Text

NRC Staff Responses to Public Comments on Draft Protective Order Templates for ITAAC Hearings On September 4, 2018 (83 Fed. Reg. 44,925), the NRC staff requested comment on two draft protective order templates for use in hearings associated with closure of inspections, tests, analyses, and acceptance criteria (ITAAC). One draft template was for Sensitive Unclassified Non-Safeguards Information (SUNSI) (Agencywide Documents Access and Management System (ADAMS)

Accession No. ML18239A329). The other draft template was for Safeguards Information (SGI) (ADAMS Accession No. ML18239A322).

The NRC staff received one comment submission (ADAMS Accession No. ML18298A267), which came from Southern Nuclear Operating Company. The NRC staffs responses to comments on the draft SUNSI template are in Table 1, and the NRC staffs responses to comments on the draft SGI template are in Table 2. The final SUNSI template is available at ADAMS Accession No. ML19036A727, and the final SGI template is available at ADAMS Accession No. ML19036A718.

Table 1 - NRC Staff Responses to Public Comments on Draft SUNSI Protective Order Template Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template)

Comment: Paragraph 2.c does not require legal 1 (¶ 2.c) The NRC staff adopts the suggestion to require staff counsels staff to execute the Non- Disclosure for petitioners legal counsel to execute Non-Declaration. The other provisions describing Disclosure Declarations to ensure they understand Authorized Recipients in paragraphs 2.a and 2.b the specific protection requirements in the order and require execution of the Non-Disclosure Declaration their obligation to protect SUNSI. Also, completing prior to receipt of SUNSI, which we interpret to and filing the Non-Disclosure Declarations would be include the legal counsel itself. Given the sensitivity of minimally burdensome, particularly since the information that may be transferred under the notarization is not required.

SUNSI protective order, Paragraph 2.c should be deleted, consistent with the SGI template. This would However, the final template retains language require legal counsel staff to execute Non-Disclosure requiring petitioners legal counsel to take steps to Declarations. The benefit of this increased focus and ensure that persons under their supervision or sensitivity to protection of the information transferred control comply with the protective order. This under the SUNSI protective order outweighs any provision has commonly been included in past increased administrative burden. SUNSI protective orders. Also, the NRC staff is adding this provision to the final SGI template.

Proposed Resolution: Delete paragraph 2.c.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template)

Finally, the NRC staff has modified the provision in paragraph 2.b on authorization for additional or substitute persons necessary for preparation of the petitioners case to receive SUNSI. As modified, persons under the direct supervision of petitioners legal counsel may receive SUNSI upon execution and filing of Non-Disclosure Declarations without having to obtain express permission from the presiding officer or the relevant hearing participant.

Permission would undoubtedly be granted in these situations, so requiring express permission is unnecessary.

2 (¶ 4) Comment: Paragraph 4 states that the filing Paragraph 4 of the draft template excluded NRC requirements are the only part of the order to which personnel from the orders requirements except NRC personnel are subject. However, the need for those for filing documents and, as applicable, this broad carve-out for activities conducted to initially providing SUNSI to the petitioner.

support the ITAAC hearing is unclear and could Numerous SUNSI protective orders in the last ten create future confusion, particularly as to the marking years have similar exclusions, and the NRC staff is requirements in paragraph 7 and the transmittal not aware of any confusion having arisen as a requirements in paragraph 9. result. The exclusion exists because NRC personnel are already subject to laws, regulations, Proposed Resolution: Add references to the marking and policies governing the protection of SUNSI, requirements in paragraph 7 and the transmittal including marking and transmission requirements.

requirements in paragraph 9 to paragraph 4 or, The protective order provisions are largely alternatively, delete paragraph 4 entirely.

