Protection of WMD Safeguards Information

This file is available on a Cryptome DVD offered by Cryptome. Donate $25 for a DVD of the Cryptome 10-year archives of 35,000 files from June 1996 to June 2006 (~3.5 GB). Click Paypal or mail check/MO made out to John Young, 251 West 89th Street, New York, NY 10024. Archives include all files of cryptome.org, cryptome2.org, jya.com, cartome.org, eyeball-series.org and iraq-kill-maim.org. Cryptome offers with the Cryptome DVD an INSCOM DVD of about 18,000 pages of counter-intelligence dossiers declassified by the US Army Information and Security Command, dating from 1945 to 1985. No additional contribution required -- $25 for both. The DVDs will be sent anywhere worldwide without extra cost.

13 October 2006

Two notices.

[Federal Register: October 13, 2006 (Volume 71, Number 198)]
[Notices]
[Page 60583-60587]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13oc06-110]

-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[EA-06-241]

In the Matter of All Licensees Who Possess Radioactive Material
in Quantities of Concern and All Other Persons Who Obtain Safeguards
Information Described Herein; Order Imposing Requirements for the
Protection of Certain Safeguards Information (Effective Immediately)

The Licensees, identified in Attachment 1 \1\ to this Order, hold
licenses issued in accordance with the Atomic Energy Act of 1954, by
the U.S. Nuclear Regulatory Commission (NRC or Commission) or an
Agreement State, authorizing them to possess and transfer items
containing radioactive material quantities of concern. The NRC intends
to issue security Orders to these licensees in the near future. Orders
will be issued to both NRC and Agreement State materials licensees who
may transport radioactive material quantities of concern. The Orders
will require compliance with specific Additional Security Measures to
enhance the security for transport of certain radioactive material
quantities of concern. The NRC will issue Orders to both NRC and
Agreement State licensees under its authority to protect the common
defense and security, which has not been relinquished to the Agreement
States. The Commission has determined that these documents will contain
Safeguards Information, will not be released to the public, and must be
protected from unauthorized disclosure. Therefore, the Commission is
imposing the requirements, as set forth in Attachments 2 and 3 to this
Order and in Order EA-06-242, so that affected Licensees can receive
these documents. This Order also imposes requirements for the
protection of Safeguards

[[Page 60584]]

Information in the hands of any person,\2\ whether or not a licensee of
the Commission, who produces, receives, or acquires Safeguards
Information.
---------------------------------------------------------------------------

\1\ Attachment 1 contains sensitive information and will not be
released to the public.
\2\ Person means (1) any individual, corporation, partnership,
firm, association, trust, estate, public or private institution,
group, government agency other than the Commission or the
Department, except that the Department shall be considered a person
with respect to those facilities of the Department specified in
section 202 of the Energy Reorganization Act of 1974 (88 Stat.
1244), any State or any political subdivision of, or any political
entity within a State, any foreign government or nation or any
political subdivision of any such government or nation, or other
entity; and (2) any legal successor, representative, agent, or
agency of the foregoing.
---------------------------------------------------------------------------

The Commission has broad statutory authority to protect and
prohibit the unauthorized disclosure of Safeguards Information. Section
147 of the Atomic Energy Act of 1954, as amended, grants the Commission
explicit authority to ``* * * issue such orders, as necessary to
prohibit the unauthorized disclosure of safeguards information * * *''
This authority extends to information concerning transfer of special
nuclear material, source material, and byproduct material. Licensees
and all persons who produce, receive, or acquire Safeguards Information
must ensure proper handling and protection of Safeguards Information to
avoid unauthorized disclosure in accordance with the specific
requirements for the protection of Safeguards Information contained in
Attachments 2 and 3 to this Order. The Commission hereby provides
notice that it intends to treat violations of the requirements
contained in Attachments 2 and 3 to this Order applicable to the
handling and unauthorized disclosure of Safeguards Information as
serious breaches of adequate protection of the public health and safety
and the common defense and security of the United States. Access to
Safeguards Information is limited to those persons who have established
the need-to-know the information, are considered to be trustworthy and
reliable, and meet the requirements of Order EA-06-242. A need-to-know
means a determination by a person having responsibility for protecting
Safeguards Information that a proposed recipient's access to Safeguards
Information is necessary in the performance of official, contractual,
or licensee duties of employment. Licensees and all other persons who
obtain Safeguards Information must ensure that they develop, maintain
and implement strict policies and procedures for the proper handling of
Safeguards Information to prevent unauthorized disclosure, in
accordance with the requirements in Attachments 2 and 3 to this Order.
All licensees must ensure that all contractors whose employees may have
access to Safeguards Information either adhere to the licensee's
policies and procedures on Safeguards Information or develop, maintain
and implement their own acceptable policies and procedures. The
licensees remain responsible for the conduct of their contractors. The
policies and procedures necessary to ensure compliance with applicable
requirements contained in Attachments 2 and 3 to this Order must
address, at a minimum, the following: the general performance
requirement that each person who produces, receives, or acquires
Safeguards Information shall ensure that Safeguards Information is
protected against unauthorized disclosure; protection of Safeguards
Information at fixed sites, in use and in storage, and while in
transit; correspondence containing Safeguards Information; access to
Safeguards Information; preparation, marking, reproduction and
destruction of documents; external transmission of documents; use of
automatic data processing systems; removal of the Safeguards
Information category; the need-to-know the information; and background
checks to determine access to the information.
In order to provide assurance that the licensees are implementing
prudent measures to achieve a consistent level of protection to
prohibit the unauthorized disclosure of Safeguards Information, all
licensees who hold licenses issued by the U.S. Nuclear Regulatory
Commission or an Agreement State authorizing them to possess and who
may transport items containing radioactive material quantities of
concern shall implement the requirements identified in Attachments 2
and 3 to this Order. The Commission recognizes that licensees may have
already initiated many of the measures set forth in Attachments 2 and 3
to this Order for handling of Safeguards Information in conjunction
with current NRC license requirements or previous NRC Orders.
Additional measures set forth in Attachments 2 and 3 to this Order
should be incorporated into the licensee's current program for
Safeguards Information. In addition, pursuant to 10 CFR Part 2.202, I
find that in light of the common defense and security matters
identified above, which warrant the issuance of this Order, the public
health, safety and interest require that this Order be effective
immediately.

