ML052870511: Difference between revisions
StriderTol (talk | contribs) (Created page by program invented by StriderTol) |
StriderTol (talk | contribs) (StriderTol Bot change) |
||
| (2 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
| number = ML052870511 | | number = ML052870511 | ||
| issue date = 04/30/2003 | | issue date = 04/30/2003 | ||
| title = | | title = Protection of Safeguards Information from Unauthorized Disclosure | ||
| author name = Beckner W, Miller C | | author name = Beckner W, Miller C | ||
| author affiliation = NRC/NMSS/IMNS, NRC/NRR/DRIP | | author affiliation = NRC/NMSS/IMNS, NRC/NRR/DRIP | ||
| Line 19: | Line 19: | ||
=Text= | =Text= | ||
{{#Wiki_filter:UNITED | {{#Wiki_filter:UNITED STATES | ||
underwater irradiators, and fuel cycle facilities. | NUCLEAR REGULATORY COMMISSION | ||
OFFICE OF NUCLEAR REACTOR REGULATION | |||
OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS | |||
WASHINGTON, DC 20555-0001 | |||
April 30, 2003 | |||
NRC REGULATORY ISSUE SUMMARY 2003-08 | |||
PROTECTION OF SAFEGUARDS INFORMATION | |||
FROM UNAUTHORIZED DISCLOSURE | |||
ADDRESSEES | |||
All holders of operating licenses for nuclear power reactors, decommissioning reactor facilities, | |||
independent spent fuel storage installations, research and test reactors, large panoramic and | |||
underwater irradiators, and fuel cycle facilities. | |||
INTENT | |||
The U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS) | |||
and the attached Summary of Safeguards Information Requirements to inform addressees of | |||
the importance of protecting Safeguards Information from inadvertent release and unauthorized | the importance of protecting Safeguards Information from inadvertent release and unauthorized | ||
disclosure. The need to protect sensitive security information from inadvertent release and | disclosure. The need to protect sensitive security information from inadvertent release and | ||
| Line 31: | Line 45: | ||
covered by these requirements. This RIS is intended to serve as a consolidated source of | covered by these requirements. This RIS is intended to serve as a consolidated source of | ||
information to reinforce the overall knowledge of Safeguards Information requirements as well | information to reinforce the overall knowledge of Safeguards Information requirements as well | ||
as to highlight the serious consequences for failure to control and protect it.Licensees are encouraged to broadly disseminate this information to affected employees and | as to highlight the serious consequences for failure to control and protect it. | ||
employees who handle Safeguards Information are located. | Licensees are encouraged to broadly disseminate this information to affected employees and to | ||
post the attached Summary of Safeguards Information Requirements in areas where | |||
employees who handle Safeguards Information are located. | |||
BACKGROUND | |||
Several recent events involving published articles or comments to the media demonstrate the | |||
need for the NRC to reemphasize the importance of protecting Safeguards Information from | |||
inadvertent release and unauthorized disclosure. The release of this information, for example, | inadvertent release and unauthorized disclosure. The release of this information, for example, | ||
could result in harm to the public health and safety and the Nations common defense and | could result in harm to the public health and safety and the Nations common defense and | ||
security, as well as damage to the Nations critical infrastructure, including nuclear power plants | security, as well as damage to the Nations critical infrastructure, including nuclear power plants | ||
and other facilities licensed and regulated by the NRC. ML031150743 | and other facilities licensed and regulated by the NRC. | ||
RIS 2003- | ML031150743 | ||
RIS 2003-08 | |||
Page 2 of 4 | |||
SUMMARY OF ISSUE | |||
Safeguards Information is a special category of sensitive unclassified information authorized by | |||
Section 147 of the Atomic Energy Act of 1954, as amended (the Act), to be protected. While | |||
Safeguards Information is considered sensitive unclassified information, it is handled and | Safeguards Information is considered sensitive unclassified information, it is handled and | ||
protected more like classified confidential information than like other sensitive unclassified | protected more like classified confidential information than like other sensitive unclassified | ||
| Line 44: | Line 69: | ||
through a background check. The criteria for designating special nuclear material and power | through a background check. The criteria for designating special nuclear material and power | ||
reactor information as Safeguards Information and associated restrictions on access to and | reactor information as Safeguards Information and associated restrictions on access to and | ||
protection of Safeguards Information are codified in Section 73.21 of Title 10 of the | protection of Safeguards Information are codified in Section 73.21 of Title 10 of the Code of | ||
Federal Regulations (10 CFR 73.21). Part 73 applies to licensees of operating power reactors, | |||
research and test reactors, decommissioning facilities, facilities transporting irradiated reactor | |||
fuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types of | fuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types of | ||
information designated as Safeguards Information include the physical security plan for a | information designated as Safeguards Information include the physical security plan for a | ||
| Line 56: | Line 82: | ||