redundant to these existing requirements, which are sometimes more stringent than the protective order (e.g., transmission requirements). Thus, the NRC staff is retaining the exclusion in the final template without modification.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 3 (¶ 8) Comment: Paragraph 8.a states that Authorized Paragraph 8.a of the draft template reflected the Recipients must establish a controlled environment requirement for controlled environments in the to protect SUNSI. 8.c states that the SUNSI must be Controlled Unclassified Information (CUI) rule. 32 kept under the Authorized Recipients direct control or C.F.R. §§ 2002.4(f), 2002.14(c). This requirement stored in a secure location. It is unclear whether the exists because Authorized Recipients must parameters described in paragraph 8.c establish a consider the space in which they will use or store controlled environment. SUNSI to ensure that SUNSI will be appropriately protected in accordance with paragraphs 8.b to 8.d Proposed Resolution: Combine paragraphs 8.a and of the draft template. For example, use of SUNSI 8.c.

on a computer in a space where unauthorized persons can view the computer screen would not be a controlled environment and would not satisfy paragraph 8.b. The NRC staff has modified paragraph 8.a to show the relationship between this paragraph and paragraphs 8.b to 8.d. and to give examples illustrating the controlled environment requirement. Consistent with these examples, the staff has modified the footnote in paragraph 9.a.iii to specify that if facsimile transmission is allowed, the protective order should prohibit use of facsimile machines whose memories may be accessed by unauthorized individuals.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 4A (¶ 9.a) Comment: This paragraph generally requires The draft templates requirement to use encryption electronic transmittal of SUNSI to be encrypted (e.g., if available came from NRC Regulatory Issue password-protected PDF file). However, if the sender Summary (RIS) 2005-26, Control of Sensitive determines that encryption is not available, they Unclassified Nonsafeguards Information Related to may satisfy the protection requirement by merely Nuclear Power Reactors (ADAMS Accession No.

double-checking the email address. This broad ML051430228), dated November 7, 2005. RIS exception essentially eviscerates the encryption 2005-26 is the currently applicable NRC guidance requirement and exposes electronically transmitted and is specifically directed at protection of security-SUNSI to higher risk of unauthorized disclosure. related information for power reactors.

Proposed Resolution: Delete the phrase if available The draft templates encryption requirement was in the first sentence of paragraph 9.a and all of the also applied to proprietary information because RIS following sentence. Delete all of paragraph 9.a.i. 2005-26 states that security-related information is protected in much the same way as commercial or financial information. RIS 2005-26, at 4. Even so, most protective orders for proprietary information in the last ten years have not had any encryption requirement.

Moreover, the NRC staff disagrees that conditioning use of encryption on its availability eviscerates the requirement. The draft and final templates encourage the hearing participants to discuss the availability of encryption. To the extent encrypted transmission is available, the proposed protective order may specify the permitted forms of encrypted transmission and disallow other forms of unencrypted transmission, as practical.

For the reasons stated above, the encryption requirement in the final template is the same as the requirement in the draft template.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 4B (¶ 9.a) Comment: Paragraph 9.a.iii. allows fax transmission if The NRC staff adopts the commenters suggested no other form of electronic transmission is available. deletion because experience suggests facsimile Fax transmission should not be allowed under any transmission is no longer necessary or practical in circumstances due to the same security risks adjudicatory proceedings, as stated in the draft discussed in the paragraph above [Comment 4A]. template. However, the NRC staff is retaining instructions on measures for facsimile transmission Proposed Resolution: Delete the phrase unless no in the unlikely case that facsimile transmission is other form of electronic transmission is available in deemed to be necessary.

paragraph 9.a.iii.

5 (¶ 12) Comment: Paragraph 12 requires the Petitioner to The NRC staff agrees that all Authorized Recipients maintain a log of all copies of SUNSI materials within should track the SUNSI in their possession or its possession or control. However, disclosure of control to ensure it is properly protected. The SUNSI may extend beyond Petitioner to other template has been modified accordingly.

Authorized Recipients, including Petitioners experts, consultants and legal counsel. All Authorized Recipients should be required to comply with paragraph 12 in order to maintain adequate SUNSI recordkeeping.

