Proposed Generic Communications; Protection of Safeguards Information, 10786-10790 [E9-5296]
Download as PDF
<![CDATA[
10786
Federal Register / Vol. 74, No. 47 / Thursday, March 12, 2009 / Notices
Environmental Impacts of the
Alternatives to the Proposed Action
Due to the largely administrative
nature of the proposed action, its
environmental impacts are small.
Therefore, the only alternative the staff
considered is the no-action alternative,
under which the staff would leave
things as they are by simply denying the
amendment request. This no-action
alternative is not feasible because it
conflicts with 10 CFR 30.36(d),
requiring that decommissioning of
byproduct material facilities be
completed and approved by the NRC
after licensed activities cease. The
NRC’s analysis of the Licensee’s final
status survey data confirmed that the
Facility meets the requirements of 10
CFR 20.1402 for unrestricted release.
Additionally, denying the amendment
request would result in no change in
current environmental impacts. The
environmental impacts of the proposed
action and the no-action alternative are
therefore similar, and the no-action
alternative is accordingly not further
considered.
Conclusion
The NRC staff has concluded that the
proposed action is consistent with the
NRC’s unrestricted release criteria
specified in 10 CFR 20.1402. Because
the proposed action will not
significantly impact the quality of the
human environment, the NRC staff
concludes that the proposed action is
the preferred alternative.
cprice-sewell on PRODPC61 with NOTICES
Agencies and Persons Consulted
NRC provided a draft of this
Environmental Assessment to the
Missouri Department of Health and
Senior Services for review on February
18, 2009. By response dated February
20, 2009, the State agreed with the
conclusions of the EA, and otherwise
provided no comments.
The NRC staff has determined that the
proposed action is of a procedural
nature, and will not affect listed species
or critical habitat. Therefore, no further
consultation is required under Section 7
of the Endangered Species Act. The
NRC staff has also determined that the
proposed action is not the type of
activity that has the potential to cause
effects on historic properties. Therefore,
no further consultation is required
under Section 106 of the National
Historic Preservation Act.
III. Finding of No Significant Impact
The NRC staff has prepared this EA in
support of the proposed action. On the
basis of this EA, the NRC finds that
there are no significant environmental
impacts from the proposed action, and
VerDate Nov<24>2008
14:56 Mar 11, 2009
Jkt 217001
that preparation of an environmental
impact statement is not warranted.
Accordingly, the NRC has determined
that a Finding of No Significant Impact
is appropriate.
IV. Further Information
Documents related to this action,
including the application for license
amendment and supporting
documentation, are available
electronically at the NRC’s Electronic
Reading Room at https://www.nrc.gov/
reading-rm/adams.html. From this site,
you can access the NRC’s Agencywide
Documents Access and Management
System (ADAMS), which provides text
and image files of NRC’s public
documents. The documents related to
this action are listed below, along with
their ADAMS accession numbers.
1. Kevin J. Sharkey, Pharmacia
Corporation, letter dated January 15,
2009, (ADAMS Accession No.
ML090200063);
2. Title 10 Code of Federal
Regulations, Part 20, Subpart E,
‘‘Radiological Criteria for License
Termination;’’
3. Title 10 Code of Federal
Regulations, Part 51, ‘‘Environmental
Protection Regulations for Domestic
Licensing and Related Regulatory
Functions;’’
4. NUREG–1496, ‘‘Generic
Environmental Impact Statement in
Support of Rulemaking on Radiological
Criteria for License Termination of NRCLicensed Nuclear Facilities;’’
5. NUREG–1757, ‘‘Consolidated
Decommissioning Guidance’’.
If you do not have access to ADAMS,
or if there are problems in accessing the
documents located in ADAMS, contact
the NRC Public Document Room (PDR)
Reference staff at 1–800–397–4209, 301–
415–4737, or by e-mail to pdr@nrc.gov.
These documents may also be viewed
electronically on the public computers
located at the NRC’s PDR, O 1 F21, One
White Flint North, 11555 Rockville
Pike, Rockville, MD 20852. The PDR
reproduction contractor will copy
documents for a fee.
Dated at Lisle, Illinois, this 2nd day of
March, 2009.
For the Nuclear Regulatory Commission.
Christine Lipa,
Chief Materials Control, ISFSI, and
Decommissioning Branch, Division of Nuclear
Materials Safety, Region III.
[FR Doc. E9–5356 Filed 3–11–09; 8:45 am]
BILLING CODE 7590–01–P
PO 00000
Frm 00083
Fmt 4703
Sfmt 4703
NUCLEAR REGULATORY
COMMISSION
[NRC–2009–0106]
Proposed Generic Communications;
Protection of Safeguards Information
AGENCY: Nuclear Regulatory
Commission.
ACTION: Notice of opportunity for public
comment.
SUMMARY: The U.S. Nuclear Regulatory
Commission (NRC) is proposing to issue
a regulatory issue summary (RIS) to
remind all stakeholders of the
significant changes to Title 10 of the
Code of Federal Regulations 10 CFR
73.21, 73.22 and 73.23. Previously,
many licensees, applicants, certificate
holders, or other persons were issued
Orders in the aftermath of the terrorist
attacks of September 11, 2001, that
required them to protect certain detailed
information designated as SGI or SGI–
M. Further Orders were issued by the
NRC after the enactment of the Energy
Policy Act of 2005 (EPAct), which
expanded the NRC’s fingerprinting
authority with respect to access to SGI.
This RIS provides clarifying information
of the impact of the new rule (effective
date February 23, 2009).
This Federal Register notice is
available through the NRC’s
Agencywide Documents Access and
Management System (ADAMS) under
accession number ML090630662.
DATES: Comment period expires April
13, 2009. Comments submitted after this
date will be considered if it is practical
to do so, but assurance of consideration
cannot be given except for comments
received on or before this date.
ADDRESSES: Submit written comments
to the Chief, Rulemaking, Directives and
Editing Branch, Division of
Administrative Services, Office of
Administration, U.S. Nuclear Regulatory
Commission, Mail Stop TWB 5B01M,
Washington, DC 20555–0001, and cite
the publication date and page number of
this Federal Register notice.
FOR FURTHER INFORMATION CONTACT:
Robert Norman, at 301–415–2278 or by
e-mail at robert.norman@nrc.gov.
SUPPLEMENTARY INFORMATION:
NRC Regulatory Issue Summary 2009–
XX
Implementation of New Final Rule,
Protection of Safeguards Information
Addressees
Each NRC licensee, certificate holder,
applicant, or other person who
produces, receives, or acquires
Safeguards Information.
