties or regulatory obligations.

(4) Persons without appropriate access authorization for the area visited must be escorted by an appropriate CSA access authorized person at all times while within Restricted or Closed areas.

(5) ch individual authorized to enter a Restricted or Closed area must be issued a distinctive form of identification (e.g., badge) when the number of employees assigned to the area exceeds thirty per shift.

(6) During nonworking hours, admittance must be controlled by protective personnel. Protective personnel shall conduct patrols during nonworking hours at least every 8 hours9.259259e-5 days 0.00222 hours 1.322751e-5 weeks 3.044e-6 months and more frequently if necessary to maintain a commensurate level of protection. Entrances must be continuously monitored by protective personnel or by an approved alarm system.

(c) Due to the size and nature of the classified material, or operational necessity, it may be necessary to construct Closed Areas for storage because GSA-approved containers or vaults are unsuitable or impractical. Closed Areas must be approved by the CSA. The following measures apply to Closed Areas:

(1) Access to Closed Areas must be controlled to preclude unauthorized access. This may be accomplished through the use of a cleared employee or by a CSA approved access control device or system.

(2) Access must be limited to authorized persons who have an appropriate security clearance and a need-to-know for the classified material/information 37

within the area. Persons without the appropriate level of clearance and/or need to know must be escorted at all times by an authorized person where inadvertent or unauthorized exposure to classified information cannot otherwise be effectively prevented.

(3) The Closed Area must be accorded supplemental protection during non-working hours. During these hours, admittance to the area must be controlled by locked entrances and exits secured by either an approved built in combination lock or an approved combination or key-operated padlock.

However, doors secured from the inside with a panic bolt (for example, actuated by a panic bar), a dead bolt, a rigid wood or metal bar, or other means approved by the CSA, do not require additional locking devices.

(4) Open shelf or bin storage of classified documents in Closed Areas requires CSA approval. Only areas protected by an approved intrusion detection system will qualify for approval.

34. Section 95.31 is revised to read as follows:

§ 95.31 Protective personnel.

Whenever protective personnel are used to protect classified information they shall:

(a) Possess an L access authorization (or CSA equivalent) if the licensee or other person possesses information classified Confidential National Security Information, Confidential Restricted Data or Secret National Security Information.

(b) Possess a Q access authorization (or CSA equivalent) if the licensee or other person possesses Critical Secret Restricted Data and the 38

protective personnel require access as part of their regular duties.

35. Section 95.33 is revised to read as follows:

§ 95,33 Security education.

All cleared employees must be provided w1th security training and briefings commensurate with their involvement with classified information.

The facility may obtain defensive security, threat awareness, and other education and training information and material from their CSA or other sources.

(a) Facility Security Officer Training. Licensees and others are responsible for ensuring that the Facility Security Officer, and others performing security duties, complete security training deemed appropriate by the CSA. Training requirements must be based on the facility's involvement with classified information and may include a Facility Security Officer orientation course and, for Facility Security Officers at facilities with safeguarding capability, a Facility Security Officer Program Management Course. Training, if required, should be completed within 1 year of appointment to the position of Facility Security Officer.

(b) Government Provided Bri ings. The CSA is responsible for providing initial security briefings to the Facility Security Officer, and for ensuring that other briefings required for special categories of information are provided.

(c) Temporary Help Suppliers. A temporary help supplier, or other contractor who employs cleared individuals solely for dispatch elsewhere, is responsible for ensuring that required briefings are provided to their cleared 39

personnel. The temporary help supplier or the using licensee or other facility may conduct these briefings.

(d) Classified Information Nondisclosure Agreement (SF-312). The SF-312 is an agreement between the United States and an individual who is cleared for access to classified information. An employee issued an initial personnel security clearance must, in accordance with the requirements of §25.23 of this chapter, execute an SF-312 prior to being granted access to classified information. The Facility Security Officer shall forward the executed SF-312 to the CSA for retention. If the employee refuses to execute the SF-312, the licensee or other facility shall deny the employee access to classified information and submit a report to the CSA. The SF-312 must be signed and dated by the employee and witnessed. The employee's and witness' signatures must bear the same date.