enhanced access authorization requirements and licensee response to these requirements | enhanced access authorization requirements and licensee response to these requirements | ||
Safeguards Information. Another example is the April 29, 2003 order to operating power | Safeguards Information. Another example is the April 29, 2003 order to operating power | ||
reactor licensees concerning security force training requirements.In addition to the licensees subject to the Safeguards Information requirements of Part 73, | reactor licensees concerning security force training requirements. | ||
In addition to the licensees subject to the Safeguards Information requirements of Part 73, and | |||
the types of information designated as Safeguards Information under those regulations, the | |||
Commission has authority under Section 147 to designate, by regulation or order, other types of | Commission has authority under Section 147 to designate, by regulation or order, other types of | ||
information as Safeguards Information. For example, Section 147 allows the Commission to | information as Safeguards Information. For example, Section 147 allows the Commission to | ||
designate . . . a licensees or applicants detailed . . . security measures (including security plans,procedures and equipment) for the physical protection of source material or byproduct | designate | ||
. . . a licensees or applicants detailed . . . security measures (including security plans, | |||
procedures and equipment) for the physical protection of source material or byproduct | |||
material, by whomever possessed, whether in transit or at fixed sites, in quantities | material, by whomever possessed, whether in transit or at fixed sites, in quantities | ||
determined by the Commission to be significant to the public health and safety or the | determined by the Commission to be significant to the public health and safety or the | ||
common defense and security . . . to be Safeguards Information. The Commission also may, by order, impose | common defense and security . . . | ||
to be Safeguards Information. The Commission also may, by order, impose Safeguards | |||
Information handling requirements on these other licensees. An example of this type of order is | |||
the March 25, 2002 order to Honeywell International, a uranium conversion facility. Violations | the March 25, 2002 order to Honeywell International, a uranium conversion facility. Violations | ||
of Safeguards Information handling requirements, whether those of Part 73 or those imposed | of Safeguards Information handling requirements, whether those of Part 73 or those imposed | ||
by order, are equally subject to the applicable civil and criminal sanctions, as discussed below | by order, are equally subject to the applicable civil and criminal sanctions, as discussed below | ||
and in the attached Summary of Safeguards Information Requirements. Employees, past or present, and all persons who have had access to Safeguards | and in the attached Summary of Safeguards Information Requirements. | ||
Employees, past or present, and all persons who have had access to Safeguards Information | |||
have a continuing obligation to protect Safeguards Information against inadvertent release and | |||
unauthorized disclosure. The NRC staff and licensees have discovered several cases where | unauthorized disclosure. The NRC staff and licensees have discovered several cases where | ||
Safeguards Information was inadvertently included in uncontrolled plant documents and | Safeguards Information was inadvertently included in uncontrolled plant documents and | ||
documents intended for distribution to the public. Documents or other forms of communication | documents intended for distribution to the public. Documents or other forms of communication | ||
RIS 2003- | |||
RIS 2003-08 | |||
Page 3 of 4 | |||
that include discussions about plant security should be reviewed carefully to ensure that | |||
Safeguards Information is not physically included or that plant security is not otherwise being | |||
compromised. Attachment 1 to this RIS further explains licensee and individual responsibilities | compromised. Attachment 1 to this RIS further explains licensee and individual responsibilities | ||
under current regulations, issued Orders, and future Orders regarding the protection of | under current regulations, issued Orders, and future Orders regarding the protection of | ||
Safeguards Information, and addresses penalties for inadequate protection and unauthorized | Safeguards Information, and addresses penalties for inadequate protection and unauthorized | ||
disclosure.Licensees are reminded that information designated as Safeguards Information must | disclosure. | ||
Licensees are reminded that information designated as Safeguards Information must be | |||
withheld from public disclosure and must be physically controlled and protected. Physical | |||
protection requirements include (1) secure storage, (2) document marking, (3) access restricted | protection requirements include (1) secure storage, (2) document marking, (3) access restricted | ||
to authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhanced | to authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhanced | ||
| Line 80: | Line 120: | ||
applicable to Safeguards Information as a result of ongoing evaluations. Personnel security | applicable to Safeguards Information as a result of ongoing evaluations. Personnel security | ||
controls, including background checks and other means, are in effect for individuals authorized | controls, including background checks and other means, are in effect for individuals authorized | ||