Proposed Resolution: Paragraph 12 should be revised to state: All Authorized Recipients shall maintain a log of all copies of materials containing SUNSI within its possession or control.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 6 (¶ 15) Comment: Paragraph 15 requires Authorized The NRC staff does not agree that there is a lack of Recipients to destroy or return all SUNSI materials clarity regarding jurisdiction over filings on within 60 days of the Access Termination Date (e.g., protective orders that are made after termination of termination of the proceeding), and to certify the proceeding. See CB&I AREVA MOX Servs.,

compliance with this requirement to the NRC and the LLC (Mixed Oxide Fuel Fabrication Facility licensee. However, no enforcement mechanism is Possession and Use License), CLI-16-14, 84 NRC contemplated. The presiding officer loses jurisdiction 11 (2016) (The Commission granted a motion filed once it terminates the proceeding; and, if the after termination of the proceeding to amend a Petitioner decides to ignore this requirement and protective order issued by a licensing board).

keep the documents, the procedural next step for the Therefore, the NRC staff is not adopting the licensee is unclear. commenters suggestion.

Proposed Resolution: Include a specific enforcement mechanism, like a request to the Commission, in paragraph 15.

7 (¶ 18) Comment: Paragraph 18 allows the presiding officer The NRC staff has added to the final template a to impose sanctions for violation of the protective reference to Commission policy on the imposition of order or Non-Disclosure Declaration. However, sanctions in adjudicatory proceedings, which presiding officers rarely, if ever, actually impose includes examples of possible sanctions. See sanctions that would help prevent unauthorized Statement of Policy on Conduct of Licensing disclosures. If the order explicitly included some Proceedings, CLI-81-8, 13 NRC 452, 454 (1981).

examples of possible sanctions, their imposition may Consistent with this policy, the imposition of be more readily available to the presiding officer. It is sanctions is a fact-dependent exercise.

important that sanctions remain a plausible possibility in cases where the protective order is violated in order to deter unauthorized disclosures of SUNSI.

Proposed Resolution: Revise paragraph 18 to include specific examples of sanctions, such as termination of the proceeding, a permanent ban from participation in future proceedings, or a permanent ban from obtaining SUNSI.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 8 (¶ 19) Comment: Paragraph 19 requires the licensee or The NRC staff does not anticipate that a protective NRC to provide SUNSI documents to the Petitioner order would be issued before a request for access within 2 days of receiving the executed Non- to SUNSI. ITAAC proceedings are narrowly Disclosure Declarations. In a typical proceeding, a focused and of short duration, and the need for a licensee would provide a disclosure log of proprietary protective order would become clear in response to documents, the petitioner would request certain (or a petitioners specific request for documents.

all) documents, a protective order would be issued, Moreover, access to SUNSI may not be granted and the documents provided. The template language until a specific request is made. The template is makes sense, assuming the petitioner has already premised on such a request being received and identified which documents it seeks to obtain; granted. In drafting the template, the NRC staff however, it does not contemplate the scenario in consciously avoided accounting for unlikely which the presiding officer issues the protective order scenarios for simplicity. Thus, the NRC staff is not early in the proceeding before such requests are modifying the template.

made, or later SUNSI documents become available.

In order to ensure the SUNSI is properly identified The NRC staff agrees, however, that the word and requested prior to disclosure, the trigger for the provide is ambiguous. Therefore, the final two-day timeline for providing the documents should template uses the word transmit as suggested by be the later of (1) the filing of the Non-Disclosure the commenter. But mailing SUNSI would cause Declarations and (2) Petitioners request for SUNSI. unnecessary delay, which should be avoided given the accelerated ITAAC hearing schedule. Thus, the Also, the requirement to provide the copies to the final template states a requirement for this Petitioner within 2 days introduces some ambiguity as transmission to be made by email.

to whether the Petitioner must, in fact, receive the copies in that time frame. The language should be revised to make it clear that mailing time is not calculated in the 2-day limit.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template)

Proposed Resolution: Paragraph 19 should be revised as follows: Within two (2) business days after the later of (1) the filing of the executed Non-Disclosure Declarations and (2) Petitioners request for SUNSI the [Licensee OR NRC Staff] shall transmit to the Petitioners representative a copy of the following information: [identify that SUNSI for which the Petitioners need has been determined].