(e) Initial Security Briefings. Before being granted access to classified information, an employee shall receive an initial security briefing that includes the following topics:

(1) A Threat Awareness Briefing.

(2) A Defensive Security Briefing.

(3) An overview of the security classification system.

(4) Employee reporting obligations and requirements.

(5) Security procedures and duties applicable to the employee's job.

(f) Refresher Briefings. The licensee or other facility shall conduct periodic refresher briefings for all cleared employees. As a minimum, the refresher briefing must reinforce the information provided during the initial briefing and inform employees of appropriate changes in security regulations.

This requirement may be satisfied by use of audio/video materials and by issuing written materials on a regular basis.

40

(g) Debriefings. Licensee and other facilities shall debrief cleared employees at the time of termination of employment (discharge, resignation, or retirement); when an employee's personnel security clearance is terminated, suspended, or revoked; and upon termination of the Facility Security Clearance.

(h) Records reflecting an individual's initial and refresher security orientations and security termination must be maintained for three years after termination of the individual's access authorization .

36. Section 95.35 is revised to read as follows:

§ 95.35 Access to Classified Information (a) Unless authorized by the Commission, a person subject to the regulations in this part may not receive or permit any individual to have access to Secret or Confidential National Security Information or Restricted Data unless the individual has:

(1) One of the following access authorizations.

Ci) AU. S. Government granted access authorization based on a Single Scope Background Investigation and issued by the CSA which permits an individual access to--

CA) Critical Secret and Confidential Restricted Data; and CB) Secret and Confidential National Security Information which includes intelligence information, CRYPTO (i.e., cryptographic information) or other classified communications security (COMSEC) information, or (ii) AU. S. Government granted access authorization based on a National Agency Check or National Agency Check with Inquiries and issued by the CSA 41

which permits an individual access to Secret and Confidential Restricted Data and Secret and Confidential National Security Information other than that noted in paragraph (a)(l)(i) of this section.

(11i) Access to certain Confidential COMSEC information is permitted as authorized by a National Communications Security Committee waiver dated February 14, 1984.

(2) An established need-to-know for the information. (See Definitions, §95.5).

(3) CSA approved storage facilities if classified documents or material are to be transmitted to the individual.

(b) Classified information must not be released by a licensee or other person to any personnel other than properly access authorized Commission licensee employees or other individuals authorized access by the Commission.

(c) Access to Classified National Security Information at NRC-licensed, certified or otherwise regulated facilities by authorized representatives of IAEA is permitted in accordance with §95.36.

37. Section 95.36 is revised to read as follows:

§ 95.36 Access by representatives of the International Atomic Energy Agency or by partjcipants in other International agreements.

(a) Based upon written disclosure authorization from the NRC Division of Security that an individual is an authorized representative of the International Atomic Energy Agency (IAEA) or other international organization and that the individual is authorized to make visits or inspections in accordance with an established Agreement with the United States Government, a 42

licensee. cert1ficate holder or other person subject to this part shall permit the individual (upon presentat1on of the credentials specified in §75.7 of this chapter and any other credentials identified in the disclosure authorization) to have access to matter which is Classified National Security Information that is relevant to the conduct of a visit or inspection. A disclosure authorization under this section does not authorize a licensee.

certificate holder, or other person subject to this part to provide access to Restricted Data.

(b) For purposes of this section, Classified National Security Information is relevant to the conduct of a visit or inspection if--

(1) In the case of a visit, this information is needed to verify information according to §75.13 of this chapter, or (2) In the case of an inspection, the information is information to which an inspector is entitled to have access under §75.42 of this chapter.

(c) In accordance with the specific disclosure authorization provided by the Division of Security, licensees or other persons subject to this part are authorized to release (i.e., transfer possession of) copies of documents which contain Classified National Security Information directly to IAEA inspectors and other representatives officially designated to request and receive Classified National Security Information documents. These documents must be marked specifically for release to IAEA or other international organization in accordance with instructions contained in NRC's disclosure authorization letter. Licensees and other persons subject to this part may also forward these documents through NRC to the international organization's headquarters in accordance with the NRC disclosure authorization. Licensees and other persons may not reproduce documents containing Classified National Security Information except as provided in §95.43.

