Final OMB SS Part 95 2013

FINAL OMB Supporting Statement

for

10 CFR Part 95

Facility Security Clearance and Safeguarding of

National Security Information and Restricted Data

3150-0047

Revision to Extension Request

Description of Information Collection

The reporting requirements of Title 10 of the Code of Federal Regulations (10 CFR) Part 95 affect approximately 10 respondents, including 3 licensees, 1 certificate holder, and several licensee contractors who possess classified matter. The licensees, certificate holder, and contractors make reportable information available at their places of business or send the reports to the U.S. Nuclear Regulatory Commission (NRC) at its Headquarters or Regional Offices. Reports or applications are only required as occasioned by the occurrence of specific events such as the request for a facility clearance, a modification to an existing security Standard Practice Procedures Plan (SPPP), a cancellation or termination of a facility clearance, or a report of loss of classified information. Other requirements for recordkeeping are necessary for checking the licensees', certificate holder’s, and contractors’ procedures for maintaining acceptable security education, facility, and classification/declassification programs. The limited amount of personal information submitted in connection with facility clearance requests, classification/declassification actions, and other areas within these requirements is handled and protected in accordance with NRC directives and the provisions of the Privacy Act of 1974. Other information submitted to the NRC in response to the application, recordkeeping, and reporting requirements is available for public inspection in accordance with 10 CFR Part 9.

The number of respondents has decreased since the last extension request because some licensees have reduced their number of contractor facilities needed to possess classified matter. In addition, the NRC is preparing a Direct Final Rule to implement changes to Executive Order (E.O.) 13526, “Classified National Security Information,” memorandum of December 29, 2009. The major changes affecting respondents are increasing the frequency of security refresher training from 3 years to annually and requiring derivative classifiers to receive refresher training every 2 years. Respondents will now have to keep records more often for security refresher training and start keeping derivative classifiers training records. These records will be reviewed during NRC security inspections.

A. JUSTIFICATION

1. Need for and Practical Utility of the Collection of Information.

Part 95 of 10 CFR contains numerous reporting, recordkeeping, and application requirements, including requirements for submittal of information, plans and procedures for the protection of classified information, automatic data processing (ADP) and telecommunications security plans, security recordkeeping requirements for compliance purposes and security reporting and notification procedures for comp­liance and appropriate responses to certain events. In all cases, the requirements are necessary to help ensure that an adequate level of protection is provided for information determined to be classified. Essentially, all of the reporting, recordkeeping, and application requirements are necessary for one of the reasons listed below:

a. To obtain essential descriptive data concerning the content and planned operation of the licensees’, certificate holder’s, or their contractors’ information security program which is necessary for NRC to determine the adequacy of planned methods and procedures for safeguarding classified information and material that is used, stored, transmitted, reproduced, or destroyed.

b. To obtain essential data describing the licensees’, certificate holder’s, or their contractors’ planned program for ensuring employee indoctrination and continued awareness of their security responsibilities, so as to preclude unauthorized disclosure of classified information or material and to ensure compliance with E.O. 13526 and the National Industrial Security Program Operating Manual.

c. To obtain essential data that will permit NRC review and inspection of the licensees’, certificate holder’s, or their contractors’ classification procedures and compliance with regulatory requirements for classification and procedures concerning release of classified information to International Atomic Energy Agency (IAEA) representatives.

d. To obtain essential data that will permit NRC review and appraisal of the licensees’, certificate holder's or their contractors’ degree of foreign ownership, control or influence to prevent unauthorized international transfer or disclosure of classified informa­tion or material and to ensure that classified activities are not adversely affected.

The currently effective information collection requirements of 10 CFR Part 95 are identified and explained below:

Section 95.11 The NRC may grant exemptions from the requirements of the regulations of 10 CFR Part 95 upon application by any interested person (licensee or certificate holder) or upon its own initiative, provided the exemptions are authorized by law, will not present an undue risk to the public health and safety, and are consistent with the common defense and security.

Section 95.13 This section requires that licensees/certificate holders maintain records that are subject to review and inspection by cognizant security agency (CSA) representatives during security reviews.

Section 95.15(a) A licensee shall request an NRC facility clearance to store or handle classified information in connection with NRC-related activities.

Section 95.15(b) This section specifies the content of the request required by 10 CFR 95.15(a). If there is no existing facility clearance, the request must include a security SPPP that outlines the facility's proposed security procedures and controls for the protection of classified information; a floor plan of the area in which the matter is to be used, processed, stored, reproduced, transmitted, transported or handled; and foreign ownership, control or influence information.

The request for facility clearance and accompanying security SPPP provides pertinent data including information concerning foreign ownership, control or influence which enables the NRC Division of Security Operations to assess the licensees’, certificate holder’s, or their contractors’ eligibility for a facility clearance. Facilities are inspected to ensure their compliance with the procedures outlined in their security SPPP and the reporting requirements contained within 10 CFR Part 95.