access to Safeguards Information, as is the strict adherence to the need-to-know principle. Inadequate protection of Safeguards Information, including inadvertent release | access to Safeguards Information, as is the strict adherence to the need-to-know principle. | ||
Inadequate protection of Safeguards Information, including inadvertent release and | |||
unauthorized disclosure, may result in civil and/or criminal penalties. The Act explicitly provides | |||
in Section 147a that any person, whether or not a licensee of the Commission, who violates any | in Section 147a that any person, whether or not a licensee of the Commission, who violates any | ||
regulations adopted under this section shall be subject to the civil monetary penalties of | regulations adopted under this section shall be subject to the civil monetary penalties of | ||
| Line 88: | Line 130: | ||
associated with such violations will be determined by the staff in its implementation of the NRC | associated with such violations will be determined by the staff in its implementation of the NRC | ||
Enforcement Policy, and the discretion of the Commission based on the details and significance | Enforcement Policy, and the discretion of the Commission based on the details and significance | ||
of any violation. Statutory maximum penalties are addressed in Attachment 1. The NRC will continue to evaluate its requirements, policies and guidance concerning | of any violation. Statutory maximum penalties are addressed in Attachment 1. | ||
stakeholders will be informed of proposed revisions or clarifications. BACKFIT | The NRC will continue to evaluate its requirements, policies and guidance concerning the | ||
RIS 2003- | protection and unauthorized disclosure of Safeguards Information. Licensees and other | ||
Division of Industrial | stakeholders will be informed of proposed revisions or clarifications. | ||
Medical Nuclear | BACKFIT DISCUSSION | ||
Office of Nuclear Materials | The RIS and the attachment do not request any action or written response; therefore, the staff | ||
and | did not perform a backfit analysis. | ||
E-mail: bws2@nrc. | FEDERAL REGISTER NOTIFICATION | ||
Attachment | A notice of opportunity for public comment on this RIS was not published in the Federal | ||
Page 1 of | Register. | ||
et seq. (Act), grants | |||
RIS 2003-08 | |||
Page 4 of 4 | |||
PAPERWORK REDUCTION ACT STATEMENT | |||
This RIS does not request any information collection and, therefore, is not subject to the | |||
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). | |||
If you have any questions about this matter, please contact the person listed below. | |||
/RA/ | |||
/RA/ | |||
Charles L. Miller, Director | |||
William D. Beckner, Program Director | |||
Division of Industrial and | |||
Operating Reactor Improvements Program | |||
Medical Nuclear Safety | |||
Division of Regulatory Improvement Programs | |||
Office of Nuclear Materials Safety | |||
Office of Nuclear Reactor Regulation | |||
and Safeguards | |||
Contact: | |||
Bernard Stapleton, NSIR | |||
(301) 415-2432 | |||
E-mail: bws2@nrc.gov | |||
Attachments: 1. Summary of Safeguards Information Requirements | |||
2. List of Recently Issued NRC Regulatory Issue Summaries | |||
Attachment 1 | |||
RIS 2003-08 | |||
Page 1 of 4 | |||
SUMMARY OF SAFEGUARDS INFORMATION REQUIREMENTS | |||
I. AUTHORITY | |||
The Atomic Energy Act of 1954, as amended, 42 U.S.C. §§ 2011 et seq. (Act), grants the | |||
Nuclear Regulatory Commission broad and unique authority to prohibit the unauthorized | |||
disclosure of Safeguards Information upon a determination that the unauthorized disclosure of | disclosure of Safeguards Information upon a determination that the unauthorized disclosure of | ||
such information could reasonably be expected to have a significant adverse effect on the | such information could reasonably be expected to have a significant adverse effect on the | ||
health and safety of the public or the common defense and security by significantly increasing | health and safety of the public or the common defense and security by significantly increasing | ||
the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction. | the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction. | ||
Section 147 of the Act, 42 U.S.C. § 2167. For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part | Section 147 of the Act, 42 U.S.C. § 2167. | ||
For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50 | |||
reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employees | |||
and contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is | and contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is | ||
defined by NRC regulation as follows:Safeguards Information means information not otherwise classified as | defined by NRC regulation as follows: | ||
Safeguards Information means information not otherwise classified as National | |||
Security Information or Restricted Data which specifically identifies a licensee's | |||
or applicant's detailed, (1) security measures for the physical protection of | or applicant's detailed, (1) security measures for the physical protection of | ||
special nuclear material, or (2) security measures for the physical protection and | special nuclear material, or (2) security measures for the physical protection and | ||
location of certain plant equipment vital to the safety of production or utilization | location of certain plant equipment vital to the safety of production or utilization | ||
facilities. 10 C.F.R. § 73.2. | facilities. | ||
Specific requirements for the protection of Safeguards Information are contained | 10 C.F.R. § 73.2. | ||
