SAFEGUARDS INFORMATION AUTHORITY: Secs. 145. 161b.. .. and o.. Pub. L. 83-703, 68 Stat. 942. as amended. 948, as amended (42 U.S.C. 2165. 2201): Sec. 201(f). Pub. L. 93-438. 88 Stat. 1243 (42 U.S.C. 5841); E.O. 10865 and E.O. 12065. Sec. 95.36 also issued under Sec. 122. Pub. L. 83 703. 68 Stat. 939 (42 U.S.C. 2152).

SOURCE: 45 FR 14483. Mar. 5. 1980, unless otherwise noted.

GENERAL PROVISIONS

$95.1 Purpose.

The regulations in this part estab lish procedures for obtaining security

facility approval and for safeguarding Secret and Confidential National Security Information and Restricted Data received or developed in conjunction with activities licensed or regulated by the Commission. This part does not apply to Top Secret information since no such information may be forwarded to licensees or others within the scope of an NRC license.

$95.3 Scope.

The regulations in this part apply to licensees and others regulated by the Commission who may require access to National Security Information and/or Restricted Data used. processed. stored, reproduced. transmitted or handled in connection with a license or application for a license.

§ 95.5 Definitions.

"Access authorization" is an administrative determination by the Commission that an individual (including a consultant) who is employed by or an applicant for employment with Commission contractors, licensee contractors, agents, or licensees of the Commission or any other individual designated by the Executive Director for Operations is eligible for access to National Security Information and/or Restricted Data; and an individual (including a consultant) who is a Commission employee or applicant for Commission employment is eligible for security clearance.

"Act" means the Atomic Energy Act of 1954 (68 Stat. 919), as amended.

"Authorized Classifier" means an individual authorized in writing by appropriate NRC authority to classify, declassify or downgrade the classification of information. work projects. documents, and materials.

"Classified mail address" means a mail address established for each facility approved by the NRC, to which all National Security Information or Restricted Data for the facility is to be sent.

"Classified matter" means documents and material containing classified information.

"Combination lock" means a three position, manipulation resistant, dial type lock bearing an Underwriters'

Laboratories, Inc. certification that it is a Group 1 or Group IR unit.

"Commission" means the Nuclear Regulatory Commission or its duly authorized representatives.

"Infraction" means an act or omission involving failure to comply with NRC security regulations, and may include a violation of law.

"Intrusion alarm" means a tamperindicating electrical, electro-mechanical, electro-optical, electronic or similar device which will detect unauthorized intrusion by an individual into a building, protected area, security area, vital area, or material access area, and alert guards or watchmen by means of actuated visible and audible signals.

"L" access authorization means an access authorization granted by the Commission which is normally based on a National Agency Check (NAC) or NAC and Inquiry (NACI) conducted by the Office of Personnel Management.

"License" means a license issued pursuant to 10 CFR Part 50, 70, or 72. "Material" means chemical substance without regard to form; fabricated or processed item; or assembly, machinery or equipment.

"Matter" means documents or mate

rial.

"National security" means the national defense and foreign relations of the United states.

"National security information" means information or matter that is owned by, produced for or by, or under the control of, the United States Government and that has been determined pursuant to Executive Order 12065 or prior orders to require protection against unauthorized disclosure and is so designated.

"Need-to-know" means a determination, by persons having responsibility for classified information or matter, that a proposed recipient's access to such classified information or matter is necessary in the performance of his official, contractual or licensee duties of employment under the cognizance of the Commission.

"Person" means (1) any individual, corporation, partnership, firm, association, trust, estate, public or private institution, group, government agency other than the Commission or the De

partment of Energy (DOE), except that the DOE shall be considered a person to the extent that its facilities are subject to the licensing and related regulatory authority of the Commission pursuant to section 202 of the Energy Reorganization Act of 1974 and sections 104, 105 and 202 of the Uranium Mill Tailings Radiation Control Act of 1978, any State or any political subdivision of, or any political entity within a State, any foreign government or nation or any political subdivision of any such government or nation, or other entity; and (2) any legal successor, representative, agent or agency of the foregoing.

"Protective personnel” means guards or watchmen as defined in 10 CFR Part 73 or other persons designated responsibility for the protection of classified matter.

"Q" access authorization means an access authorization granted by the Commission based on a full field investigation conducted by the Office of Personnel Management, the Federal Bureau of Investigation, or other U.S. Government agency which conducts personnel security investigations.

