[Federal Register: October 31, 2006 (Volume 71, Number 210)]
[Proposed Rules]
[Page 64003-64068]
-----------------------------------------------------------------------
Part IV
Nuclear Regulatory Commission
-----------------------------------------------------------------------
10 CFR Parts 2, 30, et al.
Protection of Safeguards Information; Proposed Rule
[[Page 64004]]
-----------------------------------------------------------------------
NUCLEAR REGULATORY COMMISSION
10 CFR Parts 2, 30, 40, 50, 52, 60, 63, 70, 71, 72, 73, 76, and 150
RIN: 3150-AH57
Protection of Safeguards Information
AGENCY: Nuclear Regulatory Commission.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: The Nuclear Regulatory Commission (NRC) is proposing to amend
its regulations for the protection of Safeguards Information (SGI) to
protect SGI from inadvertent release and unauthorized disclosure which
might compromise the security of nuclear facilities and materials. The
amendments would affect certain licensees, information, and materials
not currently subject to SGI regulations, but which are within the
scope of Commission authority under the Atomic Energy Act of 1954, as
amended (AEA). The NRC originally published a proposed rule on SGI on
February 11, 2005 (70 FR 7196). The NRC is again publishing the
proposed rule on SGI protection requirements in order to allow the
public to comment on changes to the proposed rule text in response to
public comment and to reflect amendments to the AEA in the Energy
Policy Act of 2005 (EPAct) and Commission Orders issued to licensees
authorized to possess and transfer items containing certain quantities
of radioactive material.
DATES: The comment period expires January 2, 2007. Submit comments
specific to information collection aspects of this rule January 2,
2007. Comments received after that date will be considered if it is
practical to do so, but the NRC is able to ensure consideration only
for comments received on or before this date.
ADDRESSES: You may submit comments by any one of the following methods.
Please include the following number (RIN 3150-AH57) in the subject line
of your comments. Comments on this rulemaking submitted in writing or
in electronic form will be made available for public inspection.
Because your comments will not be edited to remove identifying
information, the NRC cautions against including personal information
such as social security numbers and birth dates in your submission.
Mail comments to: Secretary, U.S. Nuclear Regulatory Commission,
Washington, DC 20555-0001, Attn: Rulemaking and Adjudications Staff.
E-mail comments to: SECY@nrc.gov. If you do not receive a reply e-
mail confirming that we have received your comments, contact us
directly at (301) 415-1966. You may also submit comments via the NRC's
rulemaking Web site at http://ruleforum.llnl.gov. Address questions
about our rulemaking Web site to Carol Gallagher at (301) 415-5905; e-
mail: cag@nrc.gov. Comments can also be submitted via the Federal
Rulemaking Portal http://www.regulations.gov.
Hand deliver comments to 11555 Rockville Pike, Rockville, Maryland,
20852, between 7:30 a.m. and 4:15 p.m. Federal workdays. (Telephone:
(301) 415-1966).
Fax comments to: Secretary, U.S. Nuclear Regulatory Commission at
(301) 415-1101. Publicly available documents related to this rulemaking
may be examined and copied for a fee at the NRC's Public Document Room
(PDR), Public File Area 01F21, One White Flint North, 11555 Rockville
Pike, Rockville, Maryland. Selected documents, including comments, can
be reviewed and downloaded electronically via the NRC rulemaking Web
site at http://ruleforum.llnl.gov.
You may submit comments on the information collections by the
methods indicated in the Paperwork Reduction Act Statement.
Publicly available documents created or received at the NRC after
November 1, 1999, are available electronically at the NRC's Electronic
Reading Room at http://www.nrc.gov/ NRC/ADAMS/index.html. From this
site, the public can gain entry into the NRC's Agencywide Document
Access and Management System (ADAMS), which provides text and image
files of NRC's public documents. If you do not have access to ADAMS or
if there are problems in accessing the documents located in ADAMS,
contact the NRC's PDR Reference staff at 1-800-397-4209, 301-415-4737
or by e-mail to pdr@nrc.gov.
FOR FURTHER INFORMATION CONTACT: Marjorie Rothschild, Senior Attorney,
Office of the General Counsel, U.S. Nuclear Regulatory Commission,
Washington, DC 20555-0001, telephone (301) 415-1633, e-mail MUR@nrc.gov
or Bernard Stapleton, Office of Nuclear Security and Incident Response,
Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone
(301) 415-2432, e-mail BWS2@nrc.gov.
Supplementary Information:
I. Background
II. Need for Rule
III. Purpose of Rulemaking
IV. Discussion
A. Overview of Public Comments on the Original Proposed Rule
B. Comments and Issues
1. Comments in Response to Specific Request for Comments
2. General Issues
3. Section-Specific Comments
C. Section-by-Section Analysis
D. Request for Specific Comment
V. Criminal Penalties
VI. Agreement State Issues
VII. Voluntary Consensus Standards
VIII. Finding of No Significant Impact: Environmental Assessment
IX. Paperwork Reduction Act Statement
X. Regulatory Analysis
XI. Regulatory Flexibility Certification
XII. Backfit Analysis
I. Background
The NRC first published proposed amendments to its rules in parts
2, 30, 40, 50, 52, 60, 63, 70, 71, 72, 73, 76, 150 governing the
handling of Safeguards Information and creating a new category of
protected material, Safeguards Information-Modified Handling on
February 11, 2005 (70 FR 7196). Subsequently, Congress passed the
Energy Policy Act of 2005 (EPAct), Pub. L. No. 109-58, 119 Stat. 594.
Section 652 of the EPAct amended section 149 of the Atomic Energy Act
(AEA) to require fingerprinting, for criminal history check purposes,
of a broader class of persons. With regard to access to SGI before the
EPAct, the NRC's fingerprinting authority was limited to requiring
licensees and applicants for a license to operate a nuclear power
reactor under 10 CFR part 50 to fingerprint individuals prior to
granting access to SGI. The EPAct expanded the NRC's authority to
require fingerprinting of only individuals with access to SGI. Under
the EPAct, NRC has the authority to require that the following
individuals conduct fingerprinting before granting access to SGI: (1)
Individuals licensed or certified to engage in an activity subject to
regulation by the Commission; (2) individuals who have filed an
application for a license or certificate to engage in Commission-
regulated activities; and (3) have notified the Commission in writing
of an intent to file an application for licensing, certification,
permitting, or approval of a product or activity subject to regulation
by the Commission. Previously, section 149 of the AEA only required
fingerprinting and criminal history records checks of individuals
seeking access to SGI (as defined in Sec. 73.2) from a power reactor
licensee or license applicant.
The EPAct preserved the Commission's authority in section 149 to
relieve by rule certain persons from the fingerprinting,
identification, and
[[Page 64005]]
criminal history records checks. The Commission recently exercised that
authority to relieve by rule certain categories of persons from those
requirements including Federal, State, and local officials involved in
security planning and incident response, Agreement State employees who
evaluate licensee compliance with security-related orders, members of
Congress who request SGI as part of their oversight function, and
certain foreign representatives. These exemptions are based on the
Commission's findings that (1) interrupting those individuals' access
to SGI to perform fingerprinting and criminal history checks would harm
vital inspection, oversight, planning, and enforcement functions, (2)
it would impair communications among the NRC, its licensees, and first
responders in the event of an imminent security threat or other
emergency, and (3) it could strain the Commission's cooperative
relationships with its international counterparts, and might delay
needed exchanges of information to the detriment of current security
initiatives both at home and abroad. The final rule was published in
the Federal Register on June 13, 2006 (71 FR 33,989). That final rule
was necessary to avoid disruption of the Commission's information
sharing activities during the interim period while the Commission
completes the overall revision of the regulations in this rulemaking.
We have revised the original proposed rule to reflect the new
requirements under the EPAct, and the final rule cited above, and we
are again seeking public comment before promulgating a final SGI rule.
We have also made revisions to reflect public comments on the original
proposed rule, recent Commission direction, and Orders issued to
licensees authorized to possess and transfer items containing certain
quantities of radioactive material.
The Commission requests that comments on this revised proposed rule
focus on the changes and additions to the original proposed rule and
not on areas discussed in previous comments. Because the public has
already had opportunity to comment on much of the material contained in
this revised proposed rule, the Commission has determined that a 60-day
comment period is appropriate, and requests for extension of the
commenting period will not be granted.
SGI is a special category of sensitive unclassified information to
be protected from unauthorized disclosure under Section 147 of the AEA.
Although SGI is considered to be sensitive unclassified information, it
is handled and protected more like Classified National Security
Information than like other sensitive unclassified information (e.g.,
privacy and proprietary information). Part 73, ``Physical Protection of
Plants and Materials,'' of the NRC's regulations in Title 10 of the
Code of Federal Regulations (CFR) contains requirements for the
protection of SGI. Commission orders issued since September 11, 2001,
have also imposed requirements for the designation and protection of
SGI. These requirements apply to SGI in the hands of any person,
whether or not a licensee of the Commission, who produces, receives, or
acquires SGI. An individual's access to SGI requires both a valid
``need to know'' the information and authorization based on an
appropriate background investigation. Power reactors, certain research
and test reactors, and independent spent fuel storage installations are
examples of the categories of licensees currently subject to the
provisions of 10 CFR part 73 for the protection of SGI. Examples of the
types of information designated as SGI include the physical security
plan for a licensee's facility, the design features of a licensee's
physical protection system, and operational procedures for the
licensee's security organization.
The Commission has authority under Section 147 of the AEA to
designate, by regulation or order, other types of information as SGI.
For example, Section 147a.(2) allows the Commission to designate as SGI
a licensee's or applicant's detailed security measures (including
security plans, procedures and equipment) for the physical protection
of source material or byproduct material in quantities determined by
the Commission to be significant to the public health and safety or the
common defense and security. The AEA explicitly provides in Section
147a. that ``any person, whether or not a licensee of the Commission,
who violates any regulations adopted under this section shall be
subject to the civil monetary penalties of Section 234 of this Act.''
Furthermore, willful violation of any regulation or order governing SGI
is a felony subject to criminal penalties in the form of fines or
imprisonment, or both, as prescribed in Section 223 of the AEA.
The Commission has, by order, imposed SGI handling requirements on
certain categories of these licensees. An example is the November 25,
2003 Order issued to certain materials licensees.\1\ Violations of SGI
handling and protection requirements, whether those specified in part
73 or those imposed by order, are subject to civil and criminal
sanctions. Licensee employees, past or present, and all other persons
who have had access to SGI have a continuing obligation to protect SGI
in order to prevent inadvertent release and unauthorized disclosure.
Information designated as SGI must be withheld from public disclosure
and must be physically controlled and protected. Protection
requirements include: (1) Secure storage; (2) document marking; (3)
restriction of access; (4) limited reproduction; (5) protected
transmission; (6) controls for information processing on electronic
systems; and (7) destruction of SGI. The AEA explicitly provides in
Section 147a. that ``any person, whether or not a licensee of the
Commission, who violates any regulations adopted under this section
shall be subject to the civil monetary penalties of Section 234 of this
Act.'' Furthermore, willful violation of any regulation or order
governing SGI is a felony subject to criminal penalties in the form of
fines or imprisonment, or both, as prescribed in Section 223 of the
AEA.
---------------------------------------------------------------------------
\1\ This Order was published in the Federal Register as
``Licensees Authorized to Manufacture or Initially Transfer Items
Containing Radioactive Material for Sale or Distribution and Who
Possess Certain Radioactive Material of Concern and all Persons Who
Obtain Safeguards Information Described Herein; Order Issued on
November 25, 2003, Imposing Requirements for the Protection of
Certain Safeguards Information (Effective Immediately),'' (69 FR
3397; Jan. 23, 2004).
---------------------------------------------------------------------------
II. Need for Rule
Changes in the threat environment have revealed the need to protect
as SGI additional types of security information held by a broader group
of licensees. The current regulations do not specify all of the types
of information that could be designated as SGI and are now recognized
to be significant to the public health and safety or the common defense
and security. The unauthorized release of this information could result
in harm to the public health and safety and the Nation's common defense
and security, as well as damage to the Nation's critical
infrastructure, including nuclear power plants and other facilities and
materials licensed and regulated by the NRC or Agreement States.