unless the person has an established "need to know" for the information and is: (i) An employee, agent, or contractor of an applicant, a licensee, | Specific requirements for the protection of Safeguards Information are contained in | ||
10 C.F.R. § 73.21. Access to Safeguards Information is limited as follows: | |||
(c) Access to Safeguards Information. (1) Except as the Commission may | |||
otherwise authorize, no person may have access to Safeguards Information | |||
unless the person has an established "need to know" for the information and is: | |||
(i) An employee, agent, or contractor of an applicant, a licensee, the | |||
Commission, or the United States Government. However, an individual to be | |||
authorized access to Safeguards Information by a nuclear power reactor | authorized access to Safeguards Information by a nuclear power reactor | ||
applicant or licensee must undergo a Federal Bureau of Investigation criminal | applicant or licensee must undergo a Federal Bureau of Investigation criminal | ||
history check to the extent required by 10 CFR 73.57; (ii) A member of a duly authorized committee of the Congress; | history check to the extent required by 10 CFR 73.57; | ||
(iii) The Governor of a State or designated representatives; | |||
(iv) A representative of the International Atomic Energy Agency (IAEA) | (ii) A member of a duly authorized committee of the Congress; | ||
certified by the NRC; | |||
Attachment | (iii) The Governor of a State or designated representatives; | ||
Page 2 of 4 (v) A member of a state or local law enforcement authority that is responsible | |||
(c)(1) of this section. 10 C.F.R. § 73.21(c). | (iv) A representative of the International Atomic Energy Agency (IAEA) engaged | ||
The need to know requirement is specified by NRC regulation as follows:Need to know means a determination by a person having responsibility | in activities associated with the U.S./IAEA Safeguards Agreement who has been | ||
certified by the NRC; | |||
Attachment 1 | |||
RIS 2003-08 | |||
Page 2 of 4 | |||
(v) A member of a state or local law enforcement authority that is responsible for | |||
responding to requests for assistance during safeguards emergencies; or | |||
(vi) An individual to whom disclosure is ordered pursuant to § 2.744(e) of this | |||
chapter [10 CFR 2.744(e)]. | |||
(2) Except as the Commission may otherwise authorize, no person may disclose | |||
Safeguards Information to any other person except as set forth in paragraph | |||
(c)(1) of this section. | |||
10 C.F.R. § 73.21(c). | |||
The need to know requirement is specified by NRC regulation as follows: | |||
Need to know means a determination by a person having responsibility for | |||
protecting Safeguards Information that a proposed recipient's access to | |||
Safeguards Information is necessary in the performance of official, contractual, | Safeguards Information is necessary in the performance of official, contractual, | ||
or licensee duties of employment.10 C.F.R. § 73.2. | or licensee duties of employment. | ||
Thus, unless otherwise authorized by the Commission, NRC regulations limit access | 10 C.F.R. § 73.2. | ||
Thus, unless otherwise authorized by the Commission, NRC regulations limit access to | |||
Safeguards Information to certain specified individuals who have been determined to have a | |||
need to know, i.e., specified individuals whose access has been determined to be necessary | need to know, i.e., specified individuals whose access has been determined to be necessary | ||
in the performance of official, contractual or licensee duties of employment. Furthermore, except as otherwise authorized by the Commission, no person may | in the performance of official, contractual or licensee duties of employment. | ||
Furthermore, except as otherwise authorized by the Commission, no person may disclose | |||
Safeguards Information to any other person unless that other person is one of the specified | |||
persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a need to know. | persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a need to know. | ||
10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of | 10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of | ||
Safeguards Information are applicable to all licensees and all individuals:This part [10 C.F.R. Part 73] prescribes requirements for the protection | Safeguards Information are applicable to all licensees and all individuals: | ||
the Commission, who produces, receives, or acquires Safeguards Information.10 C.F.R. § 73.1(b)(7). | This part [10 C.F.R. Part 73] prescribes requirements for the protection of | ||
The Commissions statutory authority to protect and prohibit the unauthorized disclosure | Safeguards Information in the hands of any person, whether or not a licensee of | ||
the Commission, who produces, receives, or acquires Safeguards Information. | |||
10 C.F.R. § 73.1(b)(7). | |||
The Commissions statutory authority to protect and prohibit the unauthorized disclosure of | |||
Safeguards Information is even broader than is reflected in these regulations. Section 147 of | |||
the Act grants the Commission explicit authority to issue such orders, as necessary to prohibit | the Act grants the Commission explicit authority to issue such orders, as necessary to prohibit | ||
the unauthorized disclosure of safeguards information . . . . This authority extends to | the unauthorized disclosure of safeguards information . . . . This authority extends to | ||
information concerning special nuclear material, source material, and byproduct material, as | information concerning special nuclear material, source material, and byproduct material, as | ||
