Information Notice 2008-03, Precautions to Take Before Sharing Sensitive Security-Related Information
| ML080370453 | |
| Person / Time | |
|---|---|
| Issue date: | 05/16/2008 |
| From: | Robert Lewis NRC/FSME/DMSSA |
| To: | |
| Blanton R, FSME/DMSSA, 301-415-2322 | |
| References | |
| IN-08-003 | |
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF FEDERAL AND STATE MATERIALS
AND ENVIRONMENTAL MANAGEMENT PROGRAMS
WASHINGTON, DC 20555-0001
May 16, 2008
NRC INFORMATION NOTICE 2008-03: PRECAUTIONS TO TAKE BEFORE SHARING SENSITIVE SECURITY-RELATED INFORMATION
ADDRESSEES
All U.S. Nuclear Regulatory Commission (NRC) licensees who are implementing the U.S. Nuclear
Regulatory Commission's Order Imposing Increased Controls (IC Order) or implementing
Increased Control requirements by license condition. All Agreement State Radiation Control
Program Directors and State Liaison Officers.
PURPOSE
The NRC is issuing this Information Notice (IN) to alert licensees of precautions to consider
before sharing sensitive security-related information with others. Recipients of this IN should
review the information contained for applicability and consider any necessary actions, as
appropriate. However, recommendations contained in this IN are not new NRC requirements;
therefore, neither specific action nor written response is required. NRC is providing this IN to
the Agreement States for their information, and for distribution to their licensees implementing
the Increased Controls.
BACKGROUND
NRC first imposed the requirements in the IC Order in 2005. The Agreement States also
imposed the requirements of the IC Order on their licensees in 2005. The IC Order applies to
licensees possessing the radioactive material and quantities described in Table 1 of the Order.
Increased Control requirement number 6 (IC6) requires, in part, that licensees treat the detailed
information describing the physical protection of radioactive material as sensitive information, and
protect it from unauthorized disclosure. In addition, Regulatory Issue Summary (RIS)
2005-31, "Control of Security-Related Sensitive Unclassified Non-Safeguards Information
Handled by Individuals, Firms, and Entities Subject to NRC Regulation of the Use of Source,
Byproduct, and Special Nuclear Material," sets forth procedures that licensees and others are
encouraged to follow when handling documents, and/or when submitting documents to the
NRC that contain security-related sensitive information. A copy of the RIS is available on the
NRC Web site at http://www.nrc.gov/reading-rm/doc-collections/gen-comm/reg-issues/2005/.
Sensitive information is defined in IC6 as detailed information generated by the licensee that
describes the physical protection of risk-significant radioactive material. Sensitive information is
required to be protected from unauthorized disclosure. Some examples of sensitive
information include the licensee's Increased Control procedures, information related to the
licensee's security system, and the list of approved/authorized personnel who have been
deemed trustworthy and reliable. Below are some examples of situations that have occurred
regarding sharing of sensitive information.
DESCRIPTION OF CIRCUMSTANCES
Information on the World Wide Web
During an inspection conducted in September 2007, a source informed NRC staff that a
licensee's Web site, available to the public, contained sensitive information. Following up on
this information, the NRC discovered a chat room where participants discussed sensitive
information related to personnel staffing, security and other information that could be useful to
an adversary.
The NRC also discovered another public Web site that revealed the location of a licensee's
irradiator building and room, the name and phone number of the authorized user and the
scheduled time of irradiator usage, thus providing information that could potentially be useful to
an adversary.
In addition to the above examples, random NRC searches of various types of licensees' Web
sites have revealed that certain licensees, particularly those in university settings or larger
medical facilities and cancer centers associated with universities, often post their radiation
safety manuals on the Web. The information contained on many of these Web sites included, in part, the types of devices possessed, the type of radioactive material in the devices, the
activities, the specific room locations and building identification where the devices are located, and even the specific room numbers and locations where the keys to the devices were
controlled. A few licensees have recently updated their Web sites and specifically referenced
the IC Order in their disclosure of information, including information about the process used for
trustworthiness and reliability determinations. The information contained on these Web sites could
allow an adversary to obtain sensitive information concerning the licensee's possession, location and use of risk-significant radioactive material.
Fire Department Request
In October 2007, a radiography licensee, subject to the IC Order, notified the NRC that their
local fire department inspected them and directed the licensee to install a system to allow rapid
Fire Department access. This installation, which is required by some State Fire Codes, would
allow the fire department to access the facility, and potentially the risk-significant radioactive
material. The fire department requested that the installation include a list of the hazardous
materials, a map of their location, and keys to the building. The fire department also requested
unescorted access to the entire building.
The licensee asked the NRC to evaluate this request. After careful consideration, the NRC
informed the licensee that it is acceptable to provide the fire department a means of rapid
access to the facility, but not direct access to the radioactive material. In addition, the licensee was instructed to ensure that a barrier is in place for portable devices
(i.e., vault, devices are locked in a storage container which is also locked to an immovable
object) and not provide alarm and access codes to the fire department. The licensee was
allowed to provide the fire department a map of the facility listing the location of radioactive
materials, provided that the map did not list the security system locations or the activity of the
licensed material.