Since September 11, 2001, the NRC has issued orders that have
increased the number of licensees whose security measures will be
protected as SGI and added types of security information considered to
be SGI. Orders have been issued to power reactor licensees, fuel cycle
facility licensees, certain source material licensees, and certain
byproduct material licensees. Some of
[[Page 64006]]
the orders expanded the types of information to be protected by
licensees who already have an SGI protection program, such as nuclear
power reactor licensees. Other orders were issued to licensees that
have not previously been subject to SGI protection requirements in the
regulations, such as certain licensees authorized to manufacture or
initially transfer items containing radioactive material.\2\ Some
orders imposed a new designation detailing modified handling
requirements for certain SGI: Safeguards Information-Modified Handling
(SGI-M). The more precise term is ``Safeguards Information-designated
as Safeguards Information-Modified Handling'' to distinguish between
``type of information''--SGI, and the two sets of handling requirements
``SGI'' and ``SGI-M''. We are not seeking to create another type of
information separate from SGI, and in fact SGI-M is SGI.
---------------------------------------------------------------------------
\2\1\ See Order (69 FR 3397; January 23, 2004).
---------------------------------------------------------------------------
SGI-M refers to SGI with handling requirements that are modified
somewhat due to the lower risk posed by unauthorized disclosure of the
information. The SGI-M protection requirements apply to certain
security-related information regarding quantities of source, byproduct,
and special nuclear materials for which the harm caused by unauthorized
disclosure of information would be less than that for SGI.
Some of the requirements imposed by orders that have increased the
types of information to be considered SGI are not covered by the
current regulations. Although the Commission has the authority to
impose new SGI requirements through the issuance of orders, the
regulations would not reflect current Commission SGI policy and/or
requirements. Consequently, the NRC has opted to amend its regulations.
III. Purpose of Rulemaking
NRC staff review of the SGI regulatory program indicates that
changes in the regulations are needed to address issues such as access
to SGI, types of security information to be protected, and handling and
storage requirements.
This rulemaking will:
(1) Revise the definition of ``need to know'' in 10 CFR 73.2;
(2) Implement expanded fingerprinting and criminal history check
procedures for broader categories of individuals who will have access
to SGI unless exempt from those requirements;
(3) Implement a requirement for background checks which form the
basis for demonstrating trustworthiness and reliability for individuals
who will have access to SGI unless exempt from those requirements. As
discussed in detail later, background checks are comprised of several
elements, which would now include a criminal history check;
(4) Modify part 73 to reflect the Commission's recent experience
and actions, including addressing requirements contained in Orders
issued following the terrorist attacks of September 11, 2001;
(5) Expand the scope of part 73 to include additional categories of
licensees (e.g., source and byproduct material licensees, research and
test reactors not previously covered, and fuel cycle facilities not
previously covered);
(6) Expand the types of security information covered by the
definition of SGI in Sec. 73.2 and the information categories
described in Sec. Sec. 73.22 and 73.23 to include detailed security
measures for the physical protection of byproduct, source, and special
nuclear material; security-related scenarios and implementing
procedures; uncorrected vulnerabilities or weaknesses in a security
system; and certain training and qualification information; and
(7) Clarify requirements for obtaining access to SGI in the context
of adjudications and clarify the appeal procedures available.
(8) Modify the original proposed rule to align it with the final
rule in 10 CFR 73.59 granting relief from the identification and
criminal history records check element (including fingerprinting) of
background checks for designated categories of individuals.
(9) Modify 10 CFR 73.59 to make it consistent with the language and
structure of the proposed SGI rule.
A graded approach based on the risks and consequences of
information disclosure would be used in determining which category of
licensee or type of information would be subject to certain protection
requirements. This graded approach can be applied to issues such as the
type of information to be protected, the classes of licensees subject
to the rule, and the level of handling requirements necessary for the
various licensees. For example, the graded approach would allow certain
licensees to employ the modified-handling procedures introduced in
recent orders and now set forth in the provisions of this revised
proposed rule.
The requirements set forth in this revised proposed rule are the
minimum restrictions the Commission finds necessary to protect SGI
against inadvertent release or unauthorized disclosure which might
compromise the health and safety of the public or the common defense
and security. The revised proposed rule would cover those facilities
and materials the Commission has already determined need to be
protected against theft or sabotage. The categories of information
constituting SGI relate to the types of facilities and the quantities
of special nuclear material, source material and byproduct material
determined by the Commission to be significant and therefore subject to
protection against unauthorized disclosure pursuant to Section 147 of
the AEA. Unauthorized release of SGI could reduce the deterrence value
of systems and measures used to protect nuclear facilities and
materials and allow for the possible compromise of those facilities and
materials. Such disclosures could also facilitate advance planning by
an adversary intent on committing acts of theft or sabotage against the
facilities and materials within the scope of the revised proposed rule.
Further, the Commission has determined, pursuant to Section 147a.(3)(B)
of the AEA, that the unauthorized disclosure of the information that is
the subject of this revised proposed rule could reasonably be expected
to have a significant adverse effect on the health and safety of the
public or the common defense and security by significantly increasing
the likelihood of theft, diversion, or sabotage of nuclear material or
a production or utilization facility. The Commission has distinguished
SGI designated as SGI-M, needing modified protection, from SGI for
reactors and fuel cycle facilities that require a higher level of
protection.
IV. Discussion
A. Overview of Public Comments on the Original Proposed Rule
On February 11, 2005, (70 FR 7196), the Commission published a
proposed rule and requested public comments by March 28, 2005. Twenty-
five comment letters were received, in addition to 622 letters from
members of the public that were substantively identical. Copies of
those letters are available for public inspection and copying for a fee
at the NRC Public Document Room, 11555 Rockville Pike, Rockville,
Maryland, or on the NRC's Agencywide Document Access and Management
System, available online at: http://www.nrc.gov/reading-rm/adams/web-based.html
.
Two comment letters were from trade unions, four were from public
interest or government watchdog groups, one was from a journalist
group, three were from members of the public, one was from a State
government agency, two were from the U.S. Department of
[[Page 64007]]
Energy, one was from a law firm that represents nuclear utilities, and
eleven were from utilities or nuclear industry groups. The comment
letters provided various points of view and suggestions for
clarifications, additions, deletions, and changes. Responses to the
comments, including those in the 622 letters from the public, are set
forth below.
B. Comments and Issues
1. Comments In Response to Specific Request for Comments
In the February 2005 proposed rule, the NRC solicited specific
public comment on the issue associated with differing requirements for
access to SGI and SGI-M. The original proposed rule Sec. Sec.
73.22(b)(1) and 73.23(b)(1) contained different requirements for
performing background checks and making trustworthiness and reliability
determinations for granting personnel access to SGI or SGI-M. These
proposed requirements were based on the then-existing statutory
authorization in Section 149 of the AEA for the NRC to require nuclear
power reactor applicants or licensees to fingerprint individuals to be
granted access to SGI. Before enactment of the EPAct on August 8, 2005,
there was no similar statutory authorization to require fingerprinting
by other applicants or licensees. Section 652 of the EPAct, however,
amended Section 149 of the AEA to authorize the NRC to require
fingerprinting of individuals granted access to SGI by all: (1)
Individuals and entities engaged in activities subject to regulation by
the Commission; (2) applicants for a license or certificate to engage
in Commission-regulated activities; and (3) individuals and entities
who have notified the Commission in writing of an intent to file an
application for licensing, certification, permitting, or approval of a
product or activity subject to regulations by the Commission.
The NRC published the original proposed rule six months before the
Energy Policy was enacted, specifically inviting comment on whether
stakeholders perceived difficulties in complying with the varying
requirements of SGI and SGI-M. The Commission has considered
stakeholders' suggestions, comments, and proposals regarding the issue
of whether a more uniform approach can be provided for background
checks and trustworthiness and reliability determinations. Although
comments may not have explicitly referred to this request for specific
comment, many comments addressed the issue of performing background
checks and the criteria for determining trustworthiness and reliability
for access to SGI and SGI-M. These comments and detailed responses are
set forth below. Commission views are also presented.
One commenter expressed concern that the criteria to judge
``trustworthiness and reliability'' could be applied arbitrarily to
restrict access to information by persons deemed to have interests
opposing the NRC or nuclear industry. Commenters also questioned how a
``comprehensive background check'' would be conducted and what ``the
other means'' for determining ``trustworthiness and reliability'' would
be. Other commenters noted that the definition of ``trustworthiness and
reliability'' does not clearly address how its requirements will be
uniformly applied for all classes of individuals (for example, an
individual who is not a utility employee such as an attorney for a
utility or intervenor in an NRC adjudicatory proceeding), and whether
there is a need for continued monitoring. Another commenter requested
that the NRC address when background checks are required for persons
requiring infrequent access to SGI or SGI-M such as commercial vendors
periodically supplying security equipment and needed services to
facilities. Some commenters requested greater detail on the criteria
the NRC will use to determine access to SGI-M and that such criteria
should allow for greater access to SGI-M because it poses ``a lower
security risk.''
In response to these comments, the Commission notes that the
purpose of the criteria to determine ``trustworthiness and
reliability'' for access to SGI is to provide reasonable assurance to
the person granting access and to the Commission that granting an
individual access to SGI does not constitute an unreasonable risk to
the public health and safety or the common defense and security.
Applying the criteria to improperly restrict access to SGI on the basis
of an individual's support or opposition to the nuclear industry is not
consistent with the regulatory framework the Commission has established
for granting access to SGI.
The changes to the original proposed rule text reflect Commission
efforts to more thoroughly address the criteria for determining access
to SGI. For example, the revised proposed rule defines the term
``background check'' and provides greater specificity in the definition
of the term ``trustworthiness and reliability.'' The revised proposed
rule provides procedural protections to individuals seeking access to
SGI in the context of adjudication both before and after an adverse
determination of trustworthiness and reliability by the NRC Office of
Administration. Before an adverse determination of trustworthiness and
reliability is made, individuals would be entitled to use the
procedures set forth in Sec. 73.57. In the context of NRC
adjudications, individuals receiving an adverse determination on their
background check for trustworthiness and reliability would be able to
appeal that adverse determination to the presiding officer of the
proceeding in which the SGI is sought. Potential witnesses,
participants without attorneys, and attorneys would be able to request
that the Chairman of the Atomic Safety and Licensing Board Panel
designate an officer other than the presiding officer of the proceeding
to review the determination. Moreover, in the revised proposed rule,
the Commission has standardized the criteria for access to SGI to
implement amendments to Section 149 of the AEA contained in Section 652
of the EPAct. The revised proposed rule would require a Federal Bureau
of Investigation criminal history check as part of the background check
used to determine whether an individual is trustworthy and reliable
before obtaining access to SGI, unless the Commission has otherwise
provided. This requirement would extend to participants in NRC
adjudicatory proceedings.
The frequency with which access to SGI is needed is not a factor
for determining access to SGI or SGI-M based on the governing
provisions of the AEA or the Commission's regulatory framework
implementing those provisions. Establishing an individual's need-to-
know the information and trustworthiness and reliability is necessary
whether an individual needs a one-time access to SGI or SGI-M or access
multiple times. A trustworthiness and reliability determination based
on a background check must be made except for individuals enumerated in
Sec. 73.59 including contractors of an applicant or licensee. The
Commission has determined that access to SGI and Safeguards Information
designated as SGI-M by licensee employees, agents, vendors, or
contractors must include both an appropriate need-to-know finding by
the licensee and a finding concerning the trustworthiness and
reliability of individuals having access to the information. Although a
separate need-to-know determination will be required for each specific
request for access to SGI, the requirement for a determination of
trustworthiness and
[[Page 64008]]
reliability based on a background check could be considered satisfied
within a certain period of time, 5 years for example. The same interval
would apply to criminal history records checks (including
fingerprinting), which are an element of a background check to
determine trustworthiness and reliability.
A commenter also questioned why the Commission would institute
requirements applicable to SGI-M and suggested that the ``less risk-
associated information'' be ``Official Use Only'' while some of the
more sensitive information be ``Classified National Security
Information.'' The Commission has distinguished SGI designated as SGI-
M, needing a lower level of protection. Information meeting the
definition of SGI in Section 147 of the AEA is being protected as such
rather than under the designations proposed by this commenter because
such information should be protected as SGI does not constitute
Classified National Security Information.