Section 95.17 Within 30 days of submitting a request for a facility clearance the licensee, certificate holder, or their contractor must advise the NRC of any significant events or changes that may affect its status concerning foreign ownership, control, or influence (e.g., changes in ownership; changes that affect the company’s answers to original foreign ownership, control or influence questions; indebtedness; and changes in the required form that identifies owners, officers, directors, and executive personnel).

Section 95.18(a) This section requires that licensees/certificate holders submit documentation when excluding key management officials from access to classified information. These individuals may not occupy positions that would enable them to adversely affect the organization’s policies or practices in the performance of activities involving classified information. A record must be made concerning the lack of clearance for all such personnel and a copy forwarded by the organization’s executive body to the CSA.

This list of key personnel is expected to be forwarded to the CSA annually. The burden for developing the list of employees, reviewing and filing it, and forwarding a copy to the CSA is estimated to require a maximum of 15 hours.

Section 95.18(b) This section requires that each licensee, certificate holder, and their contractors submit documentation when excluding key management officials from access to higher-level classified information. These individuals may not occupy positions that would enable them to adversely affect the organization’s policies or practices in the protection of classified information. A record must be made concerning the lack of clearance for all such personnel and a copy forwarded by the organization’s executive body to the CSA.

Section 95.19(a) This section requires that each licensee, certificate holder, and their contractors shall obtain prior CSA approval for any proposed change to the name, location, security procedures and controls, or floor plan of the approved facility. These substantive changes to a security SPPP are reported to the CSA (the NRC Division of Security Operations) and the NRC Regional Administrator. The substantive changes to the SPPP that affect security of the facility must be submitted to the CSA 30 days prior to the change.

Section 95.19(b) This section requires that a licensee, certificate holder or their contractors may effect a minor, non-substantive change to an approved SPPP for the safeguarding of classified information without receiving prior CSA approval. These minor changes that do not affect the security of the facility may be submitted to the addressees noted in Section (a) of this section within 30 days of the change.

Section 95.19(c) This section requires that a licensee, certificate holder, or their contractors must update its NRC facility clearance every 5 years either by submitting a complete SPPP or a certification that the existing SPPP is fully current.

Section 95.21. This section requires the reporting of withdrawal or cancellation requests for facility clearances to the NRC Division of Security Operations by the requestor in the most expeditious manner so that processing for these clearances may be terminated. The requestor shall confirm the notification promptly in writing.

The information required by this section is necessary each time a licensee, certificate holder, or contractor wishes to withdraw or cancel a facility clearance request. This information will be used by the NRC Division of Security Operations as a basis for discontinuing further processing of the application and, if no access to classified information or material is needed, would indicate that pending personnel security access authorization requests should also be canceled.

Section 95.25(d) If a record is made of a classified combination to an authorized storage container, the record must be marked with the highest classification of material authorized for storage in the container. Superseded combinations must be destroyed. This record should be kept as long as the classified storage container is in use.

This information and recordkeeping requirement helps ensure that written lock combinations are properly classified and safeguarded in accordance with the provisions of E.O. 13526 and its implementing directives.

Section 95.25(g) A record of names of persons having knowledge of the combination must be posted inside the container to ensure that responsible personnel may be contacted in the case of an emergency. This record should be kept as long as the classified storage container is in use.

Section 95.25(i) If an unattended security container housing classified matter is found unlocked, the custodian or an alternate must be notified immediately, and the container must be secured by appropriate personnel. Incidents such as these are entered into a written log that is provided to the NRC on a monthly basis (see 10 CFR 95.57(b)).

This information collection and recordkeeping requirement assures: (1) that the licensee, certificate holder, or other organization complies with the Information Security Oversight Office (ISOO) directive to report the loss or possible compromise of classified information; and (2) that the NRC may evaluate such occurrences and corrective actions which have been taken.

Section 95.25(j) This section requires that a key and lock register be maintained, and that a monthly audit of keys and locks and a key inventory be performed with each change of custody. This recordkeeping requirement permits the NRC inspection and review of lock and key accountability records to determine that proper individuals with appropriate level of access authorization are issued keys and locks.

Section 95.33(d) Facility Security Officers must submit SF-312, AClassified Information Nondisclosure Agreement,@ forms to the CSA for retention. Facility Security Officers must also submit a report to the CSA in the event that an employee refuses to sign the SF-312.

The SF-312 is a required agreement with the United States not to disclose classified information. Submission of forms to the CSA and reports to the CSA in the event that an employee refuses to sign the SF-312, will allow verification through inspection that Section 25.23 requirements are being met before access to classified information is granted.

Section 95.33(h) All cleared employees must be provided with security training and briefings commensurate with their involvement with classified information. The facility may obtain defensive security, threat awareness, and other education and training information and material from their CSA or other sources. Records reflecting an individual’s initial and refresher security orientations and security termination must be maintained for 3 years after termination of the individual’s access authorization.