"Restricted data" means all data concerning design, manufacture or utilization of atomic weapons, the production of special nuclear material, or the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142 of the Act.

"Security area" means a physically defined space containing classified matter and subject to physical protection and personnel access controls.

"Security container" includes any of the following repositories: (1) A security filing cabinet-one that bears a Test Certification Label on the side of the locking drawer, inside wall adjaIcent to the locking drawer, or interior door plate, and is marked, "General Services Administration Approved Security Container" on the exterior of the top drawer or door.

(2) A safe-burglar-resistive cabinet or chest which bears a label of the Underwriters Laboratories, Inc. certifying the unit to be a TL-15, TL-30, or TRTL-30, and has a body fabricated of not less than 1 inch steel and a door

fabricated of not less than 11⁄2 inches steel exclusive of the combination lock and bolt work; or bears a Test Certification Label on the inside of the door and is marked "General Services Administration Approved Security Container" and has a body of steel at least 1⁄2" thick, and a combination locked steel door at least 1" thick, exclusive of bolt work and locking devices.

(3) A vault-a windowless enclosure constructed with walls, floor, roof and door(s) that will delay penetration sufficient to enable the arrival of emergency response forces capable of preventing theft, diversion, damage or compromise of classified information or matter, when delay time is assessed in

conjunction with detection and communication subsystems of the physical protection system.

(4) A vault-type room-a room which has a combination lock door and is protected by an intrusion alarm system which alarms upon the unauthorized penetration of a person anywhere into the room.

(5) Other repositories which in the judgment of the Division of Security would provide comparable physical protection.

"Security

facility"-any facility which has been approved by NRC for using, processing, storing, reproducing, transmitting or handling classified matter.

"Security facility approval" means that a determination has been made by the NRC that a facility is eligible to use, process, store, reproduce, transmit or handle classified matter.

"Security survey“ is an examination by an NRC representative of all devices, equipment, and procedures employed at a security facility to safeguard classified matter.

[45 FR 14483. Mar. 5, 1980, as amended at 46 FR 58284, Dec. 1. 1981]

§ 95.7 Interpretations.

Except as specifically authorized by the Commission in writing, no interpretation of the meaning of the regulations in this part by any officer or employee of the Commission other than a written interpretation by the General Counsel will be recognized to be binding upon the Commission.

$95.9 Communications.

Except where otherwise specified, all communications and reports concerning the regulations in this part should be addressed to the Director, Division of Security. Nuclear Regulatory Commission, Washington, DC 20555.

$95.11 Specific exemptions.

The Commission may, upon application of any interested party, grant an exemption from the requirements of Part 95. Exemptions will be granted only if they are authorized by law and will not constitute an undue risk to the common defense and security. Documentation related to the request. notification and processing of an exemption shall be maintained for two years beyond the period covered by the exemption.

$95.13 Records maintenance.

Each licensee or organization granted security facility approval under this part shall maintain such records as prescribed within the part. These records shall be subject to review and inspection by NRC representatives during security surveys.

PHYSICAL SECURITY

$95.15 Approval for processing licensees and others for security facility approval.

(a) A licensee, or other person who has a need to use, process, store, reproduce, transmit or handle National Security Information and/or Restricted Data at any location in connection with Commission related activities shall promptly request an NRC security facility approval.

(b) The request shall include the following information: The name of the facility; the location of the facility; a security plan outlining the facility's proposed security procedures and controls for the protection of National Security Information and/or Restricted Data; a floor plan of the area in which the matter is to be used, processed, stored, reproduced, transmitted or handled.

(c) NRC will promptly inform applicants of the acceptability of the request for further processing and will

notify the licensee or other person of their decision in writing.

§ 95.17 Processing security facility approval.

Following receipt of an acceptable request for security facility approval NRC will perform an initial security survey of the licensee or other facility to determine that granting a security facility approval would be consistent with the national security. If NRC makes such a determination, security facility approval will be granted. If not, security facility approval will be withheld pending compliance with survey recommendations or until an exemption is granted pursuant to § 95.11.

§ 95.19 Grant, denial, or suspension of security facility approval.

Notification of the Commission's grant, denial, or suspension of security facility approval will be furnished in writing, or orally with written confirmation. This information will also be furnished to representatives of NRC, NRC licensees, or other Federal agencies, having a need to transmit National Security Information and/or Restricted Data to the licensee or other person.