III

Accordingly, pursuant to Sections 81, 147, 161b, 161i, 161o, 182
and 186 of the Atomic Energy Act of 1954, as amended, and the
Commission's regulations in 10 CFR 2.202, 10 CFR Part 30, 10 CFR Part
32, 10 CFR Part 35, and 10 CFR Part 70, It is hereby ordered, effective
immediately, that all licensees identified in Attachment 1 to this
order and all other persons who produce, receive, or acquire the
additional security measures identified above (whether draft or final)
or any related safeguards information shall comply with the
requirements of Attachments 2 and 3 to this order.
The Director, Office of Federal and State Materials and
Environmental Management Programs, may, in writing, relax or rescind
any of the above conditions upon demonstration of good cause by the
licensee.

[[Page 60585]]

answers and requests for hearing be transmitted to the Secretary of the
Commission either by means of facsimile transmission to 301-415-1101 or
by e-mail to hearingdocket@nrc.gov and also to the Office of the
General Counsel either by means of facsimile transmission to 301-415-
3725 or by e-mail to OGCMailCenter@nrc.gov. If a person other than the
Licensee requests a hearing, that person shall set forth with
particularity the manner in which his interest is adversely affected by
this Order and shall address the criteria set forth in 10 CFR 2.309.
If a hearing is requested by the Licensee or a person whose
interest is adversely affected, the Commission will issue an Order
designating the time and place of any hearing. If a hearing is held,
the issue to be considered at such hearing shall be whether this Order
should be sustained.
Pursuant to 10 CFR 2.202(c)(2)(i), the Licensee may, in addition to
demanding a hearing, at the time the answer is filed or sooner, move
the presiding officer to set aside the immediate effectiveness of the
Order on the ground that the Order, including the need for immediate
effectiveness, is not based on adequate evidence but on mere suspicion,
unfounded allegations, or error. In the absence of any request for
hearing, or written approval of an extension of time in which to
request a hearing, the provisions specified in Section III above shall
be final twenty (20) days from the date of this Order without further
order or proceedings. If an extension of time for requesting a hearing
has been approved, the provisions specified in Section III shall be
final when the extension expires if a hearing request has not been
received.
An answer or a request for hearing shall not stay the immediate
effectiveness of this order.

Dated this 4th day of October 2006.

For the Nuclear Regulatory Commission.
Charles L. Miller,
Director, Office of Federal and State Materials and Environmental
Management Programs.

Attachment 1--List of Applicable Materials Licensees

Redacted

Attachment 2--Modified Handling Requirements for the Protection of
Certain Safeguards Information (SGI-M)

Modified Handling Requirements for the Protection of Certain Safeguards
Information (SGI-M)

General Requirement

Information and material that the U.S. Nuclear Regulatory
Commission (NRC) determines are safeguards information must be
protected from unauthorized disclosure. In order to distinguish
information needing modified protection requirements from the
safeguards information for reactors and fuel cycle facilities that
require a higher level of protection, the term ``Safeguards
Information-Modified Handling'' (SGI-M) is being used as the
distinguishing marking for certain materials licensees. Each person
who produces, receives, or acquires SGI-M shall ensure that it is
protected against unauthorized disclosure. To meet this requirement,
licensees and persons shall establish and maintain an information
protection system that includes the measures specified below.
Information protection procedures employed by state and local police
forces are deemed to meet these requirements.

Persons Subject to These Requirements

Any person, whether or not a licensee of the NRC, who produces,
receives, or acquires SGI-M is subject to the requirements (and
sanctions) of this document. Firms and their employees that supply
services or equipment to materials licensees would fall under this
requirement if they possess facility SGI-M. A licensee must inform
contractors and suppliers of the existence of these requirements and
the need for proper protection. (See more under Conditions for
Access)
State or local police units who have access to SGI-M are also
subject to these requirements. However, these organizations are
deemed to have adequate information protection systems. The
conditions for transfer of information to a third party, i.e., need-
to-know, would still apply to the police organization as would
sanctions for unlawful disclosure. Again, it would be prudent for
licensees who have arrangements with local police to advise them of
the existence of these requirements.