2. General Issues
Comment: Some commenters stated that the proposed regulations go
beyond the ``minimum restrictions'' needed to protect the health and
safety of the public or the common defense and security, as required by
Section 147 of the AEA. Rather than applying this provision, the
Commission has expanded the SGI category to include virtually anything
it wants to withhold. Therefore, the original proposed rule should be
withdrawn or drastically revised.
Response: The Commission recognizes there are limits to its
discretion under Section 147 of the AEA in determining what information
presents security concerns significant enough to warrant protection as
SGI. The revised proposed rule does not expand the Commission's
discretion beyond statutory limits--the revised proposed rule describes
the information the Commission considers SGI and is within the scope of
the authority granted by Section 147 of the AEA.
Section 147 of the AEA authorizes the Commission to protect
information that specifically identifies the control and accounting
procedures or security measures, including plans, procedures, and
equipment used to protect source, byproduct, and special nuclear
material. The categories of information to be protected under the rule
fall well within this scope. Sections 73.22(a)(1) and 73.23(a)(1) would
protect information associated with physical protection such as alarm
system layouts, intrusion detection equipment, and security
communications systems, among other information. Sections 73.22(a)(2)
and 73.23(a)(2) would protect information associated with physical
protection such as intrusion alarms, vehicle immobilization features,
and plans for law enforcement coordination. Sections 73.22(a)(3) and
73.23(a)(3) would protect inspection reports, audits, and evaluations
to the extent they discuss security measures or security
vulnerabilities. All of this and other information categorized in the
regulations, if publicly disclosed, could be used to specifically
identify the control and accounting procedures or security measures,
including security plans, procedures, and equipment used to protect
source, byproduct, and special nuclear material and allow the
circumvention of those plans, procedures, or equipment.
The Commission's proposed conditions for access to SGI are not
overly restrictive. Persons authorized access must be trustworthy and
reliable based upon a background check to ensure that they will not
purposely or inadvertently compromise the information. Access to SGI is
limited to those with a ``need to know'' the information to avoid
unnecessarily broad distribution of the information, which would
increase the risk of inadvertent disclosures. As in the current SGI
regulations, certain persons would be deemed trustworthy and reliable
by virtue of their occupational status-these persons are generally
members of government or law enforcement agencies, who in many cases
have undergone background checks as a condition of their employment.
Representatives of foreign governments or organizations would also not
be subject to the background and criminal history checks, if approved
by the Commission for access to SGI. Such an exemption is consistent
with the Commission's historical practice. All of these persons would
still be required to demonstrate a ``need to know'' the information.
The Commission's proposed SGI handling requirements are not overly
restrictive. Document marking requirements are necessary to distinguish
SGI from other information so that it can be properly controlled.
Locking up SGI while unattended is necessary to prevent unauthorized
access to the information, as is limiting access to keys and knowledge
of lock combinations. Restrictions on electronic processing,
telecommunications and transmission are important to prevent
interception of SGI, whether by electronic surveillance or other means.
Comment: Many commenters suggested that the SGI designation does
not permit the NRC to withhold all information and that the NRC is
acting illegally and trying to silence those who are trying to improve
nuclear safety. If instituted, these regulations would compromise the
public's ability to hold the nuclear industry and its government
regulators accountable for their management of nuclear facilities and
materials.
Response: The Commission recognizes that there are statutory limits
to the use of the SGI designation. The revised proposed rule remains
within these limits and describes categories of information that may
properly be considered SGI. The revised proposed rule recognizes the
Commission's authority to issue further orders or regulations
designating information as SGI, provided it is within the scope of
Section 147 of the AEA.
The Commission's purpose in proposing this rulemaking is not to
unnecessarily withhold information from the public, to silence
criticism of nuclear safety or security policies or to prevent the
public from offering suggestions for improvement. The proposed SGI
regulations are intended to ensure adequate protection of the public
health and safety and the common defense and security by preventing
authorized disclosure of certain, limited category of information that
could be used to compromise the security of nuclear facilities and
materials.
The Commission always welcomes public input on nuclear safety and
nuclear security. Members of the public may write letters to the
Commission, file petitions for rulemaking under 10 CFR 2.802, and file
requests to institute a proceeding to modify, suspend, or revoke a
license under 10 CFR 2.206. Members of the public may seek to initiate
or participate in adjudications held in connection with proposed
licensing actions. They may also attend public meetings to communicate
their safety and security concerns. The NRC will always consider and
respond to public concerns, but it must do so without compromising the
safety and security of nuclear materials and facilities.
Comment: One commenter stated that the original proposed rule would
create a system without rights, duties, and obligations such as those
in the Freedom of Information Act (FOIA), which would abuse the open
government principles on which the United States was founded. Other
commenters proposed that a final rule include procedures for
designating
[[Page 64009]]
officials who may withhold SGI, to provide oversight of the system, and
to allow for review or appeal of SGI or SGI-M determinations. A
commenter stated that the NRC has not provided an individual the
opportunity to challenge an SGI determination by appealing to the head
of the agency. A commenter expressed concerns that a final rule needed
the types of controls and checks that are built into the national
security classification system. According to the commenter, there are
no mechanisms for reviewing and appealing decisions to categorize
information as SGI; the rule has an inadequate mechanism for removing
information from SGI status once it has been categorized; there are no
truly independent bodies to exercise oversight over SGI determinations;
there is no recognized channel for getting disputes over SGI status
into court; and there are insufficient mechanisms for making the
portions of SGI information which would not present a risk in the form
of redacted documents available to Congress, the news media, and the
public.
Response: Section 147 of the AEA sets forth the substantive legal
requirements governing the protection of SGI. Section 147 of the AEA
does not require the Commission to develop FOIA-like appeal procedures
to resolve individual challenges to SGI designation on a case-by-case
basis.
Creation of FOIA-like appeal procedures would result in a
cumbersome administrative process for SGI designation and potentially
require substantial resources to implement and administer. The
preferred approach is the one the Commission is proposing here--
providing the public notice of and opportunity to comment on categories
of information the Commission would consider SGI.
Throughout this rulemaking, the Commission has been open about the
categories of information it seeks to protect and the reasons for
protecting that information. The Commission is giving the public
adequate notice of the approach and ample opportunity to challenge the
Commission's SGI designations on a generic basis. There is no need to
develop procedures for challenging the designation of information as
SGI or SGI-M.
Comment: One commenter proposed that the NRC should followup this
rulemaking with the deletion of or revisions to current orders and
advisory letters. In the interim, NRC should, by order or regulation,
state that the revised regulations supersede all conflicting orders and
advisory letters issued prior to the effective date of the revision to
the regulations.
Response: This revised proposed rule incorporates the requirements
for SGI protection previously described in NRC orders and advisory
letters. The final rule would, on its effective date, supersede all SGI
orders and advisory letters issued prior to that effective date. The
Commission will, however, take administrative action to withdraw all
previously orders where appropriate.
Comment: One commenter recommended that the NRC rule specify that
security information or plans associated with a licensee possessing,
using, transporting, or offering for transport greater than or equal to
Category (CAT) I quantities of Strategic Special Nuclear Material
(SSNM) be controlled as Classified National Security Information in
accordance with the provisions of 10 CFR parts 25 and 95. In addition,
the commenter recommends that the NRC revise the final rule with
respect to the protection of information associated with security
information and plans for a licensee possessing, using, transporting,
or offering for transport CAT II and III quantities of special nuclear
material (SNM) to utilize a risk-informed and graded approach
consistent with the change to CAT I SSNM, specifically:
(1) Security information and plans for licensees possessing, using,
transporting, or offering for transport less than a formula quantity of
SSNM but greater than or equal to a CAT II quantity of SNM (consisting
of U-233, Pu, or high-enriched U-235 (enriched to 20 percent or more))
should be controlled as SGI per the requirements of Sec. Sec. 73.21
and 73.22 of the original proposed rule;
(2) Security information and plans for licensees possessing, using,
transporting, or offering for transport less than a CAT II quantity of
SNM (consisting of U-233, Pu, or high-enriched U-235 (enriched to 20
percent or more)), but more than 10 kg of a CAT III quantity of SNM, or
a CAT II quantity of low-enriched U-235 (enriched to less than 20%)
should be controlled as SGI-M per the requirements of Sec. Sec. 73.21
and 73.23 of the original proposed rule;
(3) The risks associated with security information and plans for
licensees possessing, using, transporting, or offering for transport
less than a CAT III of SNM do not require protection under part 73.
The commenter suggests that this approach would provide greater
regulatory clarity than the NRC's original proposed rule language of
``fuel cycle facilities required to implement security measures'' and
``fuel cycle facilities'' in Sec. Sec. 73.21(a)(1)(i) and 73.22
introductory text, respectively, by clearly identifying de minimis
levels of SNM requiring protection.
The commenter also recommends that the NRC revise part 76 to
incorporate this graded approach for certificate holders under part 76,
because the requirements for protection of CAT I, II, or III SNM under
parts 70 and 76 should be the same.
Response: The revised proposed rule language clearly indicates that
it only applies to information that is not classified as Restricted
Data or National Security Information. If the specific information is
considered to be Restricted Data or National Security Information it
would be protected as such and the SGI provisions would not apply.
The NRC staff agrees that a graded approach should be used, and the
revised proposed rule uses a graded approach. The staff agrees that
additional clarification is necessary to explain what is meant by fuel
cycle facilities. The original proposed rule text has been revised to
add clarity. Fuel fabrication facilities, uranium enrichment
facilities, uranium hexafluoride conversion facilities, and independent
spent fuel storage installations will be subject to the provisions in
Sec. 73.22 for SGI. Research and test reactors and other facilities
that have special nuclear material of low or moderate strategic
significance will be subject to the provisions of Sec. 73.23 for SGI-
M.
Comment: One commenter suggested that a final rule either: (1)
Remove the designation of site access information as SGI; or (2)
specify that the ``need to know'' includes the protection of employment
and labor rights, so that individuals involved in employment-related
grievances, arbitration, litigation, and/or labor contract negotiations
and administration may gain access to relevant SGI when such
individuals qualify as ``Individuals Authorized to Access Safeguards
Information''. Also, the commenter requests that the rule set forth a
procedure by which employees and their representatives may apply to
gain access to relevant SGI for the protection of employment and labor
rights so that individuals involved in employment-related grievances,
arbitration, litigation and/or labor contract negotiations and
administration may gain access to relevant SGI when such individuals do
not qualify as ``Individuals Authorized to Access Safeguards
information.''
The commenter asserts that it is additionally problematic that site
access information is SGI because it could lead to an unnecessary
chilling effect having adverse safety implications. Removing
[[Page 64010]]
site access information as SGI or, alternatively, establishing
provisions whereby employees and their representatives may obtain such
information, will prevent violations of individuals' rights under
applicable laws and will not compromise the safety of nuclear
facilities.
Response: The revised proposed rule would not designate ``site
access information'' as SGI and is not intended to discourage
individuals from raising safety or security concerns to licensees or
the NRC. Employees of NRC licensees who feel they have been retaliated
against for raising safety or security concerns are encouraged to seek
potential enforcement action through the NRC and to go to the
Department of Labor for potential personal remedies.
There is no presumptive ``need to know'' for agents representing
employees of NRC licensees in employment-related grievances. The
revised proposed rule would not establish a special procedure by which
agents representing employees of NRC licensees may have access to SGI,
but the Commission retains the authority to grant such access if the
circumstances of an individual case so require.
Comment: One commenter contended that the Commission lacks the
statutory authority to impose regulations for the protection of SGI
pertaining to the security measures of State licensees. According to
this commenter, the licensees or applicants referred to in Section 147
of the AEA are clearly those of the Commission only, and not of the
Agreement States.
Response: Section 147a. of the AEA requires the Commission, in
relevant part, to prescribe such regulations or issue such orders as
necessary to prohibit the unauthorized disclosure of SGI. The
Commission also has authority under Subsections 161b. and 161i. to
issue rules, regulations, or orders to protect the common defense and
security. Moreover, Section 274m. of the AEA, ``Cooperation with
States,'' provides that no agreement entered into pursuant to Section
274b. shall affect the Commission's authority under Subsections 161b.
and, 161i.
As to the commenter's assertions regarding the terms ``licensee''
or ``applicant,'' the plain language of Section 147 refers simply to
``licensee's or applicant's [detailed information].'' Section 147 draws
no distinction between a ``Commission licensee'' as the commenter
asserts and an ``Agreement State licensee.'' Thus, on its face, the
statute does not support the commenter's viewpoint.