Table 2 - NRC Staff Responses to Public Comments on Draft SGI Protective Order Template Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 1 (¶ 1) Comment: Paragraph 1 presents presiding officer The NRC staff revised the template consistent with findings that the Authorized SGI Recipients are the commenters suggestions, as discussed below.

qualified to possess SGI. However, it is silent as to The findings in paragraph 1 of the draft template their means of protecting SGI, such as availability of reflect the determinations on access to SGI that in security storage containers and security electronic most circumstances would be made by the NRC equipment satisfying Part 73 requirements, or staff. The presiding officer would become involved alternative means such as using another entitys SGI-only if there is a dispute over the NRC staffs compliant equipment. This should be a required determinations.

finding to ensure that Authorized SGI Recipients can adequately protect the SGI. The draft template directly addressed the concerns raised by the commenter regarding protection of Proposed Resolution: Paragraph 1 should be revised SGI. Paragraph 6 of the draft template explicitly as follows: As described in the Joint Motion, certain required all Authorized SGI Recipients to certify identified person(s) are qualified for access to the SGI whether they have compliant security storage described in the Joint Motion by (1) having a need to containers and electronic equipment. Paragraph 6 know the SGI described therein, as defined by 10 also (1) discussed alternative means of using and C.F.R. § 73.2; (2) having previously undergone a protecting SGI if compliant storage containers or Federal Bureau of Investigation (FBI) criminal history electronic equipment are not available and (2) records check, as appropriate; (3) having been encouraged the hearing participants to discuss determined to be trustworthy and reliable, based these issues prior to filing a proposed protective upon a background check or other means approved order.

by the Commission, as prescribed by 10 C.F.R.

§ 73.22(b)(2); and (4) having been determined to Further, paragraph 6 discussed the NRC staffs possess materials and equipment necessary to opportunity to inspect the petitioners SGI protection protect SGI in accordance with 10 C.F.R. Part 73, system. This discussion was revised in the final which shall include possession of a Security Storage template to better reflect a similar provision Container, or access to an approved SGI storage contained in Final Template A: Notice of Intended location, and appropriate security electronic Operation and Associated Orders (ADAMS equipment. Accession No. ML16167A469), issued as part of the ITAAC Hearing Procedures (July 1, 2016) (81 Fed.

Reg. 43,266). Final Template A states, Prior to

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) providing SGI to the requestor, the NRC staff will conduct (as necessary) an inspection to confirm that the recipients information protection system is sufficient to satisfy the requirements of 10 CFR 73.22. Final Template A, at 49. Any inspection would take place before a motion proposing a protective order. Id. at 55-56. This provision was taken from the Procedures to Allow Potential Intervenors to Gain Access to Relevant Records that Contain Sensitive Unclassified Non-Safeguards Information or Safeguards Information (SUNSI-SGI Access Procedures) (ADAMS Accession No. ML080380626). SUNSI-SGI Access Procedures, Attach. 1, at 5, 6-7.

Thus, the concerns raised in the comment should be addressed by the hearing participants before they file a motion requesting a proposed protective order. Since the SGI protective order template assumes the filing of a joint motion, the template assumes there is agreement that the petitioner has the means of complying with 10 C.F.R. § 73.22.

The NRC staff has revised paragraph 1 of the template to reflect this assumption and to reference the discussion in paragraph 6 on the measures to be taken by the hearing participants to confirm the petitioners means of compliance.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 2 (¶ 2.a) Comment: This paragraph mentions the requirements The NRC staff is adopting the commenters for Authorized SGI Recipients. It makes reference to suggestion for consistency and completeness.

two of the three necessary conditions for access, as set forth in paragraph 1; however, it does not make reference to the required FBI criminal history records check. Language should be added to make paragraph 2.a consistent with the requirements in paragraph 1.