Criminal and Civil Sanctions

The Atomic Energy Act of 1954, as amended, explicitly provides
that any person, ``whether or not a licensee of the Commission, who
violates any regulations adopted under this section shall be subject
to the civil monetary penalties of section 234 of this Act.''
Furthermore, willful violation of any regulation or order governing
safeguards information is a felony subject to criminal penalties in
the form of fines or imprisonment, or both. See sections 147b. and
223 of the Act.

Conditions for Access

Access to SGI-M beyond the initial recipients of the order will
be governed by the background check requirements imposed by the
order. Access to SGI-M by licensee employees, agents, or contractors
must include both an appropriate need-to-know determination by the
licensee, as well as a determination concerning the trustworthiness
of individuals having access to the information. Employees of an
organization affiliated with the licensee's company, e.g., a parent
company, may be considered as employees of the licensee for access
purposes.

Need-To-Know

Need-to-know is defined as a determination by a person having
responsibility for protecting SGI-M that a proposed recipient's
access to SGI-M is necessary in the performance of official,
contractual, or licensee duties of employment. The recipient should
be made aware that the information is SGI-M and those having access
to it are subject to these requirements as well as criminal and
civil sanctions for mishandling the information.

Occupational Groups

Dissemination of SGI-M is limited to individuals who have an
established need-to-know and who are members of certain occupational
groups. These occupational groups are:
A. An employee, agent, or contractor of an applicant, a
licensee, the Commission, or the United States Government;
B. member of a duly authorized committee of the Congress;
C. The Governor of a State or his designated representative;
D. A representative of the International Atomic Energy Agency
(IAEA) engaged in activities associated with the U.S./IAEA
Safeguards Agreement who has been certified by the NRC;
E. A member of a state or local law enforcement authority that
is responsible for responding to requests for assistance during
safeguards emergencies; or
F. A person to whom disclosure is ordered pursuant to Section
2.744(e) of Part 2 of part 10 of the Code of Federal Regulations.
G. State Radiation Control Program Directors (and State Homeland
Security Directors) or their designees.
In a generic sense, the individuals described above in (A)
through (G) are considered to be trustworthy by virtue of their
employment status. For non-governmental individuals in group (A)
above, a determination of reliability and trustworthiness is
required. Discretion must be exercised in granting access to these
individuals. If there is any indication that the recipient would be
unwilling or unable to provide proper protection for the SGI-M, they
are not authorized to receive SGI-M.

Information Considered for Safeguards Information Designation

Information deemed SGI-M is information the disclosure of which
could reasonably be expected to have a significant adverse effect on
the health and safety of the public or the common defense and
security by significantly increasing the likelihood of theft,
diversion, or sabotage of materials or facilities subject to NRC
jurisdiction.
SGI-M identifies safeguards information which is subject to
these requirements. These requirements are necessary in order to
protect quantities of nuclear material significant to the health and
safety of the public or common defense and security.
The overall measure for consideration of SGI-M is the usefulness
of the information (security or otherwise) to an adversary in
planning or attempting a malevolent act. The specificity of the
information increases the likelihood that it will be useful to an
adversary.

[[Page 60586]]

Protection While in Use

While in use, SGI-M shall be under the control of an authorized
individual. This requirement is satisfied if the SGI-M is attended
by an authorized individual even though the information is in fact
not constantly being used. SGI-M, therefore, within alarm stations,
continuously manned guard posts or ready rooms need not be locked in
file drawers or storage containers.
Under certain conditions the general control exercised over
security zones or areas would be considered to meet this
requirement. The primary consideration is limiting access to those
who have a need-to-know. Some examples would be:
Alarm stations, guard posts and guard ready rooms;
Engineering or drafting areas if visitors are escorted and
information is not clearly visible;
Plant maintenance areas if access is restricted and information
is not clearly visible;
Administrative offices (e.g., central records or purchasing) if
visitors are escorted and information is not clearly visible;

Protection While in Storage

While unattended, SGI-M shall be stored in a locked file drawer
or container. Knowledge of lock combinations or access to keys
protecting SGI-M shall be limited to a minimum number of personnel
for operating purposes who have a ``need-to-know'' and are otherwise
authorized access to SGI-M in accordance with these requirements.
Access to lock combinations or keys shall be strictly controlled so
as to prevent disclosure to an unauthorized individual.

Transportation of Documents and Other Matter

Documents containing SGI-M when transmitted outside an
authorized place of use or storage shall be enclosed in two sealed
envelopes or wrappers. The inner envelope or wrapper shall contain
the name and address of the intended recipient, and be marked on
both sides, top and bottom with the words ``Safeguards Information--
Modified Handling.'' The outer envelope or wrapper must be addressed
to the intended recipient, must contain the address of the sender,
and must not bear any markings or indication that the document
contains SGI-M.
SGI-M may be transported by any commercial delivery company that
provides nationwide overnight service with computer tracking
features, U.S. first class, registered, express, or certified mail,
or by any individual authorized access pursuant to these
requirements.
Within a facility, SGI-M may be transmitted using a single
opague envelope. It may also be transmitted within a facility
without single or double wrapping, provided adequate measures are
taken to protect the material against unauthorized disclosure.
Individuals transporting SGI-M should retain the documents in their
personal possession at all times or ensure that the information is
appropriately wrapped and also secured to preclude compromise by an
unauthorized individual.