43

(d) Records regarding these visits and inspections must be maintained for five years beyond the date of the visit or inspection. These records must specifically identify each document which has been released to an authorized representative and indicate the date of the release. These records must also identify (in such detail as the Division of Security, by letter, may require) the categories of documents to which the authorized representative has had access and the date of this access. A licensee or other person subject to this part shall also retain Division of Security disclosure authorizations for five years beyond the date of any visit or inspection when access to classified information was permitted.

(e) Licensees or other persons subject to this part shall take such measures as may be necessary to preclude access to classified matter by participants of other international agreements unless specifically provided for under the terms of a specific agreement.

38. In §95.37, paragraphs (a) and (b) are revised to read as follows:

§ 95.37 Classification and preparation of documents.

(a) Classification. Classified information generated or possessed by a licensee or other person must be appropriately marked. Classified material which is not conducive to markings (e.g., equipment) may be exempt from this requirement. These exemptions are subject to the approval of the CSA on a case-by-case basis. If a person or facility generates or possesses information that is believed to be classified based on guidance provided by NRC or by derivation from classified documents, but which no authorized classifier has determined to be classified, the information must be protected and marked with the appropriate classification markings pending review and signature of 44

an NRC authorized classifier. Such information shall be protected as classified information pending final determination.

(b) Classification consistent with content. Each document containing classif1ed information shall be classified Secret or Confidential according to its content. NRC licensees subject to the requirements of 10 CFR Part 95 may not make original classification decisions.

(c) Markings required on face of documents (1) For derivative classification of Classified National Security Information:

(i) Derivative classifications of Classified National Security Information must contain the identity of the source document or the classification guide, including the agency and office of origin, on the "Derived From" line and its classification date. If more than one source is cited, the "Derived From" line should indicate "Multiple Sources."

(ii) Declassification instructions. When marking derivatively classified documents, the "DECLASSIFY ON" line must carry forward the declassification instructions as reflected in the original document. If multiple sources are used, the instructions will carry forward the longest duration.

(iii) If the source document used for derivative classification contains the declassification instruction, "Originating Agency's Determination Required" (OADR), the new document should reflect the date of the original classif1cation of the information as contained in the source document or classification guide. An example of the stamp might be as follows:

45

Derived From

(source)

Reason--,c-=----------:----,,------=--=-----=

Declassify On: source Marked "OADR" Date of Source: - - - -

Classifier:

(Name/Title/Number (1v) The derivative classifier shall maintain the identification of each source with the file or record copy of the derivatively classified document.

(2) For Restricted Data documents:

(i) Identity of the classifier. The identity of the classifier must be shown by completion of the "Derivative Classifier" line. The "Derivative Classifier line must show the name of the person classifying the document and the basis for the classification. Dates for downgrading or declassification do not apply.

(ii) Classification designation (e.g., Secret, Confidential) and Restricted Data. NOTE: No "Declassification" instructions will be placed on documents containing Restricted Data.

(d) Placement of markings. 'The highest classification marking assigned to a document must be placed in a conspicuous fashion in letters at the top and bottom of the outside of the front covers and title pages, if any, and first and last pages on which text appears, on both bound and unbound documents, and on the outside of back covers of bound documents. The balance of the pages must be marked at the top and bottom either with:

(i) The overall classification marking assigned to the document, or (ii) The highest classification marking required by content of the page, or (iii) The marking UNCLASSIFIED if they have no classified content.

46

(e) Additional markings.

(1) If the document contains any form of Restricted Data, it must bear the appropriate marking on the first page of text, on the front cover and title page, if any. For example: "This document contains Restricted Data as defined in the Atomic Energy Act of 1954. Unauthorized disclosure subject to Administrative and Criminal Sanctions."