well as production and utilization facilities. | well as production and utilization facilities. | ||
Attachment | |||
Page 3 of | Attachment 1 | ||
provides for a civil monetary penalty not to exceed $120,000 for each violation. | RIS 2003-08 | ||
Page 3 of 4 | |||
The Act explicitly provides: Any person, whether or not a licensee of the Commission, who | |||
violates any regulations adopted under this section shall be subject to the civil monetary | |||
penalties of Section 234 of this Act. Section 147a of the Act. Section 234a of the Act | |||
provides for a civil monetary penalty not to exceed $120,000 for each violation. See | |||
10 C.F.R. § 2.205(j) (2003). Furthermore, a willful violation of any regulation or order governing | |||
Safeguards Information is a felony subject to criminal penalties in the form of fines or | Safeguards Information is a felony subject to criminal penalties in the form of fines or | ||
imprisonment, or both. | imprisonment, or both. See Sections 147b and 223a of the Act. | ||
See Sections 147b and 223a of the Act. The NRC Enforcement Policy outlines potential NRC actions against both licensees | The NRC Enforcement Policy outlines potential NRC actions against both licensees and | ||
details and severity of the violation. II. | individuals for violations of the regulations and Orders using criteria that evaluate both the | ||
details and severity of the violation. | |||
II. DISCUSSION | |||
All licensees and all other persons who now have, or in the future may have, access to | |||
Safeguards Information must comply with all applicable requirements delineated in regulations | |||
and Orders governing the handling and unauthorized disclosure of Safeguards Information. As | and Orders governing the handling and unauthorized disclosure of Safeguards Information. As | ||
stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire | stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire | ||
| Line 163: | Line 282: | ||
containing Safeguards Information; access to Safeguards Information; preparation, marking, | containing Safeguards Information; access to Safeguards Information; preparation, marking, | ||
reproduction and destruction of documents; external transmission of documents; use of | reproduction and destruction of documents; external transmission of documents; use of | ||
automatic data processing systems; and removal of the Safeguards Information category.As noted above, in addition to the responsibility of each licensee to ensure that all of | automatic data processing systems; and removal of the Safeguards Information category. | ||
As noted above, in addition to the responsibility of each licensee to ensure that all of its | |||
employees, contractors and subcontractors, and their employees comply with applicable | |||
requirements, all contractors, subcontractors, and individual employees also are individually | requirements, all contractors, subcontractors, and individual employees also are individually | ||
responsible for complying with applicable requirements and all are subject to civil and criminal | responsible for complying with applicable requirements and all are subject to civil and criminal | ||
| Line 169: | Line 290: | ||
applicable to the handling of Safeguards Information are a serious breach of adequate | applicable to the handling of Safeguards Information are a serious breach of adequate | ||
protection of the public health and safety and the common defense and security of the United | protection of the public health and safety and the common defense and security of the United | ||
States. | States. | ||
Attachment | |||
Page 4 of | Attachment 1 | ||
RIS 2003-08 | |||
Page 4 of 4 | |||
As a result, the staff intends to use the NRC Enforcement Policy, including the discretion to | |||
increase penalties for violations, to determine appropriate sanctions against licensees and | |||
individuals who violate these requirements. In addition, the Commission may use its discretion, | |||
based on the severity of the violation, to further increase the penalty for any violation up to the | based on the severity of the violation, to further increase the penalty for any violation up to the | ||
statutory maximum. Willful violations of these requirements will also be referred to the | statutory maximum. Willful violations of these requirements will also be referred to the | ||
Department of Justice for a determination of whether criminal penalties will be pursued. | Department of Justice for a determination of whether criminal penalties will be pursued. | ||
}} | }} | ||
Latest revision as of 14:37, 15 January 2025
| ML052870511 | |
| Person / Time | |
|---|---|
| Site: | WM-00011 |
| Issue date: | 04/30/2003 |
| From: | Beckner W, Chris Miller NRC/NMSS/IMNS, Division of Regulatory Improvement Programs |
| To: | |
| SECY RAS | |
| Shared Package | |
| ML052870505 | List: |
| References | |
| ASLBP 04-829-01-PAPO, HLW-PAP0-000150, PAPO-00 RIS-03-008 | |
| Download: ML052870511 (8) | |
See also: RIS 2003-08
Text
UNITED STATES
NUCLEAR REGULATORY COMMISSION
OFFICE OF NUCLEAR REACTOR REGULATION
OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS
WASHINGTON, DC 20555-0001
April 30, 2003
NRC REGULATORY ISSUE SUMMARY 2003-08
PROTECTION OF SAFEGUARDS INFORMATION
FROM UNAUTHORIZED DISCLOSURE
ADDRESSEES
All holders of operating licenses for nuclear power reactors, decommissioning reactor facilities,
independent spent fuel storage installations, research and test reactors, large panoramic and
underwater irradiators, and fuel cycle facilities.