Comment: One commenter suggested that a final rule should focus not
only on SGI and SGI-M material, but should include rules for the
protection of other levels of information.
Response: The scope of this rulemaking, as stated in the original
proposed rule, is limited to amending the regulations for the
protection of SGI. Other types of information are governed by separate
requirements. For example, an executive order, applicable government-
wide, controls Classified National Security Information. E.O. 12958, as
amended, ``Classified National Security Information'', and related
directives of the Information Security Oversight Office, National
Archives and Records Administration, April 20, 1995. NRC regulations
found in 10 CFR 2.390 govern handling of other categories of sensitive
unclassified information. The NRC has determined that no further
changes to NRC regulations are warranted at this time.
Comment: One commenter questioned the ``correct'' categorization of
information the NRC considers to be SGI. According to the commenter,
when a Department of Energy (DOE) facility is licensed, there may be
difficulties in deciding if the information should be Classified
National Security Information (CNSI) or SGI. On the other hand, the
commenter asserted that ``Official Use Only'' should be considered
before marking the information as SGI.
Response: The proposed amendments to the regulations reflect the
statutory definitions of SGI in Section 147 of the AEA. The Commission
believes that the definitions in the revised proposed rule accurately
reflect the information described in Section 147 as SGI. Both the
relevant proposed amendments to part 73 as well as guidance that would
be issued by the staff would assist licensees in correctly designating
information to be protected as SGI. The DOE has previously demonstrated
that it has a comprehensive program governing the classification of
information. As noted in the original proposed rule, any information
classified as National Security Information would carry that
designation and not be designated as SGI.
It is appropriate for any entity possessing sensitive information,
classified or otherwise, to consider all possible and appropriate
classifications/designations of information when making decisions to
protect such information from public disclosure. The Commission expects
that information falling within the definition of SGI will be so
designated, thus mandating the withholding of the information from
public disclosure and that only information properly characterized as
SGI will be designated as such. In this regard, the Commission notes
that information marked as ``Official Use Only'' does not assure that
the information will be withheld from public disclosure.
Comment: One commenter recognized that requirements in 10 CFR
73.22, for SGI, would apply to reactors and licensees authorized to
possess a formula quantity of SSNM, while requirements in 10 CFR 73.23,
for SGI-M, would apply to licensees authorized to possess certain
quantities of source and byproduct material and SNM of moderate or low
strategic significance. The commenter pointed out that some licensees
are authorized to possess, in one license, in excess of a formula
quantity of SSNM, in addition to a significant quantity of source
material and byproduct material. The commenter suggested that the rule
is not clear on whether such a licensee should follow Sec. 73.22 or
Sec. 73.23. The commenter further suggested that it would seem
burdensome for a single licensee to have separate SGI and SGI-M
programs. Another commenter noted that industry discussions with the
NRC led it to believe that controlling SGI-M documents under its
existing SGI program was acceptable; however, the proposed changes in
paragraph (d) of Sec. Sec. 73.22 and 73.23 appear to contradict that
position and expand the marking and handling requirements to apply to
both SGI and SGI-M documents. That commenter noted that, given the
effectiveness of the current program, there does not appear to be any
justification for the additional marking requirements in paragraph (d).
Response: The NRC agrees with the comment that it could be
inefficient for licensees possessing categories or quantities of
material under Sec. Sec. 73.22 and 73.23 to implement both information
protection schemes. Licensees subject to both Sec. Sec. 73.22 and
73.23 would be in compliance with the requirements for protection of
SGI if they implement the higher protection standards in Sec. 73.22,
or they may choose to implement a multi-level approach. Licensees with
a single-level information security system could use the marking
``Safeguards Information'' in place of ``Safeguards Information--
Modified Handling.'' This alternative would be appropriate because the
facility security measures and associated information protection
requirements would be based on the higher category of asset possessed
by the licensee.
A primary difference between the SGI protection requirements in
Sec. 73.22 and the SGI-M protection requirements in Sec. 73.23 is how
the information is
[[Page 64011]]
marked and stored. SGI in the former category is marked ``Safeguards
Information'' while the latter category is marked ``Safeguards
Information designated as Safeguards Information-Modified Handling.''
The different markings are associated with different storage
requirements. SGI described in Sec. 73.22 must be stored in a locked
security storage container, but SGI described in Sec. 73.23 has a less
stringent storage requirement--the information must be stored in a
locked file drawer or cabinet or may be stored in a security container
as described in Sec. 73.22.
Proper marking is necessary when SGI is communicated between
entities or parties so that the recipient does not receive a document
with markings that would require storage in a container that the
recipient does not possess. It is the duty of the licensee or applicant
who transfers documents containing SGI to a party beyond their control
to ensure that the document is properly marked. Without the appropriate
document markings, the sender inadvertently could cause a violation of
the regulations.
Comment: One commenter noted that the expanded types of documents
that must be handled as SGI or SGI-M and the addition of marking
requirements will require additional effort and time to implement.
Therefore, the commenter suggested that the rule allow at least one
year for the licensee to effectively implement the requirements.
Response: The NRC recognizes that SGI requirements require effort
and time to implement, but does not concur that one year is necessary
for implementation. This revised proposed rule reflects orders already
imposed by the Commission and would expand the types of security
information covered by Sec. 73.2. Considering the scope of the rule,
the Commission proposes to set an effective date for the final rule of
90 days from publication in the Federal Register.
Comment: One commenter stated that the reference in the
Supplementary Information portion of the original proposed rule to
criminal penalties for violation of Commission requirements governing
SGI should clarify that criminal sanctions are only imposed for willful
violations.
Response: In response to this comment, the relevant language in
Section I. (``Background'') of this revised proposed rule has been
changed to remove ambiguity about the application of criminal penalties
for violations of the AEA (i.e., such penalties apply to willful
violations only).
Comment: One commenter asked whether DOE facilities licensed by the
NRC would be excluded from all orders.
Response: To the extent that the NRC has regulatory authority over
a DOE facility, the NRC has the authority to issue orders to the DOE
applicable to that facility.
3. Section-Specific Comments
Parts 60 and 63: Disposal of High-Level Radioactive Waste in Geologic
Repositories; Disposal of High-Level Radioactive Wastes in a Geologic
Repository in Yucca Mountain, Nevada
Comment: One commenter suggested that the degree of information
security required for facilities licensed under parts 60 and 63 is
insufficient for the protection of National Security Information and is
inconsistent with long-standing NRC classification guidance, recent
Commission and staff actions, as well as the 2004 ``Joint DOE and NRC
Sensitive Unclassified Information and Classification Guide for the
Office of Civilian Radioactive Waste Management Program'' (CG-OCRWM-1,
which is non-public). The commenter contends that this inconsistency in
language will cause regulatory confusion and could lead to inadequate
protection of National Security Information or inadequate enforcement
authority.
Specifically, the commenter notes that the proposed language in
Sec. Sec. 70.22, 70.32, 73.2, and 73.22 refers to physical security,
safeguards contingency, and guard qualification and training plans
information being controlled as SGI per Sec. Sec. 73.21 and 73.22.
However, CG-OCRWM-1, the commenter notes, indicates that certain
information associated with the proposed Yucca Mountain repository will
be considered National Security Information.
In addition, the commenter contends that Sec. Sec. 60.21, 60.42,
63.21, and 63.42 refer to the ``design for physical security'' to be
protected as SGI, but does not mention the ``physical security plan.''
The commenter suggests that the NRC explicitly require the physical
security plan for a repository licensed under parts 60 or 63 be
protected as SGI or classified information, to ensure that the plan
itself is properly protected and that greater regulatory consistency is
maintained. In addition, the commenter recommends that the NRC revise
parts 60 and 63 to require design for physical security and the
physical security, safeguards contingency, and guard qualification and
training plans be controlled as SGI or classified information per parts
25 and 95.
Response: The SGI definition includes the disclaimer that it does
not include information classified as National Security Information or
Restricted Data. Any information covered by the classification guide as
constituting National Security Information would continue to be
classified. The proposed regulation would cover security related
information that is not covered by the classification guide. Changes to
this revised proposed rule are not necessary to specify which
information is considered to be National Security Information and which
is SGI, however, changes to the original proposed rule have been made
in Sec. Sec. 60.21, 60.42, 63.21, and 63.42 to clarify that security
information associated with a geologic repository would be protected as
SGI or as classified information. The NRC has also revised the original
proposed rule language to remove the inconsistency in terminology for
the ``physical security,'' ``safeguards contingency,'' and ``guard
qualification and training plans.''
Comment: One commenter suggested that the program entitled ``Joint
DOE and NRC Sensitive Unclassified Information and Classification Guide
for the Office of Civilian Radioactive Waste Management Program''
remains an adequate and acceptable program, as written, for the
identification of SGI and its continued use in the part 63 licensing
process will be in compliance with this rulemaking.
Response: A classification/designation guide, ``Joint DOE and NRC
Sensitive Unclassified Information and Classification Guide for the
Office of Civilian Radioactive Waste Management Program,'' has been
issued by the NRC and the DOE. This guide reflects the current laws and
regulations governing classification and designation of information
required to be protected from unauthorized disclosure. The NRC staff
believes that this guide represents the information proposed to be
protected by the current rulemaking.
Part 73: Physical Protection of Plants and Materials
Section 73.2 Definitions
The Commission received numerous comments on the definitions.
Commenters asked the Commission to revise, delete, or add definitions
for terms used in the rule. Some new terms have been added because of
changes made in other sections of the revised proposed rule. Public
comments and responses to the comments, as well other reasons for
changes to Sec. 73.2, are presented below.
[[Page 64012]]
Comprehensive Background Check
Comment: Commenters suggested that the term ``comprehensive
background check'' be defined.
Response: The Commission has changed the phrase ``comprehensive
background check'' to ``background check'' in the new proposed rule.
The change is intended to more clearly distinguish the background check
requirements of this revised proposed rule from the background
investigation requirements of other regulations governing access
authorization (10 CFR 73.56). Background investigations required under
those regulations are arguably more comprehensive. To avoid the
impression that the background check that would be required by this
rule would be more stringent or probing than background investigations,
the word ``comprehensive'' has been deleted.
The Commission has included a general definition of ``background
check'' in Sec. 73.2 of the revised proposed rule. A background check
performed to determine the trustworthiness and reliability of an
individual to be authorized access to SGI or SGI-M includes, at a
minimum, a criminal history check, verification of identity, employment
history, education, and personal references. The EPAct expanded the
NRC's authority to fingerprint, and as such, entities engaged in
activities subject to regulation by the Commission, entities who
applied for licenses or certificates to engage in Commission-regulated
activities, and entities who have notified the Commission in writing of
an intent to file an application for licensing, certification,
permitting, or approval of a product or activity subject to regulation
by the Commission would be required under 10 CFR 73.57 to conduct
criminal history checks, including fingerprints, before granting access
to SGI or SGI-M to the employees of the individual's organization.
Ultimately, the decision whether an individual is sufficiently
trustworthy and reliable to receive SGI or SGI-M is made by the person
granting access. In the case of information held by the NRC staff and
the originator, the NRC staff would make the determination. The
background check must be sufficient to support a trustworthiness and
reliability determination so that the person granting access and the
Commission have reasonable assurance that individuals granted access to
SGI do not constitute an unreasonable risk to the public health and
safety or the common defense and security.
To reiterate, the background check that would be required by this
revised proposed rule may not completely satisfy the background
investigations required under other regulations. Nor does the
trustworthiness and reliability determination based on the background
check that would be required by this revised proposed rule satisfy the
trustworthiness and reliability objectives of other regulations. For
example, determining trustworthiness and reliability under 10 CFR 73.56
requires not only a background investigation, but a psychological
assessment and behavioral observation as well. Determining
trustworthiness and reliability under 10 CFR 26.10 requires chemical
and alcohol testing under a fitness-for-duty program. Those
requirements are separate from the requirements of this revised
proposed rule.
The NRC staff plans to issue further guidance that will include a
discussion of acceptable background checks to support a licensee's
trustworthiness and reliability determinations.