(2) Limitation on reproduction or dissemination. If the originator or

classifier determines that reproduction or further dissemination of a document should be restricted, the following additional wording may be placed on the face of the document:

Reproduction or Further Dissemination Requires Approval of If any portion of this additional marking does not apply, it should be crossed out.

(f) Portion markings. In addition to the information required on the face of the document, each classified document is required, by marking or other means, to indicate clearly which portions are classified (e.g., paragraphs or pages) and which portions are not classified. The symbols (S) for*Secret, (C) for Confidential, (U) for Unclassified, or (RD) for Restricted Data may be used immediately preceding or following the text to which it applies except that the designation must follow titles or subjects. (Portion marking of paragraphs is not required for documents containing Restricted Data.) If this type of portion marking is not practicable, the document must contain a description sufficient to identify the classified information and the unclassified information.

47

Example Pages 1-3 Secret Pages 4-19 Unclassified Pages 20-26 Secret Pages 27-32 Confident1al (g) Transmittal document. If a document transmitting classified information contains no classified information or the classification level of the transmittal document is not as high as the highest classification level of its enclosures, then the document must be marked at the top and bottom with a classification at least as high as its h1ghest classified enclosure. The classification may be higher if the enclosures, when combined, warrant a higher classification than any individual enclosure. When the contents of the transmittal document warrants a lower classification than the highest classified enclosure(s) or combination of enclosures or requires no classification, a stamp or marking such as the following must also be used on the transmittal document:

UPON REMOVAL OF ATTACHMENTS THIS DOCUMENT IS:

(Classification level of transmittal document standing .alone or the word

UNCLASSIFIED if the transmittal document contains no classified information.)

(h) Classification challenges. Persons in authorized possession of Classified National Security Information who in good faith believe that the information's classification status, i.e. that the document is classified at 48

either too high a level for its content (overclassification) or too low for its content (underclassification) are expected to challenge its classification status. Persons who wish to challenge a classification status shall--

(i) Refer the document or information to the originator or to an authorized NRC classifier for review. The authorized classifier shall review the document and render a written classification decision to the holder of the information.

(ii) In the event of a question regarding classification review, the holder of the information or the authorized classifier shall consult the NRC Division of Security, Information Security Branch for assistance.

(iii) Persons who challenge classification decisions have the right to appeal the classification decision to the Interagency Security Classification Appeals Panel.

(iv) Persons seeking to challenge the classification of information will not be the subject of retribution.

(i) Files, folders or group of documents. Files, folders, binders, or groups of physically connected documents must be marked at least as high as the highest classified document which they contain.

(j) Drafts and working papers. Drafts of documents and working papers which contain, or which are believed to contain classified information must be marked as classified information.

(k) Classification guidance. Licensees, certificate holders, or other persons subject to part 95 shall classify and mark classified matter as National Security Information or Restricted Data, as appropriate, in accordance with classification guidance provided by NRC as part of the facility security clearance process.

49

39. Section 95.39 is revised to read as follows:

§ 95.39 External transmission of documents and material.

(a) Restrictions. Documents and material containing classified information received or originated in connection with an NRC license or certificate must be transmitted only to CSA approved security facilities.

(b) Preparation of documents. Documents containing classified information must be prepared in accordance with the following, when transmitted outside an individual installation.

(1) They must be enclosed in two sealed opaque envelopes or wrappers.

(2) The inner envelope or wrapper must contain the addressee's classified mail address and the name of the intended recipient. The appropriate classification must be placed on both sides of the envelope (top and bottom) and the additional markings, as appropriate, referred to in §95.37(e) must be placed on the side bearing the address.

(3) The outer envelope or wrapper must contain the addressee's classified mail address. The outer envelope or wrapper may not contain any classification, additional marking or other notation that indicates that the enclosed document contains classified information.

(4) A receipt that contains an unclassified description of the document, the document number, if any, date of the document, classification, the date of transfer, the recipient and the person transferring the document must be enclosed within the inner envelope containing the document and be signed by the recipient and returned to the sender whenever the custody of a Secret document is transferred. This receipt process is at the option of the sender for Confidential information.