Preparation and Marking of Documents

While the NRC is the sole authority for determining what
specific information may be designated as ``SGI-M,'' originators of
documents are responsible for determining whether those documents
contain such information. Each document or other matter that
contains SGI-M shall be marked ``Safeguards Information--Modified
Handling'' in a conspicuous manner on the top and bottom of the
first page to indicate the presence of protected information. The
first page of the document must also contain (i) the name, title,
and organization of the individual authorized to make a SGI-M
determination, and who has determined that the document contains
SGI-M, (ii) the date the document was originated or the
determination made, (iii) an indication that the document contains
SGI-M, and (iv) an indication that unauthorized disclosure would be
subject to civil and criminal sanctions. Each additional page shall
be marked in a conspicuous fashion at the top and bottom with
letters denoting ``Safeguards Information--Modified Handling.''
In additional to the ``Safeguards Information--Modified
Handling'' markings at the top and bottom of each page, transmittal
letters or memoranda which do not in themselves contain SGI-M shall
be marked to indicate that attachments or enclosures contain SGI-M
but that the transmittal does not (e.g., ``When separated from SGI-M
enclosure(s), this document is decontrolled'').
In addition to the information required on the face of the
document, each item of correspondence that contains SGI-M shall, by
marking or other means, clearly indicate which portions (e.g.,
paragraphs, pages, or appendices) contain SGI-M and which do not.
Portion marking is not required for physical security and safeguards
contingency plans.
All documents or other matter containing SGI-M in use or storage
shall be marked in accordance with these requirements. A specific
exception is provided for documents in the possession of contractors
and agents of licensees that were produced more than one year prior
to the effective date of the order. Such documents need not be
marked unless they are removed from file drawers or containers. The
same exception applies to old documents stored away from the
facility in central files or corporation headquarters.
Since information protection procedures employed by state and
local police forces are deemed to meet NRC requirements, documents
in the possession of these agencies need not be marked as set forth
in this document.

Removal From SGI-M Category

Documents containing SGI-M shall be removed from the SGI-M
category (decontrolled) only after the NRC determines that the
information no longer meets the criteria of SGI-M. Licensees have
the authority to make determinations that specific documents which
they created no longer contain SGI-M information and may be
decontrolled. Consideration must be exercised to ensure that any
document decontrolled shall not disclose SGI-M in some other form or
be combined with other unprotected information to disclose SGI-M.
The authority to determine that a document may be decontrolled
may be exercised only by, or with the permission of, the individual
(or office) who made the original determination. The document shall
indicate the name and organization of the individual removing the
document from the SGI-M category and the date of the removal. Other
persons who have the document in their possession should be notified
of the decontrolling of the document.

Reproduction of Matter Containing SGI-M

SGI-M may be reproduced to the minimum extent necessary
consistent with need without permission of the originator. Newer
digital copiers which scan and retain images of documents represent
a potential security concern. If the copier is retaining SGI-M
information in memory, the copier cannot be connected to a network.
It should also be placed in a location that is cleared and
controlled for the authorized processing of SGI-M information.
Different copiers have different capabilities, including some which
come with features that allow the memory to be erased. Each copier
would have to be examined from a physical security perspective.

Use of Automatic Data Processing (ADP) Systems

SGI-M may be processed or produced on an ADP system provided
that the system is assigned to the licensee's or contractor's
facility and requires the use of an entry code/password for access
to stored information. Licensees are encouraged to process this
information in a computing environment that has adequate computer
security controls in place to prevent unauthorized access to the
information. An ADP system is defined here as a data processing
system having the capability of long term storage of SGI-M. Word
processors such as typewriters are not subject to the requirements
as long as they do not transmit information off-site. (Note: If SGI-
M is produced on a typewriter, the ribbon must be removed and stored
in the same manner as other SGI-M information or media.) The basic
objective of these restrictions is to prevent access and retrieval
of stored SGI-M by unauthorized individuals, particularly from
remote terminals. Specific files containing SGI-M will be password-
protected to preclude access by an unauthorized individual. The
National Institute of Standards and Technology (NIST) maintains a
listing of all validated encryption systems at http://csrc.nist.gov/cryptval/140-1/1401val.htm.
SGI-M files may be transmitted over a

network if the file is encrypted. In such cases, the licensee will
select a commercially available encryption system that NIST has
validated as conforming to Federal Information Processing Standards
(FIPS). SGI-M files shall be properly labeled as ``Safeguards
Information--Modified Handling'' and saved to removable media and
stored in a locked file drawer or cabinet.

Telecommunications

SGI-M may not be transmitted by unprotected telecommunications
circuits

[[Page 60587]]

except under emergency or extraordinary conditions. For the purpose
of this requirement, emergency or extraordinary conditions are
defined as any circumstances that require immediate communications
in order to report, summon assistance for, or respond to a security
event (or an event that has potential security significance).
This restriction applies to telephone, telegraph, teletype,
facsimile circuits, and to radio. Routine telephone or radio
transmission between site security personnel, or between the site
and local police, should be limited to message formats or codes that
do not disclose facility security features or response procedures.
Similarly, call-ins during transport should not disclose information
useful to a potential adversary. Infrequent or non-repetitive
telephone conversations regarding a physical security plan or
program are permitted provided that the discussion is general in
nature.
Individuals should use care when discussing SGI-M at meetings or
in the presence of others to ensure that the conversation is not
overheard by persons not authorized access. Transcripts, tapes or
minutes of meetings or hearings that contain SGI-M shall be marked
and protected in accordance with these requirements.