Detailed Control and Accounting Procedures
Comment: One commenter suggested that the term ``detailed control
and accounting procedures'' for SNM needs clarification, for example,
as to whether it includes: (1) The written directions for transferring
fuel between the fuel pool and the reactor; (2) the outage schedule
that shows when fuel movement occurs; (3) the real-time communication
channels or video-monitoring to support fuel movement; or (4) the
computer and software that performs the isotopic calculations for
irradiated fuel. The commenter is concerned that restricting access to
these types of detailed information would significantly hamper work
coordination and communication within the protected area, without
affecting what is commonly known outside the protected area in a more
general sense.
Response: In response to the request in this comment, the
Commission notes that ``detailed control and accounting procedures'' do
not include any of the four types of information set forth in this
comment. Therefore, there should be no concern about restricting access
to these types of information on the basis that they are SGI.
High-Level Radioactive Waste, Spent Nuclear Fuel, and Irradiated
Reactor Fuel
Comment: A commenter requested that these terms be defined in Sec.
73.2.
Response: The revised proposed rule would make conforming changes
to 10 CFR part 72, ``Licensing Requirements for the Independent Storage
of Spent Nuclear Fuel, High-Level Radioactive Waste, and Reactor-
Related Greater than Class C Waste.'' The terms ``high-level
radioactive waste'' and ``spent nuclear fuel'' are defined in existing
10 CFR 72.3. These definitions of ``high-level radioactive waste'' and
``spent nuclear fuel'' would not be affected and would continue to
apply. The description of ``irradiated reactor fuel'' provided in Sec.
73.37 includes certain spent fuel described in parts 71 and 72, is
consistent with the definition of spent fuel in the Nuclear Waste
Policy Act (NWPA), and appropriately uses a graded approach for
physical protection and safeguards considerations. Therefore, the
Commission does not believe a separate definition of the term is needed
in Sec. 73.2.
Safeguards Information (``SGI'')
Comment: Commenters stated that the definition of this term in the
original proposed rule is too broad. They asked that the terms used in
Section 147 of the AEA, ``a licensee's or applicant's'' detailed
information, be included in the rule's definition of SGI.
Response: This revised proposed rule modifies the definition of SGI
to more closely track the language in Section 147, by including the
term ``licensee's or applicant's [detailed information].'' However, SGI
could include information other entities generate, e.g. vendors, as
such information could ultimately identify a licensee's or applicant's
detailed procedures, security measures, or other information within the
scope of Section 147.
Comment: A commenter suggested that while security measures to
protect certain plant equipment vital to the safety of production or
utilization facilities should be protected as SGI, the location of the
equipment should not be included within the definition of SGI.
Response: As set forth in Section 147 of the AEA, SGI includes
``security measures for the physical protection of and the ``location
of certain plant equipment vital to the safety of production or
utilization facilities involving nuclear material covered by paragraphs
(1) and (2) [of Section 147a]''. The Commission has determined, in
accordance with Section 147a.(3) of the AEA, that the unauthorized
disclosure of this type of information could reasonably be expected to
have a significant adverse effect on the health and safety of the
public or the common defense and security. As required by Section
[[Page 64013]]
147a.(3)(A), the Commission applied the minimum restrictions necessary
to protect the health and safety of the public or the common defense
and security in making this determination. As noted in the Statement of
Considerations for the original proposed rule, one purpose of this
rulemaking is to include in part 73 the types of information the
Commission may protect as SGI, based on the description of SGI in
Section 147 of the AEA. Accordingly, the Commission is keeping the
language which is the subject of this comment in the definition of SGI
in Sec. 73.2.
Comment: A commenter requested that the definition of SGI in Sec.
73.2 include language that allows for temporary status of SGI, based,
for example, on a six-month period in which there would be an immediate
risk if the information were disclosed.
Response: Designation of information as SGI is not static. Section
73.22(h), ``Removal from Safeguards Information category'' would
require that documents originally containing SGI must be removed from
the SGI category, in accordance with the criteria in Sec. 73.22(h), at
such time as the information no longer meets the criteria contained in
part 73. In addition, a review of such documents to make that
determination shall be conducted every 10 years. Documents that are 10
years or older and designated as SGI or SGI-M shall be reviewed for a
decontrol determination if they are currently in use or removed from
storage. The Commission sees no need to modify the definition of SGI to
reflect the non-permanent nature of the SGI designation, as the
commenter requests.
Comment: According to another comment, the definition of SGI should
not allow a source or byproduct material ``exemption'' that would allow
the NRC to categorize anything as SGI if it believed disclosure of that
information could have an adverse effect on the public health and
safety or the common defense and security. The commenter expressed
concern that such language could be overused or abused, and therefore
suggested that it be eliminated and that the definition of SGI be more
precise and have clearly defined limits.
Response: Section 147a.(2) of the AEA specifically includes as SGI
security measures for the physical protection of source material or
byproduct material in quantities determined by the Commission to be
significant to the public health and safety or the common defense and
security. The Commission has appropriately defined the categories of
information to be protected as SGI or SGI-M in this rulemaking. Those
categories are within the limits of the Commission's authority under
Section 147 of the AEA.
Comment: A commenter objected to the ``blanket exemption'' in the
definition of SGI and requested that this ``exemption'' be eliminated.
According to the commenter, such an ``exemption'' was unnecessary and
could adversely impact workers'' and communities' abilities to monitor
health risks.
Response: The definition of SGI does not contain any explicit
``exemption.'' Therefore, the Commission can only surmise as to the
``exemption'' to which this comment refers. The commenter may be
referring to that portion of the definition which reflects the
Commission's authority, under Section 147a.(3) of the AEA, to determine
certain security measures to be SGI, provided certain findings are made
pursuant to Sections 147a.(3)(A) and (B). In exercising this authority,
the Commission would, as reflected in the SGI definition, make the
designation by order or regulation as specified in revised 73.22(a)(5)
and 73.23(a)(5). The Commission is proposing to modify this portion of
the definition of SGI to make clear that the ``other information''
would be within the scope of Section 147.
Safeguards Information-Modified Handling (``SGI-M'')
Comment: A commenter believes that the definition of this term is
unclear and should be defined as ``lower-risk information'' and
therefore have less rigorous restrictions and greater public access.
Response: The definition of SGI-M in Sec. 73.2 is not as specific
as the definition of SGI in Sec. 73.2. The main reason for this is
that SGI-M is SGI for which modified handling requirements apply. As
stated in the Statement of Considerations for the original proposed
rule, the term SGI-M ``would be added to reflect this new designation
for marking [and handling] of SGI subject to this regulation.'' 70 FR
at 7199. The marking and handling requirements for SGI-M are set forth
in Sec. 73.23, ``Protection of Safeguards Information-Modified
Handling: Specific Requirements.'' Those requirements are less
restrictive than for information marked SGI, for example, requirements
for unattended storage of SGI-M set forth in Sec. 73.23(c)(2). The
introductory text of Sec. 73.23 and paragraph (a) of that section
specifically describe the types of information SGI-M that are subject
to the handling requirements. Therefore, the Commission sees no need to
modify the definition of SGI-M in the revised proposed rule.
Significant Adverse Effect
Comment: One commenter proposed that a final rule define the term
``significant adverse effect''.
Response: The term ``significant adverse effect'' appears in
Section 147.a. of the AEA, in the proposed definition of SGI, and
elsewhere in the revised proposed rule. The term reflects the
Commission's authority under Section 147a.(2) and (3) to protect
against a certain type of unauthorized disclosure of information. Such
an unauthorized disclosure is one which ``could reasonably be expected
to have a significant adverse effect on the health and safety of the
public or the common defense and security by significantly increasing
the likelihood of theft, diversion, or sabotage'' of material or a
facility. Thus, a ``significant adverse effect'' is one which could
significantly increase the likelihood of such effects. The Commission
believes that this statement adequately describes the term and a
separate definition is not necessary.
Transportation Physical Security Plan
Comment: One commenter proposed that the final rule define the term
``transportation physical security plan''.
Response: The phrase ``transportation physical security plan'' does
not appear in the revised proposed rule. The new proposed rule would
require protection of ``the composite physical security plan for
transportation'' in Sec. 73.22(a)(2)(i), and ``information regarding
transportation security measures, including physical security plans and
procedures'' in Sec. 73.23(a)(2)(i). The revision was made in part
because not all licensees who would be subject to the revised proposed
rule are explicitly required to have a ``transportation security
plan.''
The revised proposed rule is intended to protect information
detailing the physical security measures and procedures used to protect
source, byproduct, and special nuclear material in transit, whether or
not those measures and procedures are contained in a document labeled
``transportation security plan.'' Because the term ``transportation
physical security plan'' is not used in the revised proposed rule,
there is no need to provide a definition.
Threat Environment
Comment: One commenter proposed that a final rule define the term
``threat environment.''
Response: The phrase, ``threat environment,'' does not appear in
the revised proposed rule text and, therefore, a definition for that
term is not warranted.
[[Page 64014]]
Trustworthiness and Reliability
Comment: Several commenters from both public interest and industry
groups expressed concern with the proposed definition of
``Trustworthiness and Reliability'' and whether it is sufficiently
clear. One commenter wrote that it is conceivable that the criteria
used to judge ``trustworthiness and reliability'' could be applied
arbitrarily to restrict access to information by persons deemed to have
interests in opposition to the NRC or the nuclear industry. This
commenter also expressed concern that the procedure by which the
``comprehensive background check'' would be conducted is not clear.
Another commenter expressed the opinion that the ``definition of
trustworthiness and reliability does not clearly address how its
requirements will be uniformly applied for all classes of individuals,
nor is it clear as to whether there is a necessity for continued
monitoring, nor is it clear what process an individual who is not a
utility employee and does not have unescorted access must undergo to
satisfy the criteria.''
A third commenter suggested that the definition of trustworthiness
and reliability should include a link to Sec. Sec. 73.56 and 26.10
such that a positive conclusion for access authorization and fitness
for duty would allow a licensee to conclude an individual is
trustworthy and reliable; however, unescorted access should not be a
requirement for ``trustworthiness and reliability.''
Finally, along similar lines, one commenter questioned whether
elements in Sec. Sec. 73.56 and 26.10 must be completed in order to
determine trustworthiness and reliability. If that is the case, the
commenter suggested that it should be specified. The commenter also
expressed concerns that such a definition would be challenging to
administer, especially for contract engineering firms who are never at
the site.
Response: Ultimately, the decision whether an individual is
sufficiently trustworthy and reliable to receive SGI is made by the
person granting access based on a background check. The background
check must be sufficient to support the trustworthiness and reliability
determination so that the person granting access and the Commission
have reasonable assurance that granting an individual access to SGI
does not constitute an unreasonable risk to the public health and
safety or the common defense and security. The general elements of a
background check are defined in the revised proposed rule and discussed
briefly above.
Not all persons who would be subject to this rule will have fitness
for duty or access authorization programs, so the revised proposed rule
does not include cross-references to trustworthiness and reliability
requirements in Sec. Sec. 26.10 or 73.56. Trustworthiness and
reliability determinations required by those regulations may inform or
serve as the trustworthiness and reliability determination that would
be required under this revised proposed rule, if those determinations
are based on a background check that also meet the requirements of this
rule. The NRC staff plans to issue further guidance that will include
discussion of acceptable background checks to support a licensee's
trustworthiness and reliability determinations.
There is no requirement in this revised proposed rule that an
individual determined to be trustworthy and reliable undergo a periodic
background check to confirm or monitor trustworthiness and reliability.
However, should a licensee learn of information that would reasonably
call into question the trustworthiness and reliability of an individual
authorized access to SGI or SGI-M, the licensee should re-evaluate the
individual. In the case of NRC adjudicatory proceedings where
subsequent requests for access are made, a new determination may be
required depending on the length of time that has elapsed between
requests.
The trustworthiness and reliability determination based on a
background check that would be required does not necessarily satisfy
the trustworthiness and reliability objectives of other regulations.
For example, determining trustworthiness and reliability under 10 CFR
73.56 requires not only a background investigation, but a psychological
assessment and behavioral observation as well. Determining
trustworthiness and reliability under 10 CFR 26.10 requires chemical
and alcohol testing under a fitness-for-duty program. Those
requirements are separate from the requirements of this rule.
The Commission realizes that the trustworthiness and reliability
requirement could be difficult to administer. But the same is true of
many requirements aimed at monitoring the behavior and character of
individuals. That does not make the requirement any less essential to
ensuring safety and security. Determining trustworthiness and
reliability is crucial to minimizing the risk that SGI will be
compromised, and the Commission expects persons making trustworthiness
and reliability determinations to do so in a fair and reasoned way.