INTENT
The U.S. Nuclear Regulatory Commission (NRC) is issuing this regulatory issue summary (RIS)
and the attached Summary of Safeguards Information Requirements to inform addressees of
the importance of protecting Safeguards Information from inadvertent release and unauthorized
disclosure. The need to protect sensitive security information from inadvertent release and
unauthorized disclosure which might compromise the security of nuclear facilities is heightened
since the events of September 11, 2001. Addressees, including all cognizant personnel, have a
continuing obligation to be mindful of their responsibilities in protecting such security
information. Although many addressees have extensive experience in complying with
applicable regulations related to handling and protection of Safeguards Information, additional
licensees and individuals with limited or no experience in this area may now or soon will be
covered by these requirements. This RIS is intended to serve as a consolidated source of
information to reinforce the overall knowledge of Safeguards Information requirements as well
as to highlight the serious consequences for failure to control and protect it.
Licensees are encouraged to broadly disseminate this information to affected employees and to
post the attached Summary of Safeguards Information Requirements in areas where
employees who handle Safeguards Information are located.
BACKGROUND
Several recent events involving published articles or comments to the media demonstrate the
need for the NRC to reemphasize the importance of protecting Safeguards Information from
inadvertent release and unauthorized disclosure. The release of this information, for example,
could result in harm to the public health and safety and the Nations common defense and
security, as well as damage to the Nations critical infrastructure, including nuclear power plants
and other facilities licensed and regulated by the NRC.
Page 2 of 4
SUMMARY OF ISSUE
Safeguards Information is a special category of sensitive unclassified information authorized by
Section 147 of the Atomic Energy Act of 1954, as amended (the Act), to be protected. While
Safeguards Information is considered sensitive unclassified information, it is handled and
protected more like classified confidential information than like other sensitive unclassified
information (e.g., privacy and proprietary information). Access to Safeguards Information is
controlled by a valid need-to-know and an indication of trustworthiness normally obtained
through a background check. The criteria for designating special nuclear material and power
reactor information as Safeguards Information and associated restrictions on access to and
protection of Safeguards Information are codified in Section 73.21 of Title 10 of the Code of
Federal Regulations (10 CFR 73.21). Part 73 applies to licensees of operating power reactors,
research and test reactors, decommissioning facilities, facilities transporting irradiated reactor
fuel, fuel cycle facilities, and spent fuel storage installations. Examples of the types of
information designated as Safeguards Information include the physical security plan for a
nuclear facility or site possessing special nuclear material, the design features of the physical
protection system, operational procedures for the security organization, improvements or
upgrades to the security system, and vulnerabilities or weaknesses not yet corrected, and such
other information as the Commission may designate by order. An example of additional
information designated by order is the January 7, 2003 order to operating power reactor
licensees concerning access authorization programs. That order made the details of NRCs
enhanced access authorization requirements and licensee response to these requirements
Safeguards Information. Another example is the April 29, 2003 order to operating power
reactor licensees concerning security force training requirements.
In addition to the licensees subject to the Safeguards Information requirements of Part 73, and
the types of information designated as Safeguards Information under those regulations, the
Commission has authority under Section 147 to designate, by regulation or order, other types of
information as Safeguards Information. For example, Section 147 allows the Commission to
designate
. . . a licensees or applicants detailed . . . security measures (including security plans,
procedures and equipment) for the physical protection of source material or byproduct
material, by whomever possessed, whether in transit or at fixed sites, in quantities
determined by the Commission to be significant to the public health and safety or the
common defense and security . . .
to be Safeguards Information. The Commission also may, by order, impose Safeguards
Information handling requirements on these other licensees. An example of this type of order is
the March 25, 2002 order to Honeywell International, a uranium conversion facility. Violations
of Safeguards Information handling requirements, whether those of Part 73 or those imposed
by order, are equally subject to the applicable civil and criminal sanctions, as discussed below
and in the attached Summary of Safeguards Information Requirements.
Employees, past or present, and all persons who have had access to Safeguards Information
have a continuing obligation to protect Safeguards Information against inadvertent release and
unauthorized disclosure. The NRC staff and licensees have discovered several cases where
Safeguards Information was inadvertently included in uncontrolled plant documents and
documents intended for distribution to the public. Documents or other forms of communication
Page 3 of 4
that include discussions about plant security should be reviewed carefully to ensure that
Safeguards Information is not physically included or that plant security is not otherwise being
compromised. Attachment 1 to this RIS further explains licensee and individual responsibilities
under current regulations, issued Orders, and future Orders regarding the protection of
Safeguards Information, and addresses penalties for inadequate protection and unauthorized
disclosure.
Licensees are reminded that information designated as Safeguards Information must be
withheld from public disclosure and must be physically controlled and protected. Physical
protection requirements include (1) secure storage, (2) document marking, (3) access restricted
to authorized individuals, (4) limited reproduction, (5) protected transmission, and (6) enhanced
automatic data processing system controls. Changes are being proposed to NRC regulations
applicable to Safeguards Information as a result of ongoing evaluations. Personnel security
controls, including background checks and other means, are in effect for individuals authorized
access to Safeguards Information, as is the strict adherence to the need-to-know principle.