Destruction

Documents containing SGI-M should be destroyed when no longer
needed. They may be destroyed by tearing into small pieces, burning,
shredding or any other method that precludes reconstruction by means
available to the public at large. Piece sizes one half inch or
smaller composed of several pages or documents and thoroughly mixed
would be considered completely destroyed.

Attachment 3--Trustworthiness and Reliability Requirements for
Individuals Handling Safeguards Information

Trustworthiness and Reliability Requirements for Individuals Handling
Safeguards Information

In order to ensure the safe handling, use, and control of
information designated as Safeguards Information, each licensee
shall control and limit access to the information to only those
individuals who have established the need-to-know the information,
and are considered to be trustworthy and reliable. Licensees shall
document the basis for concluding that there is reasonable assurance
that individuals granted access to Safeguards Information are
trustworthy and reliable, and do not constitute an unreasonable risk
for malevolent use of the information.
The Licensee shall comply with the requirements of this
attachment:
1. The trustworthiness and reliability of an individual shall be
determined based on a background investigation:
(a) The background investigation shall address at least the past
three (3) years, and, at a minimum, include verification of
employment, education, and personal references. The licensee shall
also, to the extent possible, obtain independent information to
corroborate that provided by the employee (i.e., seeking references
not supplied by the individual).
(b) If an individual's employment has been less than the
required three (3) year period, educational references may be used
in lieu of employment history.
The licensee's background investigation requirements may be
satisfied for an individual that has an active Federal security
clearance.
2. The licensee shall retain documentation regarding the
trustworthiness and reliability of individual employees for three
years after the individual's employment ends.

[FR Doc. E6-16995 Filed 10-12-06; 8:45 am]

BILLING CODE 7590-01-P

[Federal Register: October 13, 2006 (Volume 71, Number 198)]
[Notices]
[Page 60587-60590]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr13oc06-111]

-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

[EA-06-242]

In the Matter of All Licensees Identified in Attachment 1 to
Order EA-06-241 and All Other Persons Who Seek or Obtain Access to
Safeguards Information Described Herein; Order Imposing Fingerprinting
and Criminal History Records Check Requirements for Access to
Safeguards Information (Effective Immediately)

The Licensees identified in Attachment 1 \1\ to Order EA-06-241
hold licenses issued in accordance with the Atomic Energy Act (AEA) of
1954, as amended, by the U.S. Nuclear Regulatory Commission (NRC or
Commission) or Agreement States, authorizing them to engage in an
activity subject to regulation by the Commission or Agreement States.
On August 8, 2005, the Energy Policy Act of 2005 (EPAct) was enacted.
Section 652 of the EPAct amended Section 149 of the AEA to require
fingerprinting and a Federal Bureau of Investigation (FBI)
identification and criminal history records check of any person who is
to be permitted to have access to Safeguards Information (SGI).\2\ The
NRC's implementation of this requirement cannot await the completion of
the SGI rulemaking, which is underway, because the EPAct fingerprinting
and criminal history records check requirements for access to SGI were
immediately effective upon enactment of the EPAct. Although the EPAct
permits the Commission by rule to except certain categories of
individuals from the fingerprinting requirement, which the Commission
has done (see 10 CFR Part 73.59, 71 FR 33,989 (June 13, 2006)), it is
unlikely that licensee employees or others are excepted from the
fingerprinting requirement by the ``fingerprinting relief'' rule.
Individuals relieved from fingerprinting and criminal history records
checks under the relief rule include Federal, State, and local
officials and law enforcement personnel; Agreement State inspectors who
conduct security inspections on behalf of the NRC; members of Congress
and certain employees of members of Congress or Congressional
Committees, and representatives of the International Atomic Energy
Agency (IAEA) or certain foreign government organizations. In addition,
individuals who have a favorably-decided U.S. Government criminal
history records check within the last five (5) years, or individuals
who have active Federal security clearances (provided in either case
that they make available the appropriate documentation), have satisfied
the EPAct fingerprinting requirement and need not be fingerprinted
again. Therefore, in accordance with Section 149 of the AEA, as amended
by the EPAct, the Commission is imposing additional requirements for
access to SGI, as set forth by this Order, so that affected licensees
can obtain and grant access to SGI. This Order also imposes
requirements for access to SGI by any person, from any person,\3\
whether or not a Licensee, Applicant, or Certificate Holder of the
Commission or Agreement States.
---------------------------------------------------------------------------

\1\ Attachment 1 to Order EA-06-241 contains sensitive
information and will not be released to the public.
\2\ Safeguards Information is a form of sensitive, unclassified,
security-related information that the Commission has the authority
to designate and protect under section 147 of the AEA.
\3\ Person means (1) any individual, corporation, partnership,
firm, association, trust, estate, public or private institution,
group, government agency other than the Commission or the Department
of Energy, except that the Department of Energy shall be considered
a person with respect to those facilities of the Department of
Energy specified in section 202 of the Energy Reorganization Act of
1974 (88 Stat. 1244), any State or any political subdivision of, or
any political entity within a State, any foreign government or
nation or any political subdivision of any such government or
nation, or other entity; and (2) any legal successor,
representative, agent, or agency of the foregoing.
---------------------------------------------------------------------------