E:\FR\FM\12MRN1.SGM
12MRN1
Federal Register / Vol. 74, No. 47 / Thursday, March 12, 2009 / Notices
Intent
The U.S. Nuclear Regulatory
Commission (NRC) is issuing this
regulatory issue summary (RIS) to
remind all stakeholders of the
significant changes to Title 10 of the
Code of Federal Regulations 10 CFR
73.21, 73.22 and 73.23. This RIS
provides clarifying information of the
impact of the new rule (effective date
February 23, 2009). This RIS requires no
action or written response on the part of
an addressee.
cprice-sewell on PRODPC61 with NOTICES
Background
Previously, many licensees,
applicants, certificate holders, or other
persons were issued Orders in the
aftermath of the terrorist attacks of
September 11, 2001, that required them
to protect certain detailed information
designated as SGI or SGI–M. Further
Orders were issued by the NRC after the
enactment of the Energy Policy Act of
2005 (EPAct), which expanded the
NRC’s fingerprinting authority with
respect to access to SGI.
SGI, which includes both SGI and
SGI–M, is a special category of sensitive
unclassified information that licensees
must protect from unauthorized
disclosure under Section 147 of the
Atomic Energy Act of 1954 (AEA), as
amended. Section 147 of the AEA gives
the Commission authority to designate,
by regulation or order, other types of
information as SGI. For example,
Section 147.a.(2) of the AEA allows the
Commission to designate as SGI a
licensee’s or applicant’s detailed
security measures (including security
plans, procedures, and equipment) for
the physical protection of source
material or byproduct material in
quantities that the Commission
determines to be significant to the
public health and safety or the common
defense and security. Prior to the events
of September 11, the Commission
implemented its Section 147 authority
through regulations in 10 CFR sections
73.21 and 73.57. These requirements
generally applied to security
information associated with nuclear
power plants, formula quantities of
strategic special nuclear materials, and
the transportation of irradiated fuel.
However, changes in the threat
environment after September 11, have
resulted in the need to protect, as SGI,
additional types of security related
information held by a broader group of
persons, including licensees, applicants,
vendors, and certificate holders.
Subsequently, orders were issued that
increased the number of licensees
whose security measures would be
protected as SGI and added types of
VerDate Nov<24>2008
14:56 Mar 11, 2009
Jkt 217001
security related information that would
be considered SGI. For example, EA–
04–190, issued to certain NRC
byproduct materials licensees on
November 4, 2004 (69 Federal Register
(FR) 65470, November 12, 2004). The
Commission determined the
unauthorized release of this information
could harm the public health and safety
and the Nation’s common defense and
security and damage the Nation’s
critical infrastructure, including nuclear
power plants and other facilities and
materials licensed and regulated by the
NRC or Agreement States.
Subsequently, Congress enacted the
EPAct (Pub. L. 109–58, 119 Stat. 594).
Section 652 of the EPAct amended
Section 149 of the AEA to require the
fingerprinting of a broader class of
persons for the purpose of checking
criminal history records. Before the
EPAct, the NRC’s fingerprinting
authority was limited to requiring
licensees and applicants for a license to
operate a nuclear power reactor under
10 CFR part 50, ‘‘Domestic Licensing of
Production and Utilization Facilities,’’
to fingerprint individuals before
granting them access to SGI. The EPAct
expanded the NRC’s authority to require
fingerprinting of individuals associated
with other types of activities before
granting them access to SGI. The EPAct
preserved the Commission’s authority in
Section 149 of the AEA to relieve, by
rule, certain persons from the
fingerprinting, identification, and
criminal history records checks required
for access to SGI. The Commission
exercised that authority to relieve, by
rule, certain categories of persons from
the fingerprint identification and
criminal history records check along
with other elements of the background
check requirement. Categories of
individuals relieved from the
background check are described in 10
CFR 73.59.
In addition to the orders mentioned
above, the NRC issued a second round
of orders to licensees to impose the
fingerprinting requirements mandated
by the EPAct. Those orders were issued
to the same persons who had previously
received SGI protection orders, and
required fingerprinting for an FBI
identification and criminal history
record check for any person with access
to SGI. One significant aspect of the SGI
fingerprinting orders was the
requirement that the recipients
designate a ‘‘reviewing official’’ who
needed access to SGI, and who would
be required to be approved by the NRC
as ‘‘trustworthy and reliable’’ based on
the NRC’s review of his or her
fingerprint-based criminal history
records (e.g., Order EA–06–155; 71 FR
PO 00000
Frm 00084
Fmt 4703
Sfmt 4703
10787
51861, 51862, August 31, 2006,
Paragraph C.2). The orders specified
that only the NRC-approved reviewing
official could make determinations of
access to SGI for the licensee. In
addition, the SGI fingerprinting orders
also did not require the fingerprinting of
a licensee employee who ‘‘has a
favorably-decided U.S. Government
criminal history records check within
the last five (5) years, or has an active
federal security clearance’’ id.
(Paragraph A.3).
All of the orders issued by the NRC
contained a relaxation clause that
generally permitted the order issuing
official (NRC Office Director) to ‘‘in
writing, relax or rescind any of the
above conditions upon demonstration of
good cause by the licensee.’’ The
cumulative efforts of the staff to increase
the protection requirements associated
with SGI and SGI–M, culminated in a
final rulemaking. The final rule,
Protection of Safeguards Information,
was published in the Federal Register
on October 24, 2008, (73 FR 63546). As
stated in the final rule, the purpose of
the rulemaking was, in part, to
‘‘implement generally applicable
requirements for SGI that are similar to
requirements imposed by the orders.’’
Discussion
Since publication of the final rule in
October 2008, licensees and other
stakeholders who routinely use SGI
have raised a number of questions with
the NRC staff regarding implementation
of the final SGI rule, which was
effective February 23, 2009. All persons
subject to the rule’s requirements
(meaning any person, including
licensees, vendors, industry groups, etc.
who are currently in possession of SGI)
were required to be in compliance with
the rule by that date. Based upon
stakeholder questions and comments
with implementation of the rule, the
NRC is issuing this RIS to review rule
requirements and articulate the staff’s
position on several implementation
issues. Stakeholders are advised to
closely examine the final rule itself to
ensure that they are in compliance with
all requirements.
• Continuing Effect of the Orders
A common question from
stakeholders has been whether the final
rule supersedes the existing SGI Orders.
It is the Commission’s intent for all SGI
order requirements to be codified in
regulations. However, the final rule does
not automatically supersede the SGI
orders. Those orders will remain in
effect until further notice and
administrative action is taken. As the
Commission noted in the revised
E:\FR\FM\12MRN1.SGM
12MRN1
10788
Federal Register / Vol. 74, No. 47 / Thursday, March 12, 2009 / Notices
proposed rule, ‘‘the final rule would, on
its effective date, supersede all SGI
orders and advisory letters issued prior
to that effective date. The Commission
will, however, take administrative
action to withdraw all previously issued
[sic] orders where appropriate’’ (71 FR
64004, 64009 (October 31, 2006)). The
Commission will ultimately have to
decide when and by what means it will
relax the SGI orders. The NRC staff is
currently examining this issue as well as
the need for additional SGI rulemaking.
As noted earlier, the orders contain
several provisions, such as the
requirement for a ‘‘reviewing official,’’
that were not included in the final rule
that the NRC staff continues to view as
an essential part of the NRC’s SGI
protection requirements.1
The NRC staff also notes that to the
extent there may be a conflict between
the orders and the rule, the more
stringent of the requirements would
apply. For example, the background
check requirements of the rule would be
imposed as a prerequisite for access to
SGI. Additionally, order recipients
would still be obligated to maintain an
NRC-approved reviewing official as
required by the order.