Submission of Increased Controls Program Documentation with License Amendment
Requests
Some licensees are submitting documentation of their Increased Controls program as part of
their license amendment requests. Please note that licensees are not required to submit IC
program documentation in this manner. Further, if IC program documentation is submitted as
part of a license amendment request, that documentation becomes part of the license via the
tie-down condition. Licensees may instead choose to submit IC program documentation as a
stand-alone document that can be revised without the need to amend the license.
Regardless of whether a licensee chooses to submit IC program documentation as a stand-alone
document or as part of an amendment request, the licensee should take care to properly
mark it in accordance with Title 10 of the Code of Federal Regulations (10 CFR) Section
2.390, "Public Inspections, Exemptions, Requests for Withholding."
DISCUSSION
A list of approved/authorized personnel who have been deemed trustworthy and reliable is
sensitive because these individuals have been granted unescorted access to the risk-significant
radioactive material. If the list is posted in a general area, an unapproved individual may alter
the list to add his/her name and thus may, potentially, gain unauthorized access to the risk-significant radioactive material. Licensees are encouraged to assess all information generated
as a result of the Increased Controls and protect it accordingly.
The NRC has contacted those licensees discovered using the World Wide Web to inadvertently
divulge sensitive security information. The licensees have secured access to their Web sites
and sensitive information is no longer accessible by the public. Note that any information that
reveals the type and activity of radioactive material, the location, and the level of security (or
lack thereof) should not be available on Web sites that permit public access.
The NRC reminds licensees that the sharing of information with public officials must be
protected in compliance with IC6, and should be shared only with those who have a need-to-know. Generally, public officials such as fire department personnel do not have a need-to-know. Licensees needing assistance to determine whether such information can be shared with
public officials should follow the example of the radiography licensee provided in this IN.
Licensees with questions concerning information security should contact the appropriate NRC
regional office.
The NRC requests that licensees not submit IC documents during the licensing process.
Inspection staff will review the appropriate documentation during security inspections.
However, a licensee may submit related information to respond to the IC Order or to respond to
a violation provided the information is properly marked in accordance with 10 CFR 2.390.
Additional information regarding Increased Controls can be found under the heading of
"Holders of Material Licenses Authorized to Possess Radioactive Material Quantities of
Concern," at: http://www.nrc.gov/reading-rm/doc-collections/enforcement/security/index.html.
In addition, licensees with questions concerning information security should contact the
appropriate NRC regional office.
CONTACTS
This IN requires no specific licensee action or response. If you have any questions about the
information in this notice, please contact one of the technical contacts below, or the appropriate
regional office.
/RA/
Robert J. Lewis, Director
Division of Materials Safety
and State Agreements
Office of Federal and State Materials
and Environmental Management Programs
Technical Contacts:
Kathy Modes, Region I
(301)415-5422
(610)337-5251 E-mail: cee1@nrc.gov
E-mail: kad@nrc.gov
Enclosure: List of Recently Issued FSME Generic Communications
ML080370453
OFC: FSME/SSB, FSME/SSB, FSME/SSB, R1:DNMS, R1:DNMS
NAME: RBlanton:smh, CEinberg, AMauer, KModes, MMiller
DATE: 02/26/08, 02/26/08, 02/26/08, 2/27/08, 03/03/08
OFC: TechEd, FSME/MSEA, FSME/DMSSA, NSIR/DSR
NAME: QTE, AMcIntosh, RLewis, PHolihan, MClark
DATE: 03/04/08, 03/05/08, 03/12/08, 04/02/08, 04/16/08
OFFICIAL RECORD COPY
Enclosure
List of Recently Issued FSME Generic Communications
| Date | GC No. | Subject | Addressees |
|---|---|---|---|
| 10/04/07 | RIS-07-22 | Status Update For Implementation Of NRC Regulatory Authority for Certain Naturally-Occurring and Accelerator-Produced Radioactive Material | All U.S. Nuclear Regulatory Commission materials licensees, radiation control program directors, State liaison officers, and the NRC's Advisory Committee on the Medical Uses of Isotopes. |
| 10/04/07 | RIS-07-23 | Date For Operation Of National Source Tracking System | All licensees authorized to possess Category 1 or Category 2 quantities of radioactive materials. All Radiation Control Program Directors and State Liaison Officers. |
| 12/05/07 | RIS-07-27 | Improving Public Understanding of the Risks Associated with Medical Events | All U.S. Nuclear Regulatory Commission medical use licensees. All Radiation Control Program Directors, and State Liaison Officers |
| 12/07/07 | RIS-07-28 | Security Requirements for Portable Gauges | U.S. Nuclear Regulatory Commission portable gauge licensees and Agreement State Radiation Control Program Directors and Liaison Officers |
| 12/14/07 | RIS-07-38 | Ensuring Complete and Accurate Information In the Documentation of Training and Experience for Individuals Seeking Approval as Medical Authorized Users | All U.S. Nuclear Regulatory Commission medical use licensees and NRC master materials licensees. All Agreement State Radiation Control Program Directors and State Liaison Officers |
| 02/01/08 | RIS-08-02 | Actions to Increase the Security of High Activity Radioactive Sources | All U.S. Nuclear Regulatory Commission Materials and Master Materials Licensees. All Agreement State Radiation Control Program Directors and State Liaison Officers. |
Note: This list contains the six most recently issued generic communications, issued by the
Office of Federal and State Materials and Environmental Management Programs (FSME). A
full listing of all generic communications may be viewed at the NRC public website at the
following address:
http://www.nrc.gov/reading-rm/doc-collections/gen-comm/index.html