Inadequate protection of Safeguards Information, including inadvertent release and
unauthorized disclosure, may result in civil and/or criminal penalties. The Act explicitly provides
in Section 147a that any person, whether or not a licensee of the Commission, who violates any
regulations adopted under this section shall be subject to the civil monetary penalties of
Section 234 of the Act. Furthermore, willful violation of any regulation or order governing
Safeguards Information is a felony subject to criminal penalties in the form of fines or
imprisonment, or both, as prescribed in Section 223 of the Act. The specific penalties
associated with such violations will be determined by the staff in its implementation of the NRC
Enforcement Policy, and the discretion of the Commission based on the details and significance
of any violation. Statutory maximum penalties are addressed in Attachment 1.
The NRC will continue to evaluate its requirements, policies and guidance concerning the
protection and unauthorized disclosure of Safeguards Information. Licensees and other
stakeholders will be informed of proposed revisions or clarifications.
BACKFIT DISCUSSION
The RIS and the attachment do not request any action or written response; therefore, the staff
did not perform a backfit analysis.
FEDERAL REGISTER NOTIFICATION
A notice of opportunity for public comment on this RIS was not published in the Federal
Register.
Page 4 of 4
PAPERWORK REDUCTION ACT STATEMENT
This RIS does not request any information collection and, therefore, is not subject to the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.).
If you have any questions about this matter, please contact the person listed below.
/RA/
/RA/
Charles L. Miller, Director
William D. Beckner, Program Director
Division of Industrial and
Operating Reactor Improvements Program
Medical Nuclear Safety
Division of Regulatory Improvement Programs
Office of Nuclear Materials Safety
Office of Nuclear Reactor Regulation
and Safeguards
Contact:
Bernard Stapleton, NSIR
(301) 415-2432
E-mail: bws2@nrc.gov
Attachments: 1. Summary of Safeguards Information Requirements
2. List of Recently Issued NRC Regulatory Issue Summaries
Attachment 1
Page 1 of 4
SUMMARY OF SAFEGUARDS INFORMATION REQUIREMENTS
I. AUTHORITY
The Atomic Energy Act of 1954, as amended, 42 U.S.C. §§ 2011 et seq. (Act), grants the
Nuclear Regulatory Commission broad and unique authority to prohibit the unauthorized
disclosure of Safeguards Information upon a determination that the unauthorized disclosure of
such information could reasonably be expected to have a significant adverse effect on the
health and safety of the public or the common defense and security by significantly increasing
the likelihood of theft, diversion, or sabotage of materials or facilities subject to NRC jurisdiction.
Section 147 of the Act, 42 U.S.C. § 2167.
For licensees and any other person, whether or not a licensee (primarily 10 C.F.R. Part 50
reactor licensees, 10 C.F.R. Part 70 licensees for special nuclear material, and their employees
and contractors) subject to the requirements in 10 C.F.R. Part 73, Safeguards Information is
defined by NRC regulation as follows:
Safeguards Information means information not otherwise classified as National
Security Information or Restricted Data which specifically identifies a licensee's
or applicant's detailed, (1) security measures for the physical protection of
special nuclear material, or (2) security measures for the physical protection and
location of certain plant equipment vital to the safety of production or utilization
facilities.
10 C.F.R. § 73.2.
Specific requirements for the protection of Safeguards Information are contained in
10 C.F.R. § 73.21. Access to Safeguards Information is limited as follows:
(c) Access to Safeguards Information. (1) Except as the Commission may
otherwise authorize, no person may have access to Safeguards Information
unless the person has an established "need to know" for the information and is:
(i) An employee, agent, or contractor of an applicant, a licensee, the
Commission, or the United States Government. However, an individual to be
authorized access to Safeguards Information by a nuclear power reactor
applicant or licensee must undergo a Federal Bureau of Investigation criminal
history check to the extent required by 10 CFR 73.57;
(ii) A member of a duly authorized committee of the Congress;
(iii) The Governor of a State or designated representatives;
(iv) A representative of the International Atomic Energy Agency (IAEA) engaged
in activities associated with the U.S./IAEA Safeguards Agreement who has been
certified by the NRC;
Attachment 1
Page 2 of 4
(v) A member of a state or local law enforcement authority that is responsible for
responding to requests for assistance during safeguards emergencies; or
(vi) An individual to whom disclosure is ordered pursuant to § 2.744(e) of this
chapter [10 CFR 2.744(e)].
(2) Except as the Commission may otherwise authorize, no person may disclose
Safeguards Information to any other person except as set forth in paragraph
(c)(1) of this section.