• Grandfathering of Persons With
Current Access to SGI
cprice-sewell on PRODPC61 with NOTICES
Some licensees have asked if the
access requirements set forth in the final
SGI rule are applicable to all current
and future persons subject to the rule’s
requirements. Persons who have not
been subjected to the rule’s background
check requirement (i.e., the employment
history, education history and personal
references check), must complete such
checks and be found to be trustworthy
and reliable by the responsible party
before they are permitted access to any
SGI. This does not mean that
individuals who have recently been
subject to an equivalent background
check (such as for unescorted access or
for access to national security
information), will have to re-accomplish
a background check simply for access to
SGI. The final rule requirements are
intended to apply to those individuals
to whom these requirements have not
been applied or have not otherwise been
1 The NRC staff notes that the Commission has
also expressed its concern with the continuing
effectiveness of the reviewing official provision in
that only last year, the Commission asked Congress
for an amendment to Section 149 that would permit
the NRC to collect fingerprints from persons
responsible for making decisions regarding a
person’s trustworthiness and reliability. See Letter
to the Honorable Nancy Pelosi from Chairman Dale
E. Klein, dated June 9, 2008 (Legislative Proposal
Package, ADAMS Accession Number
ML0815505691).
VerDate Nov<24>2008
14:56 Mar 11, 2009
Jkt 217001
applied in a reasonably recent time
period.
• Expanded Applicability of the Rule
An important change to SGI
requirements reflected in the final rule
is the expansion of applicability of the
rule to all persons who use SGI. Under
the previous version of the rule, section
73.21(a), the only person subject to the
SGI protection requirements by
regulations were licensees who
possessed formula quantities of strategic
special nuclear material, who were
authorized to operate a nuclear power
reactor, who transported a formula
quantity of strategic special nuclear
material or more than 100 grams of
irradiated reactor fuel, or to persons
who dealt with SGI through a
relationship with any of these categories
of licensees. Under the new rule, 10
CFR 73.21(a)(1), that limitation has been
eliminated, so that the rule applies
broadly to ‘‘Each licensee, certificate
holder, applicant or other person who
produces, receives, or acquires
Safeguards Information (including
Safeguards Information with the
designation or marking: Safeguards
Information-Modified Handling) shall
ensure that it is protected against
unauthorized disclosure.’’
• Elimination of Categories of Persons
Permitted Access to SGI
Under the previous SGI rule, only
categories of persons specifically
identified in paragraphs 73.21(c)(1)(i)
through (iv), or specifically approved by
the Commission on a case by case basis,
were permitted access to Safeguards
Information. This often resulted in a
lengthy approval process when certain
persons sought access to SGI who were
not included within one of the listed
categories. The rule no longer contains
this restriction. In essence, any person
who has a need to know and who has
been determined by the possessor of the
SGI to be trustworthy and reliable based
on meeting all elements of a background
check, may have access to SGI.
• Validity of Active Federal Security
Clearances
Several licensees have asked the NRC
whether personnel with active Federal
security clearances (e.g., ‘‘Q’’ or ‘‘L’’
clearances) would be required to have
additional fingerprinting and
background checks for purposes of
access to SGI. These stakeholders noted
that, although the orders essentially
relieved these individuals from being
fingerprinted for access to SGI (e.g.,
Order EA–06–155; 71 FR 51861, 51862,
August 31, 2006, Paragraph A.3), the
PO 00000
Frm 00085
Fmt 4703
Sfmt 4703
new SGI rule did not contain provisions
for continuing this practice.
It is the NRC Staff’s view that the SGI
rule does not require additional
fingerprinting and background checks
for persons with active Federal security
clearances, provided that sufficient
documentation of the active security
clearance can be obtained by the
adjudicating official. Rather than being
‘‘relieved’’ from the fingerprinting and
background check requirement, such
individuals are considered to have
satisfied the requirements through other
means, namely, the completion of their
national security clearance
investigations. This reflects a longstanding practice of the Commission as
reflected in the hundreds of SGI
fingerprinting orders that it has issued.
• Relief From Fingerprinting
In response to licensee questions of
‘‘relief from fingerprinting’’
requirements, the staff provides the
following clarification. As noted in the
previous section, persons with active
Federal security clearances are not
‘‘relieved’’ from being fingerprinted, but
rather may continue to have access to
SGI based on the fingerprinting for their
national security clearance investigation
and their meeting all other access
requirements. However, 10 CFR 73.59
does identify categories of person
assigned or occupying certain positions
that are categorically relieved from
fingerprinting by virtue of their
occupational status. These categories of
personnel were originally published in
an Immediately Effective Final
Rulemaking that created 10 CFR 73.59
(71 FR 33989, June 13, 2006). The final
SGI rule maintained the majority of
those relief provisions, with several
modifications and additions. Most
notably, 10 CFR 73.59 relieves from
fingerprinting ‘‘any agent, contractor, or
consultant of the aforementioned
persons who has undergone equivalent
criminal history records checks to those
required by 10 CFR 73.22(b) or 10 CFR
73.23(b).’’
It is important to note that personnel
relieved from the fingerprinting and
other elements of the background check
requirement by 10 CFR 73.59 are still
required to possess a valid need to know
prior to obtaining access to SGI or SGIM.
• Storage of SGI or SGI–M
Some licensees raised questions
concerning the storage of Safeguards
Information. The section that addresses
the protection of SGI while in use and
storage was modified by the final rule,
sections 73.22(c)(1) and 73.23(c)(1), to
recognize that SGI can be considered
E:\FR\FM\12MRN1.SGM
12MRN1
Federal Register / Vol. 74, No. 47 / Thursday, March 12, 2009 / Notices
cprice-sewell on PRODPC61 with NOTICES
‘‘under the control of an individual
authorized access to SGI’’ when it is
attended by such a person though not
constantly being used. Safeguards
Information within alarm stations, or
rooms continuously occupied by
authorized individuals need not be
stored in a locked security container. As
has always been the case, SGI must be
stored in a locked security storage
container when unattended. In contrast,
SGI controlled as SGI–M need only be
stored in a locked file drawer or cabinet.
In either case, the rule requires that the
container where SGI or SGI–M is stored
not bare markings that identify the
contents.
• Marking, Reproduction, and
Transmittal of SGI or SGI–M
In response to questions concerning
the marking, reproduction and
transmittal of Safeguards Information,
the staff provided responses, as
summarized here. The SGI document
marking requirements were changed to
assist the reader with the identification
of the document’s designator and the
date that the document or material was
designated as SGI. The first page of SGI
documents or other matter must now
contain the name, title, and organization
of the individual authorized to make a
SGI determination and who has
determined that the document or other
matter contains SGI. The document or
other matter must also indicate the date
that the determination was made, and
indicate that unauthorized disclosure
will be subject to civil and criminal
sanctions. Additional instructions were
provided to aid those tasked with
creating transmittal letters or
memorandum to the NRC that do not in
themselves contain SGI, but is
associated with an attachment or
enclosure that does.