The Commission has broad statutory authority to protect and
prohibit the unauthorized disclosure of SGI. Section 147 of the AEA
grants the Commission explicit authority to issue such Orders as
necessary to prohibit the unauthorized disclosure of SGI. Furthermore,
Section 652 of the EPAct amended Section 149 of the AEA to require
fingerprinting and an FBI identification and a criminal history records
check of each individual who seeks access to SGI. In addition, no
person may have access to SGI unless

[[Page 60588]]

the person has an established need-to-know the information and
satisfies the trustworthy and reliability requirements described in
Attachment 3 to Order EA-06-241.
In order to provide assurance that the Licensees identified in
Attachment 1 to Order EA-06-241 are implementing appropriate measures
to comply with the fingerprinting and criminal history records check
requirements for access to SGI, all Licensees identified in Attachment
1 to Order EA-06-241 shall implement the requirements of this Order. In
addition, pursuant to 10 CFR 2.202, I find that in light of the common
defense and security matters identified above, which warrant the
issuance of this Order, the public health, safety and interest require
that this Order be effective immediately.

III

Accordingly, pursuant to Sections 81, 147, 149, 161b, 161i, 161o,
182 and 186 of the Atomic Energy Act of 1954, as amended, and the
Commission's regulations in 10 CFR 2.202, 10 CFR Parts 30 and 73, it is
hereby ordered, effective immediately, that all licensees identified in
attachment 1 to order EA-06-241 and all other Persons who seek or
obtain access to safeguards information, as described above, shall
comply with the requirements set forth in this order.
A. 1. No person may have access to SGI unless that person has a
need-to-know the SGI, has been fingerprinted or who has a favorably-
decided FBI identification and criminal history records check, and
satisfies all other applicable requirements for access to SGI.
Fingerprinting and the FBI identification and criminal history records
check are not required, however, for any person who is relieved from
that requirement by 10 CFR 73.59 (71 FR 33989 (June 13, 2006)), or who
has a favorably-decided U.S. Government criminal history records check
within the last five (5) years, or who has an active Federal security
clearance, provided in the latter two cases that the appropriate
documentation is made available to the Licensee's NRC-approved
reviewing official.
2. No person may have access to any SGI if the NRC has determined,
based on fingerprinting and an FBI identification and criminal history
records check, that the person may not have access to SGI.
B. No person may provide SGI to any other person except in
accordance with Condition III.A. above. Prior to providing SGI to any
person, a copy of this Order shall be provided to that person.
C. All Licensees identified in Attachment 1 to Order EA-06-241
shall comply with the following requirements:
1. The Licensee shall, within twenty (20) days of the date of this
Order, establish and maintain a fingerprinting program that meets the
requirements of Attachment 1 to this Order.
2. The Licensee shall, within twenty (20) days of the date of this
Order, submit the fingerprints of one (1) individual who (a) the
Licensee nominates as the ``reviewing official'' for determining access
to SGI by other individuals, and (b) has an established need-to-know
the information and has been determined to be trustworthy and reliable
in accordance with the requirements described in Attachment 3 to Order
EA-06-241. The NRC will determine whether this individual (or any
subsequent reviewing official) may have access to SGI and, therefore,
will be permitted to serve as the Licensee's reviewing official.\4\ The
Licensee may, at the same time or later, submit the fingerprints of
other individuals to whom the Licensee seeks to grant access to SGI.
Fingerprints shall be submitted and reviewed in accordance with the
procedures described in Attachment 1 of this Order.
---------------------------------------------------------------------------

\4\ The NRC's determination of this individual's access to SGI
in accordance with the process described in Enclosure 5 to the
transmittal letter of this Order is an administrative determination
that is outside the scope of this Order.
---------------------------------------------------------------------------

3. The Licensee shall, in writing, within twenty (20) days of the
date of this Order, notify the Commission, (1) if it is unable to
comply with any of the requirements described in this Order, including
Attachment 1 to this Order, or (2) if compliance with any of the
requirements is unnecessary in its specific circumstances. The
notification shall provide the Licensee's justification for seeking
relief from or variation of any specific requirement.
Licensee responses to C.1., C.2., and C.3. above shall be submitted
to the Director, Office of Federal and State Materials and
Environmental Management Programs, U.S. Nuclear Regulatory Commission,
Washington, DC 20555. In addition, Licensee responses shall be marked
as ``Security-Related Information--Withhold Under 10 CFR 2.390.''
The Director, Office of Federal and State Materials and
Environmental Management Programs, may, in writing, relax or rescind
any of the above conditions upon demonstration of good cause by the
Licensee.

