On December 26, 2017, the U.S. Nuclear Regulatory Commission (NRC) issued a revision to Regulatory Information Summary (RIS) 2005-31, Control of Security-Related Sensitive Unclassified Non-Safeguards Information Handled by Individuals, Firms and Entities Subject to NRC Regulation of the Use of Source, Byproduct and Special Nuclear Material.

Intent

The NRC issued RIS 2005-31, Revision 1, in order to:

• inform licensees and others of the screening criteria that the NRC uses to identify and protect security-related sensitive information in documents generated by the NRC and in documents developed by licensees and others, particularly those received by the NRC;

• encourage licensees and others to identify security-related sensitive information in documents submitted to the NRC by using specified marking procedures and screening criteria; and,

• encourage licensees and others that may possess security-related sensitive information to control the information in order to limit the risk that the information might fall into the hands of those who would use it for malevolent acts.

No specific action or written response is required.

Overview

The NRC’s sensitive unclassified non-safeguards information (SUNSI) policy addresses information that can reasonably be foreseen to harm the public interest, the commercial or financial interests of an entity, the conduct of NRC and federal programs or the personal privacy of individuals if lost, misused or modified.  It also includes security-related information.

If practical, licensees and others that submit documents to the NRC should avoid including any security-related sensitive information to permit the release of the document to the public in its entirety.  However, if that is not practical, the following steps will help ensure that sensitive information is not released:

• Screening of Licensee-Generated Documents: 
To ensure that any security-related sensitive information in submitted documents is not made publicly available in the Agency-wide Documents Access and Management System (ADAMS), the NRC is encouraging licensees and other entities to screen submittals in accordance with specified criteria.  In addition, to ensure that licensees and other entities identify and control security-related sensitive information in their documents, the NRC is encouraging them to develop implementing procedures to screen documents that might have sensitive security-related information in order to identify and control the information appropriately.  The goal is to limit the risk that the information might fall into the hands of those who would use it for malevolent acts.

• Cover Letter: 
If a cover letter that does not itself contain sensitive information is used to transmit a document(s) that contains security-related sensitive information, the cover letter should clearly state this.  Furthermore, the cover letter should have a statement that indicates that once its sensitive attachments are removed, the cover letter itself may be handled as an uncontrolled document. However, if the cover letter itself contains security-related sensitive information, it cannot be decontrolled.

•  Marking Documents That Contain Security-Related Sensitive Information:  The marking “Security-Related Information—Withhold under 10 CFR 2.390” should be included at the top center of every page.  If submitting both a public and a nonpublic version of the same document, licensees and other entities should “black out” the sensitive information in the public version or withhold the sensitive information with a notation that it was withheld on the basis that it is “security-related information.”  Alternately, security-related sensitive information may be segregated from the main body of the document and included only in attachments to the submittal.  In this scenario, only the attachments that contain security-related sensitive information would be marked for withholding from public disclosure.  If this approach is used, the public version does not need to be marked as containing security-related sensitive information.  Additional information on suggested handling and methods of submitting security-related sensitive information can be found in Enclosure 1 to RIS 2005-31, Revision 1.

Protection of Security-Related Sensitive Information

Documents that contain security-related sensitive information should be protected from public disclosure using methods similar to those for protecting proprietary information.  To the extent practical, any existing documents that contain security-related sensitive information that licensees or other entities have previously made available to the public should be withdrawn from public access.  Licensees and other entities should have sufficient internal controls to prevent release of information to limit the risk that sensitive security-related information could be released to someone with malevolent intent.  In addition to the points enumerated above, other methods to prevent the inadvertent release of security-related sensitive information include restricting access to electronic recordkeeping systems that contain such information; controlling the reproduction, distribution and destruction of potentially sensitive records; and, releasing sensitive information only to those individuals who have a need to know the information to perform their jobs and who are made aware of the security-related nature of the information.

Certain categories of security-related sensitive information under 10 CFR Part 37, “Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material,” must be protected pursuant to 10 CFR 37.43(d) and 37.77(f).