When transmittal letters or
memorandum to the NRC include
enclosures that contain SGI but do not
themselves contain SGI or any other
form of sensitive unclassified
information, the transmittal letter or
memorandum shall be conspicuously
marked, on the top and bottom, with the
words Safeguards Information. In
addition to the SGI marking at the top
and bottom of the transmittal letter or
memorandum, the bottom of the
transmittal letter or memorandum shall
be marked with text to inform the reader
that the document is decontrolled when
separated from SGI enclosure(s).
Correspondence to the NRC containing
SGI and non-SGI must be portion
marked (i.e., cover letters, but not the
attachments) to allow the recipient to
identify and distinguish those sections
of the correspondence or transmittal
VerDate Nov<24>2008
14:56 Mar 11, 2009
Jkt 217001
document containing SGI from those
that do not. The portion marking
requirement is no longer applicable to
guard qualification and training plans.
The new rule has also removed the
guidance that allowed documents and
other matter containing SGI in the
hands of contractors and agents of
licensees that were produced more than
one year prior to the effective date of the
old rule to go unmarked as SGI
documents as long as they remained in
storage containers and were not
removed for use. Those documents and
other matter, whether or not removed
from storage containers for use, must
now be properly marked as SGI
documents.
It is important to note however, that
the rule does not require current
possessors of SGI to retroactively mark
SGI documents that were produced
prior to the effective date of the rule. As
noted by the Commission in the final
rule, ‘‘the Commission does not expect
that licensees or applicants must go
back and mark documents for which a
cover sheet was used for the required
information instead of the first page of
the document, as set forth in 10 CFR
73.22(d)(1)’’ (73 FR 63557).
Safeguards Information may continue
to be reproduced to the minimum extent
necessary consistent with need without
permission of the originator. Equipment
used to reproduce SGI however, must be
evaluated to ensure that unauthorized
individuals cannot obtain SGI by
gaining access to retained memory or
through network connectivity.
The new rule no longer speaks in
generalities to the packaging
requirement for SGI that is transmitted
outside an authorized place of use or
storage. The rule, sections 73.22(f) and
73.23(f), now states that SGI or SGI–M,
when transmitted outside an authorized
place of use or storage, must be
packaged in two sealed envelopes or
wrappers to preclude disclosure of the
presence of protected information. The
inner envelope or wrapper must contain
the name and address of the intended
recipient and be marked on both sides,
top and bottom, with the words
‘‘Safeguards Information’’ or
‘‘Safeguards Information-Modified
Handling,’’ as applicable. The outer
envelope or wrapper must be opaque,
addressed to the intended recipient,
must contain the address of the sender,
and may not bare any markings or
indication that the document or other
matter contains SGI or SGI–M. The new
rule no longer makes reference to the
use of ‘‘messenger-couriers’’ for the
transportation of SGI. It now states that
SGI or SGI–M may be transported by
any commercial delivery company that
PO 00000
Frm 00086
Fmt 4703
Sfmt 4703
10789
provides service with computer tracking
features. It also authorizes the continued
use of U.S. first class, registered,
express, or certified mail for the
transportation of SGI. Individuals
authorized access to SGI or SGI–M may
also transport SGI or SGI–M outside of
an authorized place of use or storage.
The NRC continues to allow for
exceptions when SGI is transmitted
under emergency or extraordinary
conditions. Additionally, a requirement
was added to change what was stated as
‘‘protected telecommunications circuits
approved by the NRC’’ to ‘‘NRC
approved secure electronic devices,
such as facsimiles or telephone
devices.’’ The authorized use of those
NRC-approved devices is conditional
and based upon the transmitter and
receivers compliance with information
security prerequisites. To meet the
requirements, the transmitter and
receiver must implement processes that
will provide high assurance that SGI is
protected before and after the
transmission. Electronic mail, through
the internet, is permitted provided that
the information is encrypted by a
method (Federal Information Processing
Standard [FIPS] 140–2 or later)
approved by the appropriate NRC office.
The information must be produced by a
self contained secure automatic data
process system; and transmitters and
receivers implement the information
handling processes that will provide
high assurance that SGI is protected
before and after transmission.
• Electronic Processing of SGI or SGI–M
The requirements for processing SGI
on automatic data processing systems
have not been significantly revised by
the new SGI rule. However, there are
noticeable differences between the
requirements for processing SGI and
SGI–M on computers. For SGI,
automatic data processing systems used
to process or produce SGI must
continue to be isolated in that they can
not be connected to a network
accessible by users who are not
authorized access to SGI. The
requirement that an entry code be used
to access the stored information has
been deleted. Each computer however,
used to process SGI that is not located
within an approved and lockable
security storage container, must have a
removable storage medium with a
bootable operating system. The bootable
operating system must be used to load
and initialize the computer. The
removable storage medium must also
contain the software application
programs, and be secured in a locked
security storage container when not in
use.
E:\FR\FM\12MRN1.SGM
12MRN1
10790
Federal Register / Vol. 74, No. 47 / Thursday, March 12, 2009 / Notices
implementation of 10 CFR 73.21, 10
CFR 73.22 or 10 CFR 73.23. It requires
no action or written response. Any
action by addressees to implement
changes to their safeguards information
protection system, or procedures in
accordance with the information in this
RIS ensures compliance with 10 CFR
part 73 and existing orders, is strictly
voluntary and therefore, is not a backfit
under 10 CFR 50.109, ‘‘Backfitting.’’
Consequently, the NRC staff did not
perform a backfit analysis.
SECURITIES AND EXCHANGE
COMMISSION
Federal Register Notification
• Removal From SGI or SGI–M Category
When documents or other matter are
removed from the SGI category, because
the information no longer meets the
criteria, care must be exercised to
ensure that any document or other
matter decontrolled not disclose SGI in
some other form or be combined with
other unprotected information to
disclose SGI. The authority to determine
that a document or other matter may be
decontrolled will only be exercised by
the NRC, with the NRC approval, or in
consultation with the individual or
organization that made the original SGI
determination.
cprice-sewell on PRODPC61 with NOTICES
A mobile device, such as a laptop,
may be used for processing SGI
provided the device is secured in a
locked security storage container when
not in use. Where previously not
addressed in the old rule, the new rule
makes allowance for electronic systems
that have been used for storage,
processing or production of SGI to
migrate to non-SGI exclusive use. Any
electronic system that has been used for
storage, processing or production of SGI
must be free of recoverable SGI prior to
being returned to nonexclusive use.
However, SGI–M need not be processed
on a stand-alone computer. The rule
permits SGI–M to be stored, processed
or produced on a computer or computer
system, provided that the system is
assigned to the licensee’s or contractor’s
facility. SGI–M files must be protected,
either by a password or encryption.
Word processors such as typewriters are
not subject to these requirements as long
as they do not transmit information
offsite.
This RIS does not contain any
information collections and, therefore,
is not subject to the requirements of the
Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.)