In accordance with 10 CFR 2.202, the Licensee must, and any other
person adversely affected by this Order may, submit an answer to this
Order, and may request a hearing on this Order, within twenty (20) days
of the date of this Order. Where good cause is shown, consideration
will be given to extending the time to request a hearing. A request for
extension of time in which to submit an answer or request a hearing
must be made in writing to the Director, Office of Federal and State
Materials and Environmental Management Programs, U.S. Nuclear
Regulatory Commission, Washington, DC 20555, and include a statement of
good cause for the extension. The answer may consent to this Order.
Unless the answer consents to this Order, the answer shall, in writing
and under oath or affirmation, specifically set forth the matters of
fact and law on which the Licensee or other person adversely affected
relies and the reasons as to why the Order should not have been issued.
Any answer or request for a hearing shall be submitted to the
Secretary, Office of the Secretary, U.S. Nuclear Regulatory Commission,
ATTN: Rulemakings and Adjudications Staff, Washington, DC 20555. Copies
also shall be sent to the Director, Office of Federal and State
Materials and Environmental Management Programs, U.S. Nuclear
Regulatory Commission, Washington, DC 20555, and to the Assistant
General Counsel for Materials Litigation and Enforcement at the same
address, and to the Licensee if the answer or hearing request is by a
person other than the Licensee. Because of possible delays in delivery
of mail to United States Government offices, it is requested that
answers and requests for hearing be transmitted to the Secretary of the
Commission either by means of facsimile transmission to 301-415-1101 or
by e-mail to hearingdocket@nrc.gov and also to the Office of the
General Counsel either by means of facsimile transmission to 301-415-
3725 or by e-mail to OGCMailCenter@nrc.gov. If a person other than the
Licensee requests a hearing, that person shall set forth with
particularity the manner in which his/her interest is adversely
affected by this Order and shall address the criteria set forth in 10
CFR 2.309.
If a hearing is requested by the Licensee or a person whose
interest is adversely affected, the Commission will issue an Order
designating the time and place of any hearing. If a hearing is held,
the issue to be considered at such hearing shall be whether this Order
should be sustained.

[[Page 60589]]

Pursuant to 10 CFR 2.202(c)(2)(i), the Licensee may, in addition to
demanding a hearing, at the time the answer is filed or sooner, move
the presiding officer to set aside the immediate effectiveness of the
Order on the ground that the Order, including the need for immediate
effectiveness, is not based on adequate evidence but on mere suspicion,
unfounded allegations, or error. In the absence of any request for
hearing, or written approval of an extension of time in which to
request a hearing, the provisions as specified above in Section III
shall be final twenty (20) days from the date of this Order without
further order or proceedings. If an extension of time for requesting a
hearing has been approved, the provisions as specified above in Section
III shall be final when the extension expires if a hearing request has
not been received.
An answer or a request for hearing shall not stay the immediate
effectiveness of this order.

Dated this 4th day of October 2006.

For the Nuclear Regulatory Commission.
Charles L. Miller,
Director, Office of Federal and State Materials and Environmental
Management Programs.

Attachment 1--Requirements for Fingerprinting and Criminal History
Records Checks of Individuals When Licensee's Reviewing Official is
Determining Access to Safeguards Information

General Requirements

Licensees shall comply with the requirements of this attachment.
A. 1. Each Licensee subject to the provisions of this attachment
shall fingerprint each individual who is seeking or permitted access
to Safeguards Information (SGI). The Licensee shall review and use
the information received from the Federal Bureau of Investigation
(FBI) and ensure that the provisions contained in the subject Order
and this attachment are satisfied.
2. The Licensee shall notify each affected individual that the
fingerprints will be used to secure a review of his/her criminal
history record and inform the individual of the procedures for
revising the record or including an explanation in the record, as
specified in the ``Right to Correct and Complete Information''
section of this attachment.
3. Fingerprints need not be taken if an employed individual
(e.g., a Licensee employee, contractor, manufacturer, or supplier)
is relieved from the fingerprinting requirement by 10 CFR Part
73.59, has a favorably-decided U.S. Government criminal history
records check within the last five (5) years, or has an active
Federal security clearance. Written confirmation from the Agency/
employer which granted the Federal security clearance or reviewed
the criminal history records check must be provided. The Licensee
must retain this documentation for a period of three (3) years from
the date the individual no longer requires access to SGI associated
with the Licensee's activities.
4. All fingerprints obtained by the Licensee pursuant to this
Order must be submitted to the Commission for transmission to the
FBI.
5. The Licensee shall review the information received from the
FBI and consider it, in conjunction with the trustworthy and
reliability requirements included in Attachment 3 to this Order, in
making a determination whether to grant access to SGI to individuals
who have a need-to-know the SGI.
6. The Licensee shall use any information obtained as part of a
criminal history records check solely for the purpose of determining
an individual's suitability for access to SGI.
7. The Licensee shall document the basis for its determination
whether to grant access to SGI.
B. The Licensee shall notify the NRC of any desired change in
reviewing officials. The NRC will determine whether the individual
nominated as the new reviewing official may have access to SGI based
on a previously-obtained or new criminal history check and,
therefore, will be permitted to serve as the Licensee's reviewing
official.

Prohibitions

A Licensee shall not base a final determination to deny an
individual access to SGI solely on the basis of information received
from the FBI involving: An arrest more than one (1) year old for
which there is no information of the disposition of the case, or an
arrest that resulted in dismissal of the charge or an acquittal.
A Licensee shall not use information received from a criminal
history check obtained pursuant to this Order in a manner that would
infringe upon the rights of any individual under the First Amendment
to the Constitution of the United States, nor shall the Licensee use
the information in any way which would discriminate among
individuals on the basis of race, religion, national origin, sex, or
age.