10 C.F.R. § 73.21(c).
The need to know requirement is specified by NRC regulation as follows:
Need to know means a determination by a person having responsibility for
protecting Safeguards Information that a proposed recipient's access to
Safeguards Information is necessary in the performance of official, contractual,
or licensee duties of employment.
10 C.F.R. § 73.2.
Thus, unless otherwise authorized by the Commission, NRC regulations limit access to
Safeguards Information to certain specified individuals who have been determined to have a
need to know, i.e., specified individuals whose access has been determined to be necessary
in the performance of official, contractual or licensee duties of employment.
Furthermore, except as otherwise authorized by the Commission, no person may disclose
Safeguards Information to any other person unless that other person is one of the specified
persons listed in 10 C.F.R. § 73.21(c)(1) and that person also has a need to know.
10 C.F.R. § 73.21(c)(2). These regulations and prohibitions on unauthorized disclosure of
Safeguards Information are applicable to all licensees and all individuals:
This part [10 C.F.R. Part 73] prescribes requirements for the protection of
Safeguards Information in the hands of any person, whether or not a licensee of
the Commission, who produces, receives, or acquires Safeguards Information.
10 C.F.R. § 73.1(b)(7).
The Commissions statutory authority to protect and prohibit the unauthorized disclosure of
Safeguards Information is even broader than is reflected in these regulations. Section 147 of
the Act grants the Commission explicit authority to issue such orders, as necessary to prohibit
the unauthorized disclosure of safeguards information . . . . This authority extends to
information concerning special nuclear material, source material, and byproduct material, as
well as production and utilization facilities.
Attachment 1
Page 3 of 4
The Act explicitly provides: Any person, whether or not a licensee of the Commission, who
violates any regulations adopted under this section shall be subject to the civil monetary
penalties of Section 234 of this Act. Section 147a of the Act. Section 234a of the Act
provides for a civil monetary penalty not to exceed $120,000 for each violation. See
10 C.F.R. § 2.205(j) (2003). Furthermore, a willful violation of any regulation or order governing
Safeguards Information is a felony subject to criminal penalties in the form of fines or
imprisonment, or both. See Sections 147b and 223a of the Act.
The NRC Enforcement Policy outlines potential NRC actions against both licensees and
individuals for violations of the regulations and Orders using criteria that evaluate both the
details and severity of the violation.
II. DISCUSSION
All licensees and all other persons who now have, or in the future may have, access to
Safeguards Information must comply with all applicable requirements delineated in regulations
and Orders governing the handling and unauthorized disclosure of Safeguards Information. As
stipulated in 10 C.F.R. § 73.21(a), licensees and persons who produce, receive or acquire
Safeguards Information are required to ensure that Safeguards Information is protected against
unauthorized disclosure. To meet this requirement, licensees and persons subject to
10 C.F.R. § 73.21(a) shall establish and maintain an information protection system governing
the proper handling and unauthorized disclosure of Safeguards Information. All licensees
should be aware that since the requirements of 10 C.F.R. § 73.21(a) apply to all persons who
receive Safeguards Information, they apply to all contractors whose employees may have
access to Safeguards Information and they must either adhere to the licensees policies and
procedures on Safeguards Information or develop, maintain and implement their own
information protection system, but the licensees remain responsible for the conduct of their
contractors. The elements of the required information protection system are specified in
10 C.F.R. § 73.21(b) through (i). The information protection system must address, at a
minimum, the following: the general performance requirement that each person who produces,
receives, or acquires Safeguards Information shall ensure that Safeguards Information is
protected against unauthorized disclosure; protection of Safeguards Information at fixed sites,
in use and in storage, and while in transit; inspections, audits and evaluations; correspondence
containing Safeguards Information; access to Safeguards Information; preparation, marking,
reproduction and destruction of documents; external transmission of documents; use of
automatic data processing systems; and removal of the Safeguards Information category.
As noted above, in addition to the responsibility of each licensee to ensure that all of its
employees, contractors and subcontractors, and their employees comply with applicable
requirements, all contractors, subcontractors, and individual employees also are individually
responsible for complying with applicable requirements and all are subject to civil and criminal
sanctions for failures to comply. The NRC considers that violations of the requirements
applicable to the handling of Safeguards Information are a serious breach of adequate
protection of the public health and safety and the common defense and security of the United
States.
Attachment 1
Page 4 of 4
As a result, the staff intends to use the NRC Enforcement Policy, including the discretion to
increase penalties for violations, to determine appropriate sanctions against licensees and
individuals who violate these requirements. In addition, the Commission may use its discretion,
based on the severity of the violation, to further increase the penalty for any violation up to the
statutory maximum. Willful violations of these requirements will also be referred to the
Department of Justice for a determination of whether criminal penalties will be pursued.