Section 73.21 Protection of Safeguards Information: Performance
Requirements
Comment: One commenter suggested that Sec. 73.21 be revised to
require SGI protection for information associated with the
transportation of spent nuclear fuel (SNF) or high level waste (HLW) in
greater quantities than 15 grams in order to be consistent with the
NRC's fissile exemption limit for transportation purposes found in
Sec. 71.15(b). As a conforming change, the commenter also proposed
that Sec. 73.2 be revised to include definitions for ``spent nuclear
fuel,'' ``high-level radioactive waste,'' and ``irradiated nuclear
fuel,'' and that Sec. 73.72 should be revised in the final rule to
refer to advance notifications of shipments of greater than 15 grams of
SNF or HLW.
Response: The Commission believes that the physical protection
measures for shipments involving 100 grams or more of irradiated
reactor fuel are appropriately controlled as SGI per Sec. 73.22.
Detailed security measures, physical security plans and procedures for
the transportation of source, byproduct, and SNM in greater than or
equal to Category 1 quantities of concern are designated as SGI-M
pursuant to Sec. 73.23(a)(2)(i). Those quantities cover the lower
threshold for material as proposed by the commenter. NRC orders issued
to persons transporting such materials require protection of such
information and material when in transit.
In response to the comment requesting definitions of the terms
``spent nuclear fuel,'' ``high-level radioactive waste,'' and
``irradiated nuclear fuel,'' the Commission noted that the first two
terms are defined in 10 CFR 72.3 and the third term is described in
Sec. 73.37. Therefore, separate definitions of these terms in part 73
are unnecessary.
Section 73.21(a)(1)
Comment: Two commenters suggested that the use of the terms ``fuel
cycle facilities required to implement security measures'' in Sec.
73.21(a)(1)(i) and ``fuel cycle facilities'' in the introductory
language of Sec. 73.22 are unclear. The commenters requested
clarification on whether this is meant to apply to all fuel cycle
facilities, or only those authorized to possess a formula quantity of
special nuclear material, and not low strategic significance fuel cycle
facilities, where SGI-M requirements might apply.
Response: The Commission has changed the text of the new proposed
rule by deleting the phrase ``fuel cycle facilities'' and replacing it
with ``uranium hexafluoride production
[[Page 64015]]
facilities, fuel fabrication facilities, and uranium enrichment
facilities.'' Fuel cycle licensees authorized to possess a formula
quantity of SSNM remain subject to the requirements of Sec. 73.22 as
originally proposed.
Section 73.21(a)(2)
Comment: Two commenters proposed that Sec. 73.21(a)(2) be amended
to state that information protection procedures employed by Federal law
enforcement agencies are also deemed to meet the general performance
requirement, as some licensee facilities are located on Federal lands
and Federal law enforcement officers respond to security events.
Response: In response to this comment, the proposed Sec.
73.21(a)(2) is being modified to provide that information protection
procedures employed by law enforcement agencies are presumed to meet
the general performance requirements included in that section.
Section 73.22 Protection of Safeguards Information: Specific
Requirements
Section 73.22(a) Information To Be Protected
Comment: One comment recommended that the NRC should specify all
the types of information and documents that are part of the
``expansion'' of what is considered to be SGI. Clarification is needed
as to the meaning and application of undefined terms such as
``additional security measures,'' ``protective measures,'' and
``interim compensatory measures.''
Response: Both the definition of SGI and the description of the
specific types of information to be protected as SGI provide sufficient
details as to what information constitutes SGI. Any other information
to be designated as SGI would be set forth in an order or regulation,
in compliance with Section 147 of the AEA. Additionally, the terms
``additional security measures,'' ``protective measures,'' and
``interim compensatory measures,'' are being deleted from the text of
Sec. 73.22(a), and therefore need not be defined.
Section 73.22(a)(1) and 73.23(a)(1) Physical Protection
Comment: A commenter suggested that Sec. Sec. 73.22(a)(1) and
73.23(a)(1) should be narrowed to those documents that contain
sufficient detail on the licensee's actual strategies or procedures
that, if inadvertently disclosed, could reasonably be expected to have
a significant adverse effect on the health and safety of the public or
the common defense and security by significantly increasing the
likelihood of theft, diversion, or sabotage of material or a facility.
The commenter indicated that it is unnecessary to categorize documents
as SGI or SGI-M unless the information is specific to the facility or
its protective strategy, or unless the protective features cannot be
readily observed by an unauthorized individual from outside the
Protected Area.
Response: Proposed Sec. Sec. 73.22 and 73.23 would not protect all
information related to the materials and facilities described in those
sections. Sections 73.22 and 73.23 are explicitly limited to the
protection of SGI and SGI-M. By definition, SGI and SGI-M is
information the unauthorized disclosure of which could reasonably be
expected to have a significant adverse effect on the health and safety
of the public or the common defense and security by significantly
increasing the likelihood of sabotage or theft or diversion of source,
byproduct, or SNM. Sections 73.22(a)(1) and 73.23(a)(1) do not expand
that limited scope. No changes have been made to the revised proposed
rule.
The Commission disagrees that SGI should include only information
specific to a facility or its defensive strategy. While such
information clearly requires protection, so does certain generic
information, such as the design basis threat implementing guidance,
which describe in detail the specific operational and tactical
capabilities of the hypothetical adversary force more generally
described in the design basis threat rule. Those details, which are
generically applicable to a number of licensees, could be used to
identify licensee security measures, and if disclosed, could reasonably
be expected to have a significant adverse effect on the health and
safety of the public or the common defense and security by
significantly increasing the likelihood of theft, diversion, or
sabotage of material or a facility.
Comment: One commenter suggested that Sec. 73.22(a)(1)(ii) be
amended to clarify the term ``substantially represent the final design
features.'' The commenter suggests, for example, that the language
``substantially represent the final design features such that an
engineer or security professional could detect vulnerabilities'' would
provide the necessary clarity.
Response: The Commission does not believe the language the
commenter proposes would clarify this provision because the inclusion
of the phrase ``such that an engineer or security professional could
detect vulnerabilities'' adds an unnecessary level of complexity.
Determining ``which site specific drawings, diagrams, sketches, or maps
substantially represent final design features of the physical security
system,'' as stated in the revised proposed rule text, is less
subjective. In addition, SGI need not contain information limited to
vulnerabilities.
Comment: A commenter recommended that Sec. 73.22(a)(1)(ii) be
modified to exclude from the SGI designation site specific drawings,
diagrams, sketches, or maps that substantially represent the final
design features of the physical security system which are accessible to
members of the public. According to the commenter, information relating
to security features such as fences, barriers, guard posts, and certain
security cameras are in plain view and therefore not appropriate for
designation as SGI. The commenter also proposed a similar change to
Sec. 73.22(1)(a)(iii) that would apply to alarm system layouts showing
the location of intrusion detection devices, alarm assessment
equipment, alarm system wiring, emergency power sources, and duress
alarms which are accessible to the public.
Response: In response to these comments, the paragraphs cited above
are being changed to add the phrase ``not clearly discernible by
members of the public'' at the end of each paragraph.
Comment: Two commenters felt that the meaning of ``emergency power
sources'' in Sec. Sec. 73.22(a)(1)(iii) and 73.23(a)(1)(ii) is not
sufficiently clear as to whether it included emergency power sources
for alarm systems only or any and all emergency power systems. One
commenter proposed changing the language to read: ``As installed
details of alarm system layouts, location, and electrical design, that
if disclosed, could facilitate gaining unauthorized access to special
nuclear material, nuclear facilities, or Safeguards Information''.
Response: The Commission has modified the revised proposed rule
text in response to this comment by inserting the additional words
``for security equipment'' after the term ``emergency power sources''.
Comment: Two commenters noted, with respect to Sec.
73.22(a)(1)(iv), that not all written physical security orders and
procedures need to be SGI, as some security procedures are general or
administrative and do not require SGI protection. Moreover, the
commenters stated, designation of all security procedures as SGI would
delay training new employees in the security force. Therefore, the
commenters proposed that Sec. 73.22(a)(1)(iv) be modified to allow
flexibility in the control of security procedures. Another commenter
proposed amending
[[Page 64016]]
Sec. 73.22(a)(1)(iv) to read ``[w]ritten physical security protective
strategy orders and procedures for members of the security
organization, duress codes, and patrol routes''.
Response: In response to these comments, the phrase ``Written
physical security orders and procedures for members of the security
organization, duress codes, and patrol schedules'' is modified in the
revised proposed rule to read ``Physical security orders and procedures
issued by the licensee for members of the security organization
detailing duress codes, patrol routes and schedules, or responses to
security contingency events''.
Comment: A commenter suggested that it is unnecessary to classify
documents as SGI or SGI-M unless the information is specific to the
facility and its protective strategy. Therefore, the commenter proposed
changing Sec. 73.22(a)(1)(v) to read ``[s]ite-specific design features
or evaluations of site-specific plant radio and telephone
communications systems revealing vulnerabilities or limitations in
operating capability'' in order to narrow the scope of documents to
those that contain sufficient detail on the licensee's actual
strategies or procedures that, if disclosed, could reasonably be
expected to have a significant adverse effect on the health and safety
of the public or the common defense and security by significantly
increasing the likelihood of theft, diversion, or sabotage of material
or a facility.
Response: In response to this comment, the language of Sec.
73.22(a)(1)(v) has been changed in the revised proposed rule to read
``Site specific design features of plant security'' at the beginning of
the section. These modifications to the text are not meant to address
the broader concern already addressed in response to comments on Sec.
73.22(a)(1) and Sec. 73.23(a)(1). In addition, and as previously
stated, the incorporation of such language in this section of the rule
does not exclude certain generic information applicable to a number of
licensees. Such information could be used, for example, to identify a
specific licensee's security measures.
Comment: One comment stated that Sec. Sec. 73.22(a)(1)(vii),
73.22(a)(1)(viii), and 73.22(a)(1)(ix) reference the safeguards
contingency plan and training and qualification plan. The commenter
then pointed out that these are now part of the composite security plan
that was submitted as a result of the April 29, 2003 Order.
Response: Before the April 2003 Order, power reactor licensees were
required to have the following three separate plans: ``physical
security plan'', ``safeguards contingency plan'', and ``guard training
and qualification plan''. In response to that order, power reactor
licensees chose to consolidate these three separate plans into a single
``security plan''. The original proposed rule text has been revised in
response to the comment to make clear that the composite physical
security plan is considered SGI under Sec. 73.22(a)(1)(i).
Comment: One commenter suggests modifying Sec. 73.22(a)(1)(ix) to
read ``[a]ll portions of the composite facility guard qualification and
training program that addresses the licensee's protective strategy'',
which would delete the language ``plan disclosing features of the
physical security system or response procedures'' from the end of that
paragraph. The commenter further suggests that, given that most
training and qualification plans do not include detailed information,
these plans be ``decontrolled'' by the NRC.
Response: In response to this comment, the beginning of Sec.
73.22(a)(1)(ix) has been changed in the revised proposed rule to delete
the phrase ``all portions of [the composite facility guard
qualification and training plan]''. The Commission acknowledges that
there may be some non-SGI in various licensee security plans and
accordingly is deleting the phrase ``all portions''. It is not entirely
clear what this commenter means in seeking to have this category of
information ``decontrolled''. To the extent the commenter wants
training and qualification plans to no longer be considered SGI, the
Commission is not taking that action. Contrary to what is asserted in
support of this request, this category of information includes details
warranting protection against unauthorized disclosure.
Comment: One commenter proposes changing the word ``identity'' in
Sec. 73.22(a)(1)(x) to ``agency'' or ``organization'' to eliminate any
potential confusion that ``identity'' could refer to identification of
specific individuals. In addition, the commenter proposes replacing
``safeguards or security emergencies'' with ``security contingency
events'' and making clear that ``armament'' refers specifically to the
armament of response forces. To have ``armament'' apply to licensees
would seem to require licensees to protect as SGI each purchase order
for weapons. The commenter further proposes eliminating ``information
concerning'' language and using the current part 73 language, and
therefore having the subsection read ``[r]esponse plans to specific
threats detailing size, disposition, response times, and armament of
responding forces.''