Much of the NRC’s information is readily available to the public through the NRC’s Web site and ADAMS.  In addition, the agency may release other information to the public in response to formal or informal requests.  Although the NRC developed these security-related sensitive information-screening criteria with the principles of the Freedom of Information Act (FOIA) in mind, a review for security-related sensitive information does not substitute for a FOIA review.  The NRC will continue to review and process FOIA requests under 10 CFR 2.390(d)(1), independently from the security-related sensitive information review process.

Background

The NRC traditionally has given the public access to a significant amount of information about the facilities and materials the agency regulates.  Openness has been and remains a cornerstone of the NRC’s regulatory philosophy.  The Atomic Energy Act of 1954 (as amended), subsequent legislation and various NRC regulations have given the public the right to participate in the licensing and oversight process for NRC licensees.  To participate in a meaningful way, the public must have access to information about the design and operation of regulated facilities and use of nuclear materials.  However, the NRC and other government agencies have always withheld some information from public disclosure for reasons of security, personal privacy or designation as proprietary information (commercial or trade secret protection).

Following the terrorist attacks of September 11, 2001, the NRC has found it necessary to be more judicious in determining what information to voluntarily release so that it does not inadvertently provide assistance to those who might use certain information for malevolent acts.  The NRC has issued orders, advisories, and rules; taken specific actions on the security of its licensed facilities; and, assessed and revised its policies and practices for making information available to the public.  On October 25, 2004, the NRC temporarily suspended public access to documents in ADAMS.  Subsequently, the NRC screened those documents to determine whether they contained security-related sensitive information.  Based on this screening, the NRC returned a large number of documents to public access in ADAMS.  This screening process continues as requests for specific documents are received, as the NRC creates new documents and as the agency receives new documents from licensees and other entities.

The NRC has continued to presumptively withhold some categories of documents from routine public release.  In SECY-04-0191, “Withholding Sensitive Unclassified Information Concerning Nuclear Power Reactors from Public Disclosure” (October 19, 2004), and SECY-05-0101, “Withholding from Public Disclosure Sensitive Unclassified Information Concerning Materials Licensees and Certification Holders” (October 7, 2005), the staff proposed to withhold certain information on fire protection and emergency planning and response to ensure that information that could reasonably be expected to be useful to a potential adversary was not made public.  The Commission approved the initial withholding of this information and the review of the information for release in response to requests such as those made under FOIA.  In SECY-15-0032, “Reviewing Documents for Public Release Using Sensitive Unclassified Non-Safeguards Information Guidance” (March 6, 2015), the staff proposed to discontinue this policy and instead apply the SUNSI policy to review, release and withhold fire protection and emergency preparedness documents.  On June 15, 2015, the Commission approved this proposal in its Staff Requirements Memorandum (SRM) to SECY-15-0032.  The advice in RIS 2005-31, Revision 1, reflects that change.

To facilitate the screening process for the public release of information, the NRC developed screening criteria and issued two RIS’s that pertain to nuclear reactors for conducting its reviews.  On November 7, 2005, the NRC issued RIS 2005-26, “Control of Sensitive Unclassified Non-Safeguards Information Related to Nuclear Power Reactors,” for assessing whether documents associated with reactor licensees should be made publicly available.  On December 23, 2015, the NRC issued RIS 2015-17, “Review and Submission of Updates to Final Safety Analysis Reports, Emergency Preparedness Documents, and Fire Protection Documents,” to remind licensees of the review and submission requirements of
10 CFR 2.390, “Public Inspections, Exemptions, Requests for Withholding,” on information that may be withheld from public disclosure.

As part of related efforts in the nonreactor arena, the NRC has developed criteria for identifying security-related sensitive information that the staff encourages licensees to screen out or to mark and protect as sensitive information—particularly before those licensees that handle source, byproduct or special nuclear material submit documents to the NRC.

The advice in RIS 2005-31, Revision 1, and its enclosures does not apply to classified information, safeguards information or safeguards information—modified handling that by law must be withheld from the public.

For additional information, please contact Andrea Kock, Acting Director Division of Material Safety, State, Tribal and Rulemaking Programs in the NRC’s Office of Nuclear Material Safety and Safeguards (NMSS), at (301) 415-2368 or at andrea.kock@nrc.gov.