Notice is hereby given that, pursuant
to the Paperwork Reduction Act of 1995
(44 U.S.C. 3501 et seq.), the Securities
and Exchange Commission (the
‘‘Commission’’) is soliciting comments
on the collection of information
summarized below. The Commission
plans to submit this existing collection
of information to the Office of
Management and Budget for extension
and approval:
Rule 489 (17 CFR 230.489) under the
Securities Act of 1933 (15 U.S.C. 77a et
seq.) requires foreign banks and foreign
insurance companies and holding
companies and finance subsidiaries of
foreign banks and foreign insurance
companies that are exempted from the
definition of ‘‘investment company’’ by
virtue of Rules 3a–1 (17 CFR 170.3a–1),
3a–5 (17 CFR 270.3a–5), and 3a–6 (17
CFR 270.3a–6) under the Investment
Company Act of 1940 (15 U.S.C. 80a–1
et seq.) to file Form F–N (17 CFR
239.43), under the Securities Act of
1933 to appoint an agent for service of
process when making a public offering
of securities in the United States.
Approximately 19 entities are required
by Rule 489 to file Form F–N, which is
estimated to require an average of one
hour to complete. The estimated annual
burden of complying with the rule’s
filing requirement is approximately 24
hours, as some of the entities submitted
multiple filings.
The estimates of average burden hours
are made solely for the purposes of the
Paperwork Reduction Act of 1995 (44
U.S.C. 3501 et seq.) and are not derived
from a comprehensive or even
representative survey or study of the
cost of Commission rules and forms.
Written comments are invited on: (a)
Whether the proposed collection of
information is necessary for the proper
performance of the functions of the
agency, including whether the
information will have practical utility;
(b) the accuracy of the agency’s estimate
of the burden of the collection of
information; (c) ways to enhance the
quality, utility, and clarity of the
information collected; and (d) ways to
minimize the burden of the collection of
• Destruction of Matter Containing SGI
or SGI–M
The final rule now states that SGI and
SGI–M shall be destroyed when no
longer needed. The information can be
destroyed by burning, shredding or any
other method that precludes
reconstruction by means available to the
public at large. Of particular note in the
new rule it is stated one-quarter inch
dimension size for pieces that are
considered destroyed when thoroughly
mixed with several pages or documents.
The NRC will continue to evaluate its
requirements, policies and guidance
concerning the protection and
unauthorized disclosure of SGI.
Licensees, certificate holders, applicants
and other persons who produce, receive,
or acquire SGI will be informed of
proposed revisions or clarifications.
Backfit Discussion
This RIS does not represent a new or
different staff position regarding the
VerDate Nov<24>2008
14:56 Mar 11, 2009
Jkt 217001
To be done after the public comments
periods.
Congressional Review Act
This RIS is not a rule as designated by
the Congressional Review Act (5 U.S.C.
801–886) and therefore, is not subject to
the Act.
Paperwork Reduction Act Statement
Contact
Please direct any questions about this
matter to Robert Norman, at 301–415–
2278 or by e-mail at
robert.norman@nrc.gov.
End of Draft Regulatory Issue Summary
Documents may be examined, and/or
copied for a fee, at the NRC’s Public
Document Room at One White Flint
North, 11555 Rockville Pike (first floor),
Rockville, Maryland. Publicly available
records will be accessible electronically
from the Agencywide Documents
Access and Management System
(ADAMS) Public Electronic Reading
Room on the Internet at the NRC Web
site, https://www.nrc.gov/NRC/ADAMS/
index.html. If you do not have access to
ADAMS or if you have problems in
accessing the documents in ADAMS,
contact the NRC Public Document Room
(PDR) reference staff at 1–800–397–4209
or 301–415–4737 or by e-mail to
pdr@nrc.gov.
Dated at Rockville, Maryland, this 4th day
of March 2009.
For The Nuclear Regulatory Commission,
Martin C. Murphy,
Chief, Generic Communications Branch,
Division of Policy and Rulemaking, Office
of Nuclear Reactor Regulation.
[FR Doc. E9–5296 Filed 3–11–09; 8:45 am]
BILLING CODE 7590–01–P
PO 00000
Frm 00087
Fmt 4703
Sfmt 4703
Proposed Collection; Comment
Request
Upon Written Request, Copies Available
From: Securities and Exchange
Commission, Office of Investor
Education and Advocacy,
Washington, DC 20549.
Extension:
Rule 489 and Form F–N, SEC File No. 270–
361, OMB Control No. 3235–0411.
E:\FR\FM\12MRN1.SGM
12MRN1
]]>Agencies
[Federal Register Volume 74, Number 47 (Thursday, March 12, 2009)]
[Notices]
[Pages 10786-10790]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-5296]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
[NRC-2009-0106]
Proposed Generic Communications; Protection of Safeguards
Information
AGENCY: Nuclear Regulatory Commission.
ACTION: Notice of opportunity for public comment.
-----------------------------------------------------------------------
SUMMARY: The U.S. Nuclear Regulatory Commission (NRC) is proposing to
issue a regulatory issue summary (RIS) to remind all stakeholders of
the significant changes to Title 10 of the Code of Federal Regulations
10 CFR 73.21, 73.22 and 73.23. Previously, many licensees, applicants,
certificate holders, or other persons were issued Orders in the
aftermath of the terrorist attacks of September 11, 2001, that required
them to protect certain detailed information designated as SGI or SGI-
M. Further Orders were issued by the NRC after the enactment of the
Energy Policy Act of 2005 (EPAct), which expanded the NRC's
fingerprinting authority with respect to access to SGI. This RIS
provides clarifying information of the impact of the new rule
(effective date February 23, 2009).
This Federal Register notice is available through the NRC's
Agencywide Documents Access and Management System (ADAMS) under
accession number ML090630662.
DATES: Comment period expires April 13, 2009. Comments submitted after
this date will be considered if it is practical to do so, but assurance
of consideration cannot be given except for comments received on or
before this date.
ADDRESSES: Submit written comments to the Chief, Rulemaking, Directives
and Editing Branch, Division of Administrative Services, Office of
Administration, U.S. Nuclear Regulatory Commission, Mail Stop TWB
5B01M, Washington, DC 20555-0001, and cite the publication date and
page number of this Federal Register notice.
FOR FURTHER INFORMATION CONTACT: Robert Norman, at 301-415-2278 or by
e-mail at robert.norman@nrc.gov.
SUPPLEMENTARY INFORMATION:
NRC Regulatory Issue Summary 2009-XX
Implementation of New Final Rule, Protection of Safeguards Information
Addressees
Each NRC licensee, certificate holder, applicant, or other person
who produces, receives, or acquires Safeguards Information.
[[Page 10787]]
Intent
The U.S. Nuclear Regulatory Commission (NRC) is issuing this
regulatory issue summary (RIS) to remind all stakeholders of the
significant changes to Title 10 of the Code of Federal Regulations 10
CFR 73.21, 73.22 and 73.23. This RIS provides clarifying information of
the impact of the new rule (effective date February 23, 2009). This RIS
requires no action or written response on the part of an addressee.