Response: The Commission is changing the language of this provision
in the revised proposed rule by deleting the phrase ``safeguards or
security emergencies'' and inserting the phrase ``security contingency
events.'' As so worded, the section emphasizes that the requirement is
security-related and also maintains consistency with other regulatory
provisions. Also, the word ``identity'' is being deleted from the
phrase to avoid the implication that this provision refers to the
identification of specific individuals. Finally, the phrase ``of
response forces'' is added after the word ``armament'' in the revised
proposed rule. The Commission is retaining the language in this
paragraph connoting that there could be features of response forces
related to or derived from those specified in the rule text which also
warrant protection as SGI. The Commission also declines to adopt the
commenter's proposed language that would replace the term ``response
forces'' with ``response plans'' because security-related plans are
addressed elsewhere in Sec. Sec. 73.22(a)(1).
Comment: One commenter suggested modifying Sec. 73.22(a)(1)(xi) to
delete the language ``including the tactics and capabilities required
to defend against that threat'' because this is covered elsewhere in
the regulations. In addition, the commenter suggested deleting ``or
other information'' as it leaves too much room for interpretation.
Another commenter suggested deleting references to the design basis
threat in this subsection and elsewhere, or creating more prescribed
provisions for exactly what is to be covered with respect to design
basis threat information, as such information is important to public
participation and knowledge.
Response: The phrase ``or other information'' is deleted and the
section is reworded to clarify which information related to the design
basis threat would be considered SGI. Specifically, the Adversary
Characteristics Document and other design basis threat implementing
guidance, which describe in detail the specific operational and
tactical capabilities of the hypothetical adversary force more
generally described in the design basis threat rule, are considered
SGI. The phrase ``including the tactics and capabilities required to
defend against the threat'' is deleted from the revised proposed rule
because it is not necessary. Those tactics and capabilities are
described in licensee security plans which are considered to be SGI.
[[Page 64017]]
Comment: Several commenters expressed the concern that language in
Sec. 73.22(a)(1)(xii) would include engineering and safety analyses
and emergency planning procedures or scenarios within SGI protection,
and this would suppress information of significant concern to the
public. Commenters also suggested that the criterion found in Sec.
73.22(a)(1)(xii) was not sufficiently precise so as to alert a licensee
as to the type of information to be protected, that the proposed
language ``exposes such a licensee to second-guessing or enforcement
action.'' One commenter representing a public interest watchdog group
stated that the public has a ``right to know what risks they face from
nearby nuclear facilities'' and that ``public participation has proven
an effective tool for improving facility performance and safety.'' The
commenter expressed concern that if the public does not know what is
going on at a facility, it cannot effectively engage the facility and
advocate for safety improvements and that if the public was not aware
of emergency planning procedures, it would be at risk from an accident
or a possible attack against a facility. In addition, the commenter
proposes that the NRC should retain the current rule language that
allows only ``portions of'' documents to be protected as SGI, in order
to maximize the amount of information that the public receives without
divulging any protected information.
Another commenter similarly stated that ``it is crucially important
that the public has access to information regarding protective measures
taken by operators to defend their facilities so that they may be held
accountable'' and that the ``broad category of information that is
included in these sections, including, especially, safety analyses,
emergency planning procedures, and any other information related to the
security of a nuclear facility, sharply hinders the public's ability to
judge the competency of nuclear operators and the adequacy of their
programs to protect their facilities and materials.''
Another commenter expressed concerns that Sec. 73.22(a)(1)(xii)
could be used to ``suppress faulty assumptions as the basis for
engineering and safety analyses, which is a significant concern to
public safety policy analysts and intervenors.''
Other commenters also provided comments with regard to Sec. Sec.
73.22(a)(1)(xii) and 73.22(a)(2)(viii). One commenter proposed that it
should be clear that ``engineering and safety analyses'' mean only such
analyses pertinent to physical security and not plant safety, as that
information is already public. Industry commenters expressed concern
that control of emergency planning procedures as SGI would make
coordination with local and state agencies difficult, as well as
affected non-governmental entities, and could jeopardize effective and
safe operation of a plant. More specifically, one commenter notes broad
interpretation of these requirements would require state and local
governmental entities who are not in law enforcement but are involved
in emergency planning to be verified as ``trustworthy and reliable'' by
the licensee in order for the licensee to comply with 10 CFR part 50,
Appendix E IV.B.
One commenter recommends revising the wording at the end of Sec.
73.22(a)(1)(xii), proposed as ``by significantly increasing the
likelihood of theft, diversion, or sabotage of material or a
facility,'' to ``significantly increasing the likelihood of
radiological sabotage or theft or diversion of source, byproduct, or
special nuclear material,'' in order to correspond to the wording used
in the definition of SGI.
Response: In response to these comments, the phrase ``related to''
at the beginning of Sec. 73.22(a)(1)(xii) is being changed in the
revised proposed rule to ``revealing site specific details of''. The
phrase ``unauthorized disclosure of such information'' is changed to
``unauthorized disclosure of such analyses, procedures, scenarios, and
information''. These revisions clarify that the analyses, procedures,
scenarios, and other information described in this section are
considered to be SGI only if they reveal ``site specific details''
about the physical protection of the facility or source material,
byproduct material, or SNM. To clarify the fact that ``emergency
planning procedures or scenarios'' should remain publicly available, to
the extent possible, that phrase is being changed here and elsewhere in
the rule text, to ``security-related procedures or scenarios''.
However, security-related information, wherever it occurs, including
security information that is found within a specific emergency
preparedness procedure, could potentially need to be protected as SGI.
Also, in order to provide greater specificity in the revised proposed
rule text, the phrase ``material or facility'' at the end of the
revised proposed rule text is changed to ``source, byproduct, or
special nuclear material''.
Certain sections of the current rule language, as well as sections
of the revised proposed rule text, refer to ``portions of'' documents
to be protected as SGI. For example, current Sec. 73.21(b)(3)(i)
designates, in pertinent part, ``[p]ortions of safeguards inspection
reports'' to be SGI. Similarly, in the revised proposed rule text,
Sec. 73.22(a)(3)(i) refers to ``portions of'' inspection reports as
constituting SGI. Therefore, it is not correct that the current rule
only allows protection of portions of documents or information as SGI.
Because the Commission is revising the original proposed rule to
more closely track the language of Section 147 of the AEA, the
Commission is declining to make the suggested change to the end of
Sec. 73.22(a)(1)(xii) by substituting ``radiological sabotage'' for
the statutory language of ``sabotage.'' The relevant portions of
Section 147 refer simply to ``sabotage'' and the Commission is using
that term in the revised proposed rule.
The Commission's intent in revising the requirements in part 73 for
protection of SGI is not to deprive the public of information or to
suppress faulty assumptions in engineering analyses and safety
analyses, as some commenters assert. One of the main purposes of these
proposed amendments is to provide in 10 CFR part 73 the breadth of
information that Section 147 of the AEA requires the Commission to
protect. The Commission determined that unauthorized release of this
information could result in harm to the public health and safety or the
common defense and security.
Comment: One commenter noted that, ``as proposed, Sec.
73.22(a)(1)(xiii) requires `Information required by the Commission
pursuant to 10 CFR 73.55(c)(8) and (9)' to be protected as SGI without
explicitly identifying what must be protected as SGI''. The commenter
suggested that there is no apparent reason to protect this information
as SGI and the requirement should therefore be deleted.
Response: The Commission is deleting this paragraph because the
information described in this paragraph would be protected in Sec.
73.22(a)(1)(xi).
Section 73.22(a)(2) Physical Protection in Transit
Comment: One commenter stated that Sec. Sec. 73.22(a)(2) and
73.23(a)(2) would cover transportation related information that is
under the DOT's regulations in 49 CFR part 15, ``Protection of
Sensitive Security Information (SSI)''. If implemented in its current
form, the commenter continues, these regulations will require licensees
to handle, at a minimum, transportation security plan risk assessments
as both SSI and SGI or SGI-M, duplicative requirements that
[[Page 64018]]
add no discernible benefit. Furthermore, the commenter states,
classification of certain transportation related information as SGI
will be unworkable. Therefore, the commenter proposes, all of the
regulatory agencies should reach consensus on what information should
be protected, reduce the number of classifications, and develop a
single cohesive nationwide set of information security protection
standards that includes a clear definition of each classification. If
the NRC does impose duplicative requirements for protection of
transportation security-related information in addition to DOT's
regulations, the commenter further suggests, the NRC should replace
``transportation physical security plan'' with ``transportation
security plan'' to be consistent with DOT regulations, or provide a
definition of ``transportation physical security plan.''
Response: The NRC recognizes that transportation of radioactive
material may be subject to the requirements of both the DOT and the NRC
with respect to protective markings, SSI, SGI, and SGI-M. However,
requirements for the protection SSI are not as strict as NRC SGI or
SGI-M protection requirements. The NRC believes that the information
described in Sec. 73.22(a)(2)(i) requires the higher protection
afforded by the designation SGI. Similarly, the information set forth
in Sec. 73.23(a)(2)(i) must be protected as SGI-M. Finally, as noted
previously, the Commission has replaced the phrase ``transportation
physical security plan'' with ``composite physical security plan for
transportation'' to distinguish NRC-required plans from others.
Comment: One commenter contended that the new language of Sec.
73.22(a)(2)(ii), ``Routes and quantities for shipments of spent fuel
are not withheld from public disclosure,'' no longer assures public
access to route and quantity information for shipments of byproduct or
source material or nuclear waste. The commenter expresses concern that
the NRC does not have the authority to limit access to this
information, for which Congress has specifically protected public
disclosure in the AEA. The commenter therefore proposes that the NRC
ensure that the language in the final rule does not undermine the AEA
by narrowing disclosure requirements.
Response: The revised proposed rule would not designate shipping
routes and quantities as SGI or SGI-M. However, the rule would
designate schedules and itineraries as SGI and SGI-M. Schedules and
itineraries combine route and quantity information with specific
information about the timing and security of a shipment to create
information that, if disclosed, could reasonably be expected to have a
significant adverse effect on the health and safety of the public or
the common defense and security by significantly increasing the
likelihood of sabotage or theft or diversion of nuclear material.
Section 147a.(3) of the AEA provides in part that ``[n]othing in this
Act shall authorize the Commission to prohibit the public disclosure of
information pertaining to routes and quantities of shipments of source
material, by-product material, high level nuclear waste, or irradiated
nuclear reactor fuel.'' The revised proposed rule text has been revised
to be more consistent with the language of Section 147a.(3) of the AEA.
Comment: One commenter proposed removing Sec. 73.22(a)(2)(vii) on
the grounds that it is extremely vague and would allow the NRC to
protect from public disclosure any ``information concerning the tactics
and capabilities required to defend against attempted radiological
sabotage, or theft and diversion of formula quantities of special
nuclear material, or related information.'' The commenter expressed
concern over the NRC's use of ``vague terms'' such as ``any information
concerning'' and ``related information'' and suggested that this
provision could be used to conceal information about a town's
capabilities to respond to an attack on a rail car passing through it.
Response: The language ``related information'' portion of this
section has been deleted from the text of the revised proposed rule
because it is redundant of the language at the beginning of this
section (``information concerning''). The text of the rule does not
include the phrase ``any information concerning'' as stated in the
comment.
Comment: Commenters expressed concerns that Sec. 73.22(a)(2)(viii)
would exempt safety analyses, emergency planning procedures, or other
information about the protection of transported materials from public
disclosure as SGI. Accordingly, commenters recommended revising or
removing Sec. 73.22(a)(2)(viii) in order to ensure that the public has
access to emergency procedures and safety analyses information they
need to protect their community. A commenter proposed removing the
proposed Sec. Sec. 73.22(a)(2)(viii) and 73.23(a)(2)(iv) and (v) on
the grounds that these proposed changes would prevent communities from
learning what steps are being taken to protect them and from
participating in the process of keeping the community safe. The
commenter expressed concerns that these provisions are overly vague in
what information may be protected from public disclosure and could
result in too much information being concealed from the public.
Response: The Commission recognizes that the public needs
information about safety and emergency planning and will continue to
make much of that information publicly available. Therefore, the phrase
``emergency planning procedures or scenarios'' is being changed to
``security-related procedures or scenarios''. But a limited amount of
safety and emergency planning-related information, if publicly
disclosed, could be used to identify security measures for the
protection of nuclear facilities and materials, thereby significantly
increasing the likelihood of sabotage or theft and diversion. For
example, emergency planning information that specifies response times
for local law enforcement, or identifies the size, tactics, and
capabilities of first responders to a radiological event could be very
useful to a potential adversary in planning an attack. Accordingly,
that information could conceivably need to be protected as SGI.
