RIS 2003-08, Summary of Safeguards Information Requirements, Attachment 1 to NRC Regulatory Issue Summary 2003-08: Protection of Safeguards Information from Unauthorized Disclosure: Difference between revisions

(Created page by program invented by StriderTol)
(Created page by program invented by StriderTol)
Line 1: Line 1:
{{Adams
{{Adams
| number = ML080940081
| number = ML080840184
| issue date = 04/03/2008
| issue date = 04/30/2003
| title = Summary of Safeguards Information Requirements, Attachment 1 to NRC Regulatory Issue Summary 2003-08: Protection of Safeguards Information from Unauthorized Disclosure
| title = Enclosure 1 - NRC Regulatory Issue Summary 2003-08: Protection of Safeguards Information from Unauthorized Disclosure
| author name =  
| author name = Beckner W D, Miller C L
| author affiliation = NRC/NRR
| author affiliation = NRC/NMSS, NRC/NMSS/IMNS
| addressee name =  
| addressee name =  
| addressee affiliation =  
| addressee affiliation =  
| docket = 05000324, 05000325
| docket =  
| license number =  
| license number =  
| contact person =  
| contact person =  
| document report number = RIS-03-008
| document report number = RIS-03-008
| document type = NRC Regulatory Issue Summary
| document type = NRC Regulatory Issue Summary
| page count = 4
| page count = 9
| revision = 0
| revision = 0
| revision = 0
| revision = 0
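Review bot: The template fields in this hunk now describe a different ADAMS record than the page name does. The title becomes "Enclosure 1 - NRC Regulatory Issue Summary 2003-08: Protection of Safeguards Information from Unauthorized Disclosure" with a new accession number and a page count of 9, while the page is still named for Attachment 1, the 4-page Summary of Safeguards Information Requirements. The same edit blanks `docket` (previously 05000324, 05000325) without explanation. If the page is meant to carry the full RIS, rename it to match; otherwise keep the Attachment 1 metadata, and state in the edit summary why the docket numbers were dropped.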
Line 142: Line 142:


=Text=
=Text=
{{#Wiki_filter:RIS 2003-08 Page 1 of 4SUMMARY OF REQUIREMENTS AUTHORITYThe Atomic Energy Act of 1954, as amended, 42 U.S.C. §§ 2011 et seq. (Act), grants theNuclear Regulatory Commission broad and unique authority to prohibit the unauthorizeddisclosure of Safeguards Information upon a determination that the unauthorized disclosure of such information could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by significantly increasing the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction.
{{#Wiki_filter:
[[Issue date::April 30, 2003]]


Section 147 of the Act, 42 U.S.C. § 216 For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employeesand contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is defined by NRC regulation as follows:Safeguards Information means information not otherwise classified as NationalSecurity Information or Restricted Data which specifically identifies a licensee's or applicant's detailed, (1) security measures for the physical protection of special nuclear material, or (2) security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilitie C.F.R. § 73.2.Specific requirements for the protection of Safeguards Information are contained in10 C.F.R. § 73.2 Access to Safeguards Information is limited as follows:(c) Access to Safeguards Informatio (1) Except as the Commission mayotherwise authorize, no person may have access to Safeguards Information unless the person has an established "need to know" for the information and is: (i) An employee, agent, or contractor of an applicant, a licensee, theCommission, or the United States Governmen However, an individual to be authorized access to Safeguards Information by a nuclear power reactor applicant or licensee must undergo a Federal Bureau of Investigation criminal history check to the extent required by 10 CFR 73.57; (ii) A member of a duly authorized committee of the Congress; (iii) The Governor of a State or designated representatives; (iv) A representative of the International Atomic Energy Agency (IAEA) engagedin activities associated with the U.S./IAEA Safeguards Agreement who has beencertified by the NRC; RIS 2003-08 Page 2 of 4 (v) A member of a state or local law enforcement authority that is responsible forresponding to requests for assistance during safeguards emergencies; or(vi) An 
individual to whom disclosure is ordered pursuant to § 2.744(e) of thischapter [10 CFR 2.744(e)]. (2) Except as the Commission may otherwise authorize, no person may discloseSafeguards Information to any other person except as set forth in paragraph (c)(1) of this sectio C.F.R. § 73.21(c).The "need to know" requirement is specified by NRC regulation as follows:Need to know means a determination by a person having responsibility forprotecting Safeguards Information that a proposed recipient's access toSafeguards Information is necessary in the performance of official, contractual, or licensee duties of employment.10 C.F.R. § 73.2.Thus, unless otherwise authorized by the Commission, NRC regulations limit access toSafeguards Information to certain specified individuals who have been determined to have a
NRC REGULATORY ISSUE SUMMARY 2003-08PROTECTION OF FROM UNAUTHORIZED DISCLOSUREADDRESSEESAll holders of operating licenses for nuclear power reactors, decommissioning reactor facilities,independent spent fuel storage installations, research and test reactors, large panoramic andunderwater irradiators, and fuel cycle facilities.INTENTThe U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS)and the attached Summary of Safeguards Information Requirements to inform addressees ofthe importance of protecting Safeguards Information from inadvertent release and unauthorizeddisclosure. The need to protect sensitive security information from inadvertent release andunauthorized disclosure which might compromise the security of nuclear facilities is heightenedsince the events of September 11, 2001. Addressees, including all cognizant personnel, have acontinuing obligation to be mindful of their responsibilities in protecting such securityinformation. Although many addressees have extensive experience in complying withapplicable regulations related to handling and protection of Safeguards Information, additionallicensees and individuals with limited or no experience in this area may now or soon will becovered by these requirements. This RIS is intended to serve as a consolidated source ofinformation to reinforce the overall knowledge of Safeguards Information requirements as wellas to highlight the serious consequences for failure to control and protect it.Licensees are encouraged to broadly disseminate this information to affected employees and topost the attached Summary of Safeguards Information Requirements in areas whereemployees who handle Safeguards Information are located.BACKGROUNDSeveral recent events involving published articles or comments to the media demonstrate theneed for the NRC to reemphasize the importance of protecting Safeguards Information frominadvertent release and unauthorized disclosure. 
The release of this information, for example,could result in harm to the public health and safety and the Nation's common defense andsecurity, as well as damage to the Nation's critical infrastructure, including nuclear power plantsand other facilities licensed and regulated by the NR RIS 2003-08Page 2 of 4SUMMARY OF ISSUESafeguards Information is a special category of sensitive unclassified information authorized bySection 147 of the Atomic Energy Act of 1954, as amended (the Act), to be protected. WhileSafeguards Information is considered sensitive unclassified information, it is handled andprotected more like classified confidential information than like other sensitive unclassifiedinformation (e.g., privacy and proprietary information). Access to Safeguards Information iscontrolled by a valid need-to-know and an indication of trustworthiness normally obtainedthrough a background check. The criteria for designating special nuclear material and powerreactor information as Safeguards Information and associated restrictions on access to andprotection of Safeguards Information are codified in Section 73.21 of Title 10 of the Code ofFederal Regulations (10 CFR 73.21). Part 73 applies to licensees of operating power reactors,research and test reactors, decommissioning facilities, facilities transporting irradiated reactorfuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types ofinformation designated as Safeguards Information include the physical security plan for anuclear facility or site possessing special nuclear material, the design features of the physicalprotection system, operational procedures for the security organization, improvements orupgrades to the security system, and vulnerabilities or weaknesses not yet corrected, and suchother information as the Commission may designate by order. 
An example of additionalinformation designated by order is the January 7, 2003 order to operating power reactorlicensees concerning access authorization programs. That order made the details of NRC'senhanced access authorization requirements and licensee response to these requirementsSafeguards Information. Another example is the April 29, 2003 order to operating powerreactor licensees concerning security force training requirements.In addition to the licensees subject to the Safeguards Information requirements of Part 73, andthe types of information designated as Safeguards Information under those regulations, theCommission has authority under Section 147 to designate, by regulation or order, other types ofinformation as Safeguards Information. For example, Section 147 allows the Commission todesignate... a licensee's or applicant's detailed ... security measures (including security plans,procedures and equipment) for the physical protection of source material or byproductmaterial, by whomever possessed, whether in transit or at fixed sites, in quantitiesdetermined by the Commission to be significant to the public health and safety or thecommon defense and security...to be Safeguards Information. The Commission also may, by order, impose SafeguardsInformation handling requirements on these other licensees. An example of this type of order isthe March 25, 2002 order to Honeywell International, a uranium conversion facility. Violationsof Safeguards Information handling requirements, whether those of Part 73 or those imposedby order, are equally subject to the applicable civil and criminal sanctions, as discussed belowand in the attached Summary of Safeguards Information Requirements.Employees, past or present, and all persons who have had access to Safeguards Information'have a continuing obligation to protect Safeguards Information against inadvertent release andunauthorized disclosure. 
The NRC staff and licensees have discovered several cases whereSafeguards Information was inadvertently included in uncontrolled plant documents anddocuments intended for distribution to the public. Documents or other forms of communication RIS 2003-08Page 3 of 4that include discussions about plant security should be reviewed carefullyto ensure thatSafeguards Information is not physically included or that plant security is not otherwise being.compromised. Attachment 1 to this RIS further explains licensee and individual responsibilitiesunder current regulations, issued Orders, and future Orders regarding the protection ofSafeguards Information, and addresses penalties forinadequate protection and unauthorizeddisclosure.Licensees are reminded that information designated as Safeguards Information must bewithheld from public disclosure and must be physically controlled and protected. Physicalprotection requirements include (1) secure storage, (2) document marking, (3) access restrictedto authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhancedautomatic data processing system controls. Changes are being proposed to NRC regulationsapplicable to Safeguards Information as a result of ongoing evaluations. Personnel securitycontrols, including background checks and other means, are in effect for individuals authorizedaccess to Safeguards Information, as is the strict adherence to the need-to-know principle.Inadequate protection of Safeguards Information, including inadvertent release andunauthorized disclosure, may result in civil and/or criminal penalties. The Act explicitly providesin Section 147a that any person, whether or not a licensee of the Commission, who violates anyregulations adopted under this section shall be subject to the civil monetary penalties ofSection 234 of the Act. 
Furthermore, willful violation of any regulation or order governingSafeguards Information is a felony subject to criminal penalties in the form of fines orimprisonment, or both, as prescribed in Section 223 of the Act. The specific penaltiesassociated with such violations will be determined by the staff in its implementation of the NRCEnforcement Policy, and the discretion of the Commission based on the details and significanceof any violation. Statutory maximum penalties are addressed in Attachment 1.The NRC will continue to evaluate its requirements, policies and guidance concerning theprotection and unauthorized disclosure of Safeguards Information. Licensees and otherstakeholders will be informed of proposed revisions or clarifications.BACKFIT DISCUSSIONThe RIS and the attachment do not request any action or written response; therefore, the staffdid not perform a backfit analysis.FEDERAL REGISTER NOTIFICATIONA notice of opportunity for public comment on this RIS was not published in the FederalRegiste RIS 2003-08Page 4 of 4PAPERWORK REDUCTION ACT STATEMENTThis RIS does not 'request any information collection and, therefore, is not subject to thePaperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).If you have any questions about this matter, please contact the person listed below.IRA/Charles L. Miller, DirectorDivision of Industrial andMedical Nuclear SafetyOffice of Nuclear Materials Safetyand SafeguardsIRA/William D. Beckner, Program DirectorOperating Reactor Improvements ProgramDivision of Regulatory Improvement ProgramsOffice of Nuclear Reactor RegulationContact: Bernard Stapleton, NSIR(301) 415-2432E-mail:
"need to know," i.e., specified individuals whose access has been determined to be necessary in the performance of official, contractual or licensee duties of employmen Furthermore, except as otherwise authorized by the Commission, no person may discloseSafeguards Information to any other person unless that other person is one of the specified persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a "need to know."


10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of Safeguards Information are applicable to all licensees and all individuals:This part [10 C.F.R. Part 73] prescribes requirements for the protection of Safeguards Information in the hands of any person, whether or not a licensee of the Commission, who produces, receives, or acquires Safeguards Information.10 C.F.R. § 73.1(b)(7).The Commission's statutory authority to protect and prohibit the unauthorized disclosure ofSafeguards Information is even broader than is reflected in these regulation Section 147 of the Act grants the Commission explicit authority to "issue such orders, as necessary to prohibit the unauthorized disclosure of safeguards information . . . ." This authority extends to information concerning special nuclear material, source material, and byproduct material, as well as production and utilization facilitie RIS 2003-08 Page 3 of 4The Act explicitly provides: "Any person, whether or not a licensee of the Commission, who violates any regulations adopted under this section shall be subject to the civil monetary penalties of Section 234 of this Act." Section 147a of the Ac Section 234a of the Actprovides for a civil monetary penalty not to exceed $120,000 for each violatio See10 C.F.R. § 2.205(j) (2003). Furthermore, a willful violation of any regulation or order governingSafeguards Information is a felony subject to criminal penalties in the form of fines or imprisonment, or both. See Sections 147b and 223a of the Act. 
The NRC Enforcement Policy outlines potential NRC actions against both licensees andindividuals for violations of the regulations and Orders using criteria that evaluate both the details and severity of the violatio I DISCUSSIONAll licensees and all other persons who now have, or in the future may have, access to Safeguards Information must comply with all applicable requirements delineated in regulations and Orders governing the handling and unauthorized disclosure of Safeguards Informatio As stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire Safeguards Information are required to ensure that Safeguards Information is protected against unauthorized disclosur To meet this requirement, licensees and persons subject to 10 C.F.R. § 73.21(a) shall establish and maintain an information protection system governing the proper handling and unauthorized disclosure of Safeguards Informatio All licensees should be aware that since the requirements of 10 C.F.R. § 73.21(a) apply to all persons who receive Safeguards Information, they apply to all contractors whose employees may haveaccess to Safeguards Information and they must either adhere to the licensee's policies andprocedures on Safeguards Information or develop, maintain and implement their own information protection system, but the licensees remain responsible for the conduct of their contractor The elements of the required information protection system are specified in 10 C.F.R. § 73.21(b) through (i). 
The information protection system must address, at a minimum, the following: the general performance requirement that each person who produces, receives, or acquires Safeguards Information shall ensure that Safeguards Information is protected against unauthorized disclosure; protection of Safeguards Information at fixed sites, in use and in storage, and while in transit; inspections, audits and evaluations; correspondence containing Safeguards Information; access to Safeguards Information; preparation, marking, reproduction and destruction of documents; external transmission of documents; use of automatic data processing systems; and removal of the Safeguards Information category.As noted above, in addition to the responsibility of each licensee to ensure that all of itsemployees, contractors and subcontractors, and their employees comply with applicable requirements, all contractors, subcontractors, and individual employees also are individually responsible for complying with applicable requirements and all are subject to civil and criminal sanctions for failures to compl The NRC considers that violations of the requirements applicable to the handling of Safeguards Information are a serious breach of adequate protection of the public health and safety and the common defense and security of the United State RIS 2003-08 Page 4 of 4As a result, the staff intends to use the NRC Enforcement Policy, including the discretion to increase penalties for violations, to determine appropriate sanctions against licensees and individuals who violate these requirement In addition, the Commission may use its discretion,based on the severity of the violation, to further increase the penalty for any violation up to thestatutory maximu Willful violations of these requirements will also be referred to the Department of Justice for a determination of whether criminal penalties will be pursued.
===Attachments:===
1. Summary of Safeguards Information Requirements2. List of Recently Issued NRC Regulatory Issue Summaries Attachment 1RIS 2003-08Page 1 of 4SUMMARY OF REQUIREMENTSI. AUTHORITYThe Atomic Energy Act of 1954, as amended, 42 U.S.C. &sect;&sect; 2011 et seq. (Act), grants theNuclear Regulatory Commission broad and unique authority to prohibit the unauthorizeddisclosure of Safeguards Information upon a determination that the unauthorized disclosure ofsuch information could reasonably be expected to have a significant adverse effect on thehealth and safety of the public or the common defense and security by significantly increasingthe likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction.Section 147 of the Act, 42 U.S.C. &sect; 2167.For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employeesand contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information isdefined by NRC regulation as follows:Safeguards Information means information not otherwise classified as NationalSecurity Information or Restricted Data which specifically identifies a licensee'sor applicant's detailed, (1) security measures for the physical protection ofspecial nuclear material, or (2) security measures for the physical protection andlocation of certain plant equipment vital to the safety of production or utilizationfacilities.10 C.F.R. &sect; 73.2.Specific requirements for the protection of Safeguards Information are contained in10 C.F.R. &sect; 73.21. Access to Safeguards Information is limited as follows:(c) Access to Safeguards Information. 
(1) Except as the Commission mayotherwise authorize, no person may have access to Safeguards Informationunless the person has an established "need to know" for the information and is:(i) An employee, agent, or contractor of an applicant, a licensee, theCommission, or the United States Government. However, an individual to beauthorized access to Safeguards Information by a nuclear power reactorapplicant or licensee must undergo a Federal Bureau of Investigation criminalhistory check to the extent required by 10 CFR 73.57;(ii) A member of a duly authorized committee of the Congress;(iii) The, Governor of a State or designated representatives;(iv) A representative of the International Atomic Energy Agency (IAEA) engagedin activities associated with the U.S./IAEA Safeguards Agreement who has beencertified by the NRC; Attachment 1RIS 2003-08Page 2 of 4(v) A member of a state or local law enforcement authority that is responsible forresponding to requests for assistance during safeguards emergencies; or(vi) An individual to whom disclosure is ordered pursuant to &sect; 2.744(e) of thischapter [10 CFR 2.744(e)].(2) Except as the Commission may otherwise authorize, no person may discloseSafeguards Information to any other person except as set forth in paragraph(c)(1) of this section.10 C.F.R, &sect; 73.21(c).The "need to know" requirement is specified by NRC regulation as follows:Need to know means a determination by a person having responsibility forprotecting Safeguards Information that a proposed recipient's access toSafeguards Information is necessary in the performance of official, contractual,or licensee duties of employment.10 C.F.R, &sect; 73.2.Thus, unless otherwise authorized by the Commission, NRC regulations limit access toSafeguards Information to certain specified individuals who have been determined to have a"need to know," i.e., specified individuals whose access has been determined to be necessaryin the performance of official,-contractual or licensee 
duties of employment.Furthermore, except as otherwise authorized by the Commission, no person may discloseSafeguards Information to any other person unless that other person is one of the specifiedpersons listed in 10 C.F.R. &sect; 73.21(c)(1) and that person also has a "need to know."10 C.F.R. &sect; 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure ofSafeguards Information are applicable to all licensees and all individuals:This part [10 C.F.R. Part 73] prescribes requirements for the protection ofSafeguards Information in the hands of any person, whether or not a licensee ofthe Commission, who produces, receives, or acquires Safeguards Information.10 C.F.R. &sect; 73.1(b)(7).The Commission's statutory authority to protect and prohibit the unauthorized disclosure ofSafeguards Information is even broader than is reflected in these regulations. Section 147 ofthe Act grants the Commission explicit authority to "issue such orders, as necessary to prohibitthe unauthorized disclosure of safeguards information ...." This authority extends toinformation concerning special nuclear material, source material, and byproduct material, aswell as production and utilization facilitie Attachment 1RIS 2003-08Page 3 of 4The Act explicitly provides: "Any person, whether or not a licensee of the Commission, whoviolates any regulations adopted under this section shall be subject to the civil monetarypenalties of Section 234 bf this Act." Section 147a of the Act. Section 234a of the Actprovides for a civil monetary penalty not to exceed $120,000 for each violation. See10 C.F.R. &sect; 2.2050) (2003). Furthermore, a willful violation of any regulation or order governingSafeguards Information is a felony subject to criminal penalties in the form of fines orimprisonment, or both. 
See Sections 147b and 223a of the Act.The NRC Enforcement Policy outlines potential NRC actions against both licensees andindividuals for violations of the regulations and Orders using criteria that evaluate both thedetails and severity of the violation.I1. DISCUSSIONAll licensees and all other persons who now have, or in the future may have, access toSafeguards Information must comply with all applicable requirements delineated in regulationsand Orders governing the handling and unauthorized disclosure of Safeguards Information. Asstipulated in 10 C.F.R. &sect; 73.21(a), licensees and persons who produce, receive or acquireSafeguards Information are required to ensure that Safeguards Information is protected againstunauthorized disclosure. To meet this requirement, licensees and persons subject to10 C.F.R. &sect; 73.21(a) shall establish and maintain an information protection system governingthe proper handling and unauthorized disclosure of Safeguards Information. All licenseesshould be aware that since the requirements of 10 C.F.R. &sect; 73.21(a) apply to all persons whoreceive Safeguards Information, they apply to all contractors whose employees may haveaccess to Safeguards Information and they must either adhere to the licensee's policies andprocedures on Safeguards Information or develop, maintain and implement their owninformation protection system, but the licensees remain responsible for the conduct of theircontractors. The elements of the required information protection system are specified in10 C.F.R. &sect; 73.21(b) through (i). 
The information protection system must address, at aminimum, the following: the general performance requirement that each person who produces,receives, or acquires Safeguards Information shall ensure that Safeguards Information isprotected against unauthorized disclosure; protection of Safeguards Information at fixed sites,in use and in storage, and while in transit; inspections, audits and evaluations; correspondencecontaining Safeguards Information; access to Safeguards Information; preparation, marking,reproduction and destruction of documents; external transmission of documents; use ofautomatic data processing systems; and removal of the Safeguards Information category.As noted above, in addition to the responsibility of each licensee to ensure that all of itsemployees, contractors and subcontractors, and their employees comply with applicablerequirements, all contractors, subcontractors, and individual employees also are individuallyresponsible for complying with applicable requirements and all are subject to civil and criminalsanctions for failures to comply. The NRC considers that violations of the requirementsapplicable to the handling of Safeguards Information are a serious breach of adequateprotection of the public health and safety and the common defense and security of the UnitedState Attachment 1RIS 2003-08Page 4 of 4As a result, the staff intends to use the NRC Enforcement Policy, including the discretion toincrease penalties for violations, to determine appropriate sanctions against licensees andindividuals who violate these requirements. In addition, the Commission may use its discretion,based on the severity of the violation, to further increase the penalty for any violation up to thestatutory maximum. 
Willful violations of these requirements will also be referred to theDepartment of Justice for a determination of whether criminal penalties will be pursue Attachment 2RIS 2003-08Page 1 of 1LIST OF RECENTLY ISSUEDNRC REGULATORY ISSUE SUMMARIESRegulatory Issue Date ofSummary No. Subject Issuance Issued to2003-07 Issuance of Regulations Revising 04/23/2003 .All U.S. Nuclear ReculatoryFiling Requirements for AdvanceNotification of the Shipment ofSpent Nuclear Fuel and SpecialNuclear Material2003-062003-052003-04High Security Protected and VitalArea Barrier/EquipmentPenetration ManualIssuance of Orders ImposingAdditional Physical ProtectionMeasures For Independent SpentFuel Storage Installations UsingDry StorageUse of the Effective DoseEquivalent in Place of the DeepDose Equivalent in DoseAssessments03/20/200303/19/200302/13/2003Commission (NRC) power reactorlicensees, research and testreactor licensees, independentspent fuel storage installationlicensees, and special nuclearmaterial licensees who ship spentnuclear fuel and special nuclearmaterial.All power reactor (includingdecommissioning reactor)licensees, independent spent fuelstorage installation licensees, theconversion facility licensee,gaseous diffusion plant licensees,and Category I fuel cycle facilitylicensees.All U.S. Nuclear RegulatoryCommission (NRC) licensees.whohold general licenses forindependent spent fuel storageinstallations (ISFSIs) using drystorage pursuant to 10 CFR Part72 and all applicants for site-specific licenses for ISFSlspursuant to 10 CFR Part 72.All U.S. Nuclear Regulatory.Commission (NRC) licensees.Note:NRC generic communications may be received in electronic format shortly after they areissued by subscribing to the NRC listserver as follows:To subscribe send an e-mail to <listproc(anrc.qov >, no subject, and the followingcommand in the message portion:subscribe gc-nrr firstname lastnameOL = Operating LicenseCP = Construction Permit
}}
}}
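Review bot: The replacement text under =Text= brings in extraction damage that should be repaired before this revision stands. The document title reads "PROTECTION OF FROM UNAUTHORIZED DISCLOSURE" (the words "Safeguards Information" are missing), sentences are cut where page headers were spliced in ("regulated by the NR RIS 2003-08Page 2 of 4", "FederalRegiste RIS 2003-08Page 4 of 4"), `&sect;` entities are left unrendered, "Section 234 bf this Act" has an OCR error, and the civil penalty citation now reads "10 C.F.R. &sect; 2.2050)" where the previous revision had "§ 2.205(j)". The new text does restore "42 U.S.C. § 2167" where the old one was truncated to "§ 216", so the change is worth keeping once these regressions are fixed.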

Revision as of 07:44, 5 March 2018

Enclosure 1 - NRC Regulatory Issue Summary 2003-08: Protection of Safeguards Information from Unauthorized Disclosure
ML080840184
Person / Time
Site: Watts Bar
Issue date: 04/30/2003
Revision: 0
From: Beckner W D, Miller C L
Office of Nuclear Material Safety and Safeguards, NRC/NMSS/IMNS
References
RIS-03-008


See also: RIS 2003-08

Text

April 30, 2003

NRC REGULATORY ISSUE SUMMARY 2003-08PROTECTION OF FROM UNAUTHORIZED DISCLOSUREADDRESSEESAll holders of operating licenses for nuclear power reactors, decommissioning reactor facilities,independent spent fuel storage installations, research and test reactors, large panoramic andunderwater irradiators, and fuel cycle facilities.INTENTThe U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS)and the attached Summary of Safeguards Information Requirements to inform addressees ofthe importance of protecting Safeguards Information from inadvertent release and unauthorizeddisclosure. The need to protect sensitive security information from inadvertent release andunauthorized disclosure which might compromise the security of nuclear facilities is heightenedsince the events of September 11, 2001. Addressees, including all cognizant personnel, have acontinuing obligation to be mindful of their responsibilities in protecting such securityinformation. Although many addressees have extensive experience in complying withapplicable regulations related to handling and protection of Safeguards Information, additionallicensees and individuals with limited or no experience in this area may now or soon will becovered by these requirements. This RIS is intended to serve as a consolidated source ofinformation to reinforce the overall knowledge of Safeguards Information requirements as wellas to highlight the serious consequences for failure to control and protect it.Licensees are encouraged to broadly disseminate this information to affected employees and topost the attached Summary of Safeguards Information Requirements in areas whereemployees who handle Safeguards Information are located.BACKGROUNDSeveral recent events involving published articles or comments to the media demonstrate theneed for the NRC to reemphasize the importance of protecting Safeguards Information frominadvertent release and unauthorized disclosure. 
The release of this information, for example, could result in harm to the public health and safety and the Nation's common defense and security, as well as damage to the Nation's critical infrastructure, including nuclear power plants and other facilities licensed and regulated by the NRC.

SUMMARY OF ISSUE

Safeguards Information is a special category of sensitive unclassified information authorized by Section 147 of the Atomic Energy Act of 1954, as amended (the Act), to be protected. While Safeguards Information is considered sensitive unclassified information, it is handled and protected more like classified confidential information than like other sensitive unclassified information (e.g., privacy and proprietary information). Access to Safeguards Information is controlled by a valid need-to-know and an indication of trustworthiness normally obtained through a background check. The criteria for designating special nuclear material and power reactor information as Safeguards Information and associated restrictions on access to and protection of Safeguards Information are codified in Section 73.21 of Title 10 of the Code of Federal Regulations (10 CFR 73.21). Part 73 applies to licensees of operating power reactors, research and test reactors, decommissioning facilities, facilities transporting irradiated reactor fuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types of information designated as Safeguards Information include the physical security plan for a nuclear facility or site possessing special nuclear material, the design features of the physical protection system, operational procedures for the security organization, improvements or upgrades to the security system, and vulnerabilities or weaknesses not yet corrected, and such other information as the Commission may designate by order.
An example of additional information designated by order is the January 7, 2003 order to operating power reactor licensees concerning access authorization programs. That order made the details of NRC's enhanced access authorization requirements and licensee response to these requirements Safeguards Information. Another example is the April 29, 2003 order to operating power reactor licensees concerning security force training requirements.

In addition to the licensees subject to the Safeguards Information requirements of Part 73, and the types of information designated as Safeguards Information under those regulations, the Commission has authority under Section 147 to designate, by regulation or order, other types of information as Safeguards Information. For example, Section 147 allows the Commission to designate

... a licensee's or applicant's detailed ... security measures (including security plans, procedures and equipment) for the physical protection of source material or byproduct material, by whomever possessed, whether in transit or at fixed sites, in quantities determined by the Commission to be significant to the public health and safety or the common defense and security ...

to be Safeguards Information. The Commission also may, by order, impose Safeguards Information handling requirements on these other licensees. An example of this type of order is the March 25, 2002 order to Honeywell International, a uranium conversion facility. Violations of Safeguards Information handling requirements, whether those of Part 73 or those imposed by order, are equally subject to the applicable civil and criminal sanctions, as discussed below and in the attached Summary of Safeguards Information Requirements.

Employees, past or present, and all persons who have had access to Safeguards Information have a continuing obligation to protect Safeguards Information against inadvertent release and unauthorized disclosure.
The NRC staff and licensees have discovered several cases where Safeguards Information was inadvertently included in uncontrolled plant documents and documents intended for distribution to the public. Documents or other forms of communication that include discussions about plant security should be reviewed carefully to ensure that Safeguards Information is not physically included or that plant security is not otherwise being compromised. Attachment 1 to this RIS further explains licensee and individual responsibilities under current regulations, issued Orders, and future Orders regarding the protection of Safeguards Information, and addresses penalties for inadequate protection and unauthorized disclosure.

Licensees are reminded that information designated as Safeguards Information must be withheld from public disclosure and must be physically controlled and protected. Physical protection requirements include (1) secure storage, (2) document marking, (3) access restricted to authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhanced automatic data processing system controls. Changes are being proposed to NRC regulations applicable to Safeguards Information as a result of ongoing evaluations. Personnel security controls, including background checks and other means, are in effect for individuals authorized access to Safeguards Information, as is the strict adherence to the need-to-know principle.

Inadequate protection of Safeguards Information, including inadvertent release and unauthorized disclosure, may result in civil and/or criminal penalties. The Act explicitly provides in Section 147a that any person, whether or not a licensee of the Commission, who violates any regulations adopted under this section shall be subject to the civil monetary penalties of Section 234 of the Act.
Furthermore, willful violation of any regulation or order governing Safeguards Information is a felony subject to criminal penalties in the form of fines or imprisonment, or both, as prescribed in Section 223 of the Act. The specific penalties associated with such violations will be determined by the staff in its implementation of the NRC Enforcement Policy, and the discretion of the Commission based on the details and significance of any violation. Statutory maximum penalties are addressed in Attachment 1.

The NRC will continue to evaluate its requirements, policies and guidance concerning the protection and unauthorized disclosure of Safeguards Information. Licensees and other stakeholders will be informed of proposed revisions or clarifications.

BACKFIT DISCUSSION

The RIS and the attachment do not request any action or written response; therefore, the staff did not perform a backfit analysis.

FEDERAL REGISTER NOTIFICATION

A notice of opportunity for public comment on this RIS was not published in the Federal Register.

PAPERWORK REDUCTION ACT STATEMENT

This RIS does not request any information collection and, therefore, is not subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).

If you have any questions about this matter, please contact the person listed below.

/RA/
Charles L. Miller, Director
Division of Industrial and Medical Nuclear Safety
Office of Nuclear Materials Safety and Safeguards

/RA/
William D. Beckner, Program Director
Operating Reactor Improvements Program
Division of Regulatory Improvement Programs
Office of Nuclear Reactor Regulation

Contact: Bernard Stapleton, NSIR
(301) 415-2432
E-mail:

Attachments:

1. Summary of Safeguards Information Requirements
2. List of Recently Issued NRC Regulatory Issue Summaries

Attachment 1
RIS 2003-08

SUMMARY OF REQUIREMENTS

I. AUTHORITY

The Atomic Energy Act of 1954, as amended, 42 U.S.C. §§ 2011 et seq. (Act), grants the Nuclear Regulatory Commission broad and unique authority to prohibit the unauthorized disclosure of Safeguards Information upon a determination that the unauthorized disclosure of such information could reasonably be expected to have a significant adverse effect on the health and safety of the public or the common defense and security by significantly increasing the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction. Section 147 of the Act, 42 U.S.C. § 2167.

For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50 reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employees and contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is defined by NRC regulation as follows:

Safeguards Information means information not otherwise classified as National Security Information or Restricted Data which specifically identifies a licensee's or applicant's detailed, (1) security measures for the physical protection of special nuclear material, or (2) security measures for the physical protection and location of certain plant equipment vital to the safety of production or utilization facilities.

10 C.F.R. § 73.2.

Specific requirements for the protection of Safeguards Information are contained in 10 C.F.R. § 73.21. Access to Safeguards Information is limited as follows:

(c) Access to Safeguards Information.
(1) Except as the Commission may otherwise authorize, no person may have access to Safeguards Information unless the person has an established "need to know" for the information and is:

(i) An employee, agent, or contractor of an applicant, a licensee, the Commission, or the United States Government. However, an individual to be authorized access to Safeguards Information by a nuclear power reactor applicant or licensee must undergo a Federal Bureau of Investigation criminal history check to the extent required by 10 CFR 73.57;

(ii) A member of a duly authorized committee of the Congress;

(iii) The Governor of a State or designated representatives;

(iv) A representative of the International Atomic Energy Agency (IAEA) engaged in activities associated with the U.S./IAEA Safeguards Agreement who has been certified by the NRC;

(v) A member of a state or local law enforcement authority that is responsible for responding to requests for assistance during safeguards emergencies; or

(vi) An individual to whom disclosure is ordered pursuant to § 2.744(e) of this chapter [10 CFR 2.744(e)].

(2) Except as the Commission may otherwise authorize, no person may disclose Safeguards Information to any other person except as set forth in paragraph (c)(1) of this section.

10 C.F.R. § 73.21(c).

The "need to know" requirement is specified by NRC regulation as follows:

Need to know means a determination by a person having responsibility for protecting Safeguards Information that a proposed recipient's access to Safeguards Information is necessary in the performance of official, contractual, or licensee duties of employment.

10 C.F.R. § 73.2.

Thus, unless otherwise authorized by the Commission, NRC regulations limit access to Safeguards Information to certain specified individuals who have been determined to have a "need to know," i.e., specified individuals whose access has been determined to be necessary in the performance of official, contractual or licensee duties of employment.

Furthermore, except as otherwise authorized by the Commission, no person may disclose Safeguards Information to any other person unless that other person is one of the specified persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a "need to know." 10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of Safeguards Information are applicable to all licensees and all individuals:

This part [10 C.F.R. Part 73] prescribes requirements for the protection of Safeguards Information in the hands of any person, whether or not a licensee of the Commission, who produces, receives, or acquires Safeguards Information.

10 C.F.R. § 73.1(b)(7).

The Commission's statutory authority to protect and prohibit the unauthorized disclosure of Safeguards Information is even broader than is reflected in these regulations. Section 147 of the Act grants the Commission explicit authority to "issue such orders, as necessary to prohibit the unauthorized disclosure of safeguards information ...." This authority extends to information concerning special nuclear material, source material, and byproduct material, as well as production and utilization facilities.

The Act explicitly provides: "Any person, whether or not a licensee of the Commission, who violates any regulations adopted under this section shall be subject to the civil monetary penalties of Section 234 of this Act." Section 147a of the Act. Section 234a of the Act provides for a civil monetary penalty not to exceed $120,000 for each violation. See 10 C.F.R. § 2.205(j) (2003). Furthermore, a willful violation of any regulation or order governing Safeguards Information is a felony subject to criminal penalties in the form of fines or imprisonment, or both.
See Sections 147b and 223a of the Act.

The NRC Enforcement Policy outlines potential NRC actions against both licensees and individuals for violations of the regulations and Orders using criteria that evaluate both the details and severity of the violation.

II. DISCUSSION

All licensees and all other persons who now have, or in the future may have, access to Safeguards Information must comply with all applicable requirements delineated in regulations and Orders governing the handling and unauthorized disclosure of Safeguards Information. As stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire Safeguards Information are required to ensure that Safeguards Information is protected against unauthorized disclosure. To meet this requirement, licensees and persons subject to 10 C.F.R. § 73.21(a) shall establish and maintain an information protection system governing the proper handling and unauthorized disclosure of Safeguards Information. All licensees should be aware that since the requirements of 10 C.F.R. § 73.21(a) apply to all persons who receive Safeguards Information, they apply to all contractors whose employees may have access to Safeguards Information and they must either adhere to the licensee's policies and procedures on Safeguards Information or develop, maintain and implement their own information protection system, but the licensees remain responsible for the conduct of their contractors. The elements of the required information protection system are specified in 10 C.F.R. § 73.21(b) through (i).
The information protection system must address, at a minimum, the following: the general performance requirement that each person who produces, receives, or acquires Safeguards Information shall ensure that Safeguards Information is protected against unauthorized disclosure; protection of Safeguards Information at fixed sites, in use and in storage, and while in transit; inspections, audits and evaluations; correspondence containing Safeguards Information; access to Safeguards Information; preparation, marking, reproduction and destruction of documents; external transmission of documents; use of automatic data processing systems; and removal of the Safeguards Information category.

As noted above, in addition to the responsibility of each licensee to ensure that all of its employees, contractors and subcontractors, and their employees comply with applicable requirements, all contractors, subcontractors, and individual employees also are individually responsible for complying with applicable requirements and all are subject to civil and criminal sanctions for failures to comply. The NRC considers that violations of the requirements applicable to the handling of Safeguards Information are a serious breach of adequate protection of the public health and safety and the common defense and security of the United States.

As a result, the staff intends to use the NRC Enforcement Policy, including the discretion to increase penalties for violations, to determine appropriate sanctions against licensees and individuals who violate these requirements. In addition, the Commission may use its discretion, based on the severity of the violation, to further increase the penalty for any violation up to the statutory maximum.
Willful violations of these requirements will also be referred to the Department of Justice for a determination of whether criminal penalties will be pursued.

Attachment 2
RIS 2003-08

LIST OF RECENTLY ISSUED NRC REGULATORY ISSUE SUMMARIES

Regulatory Issue Summary No.: 2003-07
Subject: Issuance of Regulations Revising Filing Requirements for Advance Notification of the Shipment of Spent Nuclear Fuel and Special Nuclear Material
Date of Issuance: 04/23/2003
Issued to: All U.S. Nuclear Regulatory Commission (NRC) power reactor licensees, research and test reactor licensees, independent spent fuel storage installation licensees, and special nuclear material licensees who ship spent nuclear fuel and special nuclear material.

Regulatory Issue Summary No.: 2003-06
Subject: High Security Protected and Vital Area Barrier/Equipment Penetration Manual
Date of Issuance: 03/20/2003
Issued to: All power reactor (including decommissioning reactor) licensees, independent spent fuel storage installation licensees, the conversion facility licensee, gaseous diffusion plant licensees, and Category I fuel cycle facility licensees.

Regulatory Issue Summary No.: 2003-05
Subject: Issuance of Orders Imposing Additional Physical Protection Measures For Independent Spent Fuel Storage Installations Using Dry Storage
Date of Issuance: 03/19/2003
Issued to: All U.S. Nuclear Regulatory Commission (NRC) licensees who hold general licenses for independent spent fuel storage installations (ISFSIs) using dry storage pursuant to 10 CFR Part 72 and all applicants for site-specific licenses for ISFSIs pursuant to 10 CFR Part 72.

Regulatory Issue Summary No.: 2003-04
Subject: Use of the Effective Dose Equivalent in Place of the Deep Dose Equivalent in Dose Assessments
Date of Issuance: 02/13/2003
Issued to: All U.S. Nuclear Regulatory Commission (NRC) licensees.

Note: NRC generic communications may be received in electronic format shortly after they are issued by subscribing to the NRC listserver as follows:

To subscribe send an e-mail to <listproc@nrc.gov>, no subject, and the following command in the message portion:

subscribe gc-nrr firstname lastname

OL = Operating License
CP = Construction Permit