Background
Previously, many licensees, applicants, certificate holders, or
other persons were issued Orders in the aftermath of the terrorist
attacks of September 11, 2001, that required them to protect certain
detailed information designated as SGI or SGI-M. Further Orders were
issued by the NRC after the enactment of the Energy Policy Act of 2005
(EPAct), which expanded the NRC's fingerprinting authority with respect
to access to SGI.
SGI, which includes both SGI and SGI-M, is a special category of
sensitive unclassified information that licensees must protect from
unauthorized disclosure under Section 147 of the Atomic Energy Act of
1954 (AEA), as amended. Section 147 of the AEA gives the Commission
authority to designate, by regulation or order, other types of
information as SGI. For example, Section 147.a.(2) of the AEA allows
the Commission to designate as SGI a licensee's or applicant's detailed
security measures (including security plans, procedures, and equipment)
for the physical protection of source material or byproduct material in
quantities that the Commission determines to be significant to the
public health and safety or the common defense and security. Prior to
the events of September 11, the Commission implemented its Section 147
authority through regulations in 10 CFR sections 73.21 and 73.57. These
requirements generally applied to security information associated with
nuclear power plants, formula quantities of strategic special nuclear
materials, and the transportation of irradiated fuel. However, changes
in the threat environment after September 11, have resulted in the need
to protect, as SGI, additional types of security related information
held by a broader group of persons, including licensees, applicants,
vendors, and certificate holders. Subsequently, orders were issued that
increased the number of licensees whose security measures would be
protected as SGI and added types of security related information that
would be considered SGI. For example, EA-04-190, issued to certain NRC
byproduct materials licensees on November 4, 2004 (69 Federal Register
(FR) 65470, November 12, 2004). The Commission determined the
unauthorized release of this information could harm the public health
and safety and the Nation's common defense and security and damage the
Nation's critical infrastructure, including nuclear power plants and
other facilities and materials licensed and regulated by the NRC or
Agreement States.
Subsequently, Congress enacted the EPAct (Pub. L. 109-58, 119 Stat.
594). Section 652 of the EPAct amended Section 149 of the AEA to
require the fingerprinting of a broader class of persons for the
purpose of checking criminal history records. Before the EPAct, the
NRC's fingerprinting authority was limited to requiring licensees and
applicants for a license to operate a nuclear power reactor under 10
CFR part 50, ``Domestic Licensing of Production and Utilization
Facilities,'' to fingerprint individuals before granting them access to
SGI. The EPAct expanded the NRC's authority to require fingerprinting
of individuals associated with other types of activities before
granting them access to SGI. The EPAct preserved the Commission's
authority in Section 149 of the AEA to relieve, by rule, certain
persons from the fingerprinting, identification, and criminal history
records checks required for access to SGI. The Commission exercised
that authority to relieve, by rule, certain categories of persons from
the fingerprint identification and criminal history records check along
with other elements of the background check requirement. Categories of
individuals relieved from the background check are described in 10 CFR
73.59.
In addition to the orders mentioned above, the NRC issued a second
round of orders to licensees to impose the fingerprinting requirements
mandated by the EPAct. Those orders were issued to the same persons who
had previously received SGI protection orders, and required
fingerprinting for an FBI identification and criminal history record
check for any person with access to SGI. One significant aspect of the
SGI fingerprinting orders was the requirement that the recipients
designate a ``reviewing official'' who needed access to SGI, and who
would be required to be approved by the NRC as ``trustworthy and
reliable'' based on the NRC's review of his or her fingerprint-based
criminal history records (e.g., Order EA-06-155; 71 FR 51861, 51862,
August 31, 2006, Paragraph C.2). The orders specified that only the
NRC-approved reviewing official could make determinations of access to
SGI for the licensee. In addition, the SGI fingerprinting orders also
did not require the fingerprinting of a licensee employee who ``has a
favorably-decided U.S. Government criminal history records check within
the last five (5) years, or has an active federal security clearance''
id. (Paragraph A.3).
All of the orders issued by the NRC contained a relaxation clause
that generally permitted the order issuing official (NRC Office
Director) to ``in writing, relax or rescind any of the above conditions
upon demonstration of good cause by the licensee.'' The cumulative
efforts of the staff to increase the protection requirements associated
with SGI and SGI-M, culminated in a final rulemaking. The final rule,
Protection of Safeguards Information, was published in the Federal
Register on October 24, 2008, (73 FR 63546). As stated in the final
rule, the purpose of the rulemaking was, in part, to ``implement
generally applicable requirements for SGI that are similar to
requirements imposed by the orders.''
Discussion
Since publication of the final rule in October 2008, licensees and
other stakeholders who routinely use SGI have raised a number of
questions with the NRC staff regarding implementation of the final SGI
rule, which was effective February 23, 2009. All persons subject to the
rule's requirements (meaning any person, including licensees, vendors,
industry groups, etc. who are currently in possession of SGI) were
required to be in compliance with the rule by that date. Based upon
stakeholder questions and comments with implementation of the rule, the
NRC is issuing this RIS to review rule requirements and articulate the
staff's position on several implementation issues. Stakeholders are
advised to closely examine the final rule itself to ensure that they
are in compliance with all requirements.
Continuing Effect of the Orders
A common question from stakeholders has been whether the final rule
supersedes the existing SGI Orders. It is the Commission's intent for
all SGI order requirements to be codified in regulations. However, the
final rule does not automatically supersede the SGI orders. Those
orders will remain in effect until further notice and administrative
action is taken. As the Commission noted in the revised
[[Page 10788]]
proposed rule, ``the final rule would, on its effective date, supersede
all SGI orders and advisory letters issued prior to that effective
date. The Commission will, however, take administrative action to
withdraw all previously issued [sic] orders where appropriate'' (71 FR
64004, 64009 (October 31, 2006)). The Commission will ultimately have
to decide when and by what means it will relax the SGI orders. The NRC
staff is currently examining this issue as well as the need for
additional SGI rulemaking. As noted earlier, the orders contain several
provisions, such as the requirement for a ``reviewing official,'' that
were not included in the final rule that the NRC staff continues to
view as an essential part of the NRC's SGI protection requirements.\1\
---------------------------------------------------------------------------
\1\ The NRC staff notes that the Commission has also expressed
its concern with the continuing effectiveness of the reviewing
official provision in that only last year, the Commission asked
Congress for an amendment to Section 149 that would permit the NRC
to collect fingerprints from persons responsible for making
decisions regarding a person's trustworthiness and reliability. See
Letter to the Honorable Nancy Pelosi from Chairman Dale E. Klein,
dated June 9, 2008 (Legislative Proposal Package, ADAMS Accession
Number ML0815505691).
---------------------------------------------------------------------------
The NRC staff also notes that to the extent there may be a conflict
between the orders and the rule, the more stringent of the requirements
would apply. For example, the background check requirements of the rule
would be imposed as a prerequisite for access to SGI. Additionally,
order recipients would still be obligated to maintain an NRC-approved
reviewing official as required by the order.