§ 95.21 Cancellation of requests for security facility approval.

When a request for security facility approval is to be withdrawn or cancelled, the NRC Division of Security will be notified by the requestor immediately by telephone so that processing for this approval may be terminated. The notification will identify the full name of the individual requesting discontinuance, his position with the facility, and the full identification of the facility. Such telephone advice shall be confirmed promptly in writing.

$95.23 Termination of security facility approval.

Security facility approval will be terminated when:

(a) There is no longer a need to use. process, store, reproduce, transmit or handle classified matter at the facility:

or

(b) The Commission makes a determination that continued security facility approval is not in the interest of national security.

In such cases the licensee or other person will be notified in writing of the determination and the procedures outlined in $ 95.53 of this part will apply.

$95.25 Protection of national security information and restricted data in storage.

(a) Protection of secret matter. (1) Secret documents while unattended or not in actual use shall be stored in locked security containers protected by an NRC approved intrusion alarm or by protective personnel.

(2) Protective personnel must be used where National Security Information or Restricted Data cannot be adequately safeguarded during working hours by employees or during nonworking hours by an intrusion alarm system. In either case, protective personnel must be capable of responding within fifteen minutes.

(3) When protective personnel are used, physical checks of security containers shall be made as soon as possible after the close of each normal workday and at least once every eight hours thereafter during non-working hours. Records of such physical checks shall be maintained for one year.

(b) Confidential matter while unattended or not in use shall be stored:

(1) Under any of the methods used for Secret matter as set forth in paragraph (a) of this section, or

(2) In a locked security container within a locked room or building.

(c) Classified lock combinations. (1) Knowledge of lock combinations protecting classified information shall be limited to a minimum number of personnel necessary for operating purposes, with a need-to-know, and possessing the highest access authorization of the matter stored or authorized to be stored in the container. Records identifying personnel having knowledge of such lock combinations shall be maintained until superseded by a new form or list, or until the container is removed from service.

(2) Combinations shall be changed: (i) Whenever the container is placed in use.

(ii) Whenever a person knowing the combination no longer requires access to a combination. This may be as a result of a change in duties or location in the licensee's or licensee related organization or termination of employment with the licensee or other organization.

(iii) Whenever a combination has been subjected to possible compromise.

(iv) Whenever the container is taken out of service, and

(v) In any event at least once every year.

(d) Records of combinations. Records of combinations shall be classified, marked and safeguarded in a manner appropriate for the highest classification of the matter authorized to be stored in the security container.

(e) Selections of combinations. Each combination must be randomly selected and require the use of at least three different numbers. In selecting combinations, multiples, simple arithmetical ascending or descending series, telephone numbers, social security numbers, car license numbers, and calendar dates such as birthdates and anniversaries, shall be avoided.

(f) Cautions regarding combinations. (1) When closing a combination lock, the dial must be turned at least four times in the same direction.

(2) Combinations shall be changed only by persons authorized access to Secret or Confidential National Security Information and/or Restricted Data depending upon the matter authorized to be stored in the security container.

(g) Posted information. (1) The names, addresses, and telephone numbers of the custodian and all alternates having knowledge of the combination shall be posted on the outside of each security container.

(2) A record of the date of last change of the combination of each security container shall be maintained as long as the container is in service.

(3) A monitor sheet shall be posted on each security container approved for the storage of classified matter. The monitor sheet shall contain space

for the date and initials of the persons locking and checking the container to assure it is secured. It shall be initialed at the end of each work day by the person locking the container and, where feasible, by another person who can physically double check the lock. locked drawer, or door and all exposed drawers to assure proper securing of the container. Such monitor sheets shall be maintained for one month.

(h) Unattended security container found opened. In the event that an unattended security container housing classified matter is found unlocked, the custodian or an alternate shall be notified immediately. The container shall be secured by protective personnel and the contents shall be inventoried as soon as possible but not later than the next workday. A report reflecting all actions taken shall be submitted to the responsible Regional Office (see Appendix A, 10 CFR Part 73 for addresses) with an information copy to the NRC Division of Security. Records pertaining to such matters shall be retained for two years after completion of final corrective action.

(i) Keys to locks used to secure gates or doors in security area perimeters shall be issued only to persons authorized access to the matter or to the area. Files relating to accountability for keys issued shall be maintained for 3 years after the key has been turned in.