Proposed Resolution: All of the requirements listed paragraph 1 should be added to the first sentence of paragraph 2a.

3 (¶ 4) Comment: Paragraph 4 states that the filing Paragraph 4 of the draft template excluded NRC requirements are the only part of the order to which personnel from the orders requirements except NRC personnel are subject. However, the need for those for filing documents, updating the SGI access this broad carve-out for activities conducted to list, and, as applicable, initially providing SGI to the support the ITAAC hearing is unclear and could petitioner. Numerous SUNSI protective orders in create future confusion, particularly as to the marking the last ten years have similar exclusions, and the requirements in paragraph 6 and the transmittal NRC staff is not aware of any confusion having requirements in paragraph 8. arisen as a result. The NRC staff does not believe that a similar exclusion in an SGI protective order Proposed Resolution: Add references to the marking would cause confusion. The exclusion exists requirements in paragraph 6 and the transmittal because NRC personnel are already subject to requirements in paragraph 8 to paragraph 4 or, laws, regulations, and policies governing the alternatively, delete paragraph 4 entirely.

protection of SGI, including marking and transmission requirements. The protective order provisions are largely redundant to these existing requirements. Thus, the NRC staff is retaining the exclusion in the final template without modification.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 4 (¶ 10) Comment: Paragraph 10 requires the Petitioner to The NRC staff agrees that all Authorized SGI maintain a log of all copies of SGI materials within its Recipients should track the SGI in their possession possession or control. However, disclosure of SGI or control to ensure it is properly protected. The may extend beyond Petitioner to other Authorized template has been modified accordingly.

SGI Recipients, including Petitioners experts, consultants and legal counsel. All Authorized Recipients should be required to comply with paragraph 10 in order to maintain adequate SGI recordkeeping.

Proposed Resolution: Paragraph 10 should be revised to state: All Authorized SGI Recipients shall maintain a log of all copies of materials containing SGI within its possession or control.

5 (¶ 11) Comment: Paragraph 11 requires notification of The NRC staff agrees and has adopted the potential loss or unauthorized disclosure of SGI to be commenters suggestion so that the NRC and the reported within 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />. However, in such licensee can more effectively mitigate any harm situations time is of the essence. Requiring from the potential loss or unauthorized disclosure of immediate notice allows the licensee to more SGI.

effectively mitigate potential harm.

Proposed Resolution: Paragraph 11 should be revised to state: If the Petitioner has reason to believe that SGI may have been lost or misplaced, or that SGI has otherwise become available to unauthorized persons, the Petitioner shall immediately (but in no circumstances greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) notify the {Board OR Presiding Officer}, the Licensees counsel, and NRC Staff counsel regarding that belief and the reasons for that belief. If any Authorized SGI Recipient has reason to believe that SGI may have been lost or misplaced, or that SGI

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) has otherwise become available to unauthorized persons, that Authorized SGI Recipient shall immediately (but in no circumstances greater than 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br />) notify the Petitioners representative of that belief and the reasons for that belief so that the Petitioner may make the required notification.

6 (¶ 11b.) Comment: Paragraph 11.b contemplates the The NRC staff agrees that notifications should be notification of potential loss of unauthorized transmitted by prompt means and has modified disclosure of SGI be sent via mail. As noted above, paragraph 11.b to require use of overnight mail.

time is of the essence in such situations. It would be more beneficial if a quicker communication process is devised to allow the licensee to receive notice in a shorter time period.

Proposed Resolution: Devise a process to more quickly communicate situations of lost SGI or unauthorized disclosure, such as requiring the notification to be sent via overnight express.