Procedures for Processing Fingerprint Checks

For the purpose of complying with this Order, Licensees shall,
using an appropriate method listed in 10 CFR Part 73.4, submit to
the NRC's Division of Facilities and Security, Mail Stop T-6E46, one
completed, legible standard fingerprint card (Form FD-258,
ORIMDNRCOOOZ) or, where practicable, other fingerprint records for
each individual seeking access to Safeguards Information, to the
Director of the Division of Facilities and Security, marked for the
attention of the Division's Criminal History Check Section. Copies
of these forms may be obtained by writing the Office of Information
Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555-
0001, by calling (301) 415-5877, or by e-mail to forms@nrc.gov.
Practicable alternative formats are set forth in 10 CFR Part 73.4.
The Licensee shall establish procedures to ensure that the quality
of the fingerprints taken results in minimizing the rejection rate
of fingerprint cards due to illegible or incomplete cards.
The NRC will review submitted fingerprint cards for
completeness. Any Form FD-258 fingerprint record containing
omissions or evident errors will be returned to the Licensee for
corrections. The fee for processing fingerprint checks includes one
re-submission if the initial submission is returned by the FBI
because the fingerprint impressions cannot be classified. The one
free re-submission must have the FBI Transaction Control Number
reflected on the re-submission. If additional submissions are
necessary, they will be treated as initial submittals and will
require a second payment of the processing fee.
Fees for processing fingerprint checks are due upon application.
Licensees shall submit payment with the application for processing
fingerprints by corporate check, certified check, cashier's check,
money order, or electronic payment, made payable to ``U.S. NRC.''
[For guidance on making electronic payments, contact the Facilities
Security Branch, Division of Facilities and Security, at (301) 415-
7404]. Combined payment for multiple applications is acceptable. The
application fee (currently $27) is the sum of the user fee charged
by the FBI for each fingerprint card or other fingerprint record
submitted by the NRC on behalf of a Licensee, and an NRC processing
fee, which covers administrative costs associated with NRC handling
of Licensee fingerprint submissions. The Commission will directly
notify Licensees who are subject to this regulation of any fee
changes.
The Commission will forward to the submitting Licensee all data
received from the FBI as a result of the Licensee's application(s)
for criminal history records checks, including the FBI fingerprint
record.

Right to Correct and Complete Information

Prior to any final adverse determination, the Licensee shall
make available to the individual the contents of any criminal
records obtained from the FBI for the purpose of assuring correct
and complete information. Written confirmation by the individual of
receipt of this notification must be maintained by the Licensee for
a period of one (1) year from the date of the notification.
If, after reviewing the record, an individual believes that it
is incorrect or incomplete in any respect and wishes to change,
correct, or update the alleged deficiency, or to explain any matter
in the record, the individual may initiate challenge procedures.
These procedures include either direct application by the individual
challenging the record to the agency (i.e., law enforcement agency)
that contributed the questioned information, or direct challenge as
to the accuracy or completeness of any entry on the criminal history
record to the Assistant Director, Federal Bureau of Investigation
Identification Division, Washington, DC 20537-9700 (as set forth in
28 CFR Part 16.30 through 16.34). In the latter case, the FBI
forwards the challenge to the agency that submitted the data and
requests that agency to verify or correct the challenged entry. Upon
receipt of an official communication directly from the agency that
contributed the original information, the FBI Identification
Division makes any changes necessary in accordance with the
information supplied by that agency. The Licensee must provide at
least ten (10) days for an

[[Page 60590]]

individual to initiate an action challenging the results of an FBI
criminal history records check after the record is made available
for his/her review. The Licensee may make a final SGI access
determination based upon the criminal history record only upon
receipt of the FBI's ultimate confirmation or correction of the
record. Upon a final adverse determination on access to SGI, the
Licensee shall provide the individual its documented basis for
denial. Access to SGI shall not be granted to an individual during
the review process.

Protection of Information

1. Each Licensee who obtains a criminal history record on an
individual pursuant to this Order shall establish and maintain a
system of files and procedures for protecting the record and the
personal information from unauthorized disclosure.
2. The Licensee may not disclose the record or personal
information collected and maintained to persons other than the
subject individual, his/her representative, or to those who have a
need to access the information in performing assigned duties in the
process of determining access to Safeguards Information. No
individual authorized to have access to the information may re-
disseminate the information to any other individual who does not
have a need-to-know.
3. The personal information obtained on an individual from a
criminal history record check may be transferred to another Licensee
if the Licensee holding the criminal history record check receives
the individual's written request to re-disseminate the information
contained in his/her file, and the gaining Licensee verifies
information such as the individual's name, date of birth, social
security number, sex, and other applicable physical characteristics
for identification purposes.
4. The Licensee shall make criminal history records, obtained
under this section, available for examination by an authorized
representative of the NRC to determine compliance with the
regulations and laws.
5. The Licensee shall retain all fingerprint and criminal
history records received from the FBI, or a copy if the individual's
file has been transferred, for three (3) years after termination of
employment or determination of access to SGI (whether access was
approved or denied). After the required three (3) year period, these
documents shall be destroyed by a method that will prevent
reconstruction of the information in whole or in part.

[FR Doc. E6-16996 Filed 10-12-06; 8:45 am]

BILLING CODE 7590-01-P