Grandfathering of Persons With Current Access to SGI
Some licensees have asked if the access requirements set forth in
the final SGI rule are applicable to all current and future persons
subject to the rule's requirements. Persons who have not been subjected
to the rule's background check requirement (i.e., the employment
history, education history and personal references check), must
complete such checks and be found to be trustworthy and reliable by the
responsible party before they are permitted access to any SGI. This
does not mean that individuals who have recently been subject to an
equivalent background check (such as for unescorted access or for
access to national security information), will have to re-accomplish a
background check simply for access to SGI. The final rule requirements
are intended to apply to those individuals to whom these requirements
have not been applied or have not otherwise been applied in a
reasonably recent time period.
Expanded Applicability of the Rule
An important change to SGI requirements reflected in the final rule
is the expansion of applicability of the rule to all persons who use
SGI. Under the previous version of the rule, section 73.21(a), the only
person subject to the SGI protection requirements by regulations were
licensees who possessed formula quantities of strategic special nuclear
material, who were authorized to operate a nuclear power reactor, who
transported a formula quantity of strategic special nuclear material or
more than 100 grams of irradiated reactor fuel, or to persons who dealt
with SGI through a relationship with any of these categories of
licensees. Under the new rule, 10 CFR 73.21(a)(1), that limitation has
been eliminated, so that the rule applies broadly to ``Each licensee,
certificate holder, applicant or other person who produces, receives,
or acquires Safeguards Information (including Safeguards Information
with the designation or marking: Safeguards Information-Modified
Handling) shall ensure that it is protected against unauthorized
disclosure.''
Elimination of Categories of Persons Permitted Access to SGI
Under the previous SGI rule, only categories of persons
specifically identified in paragraphs 73.21(c)(1)(i) through (iv), or
specifically approved by the Commission on a case by case basis, were
permitted access to Safeguards Information. This often resulted in a
lengthy approval process when certain persons sought access to SGI who
were not included within one of the listed categories. The rule no
longer contains this restriction. In essence, any person who has a need
to know and who has been determined by the possessor of the SGI to be
trustworthy and reliable based on meeting all elements of a background
check, may have access to SGI.
Validity of Active Federal Security Clearances
Several licensees have asked the NRC whether personnel with active
Federal security clearances (e.g., ``Q'' or ``L'' clearances) would be
required to have additional fingerprinting and background checks for
purposes of access to SGI. These stakeholders noted that, although the
orders essentially relieved these individuals from being fingerprinted
for access to SGI (e.g., Order EA-06-155; 71 FR 51861, 51862, August
31, 2006, Paragraph A.3), the new SGI rule did not contain provisions
for continuing this practice.
It is the NRC Staff's view that the SGI rule does not require
additional fingerprinting and background checks for persons with active
Federal security clearances, provided that sufficient documentation of
the active security clearance can be obtained by the adjudicating
official. Rather than being ``relieved'' from the fingerprinting and
background check requirement, such individuals are considered to have
satisfied the requirements through other means, namely, the completion
of their national security clearance investigations. This reflects a
long-standing practice of the Commission as reflected in the hundreds
of SGI fingerprinting orders that it has issued.
Relief From Fingerprinting
In response to licensee questions of ``relief from fingerprinting''
requirements, the staff provides the following clarification. As noted
in the previous section, persons with active Federal security
clearances are not ``relieved'' from being fingerprinted, but rather
may continue to have access to SGI based on the fingerprinting for
their national security clearance investigation and their meeting all
other access requirements. However, 10 CFR 73.59 does identify
categories of person assigned or occupying certain positions that are
categorically relieved from fingerprinting by virtue of their
occupational status. These categories of personnel were originally
published in an Immediately Effective Final Rulemaking that created 10
CFR 73.59 (71 FR 33989, June 13, 2006). The final SGI rule maintained
the majority of those relief provisions, with several modifications and
additions. Most notably, 10 CFR 73.59 relieves from fingerprinting
``any agent, contractor, or consultant of the aforementioned persons
who has undergone equivalent criminal history records checks to those
required by 10 CFR 73.22(b) or 10 CFR 73.23(b).''
It is important to note that personnel relieved from the
fingerprinting and other elements of the background check requirement
by 10 CFR 73.59 are still required to possess a valid need to know
prior to obtaining access to SGI or SGI-M.
Storage of SGI or SGI-M
Some licensees raised questions concerning the storage of
Safeguards Information. The section that addresses the protection of
SGI while in use and storage was modified by the final rule, sections
73.22(c)(1) and 73.23(c)(1), to recognize that SGI can be considered
[[Page 10789]]
``under the control of an individual authorized access to SGI'' when it
is attended by such a person though not constantly being used.
Safeguards Information within alarm stations, or rooms continuously
occupied by authorized individuals need not be stored in a locked
security container. As has always been the case, SGI must be stored in
a locked security storage container when unattended. In contrast, SGI
controlled as SGI-M need only be stored in a locked file drawer or
cabinet. In either case, the rule requires that the container where SGI
or SGI-M is stored not bare markings that identify the contents.
Marking, Reproduction, and Transmittal of SGI or SGI-M
In response to questions concerning the marking, reproduction and
transmittal of Safeguards Information, the staff provided responses, as
summarized here. The SGI document marking requirements were changed to
assist the reader with the identification of the document's designator
and the date that the document or material was designated as SGI. The
first page of SGI documents or other matter must now contain the name,
title, and organization of the individual authorized to make a SGI
determination and who has determined that the document or other matter
contains SGI. The document or other matter must also indicate the date
that the determination was made, and indicate that unauthorized
disclosure will be subject to civil and criminal sanctions. Additional
instructions were provided to aid those tasked with creating
transmittal letters or memorandum to the NRC that do not in themselves
contain SGI, but is associated with an attachment or enclosure that
does.
When transmittal letters or memorandum to the NRC include
enclosures that contain SGI but do not themselves contain SGI or any
other form of sensitive unclassified information, the transmittal
letter or memorandum shall be conspicuously marked, on the top and
bottom, with the words Safeguards Information. In addition to the SGI
marking at the top and bottom of the transmittal letter or memorandum,
the bottom of the transmittal letter or memorandum shall be marked with
text to inform the reader that the document is decontrolled when
separated from SGI enclosure(s). Correspondence to the NRC containing
SGI and non-SGI must be portion marked (i.e., cover letters, but not
the attachments) to allow the recipient to identify and distinguish
those sections of the correspondence or transmittal document containing
SGI from those that do not. The portion marking requirement is no
longer applicable to guard qualification and training plans. The new
rule has also removed the guidance that allowed documents and other
matter containing SGI in the hands of contractors and agents of
licensees that were produced more than one year prior to the effective
date of the old rule to go unmarked as SGI documents as long as they
remained in storage containers and were not removed for use. Those
documents and other matter, whether or not removed from storage
containers for use, must now be properly marked as SGI documents.