7 (¶ 13) Comment: Paragraph 13 requires Authorized SGI The NRC staff does not agree that there is a lack of Recipients to destroy or return all SGI materials clarity regarding jurisdiction over filings on within 60 days of the Access Termination Date (e.g., protective orders that are made after termination of termination of the proceeding), and to certify the proceeding. See CB&I AREVA MOX Servs.,

compliance with this requirement to the NRC and the LLC (Mixed Oxide Fuel Fabrication Facility licensee. However, no enforcement mechanism is Possession and Use License), CLI-16-14, 84 NRC contemplated. The presiding officer loses jurisdiction 11 (2016) (The Commission granted a motion filed once it terminates the proceeding; and, if the after termination of the proceeding to amend a Petitioner decides to ignore this requirement and protective order issued by a licensing board).

keep the documents, the procedural next step for the Therefore, the NRC staff is not adopting the licensee is unclear. commenters suggestion.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template)

Proposed Resolution: Include a specific enforcement mechanism, like a request to the Commission, in paragraph 13.

8 (¶ 16) Comment: Paragraph 16 allows the presiding officer The NRC staff has added to the final template a to impose sanctions for violation of the protective reference to Commission policy on the imposition of order or Non-Disclosure Declaration. However, sanctions in adjudicatory proceedings, which presiding officers rarely, if ever, actually impose includes examples of possible sanctions. See sanctions that would help prevent unauthorized Statement of Policy on Conduct of Licensing disclosures. If the order explicitly included some Proceedings, CLI-81-8, 13 NRC 452, 454 (1981).

examples of possible sanctions, their imposition may Consistent with this policy, the imposition of be more readily available to the presiding officer. It is sanctions is a fact-dependent exercise.

important that sanctions remain a plausible possibility in cases where the protective order is violated in order to deter unauthorized disclosures of SGI.

Proposed Resolution: Revise paragraph 16 to include specific examples of sanctions, such as termination of the proceeding, a permanent ban from participation in future proceedings, or a permanent ban from obtaining SGI.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template) 9 (¶ 17) Comment: Paragraph 17 requires the licensee or The NRC staff does not anticipate that a protective NRC to provide SGI documents to the Petitioner order would be issued before a request for access within 2 days of receiving the executed Non- to SGI. ITAAC proceedings are narrowly focused Disclosure Declarations. In a typical proceeding, a and of short duration, and the need for a protective licensee would provide a disclosure log of protected order would become clear in response to a documents, the petitioner would request certain (or petitioners specific request for documents.

all) documents, a protective order would be issued, Moreover, the petitioner would have to submit a and the documents provided. The template language specific request for SGI to show a need to know for makes sense, assuming the petitioner has already it. The template is premised on a specific request identified which documents it seeks to obtain; for SGI having been received and granted. In however, it does not contemplate the scenario in drafting the template, the NRC staff consciously which the presiding officer issues the protective order avoided accounting for unlikely scenarios for early in the proceeding before such requests are simplicity. Thus, the NRC staff is not modifying the made, or later SGI documents become available. In template.

order to ensure the SGI is properly identified and requested prior to disclosure, the trigger for the two- The NRC staff agrees, however, that the word day timeline for providing the documents should be provide is ambiguous. Therefore, the final the later of (1) the filing of the Non- Disclosure template uses the word transmit as suggested by Declarations and (2) Petitioners request for SGI. the commenter. Also, the final template requires this transmission to be made by overnight mail, Also, the requirement to provide the copies to the consistent with the accelerated ITAAC hearing Petitioner within 2 days introduces some ambiguity as schedule and the filing requirement in paragraph 8 to whether the Petitioner must, in fact, receive the of the template.

copies in that time frame. The language should be revised to make it clear that mailing time is not calculated in the 2-day limit.

Comment # Comment and Proposed Resolution NRC Staff Response

(¶ of Draft Template)

Proposed Resolution: Paragraph 17 should be revised as follows: Within two (2) business days after the later of (1) the filing of the executed Non-Disclosure Declarations and (2) Petitioners request for SGI the [Licensee OR NRC Staff] shall transmit to the Petitioners representative a copy of the following information: [identify that SGI for which the Petitioners need has been determined].