50

(c) Methods of transportation.

(1) Secret matter may be transported only by one of the following methods within and directly between the U.S., Puerto Rico, or a U.S. possession or trust territory:

(i) U.S. Postal Service Express Mail and U.S. Postal Service Registered Mail. NOTE: The "Waiver of Signature and Indemnity" block on the U.S. Postal Service Express Mail Label 11-B may not be executed and the use of external (street side) express mail collection boxes is prohibited.

(ii) A cleared "Commercial Carrier."

(iii) A cleared commercial messenger service engaged in the intracity/local area delivery (same day delivery only) of classified material.

(iv) A commercial delivery company, approved by the CSA, that provides nation wide, overnight service with computer tracing and reporting features.

Such companies need not be security cleared.

(v) Other methods as directed, in writing, by the CSA.

(2) Confidential matter may be transported by one of the methods set forth in paragraph (c)(l) of this section, by U.S. first class, express or certified mail. First class, express, or certified mail may be used in transmission of Confidential documents to Puerto Rico or any United States territory or possession.

(d) Telecommunication of classified information. Classified information may not be telecommunicated unless the telecommunication system has been approved by the CSA. Licensees, certificate holders or other persons who may require a secure telecommunication system shall submit a telecommunication plan as part of their request for facility clearance, as outlined in §95.15, 51

or as an amendment to their existing Standard Practice and Procedure Plan for the protection of classified information.

(e) Security of classified information in transit. Classified matter that, because of its nature, cannot be transported in accordance with

§95.39(c), may only be transported in accordance with procedures approved by the CSA. Procedures for transporting classified matter are based on a satisfactory transportation plan submitted as part of the licensee's, certificate holder, or other person's request for facility clearance or submitted as an amendment to its existing Standard Practice Procedure Plan.

40. Section 95.41 is revised to read as follows:

§ 95.41 External receipt and dispatch records.

Each licensee, certificate holder or other person possessing classified information shall maintain a record that reflects:

(a) The date of the material; (b) The date of receipt or dispatch; (c) The classification; (d) An unclassified description of the material; and (e) The identity of the sender from which the material was received or recipient to which the material was dispatched. Receipt and dispatch records must be retained for 2 years.

41. ction 95.43 is revised to read as follows:

52

§ 95,43 Authority to reproduce.

(a) Each licensee or other person possessing classified information shall establish a reproduction control system to ensure that reproduction of classified material is held to the minimum consistent with operational requirements. Classified reproduction must be accomplished by authorized employees knowledgeable of the procedures for classified reproduction. The use of technology that prevents, discourages, or detects the unauthorized reproduction of classified documents is encouraged.

(b) Unless restricted by the CSA, Secret and Confidential documents may be reproduced. Reproduced copies of classified documents are subject to the same protection as the original documents.

(c) All reproductions of classified material must be conspicuously marked with the same classification markings as the material being reproduced. Copies of classified material must be reviewed after the reproduction process to ensure that these markings are visible.

42. Section 95.45 is revised to read as follows:

§ 95.45 Changes in classification.

(a) Documents containing Classified National Security Information must be downgraded or declassified as authorized by NRC classification guides or as determined by NRC. Requests for downgrading or declassifying any NRC classified information should be forwarded to the NRC Division of Security, Office of Administration, Washington, DC 20555-0001. Requests for downgrading or declassifying of Restricted Data will be forwarded to the NRC Division of 53

Security for coordination with the Department of Energy.

(b) If a change of classification or declassification is approved the previous classification marking must be canceled and the following statement, properly completed, must be placed on the first page of the document:

Classification canceled (or changed to)

(Insert appropriate classification) by authority of (Person authorizing change in classification) by (Signature of person making change and date thereof)

(c) New markings reflecting the current classification status of the document will be applied in accordance with the requirements of §95.37.

(d) Any persons making a change in classification or receiving notice of such a change shall forward notice of the change in classification to holders of all copies as shown on their records.