The Commission's intent is not to prevent public knowledge of vital
safety and emergency information. Hence, the revised proposed rule has
been changed in response to comments that it was too broadly worded as
originally proposed. The protection required for engineering and safety
analyses and security-related procedures or scenarios under Sec.
73.23(a)(1)(x) would be appropriately limited to information that could
reasonably be expected to have a significant adverse effect on the
health and safety of the public or the common defense and security by
significantly increasing the likelihood of theft, diversion, or
sabotage of source material, byproduct material, or SNM.
Section 73.22(a)(3) Inspections, Audits, and Evaluations
Comment: A commenter objected to what it saw as the broadening of
Sec. 73.22(a)(3) and stated that the proposed change lacks specificity
and could potentially conceal public health, safety, security, and
environmental concerns from public disclosure. The commenter expressed
concern that the provision could be interpreted to include and suppress
information that rightfully should be brought to the attention of the
public and policy makers.
Response: The Commission has eliminated references to specific
licensees from the revised proposed rule. This clarifies the scope of
the rule
[[Page 64019]]
and simplifies the text. The commenter provides no basis for the
assertion that the Commission would use revised Sec. 73.22(a)(3) to
conceal information from public disclosure. The regulations provide
access to individuals who have a ``need to know'' the information and
who are trustworthy and reliable. Protecting SGI and SGI-M from
unauthorized disclosure does not equate to concealing or suppressing
information that should be in the public domain.
Comment: Another commenter suggested that the NRC restore the
provision in proposed Sec. 73.22(a)(3)(i) to allow the release of
information developed in inspections, audits, and evaluations
concerning weaknesses and problems that have been corrected.
This paragraph retains the provision in current Sec.
73.21(b)(3)(i) which designates as SGI portions of safeguards
inspection reports, evaluations, audits, or investigations that contain
details of a licensee's or applicant's physical security system or that
disclose uncorrected defects, weaknesses, or vulnerabilities in a
licensee's or applicant's physical security system. This provision
implies that corrected defects, weaknesses, or vulnerabilities will be
released.
Response: In response to this comment, the proposed rule is revised
in part, to carry over the portion of Sec. 73.21 that provides for the
release of information regarding defects, weaknesses, or
vulnerabilities after corrections have been made. However, as stated in
the revised text, the disclosure of such information is not automatic,
and is subject to an assessment taking into account such factors as the
results of trend analyses and the impacts of disclosures on other
licensees having similar physical security systems. The partial
revision of the proposed rule text is consistent with the policy to
increase the amount of public information released pursuant to the
Security Oversight Process.
Section 73.22(a)(5)
Comment: Two commenters suggested that Sec. 73.22(a)(5) lacked
specificity. One commenter expressed concerns that Sec. 73.22(a)(5)
was not specific enough to ``allay growing public concerns that the
agency could arbitrarily and capriciously further conceal or
subordinate significant public health, safety, and security issues to
economically shield and benefit the nuclear industry.'' Another
commenter suggested that the language of Sec. 73.22(a)(5) was an
``incredible expansion of government secrecy that could allow instances
of extreme operational incompetence to go unnoticed by the public.''
That commenter suggested deleting the ``other information'' language to
narrow and clarify the rule.
Another commenter proposed making Sec. 73.22(a)(5) reflect the
preamble of Sec. 73.22 by stating that orders will only be used to
classify information in an emergency when rulemaking is not available.
Response: Section 147 of the AEA explicitly authorizes the
Commission to proceed by order or regulation to prohibit the
unauthorized disclosure of SGI. Nothing in the AEA limits the use of
the Commission's ordering authority to emergency situations. Such a
restriction could hinder security and safety in the event the
Commission needs to act quickly to protect SGI not already identified
in the regulations. The Commission declines to adopt such a limitation.
However, the Commission has changed the revised proposed rule language
to clarify that any information that would be categorized as SGI under
Sec. 73.22(a)(5) would have to be within the scope of Section 147 of
the AEA, and would be imposed by a new order or rulemaking.
Section 73.22(b) Conditions for Access
Comment: One commenter remarked that, in the context of Sec.
73.22(b), there is no benefit from imposing different access
authorization requirements for nuclear power reactors as compared to
other licensees.
Response: In the original proposed rule, access requirements varied
depending on whether an individual is to be granted access by a nuclear
power reactor licensee or applicant, as set forth in Sec.
73.22(b)(1)(i)(A) or by other licensees or applicants covered by Sec.
73.22, pursuant to Sec. 73.22(b)(1)(i)(B). Such variation was based on
Section 149 of the AEA, which required each licensee or applicant for a
license to operate a nuclear power reactor to fingerprint each
individual permitted access to SGI. The EPAct, however, amended Section
149 to authorize fingerprinting all individuals engaged in an activity
subject to regulation by the Commission, licensees, all applicants for
a license to engage in Commission-regulated activities, and all
individuals who have notified the Commission in writing of an intent to
file an application for licensing, certification, permitting, or
approval of a product or activity subject to regulation by the
Commission. Fingerprints would be submitted to the U.S. Department of
Justice for a criminal history check, which would be assessed as part
of the background check that provides the basis for a trustworthiness
and reliability determination.
Section 73.22(b)(1)
Comment: Several comments stated that Sec. Sec. 73.22(b)(1)(i)(B)
and 73.23(b)(1)(i) in the original proposed rule were unclear as to
what is meant by ``comprehensive background check or other means as
approved by the Commission.'' One commenter noted that requiring a
background investigation has proven to be challenging for
transportation companies, because the time required for background
investigations has often prevented transportation companies from
bidding on some jobs. That commenter suggested that the NRC specify the
``other means'' that would be acceptable for entities implementing an
SGI-M program. Another commenter expressed concern that if the
``comprehensive background check'' was similar to the ``Q'' or ``L''
access authorization investigations or checks of 10 CFR part 25, it
would impose an intolerable burden because of the time and resources
necessary for the completion of such a check, particularly for those
entities developing new SGI or SGI-M programs.
Response: As previously discussed, a definition of ``background
check'' is now included Sec. 73.2. NRC staff plans to issue further
guidance that will include a discussion of acceptable background checks
that would satisfy the rule requirements by ``other means'' and support
a licensee's trustworthiness and reliability determinations. The
requirements for access to SGI are different from the provisions for
access to classified information (part 25) or for access under part 95
to Classified National Security Information and/or, Restricted Data,
and/or Formerly Restricted Data.
Comment: A commenter expressed the concern that Sec.
73.22(b)(1)(ii)-(vi) in the original proposed rule in combination with
Sec. 73.22(b)(2) appears to require licensees to perform a Federal
Bureau of Investigation (FBI) criminal history check for NRC personnel.
If this is not the case, the commenter proposed that (b)(2) of both
sections should be modified to state: ``The individuals described in
paragraph (b)(1)(i) through (vi).''
Response: The Commission does not interpret the cited provisions of
the original proposed rule set forth by the commenter as requiring
licensees to perform FBI criminal history checks for NRC personnel.
Section 73.22(b)(3) would exempt governmental individuals from the
requirement for a
[[Page 64020]]
determination of trustworthiness and reliability, including NRC
employees.
Comment: One commenter stated that Sec. 73.22(b)(1)(vii) would
require a licensee to demonstrate trustworthiness and reliability for
an individual to whom disclosure is ordered pursuant to 10 CFR
2.709(f). The commenter noted that a licensee should not bear the
responsibility for making this finding for an intervenor. The commenter
also noted that the rule was not clear as to when a presiding officer
would have the responsibility to make this determination--when an
intervenor wants access to SGI or only if an intervenor appeals a
party's determination. For these reasons, the commenter suggested
rethinking the application of these criteria to adjudicatory hearing
matters and resolving such issues in a separate rulemaking or by
issuing Commission orders in each case where controlling the
dissemination and use of SGI might be an issue.
Response: The rule is not intended to require licensees to
determine whether intervenors in an adjudicatory proceeding are
trustworthy and reliable to receive SGI or SGI-M. Presiding officers
have the authority to make determinations about information disclosures
if a dispute over access to SGI or SGI-M documents arises. Section
73.22(b)(4) and 73.23(b)(4) have been added to the revised rule to make
this clear. Sections 2.709(f) and 2.1010(b)(6) have been revised and
new Sec. Sec. 2.336(f) and 2.705(c)(2) have been added to the revised
proposed rule to specify procedures to be followed in the event of such
a dispute.
Under the procedures set forth in these provisions, when a party or
participant in an adjudicatory proceeding seeks production of SGI from
another party or participant that refuses to produce it, the presiding
officer has the authority to decide the dispute. The presiding officer
will make the first determination necessary for access to SGI, which is
whether the individual seeking access has the requisite ``need to
know'', as defined in 10 CFR 73.2. If so, the presiding officer may
order production of the SGI after the second determination is made,
namely whether the individual to be authorized access to SGI has been
found to be trustworthy and reliable by the NRC Office of
Administration, based on a background check (including a criminal
history records check and fingerprinting). Procedurally, the presiding
officer may issue an order that designates the information as necessary
and relevant and that requires the party or participant seeking access
to SGI or SGI-M to designate those individuals who would receive it.
The order would also require the NRC Office of Administration to
determine the trustworthiness and reliability of those individuals
designated to receive SGI in accordance with the provisions of
Sec. Sec. 73.22(b) or 73.23(b), as appropriate.
If the NRC Office of Administration concludes that the designated
individuals are trustworthy and reliable to receive SGI, the presiding
officer would issue a second order requiring production of the SGI or
SGI-M under the provisions of a protective order. Presiding officers
have the authority to hear appeals on the NRC Office of
Administration's trustworthiness and reliability determination.
If parties or participants in an adjudicatory proceeding agree that
an intervenor has a ``need to know'' and are willing to share the SGI
or SGI-M without seeking a determination on ``need to know'' from the
presiding officer, then the parties or participants may do so, provided
that a protective order has been issued by the presiding officer and a
trustworthiness and reliability determination has been made by the NRC
Office of Administration. If the SGI sought by the intervenor is held
solely by the licensee or applicant, and not the NRC, the licensee or
applicant may provide the SGI to the intervenor under the terms of the
protective order. If the SGI is held by both the licensee or applicant
and the NRC (``dual holders''), the NRC will provide the SGI to the
intervenor, under the terms of the protective order.
Section 73.22(c)(1) Protection While in Use or Storage
Comment: Commenters proposed that Sec. 73.22(c)(1) be amended to
authorize SGI to be stored in the Reactor Control Room not in a locked
security storage container. The basis for this request is that control
rooms are continuously manned and this change would allow rapid access,
if necessary, to pertinent SGI material (e.g., controlled operating
procedures).
Response: In response to these comments, Sec. Sec. 73.22(c)(1) and
73.23(c)(1) are being changed to delete the phrase ``Safeguards
Information within alarm stations, manned guard posts or ready rooms
need not be locked in a locked security storage container.'' A new
phrase is being added to state ``Safeguards Information within alarm
stations, or rooms continuously occupied by individuals need not be
stored in a locked security storage container.''
Section 73.22(c)(2)
Comment: One commenter proposed that Sec. 73.22(c)(2) be modified
to allow licensees to mark containers as containing SGI, because this
practice ensures that the importance of those containers is clearly
understood and because those containers are typically located in areas
with no public access.
Response: The Commission is declining to adopt the change proposed
by the commenter because marking locked security storage containers to
indicate they contain SGI may assist in identifying the location of
SGI. The fact that such containers may typically be located in areas
without public access is irrelevant because not all individuals in such
areas are authorized for access to SGI. An unauthorized individual
seeking access to SGI might be aided by such markings, regardless of
whether the SGI is stored in areas without public access.
Section 73.22(d)(1)
Comment: One commenter proposed that the term ``first page'' in
Sec. 73.22(d)(1) be changed to ``first page or cover sheet'' to allow
licensees to continue with current practice which meets the intent of
the revised proposed rule.
Response: The Commission is not modifying Sec. 73.22(d)(1) as the
commenter suggests because the information specified in Sec.
73.22(d)(1)(i) through (iii) should be noted on the first page of the
document itself rather than in a separate document, such as a cover
sheet. The Commission does not expect that licensee