It is important to note however, that the rule does not require
current possessors of SGI to retroactively mark SGI documents that were
produced prior to the effective date of the rule. As noted by the
Commission in the final rule, ``the Commission does not expect that
licensees or applicants must go back and mark documents for which a
cover sheet was used for the required information instead of the first
page of the document, as set forth in 10 CFR 73.22(d)(1)'' (73 FR
63557).
Safeguards Information may continue to be reproduced to the minimum
extent necessary consistent with need without permission of the
originator. Equipment used to reproduce SGI however, must be evaluated
to ensure that unauthorized individuals cannot obtain SGI by gaining
access to retained memory or through network connectivity.
The new rule no longer speaks in generalities to the packaging
requirement for SGI that is transmitted outside an authorized place of
use or storage. The rule, sections 73.22(f) and 73.23(f), now states
that SGI or SGI-M, when transmitted outside an authorized place of use
or storage, must be packaged in two sealed envelopes or wrappers to
preclude disclosure of the presence of protected information. The inner
envelope or wrapper must contain the name and address of the intended
recipient and be marked on both sides, top and bottom, with the words
``Safeguards Information'' or ``Safeguards Information-Modified
Handling,'' as applicable. The outer envelope or wrapper must be
opaque, addressed to the intended recipient, must contain the address
of the sender, and may not bare any markings or indication that the
document or other matter contains SGI or SGI-M. The new rule no longer
makes reference to the use of ``messenger-couriers'' for the
transportation of SGI. It now states that SGI or SGI-M may be
transported by any commercial delivery company that provides service
with computer tracking features. It also authorizes the continued use
of U.S. first class, registered, express, or certified mail for the
transportation of SGI. Individuals authorized access to SGI or SGI-M
may also transport SGI or SGI-M outside of an authorized place of use
or storage.
The NRC continues to allow for exceptions when SGI is transmitted
under emergency or extraordinary conditions. Additionally, a
requirement was added to change what was stated as ``protected
telecommunications circuits approved by the NRC'' to ``NRC approved
secure electronic devices, such as facsimiles or telephone devices.''
The authorized use of those NRC-approved devices is conditional and
based upon the transmitter and receivers compliance with information
security prerequisites. To meet the requirements, the transmitter and
receiver must implement processes that will provide high assurance that
SGI is protected before and after the transmission. Electronic mail,
through the internet, is permitted provided that the information is
encrypted by a method (Federal Information Processing Standard [FIPS]
140-2 or later) approved by the appropriate NRC office. The information
must be produced by a self contained secure automatic data process
system; and transmitters and receivers implement the information
handling processes that will provide high assurance that SGI is
protected before and after transmission.
Electronic Processing of SGI or SGI-M
The requirements for processing SGI on automatic data processing
systems have not been significantly revised by the new SGI rule.
However, there are noticeable differences between the requirements for
processing SGI and SGI-M on computers. For SGI, automatic data
processing systems used to process or produce SGI must continue to be
isolated in that they can not be connected to a network accessible by
users who are not authorized access to SGI. The requirement that an
entry code be used to access the stored information has been deleted.
Each computer however, used to process SGI that is not located within
an approved and lockable security storage container, must have a
removable storage medium with a bootable operating system. The bootable
operating system must be used to load and initialize the computer. The
removable storage medium must also contain the software application
programs, and be secured in a locked security storage container when
not in use.
[[Page 10790]]
A mobile device, such as a laptop, may be used for processing SGI
provided the device is secured in a locked security storage container
when not in use. Where previously not addressed in the old rule, the
new rule makes allowance for electronic systems that have been used for
storage, processing or production of SGI to migrate to non-SGI
exclusive use. Any electronic system that has been used for storage,
processing or production of SGI must be free of recoverable SGI prior
to being returned to nonexclusive use. However, SGI-M need not be
processed on a stand-alone computer. The rule permits SGI-M to be
stored, processed or produced on a computer or computer system,
provided that the system is assigned to the licensee's or contractor's
facility. SGI-M files must be protected, either by a password or
encryption. Word processors such as typewriters are not subject to
these requirements as long as they do not transmit information offsite.
Removal From SGI or SGI-M Category
When documents or other matter are removed from the SGI category,
because the information no longer meets the criteria, care must be
exercised to ensure that any document or other matter decontrolled not
disclose SGI in some other form or be combined with other unprotected
information to disclose SGI. The authority to determine that a document
or other matter may be decontrolled will only be exercised by the NRC,
with the NRC approval, or in consultation with the individual or
organization that made the original SGI determination.
Destruction of Matter Containing SGI or SGI-M
The final rule now states that SGI and SGI-M shall be destroyed
when no longer needed. The information can be destroyed by burning,
shredding or any other method that precludes reconstruction by means
available to the public at large. Of particular note in the new rule it
is stated one-quarter inch dimension size for pieces that are
considered destroyed when thoroughly mixed with several pages or
documents.
The NRC will continue to evaluate its requirements, policies and
guidance concerning the protection and unauthorized disclosure of SGI.
Licensees, certificate holders, applicants and other persons who
produce, receive, or acquire SGI will be informed of proposed revisions
or clarifications.
Backfit Discussion
This RIS does not represent a new or different staff position
regarding the implementation of 10 CFR 73.21, 10 CFR 73.22 or 10 CFR
73.23. It requires no action or written response. Any action by
addressees to implement changes to their safeguards information
protection system, or procedures in accordance with the information in
this RIS ensures compliance with 10 CFR part 73 and existing orders, is
strictly voluntary and therefore, is not a backfit under 10 CFR 50.109,
``Backfitting.'' Consequently, the NRC staff did not perform a backfit
analysis.
Federal Register Notification
To be done after the public comments periods.
Congressional Review Act
This RIS is not a rule as designated by the Congressional Review
Act (5 U.S.C. 801-886) and therefore, is not subject to the Act.
Paperwork Reduction Act Statement
This RIS does not contain any information collections and,
therefore, is not subject to the requirements of the Paperwork
Reduction Act of 1995 (44 U.S.C. 3501 et seq.)
Contact
Please direct any questions about this matter to Robert Norman, at
301-415-2278 or by e-mail at robert.norman@nrc.gov.
End of Draft Regulatory Issue Summary
Documents may be examined, and/or copied for a fee, at the NRC's
Public Document Room at One White Flint North, 11555 Rockville Pike
(first floor), Rockville, Maryland. Publicly available records will be
accessible electronically from the Agencywide Documents Access and
Management System (ADAMS) Public Electronic Reading Room on the
Internet at the NRC Web site, https://www.nrc.gov/NRC/ADAMS/.
If you do not have access to ADAMS or if you have problems in accessing
the documents in ADAMS, contact the NRC Public Document Room (PDR)
reference staff at 1-800-397-4209 or 301-415-4737 or by e-mail to
pdr@nrc.gov.
Dated at Rockville, Maryland, this 4th day of March 2009.
For The Nuclear Regulatory Commission,
Martin C. Murphy,
Chief, Generic Communications Branch, Division of Policy and
Rulemaking, Office of Nuclear Reactor Regulation.
[FR Doc. E9-5296 Filed 3-11-09; 8:45 am]
BILLING CODE 7590-01-P