43. Section 95.47 is revised to read as follows:

§ 95.47 Destruction of matter containing classified Information.

Documents containing classified information may be destroyed by burning, 54

pulping, or another method that ensures complete destruction of the information that they contain. The method of destruction must preclude recognition or reconstruction of the classified information. Any doubts on methods should be referred to the CSA. If the document contains Secret information a record of the subject or title, document number, if any, originator, its date of origination and the date of destruction must be signed by the person destroying the document and must be maintained in the office of the custodian at the time of destruction. These destruction records must be retained for two years after destruction.

44. Section 95.49 is revised to read as follows:

§ 95.49 Security of automatic data processing (ADP) systems.

Classified data or information may not be processed or produced on an ADP system unless the system and procedures to protect the classified data or information have been approved by the CSA. Approval of the ADP system and procedures is based on a satisfactory ADP security proposal submitted as part of the licensee's or other person's request for facility clearance outlined in

§95.15 or submitted as an amendment to its existing Standard Practice and Procedure Plan for the protection of classified information .

45. Section 95.51 is revised to read as follows:

§ 95,51 Retrieval of classified matter following suspension or revocation of access authorization.

55

In any case where the access authorization of an individual is suspended or revoked in accordance with the procedures set forth in part 25 of this chapter, or other relevant CSA procedures, the licensee, certificate holder or other organization shall, upon due notice from the Commission of such suspension or revocation, retrieve all classified information possessed by the individual and take the action necessary to preclude that individual having further access to the information.

§

46. Section 95.53 is revised to read as follows:

95.53 Termination of facility clearance.

(a) If the need to use, process, store, reproduce, transmit, transport, or handle classified matter no longer exists, the facility clearance will be terminated. The facility may deliver all documents and materials containing classified information to the Commission or to a person authorized to receive them or destroy all such documents and materials. In either case, the facility shall submit a certification of nonpossession of classified information to the NRC Division of Security.

(b) In any instance where facility clearance has been terminated based on a determination of the CSA that further possession of classified matter by the facility would not be in the interest of the national security, the cility shall, upon notice from the CSA, immediately deliver all classified documents and materials to the Commission along with a certificate of nonpossession of classified information.

47. Section 95.55 is revised to read as follows:

56

§ 95,55 Continued applicability of the regulations in this part, The suspension, revocation or other termination of access authorization or the termination of facility clearance does not relieve any person from compliance with the regulations in this part.

48. Section 95.57 is revised to read as follows:

§ 95,57 Reports, Each licensee or other person having a facility clearance shall immediately report to the CSA and the Regional Administrator of the appropriate NRC Regional Office listed in appendix A, 10 CFR part 73:

(a) Any alleged or suspected violation of the Atomic Energy Act, Espionage Act, or other Federal statutes related to classified information.

(b) Any infractions, losses, compromises or possible compromise of classified information or classified documents not falling within paragraph (a) of this section.

(c) In addition, an authorized classifier of a licensee, certificate holder or other organization subject to this Part shall complete an NRC Form 790 {Classification Record) whenever matter containing classified information is generated, its classification changed or it is declassified. Notification of declassification is not required for any document or material which has an automatic declassification date. Completed NRC Forms 790 must be submitted to the NRC Division of Security, Washington, DC 20555-0001, on a monthly basis.

57

49. Section 95.59 is revised to read as follows:

§ 95.59 Inspections, The Commission shall make inspections and surveys of the premises, activities, records and procedures of any person subject to the regulations in this part as the Commission and CSA deem necessary to effect the purposes of the Act, E.0. 12958 and/or NRC rules.

Dated at Rockville, Maryland, this ,;}t,,J( d a f r , 1996.

For the Nuclear Regulatory Commission .

58

ML23151A590

Contents

Text

REFERENCE:

SUMMARY

Dear Sir:

Dear Sir:

Dear Sir:

SUMMARY

Background

Navigation menu

ML23151A590

Text

REFERENCE:

SUMMARY

Dear Sir:

Dear Sir:

Dear Sir:

SUMMARY

Background

Navigation menu

Search