This requirement provides reasonable assurance that records are available when NRC conducts an inspection. This recordkeeping requirement permits verification through NRC inspection that individuals granted access authorizations are appropriately indoctrinated as to their individual security responsibilities and duties relative to the protection of classified information.

Section 95.34(b) Licensees, certificate holders, or their contractors subject to 10 CFR Part 95 shall take measures as may be necessary to preclude access to classified information by foreign visitors. The licensee, certificate holder, or contractor shall retain records of visits for 5 years beyond the date of the visit.

Section 95.36(d) Records of IAEA or other international organization visits, and records of inspections and disclosure authorizations must be maintained for 5 years. This recordkeeping requirement and its inspectability through NRC inspections ensures that licensees, the certificate holder, or their contractors maintain the proper procedures and controls over the release of classified information to IAEA or other international representatives in accordance with the disclosure authorization granted by NRC Division of Security Operations. The licensee, certificate holder, or their contractors shall retain records of visits for 5 years beyond the date of the visit.

Section 95.37(a) A licensee, certificate holder or their contractors must appropriately mark classified information in accordance with provided guidance.

This section requires licensees and others who possess classified material which is not conducive to markings (e.g., equipment) to request approval for exemption from marking requirements for such material. This requirement provides assurance that: (1) only those officials delegated classification authority are classifying material; (2) classified material is not downgraded or declassified without proper authority; and (3) there is accountability for future classification, downgrading and declassification actions.

Section 95.37(c) A licensee, certificate holder or their contractors are responsible for applying classification markings for National Security Information and Restricted Data.

These marking and labeling requirements, which require an authorized classifier to place the appropriate classification markings on the document and sign his/her name, will be used whenever an NRC licensee, certificate holder, or contractor derivative classifier generates a classified document or the classification of an existing document is to be changed (e.g., declassified or downgraded). A file or record copy must be maintained of the derivatively classified document as long as the document remains classified. These requirements provide assurance that: (1) only those officials delegated classification authority are classifying documents; (2) documents are not downgraded or declassified without proper authority; and (3) there is accountability for future classification, downgrading, and declassification actions.

Section 95.37(e)(2) If the originator or classifier determines that reproduction or further dissemination of a document should be restricted, the following additional wording may be placed on the face of the document: Reproduction or Further Dissemination Requires Approval of .

Section 95.37(f). In addition to the information required on the face of the document, each classified document is required, by marking or other means, to indicate clearly which portions are classified (e.g., paragraphs or pages) and which portions are not classified. If this type of portion marking is not practicable, the document must contain a description sufficient to identify the classified information and the unclassified information.

Section 95.37(g) If a document transmitting classified information contains no classified information or the classification level of the transmittal document is not as high as the highest classification level of its enclosures, then the document must be marked at the top and bottom with a classification at least as high as its highest classified enclosure. When the content of the transmittal document warrants a lower classification than the highest classified enclosures(s) or combination of enclosures or requires no classification, a stamp or marking such as the following must also be used on the transmittal document: UPON REMOVAL OF ATTACHMENTS THIS DOCUMENT IS: (classification level of transmittal document standing alone or the word UNCLASSIFIED if the transmittal document contains no classified information).

Section 95.37(h) Persons authorized possession of classified National Security Information who in good faith believe a classification status is too high or too low shall refer the document to the originator or authorized classifier for review. The classifier shall review the document and render a written classification decision to the holders of the information.

This is a required procedure for document custodians to assure that any questions regarding proper classification are referred to the originator and that appropriate steps to safeguard the document are taken. The recordkeeping requirement permits verification through NRC inspections of actions taken when unauthorized disclosures may have occurred.

Section 95.37(j) Drafts of documents and working papers, that contain, or are believed to contain, classified information must be marked as classified information.

This requirement ensures there is accountability for future classification, downgrading, and declassification actions.

Section 95.39(b)(4) This requirement applies to Secret documents prepared for external transmission. It requires document receipts signed by the recipient to be returned to the sender as a way to officially transfer a Secret document to another person.

This requirement permits verification through inspection that Secret documents that have been transferred to another person are properly accounted for.

Section 95.39(d) Licensees, certificate holder or their contractors who may require a secure telecommunication system shall submit a telecommunication plan as part of their request for facility clearance, as outlined in 10 CFR 95.15, or as an amendment to their existing SPPP.

Section 95.39(e) Licensees, certificate holder’s and their contractors that have classified matter that, because of the nature of the material, cannot transmit the classified material via conventional means, must submit a classified matter transportation security plan to the CSA for approval.

The requirement to submit the classified transportation security plan for review ensures that licensees’/certificate holder’s procedures meet minimum security requirements in 10 CFR Part 95.

Section 95.41 Each licensee, certificate holder or contractor possessing classified information shall maintain records of the date of the material, receipt or dispatch, classification, an unclassified description of the material, and the identity of the sender for 2 years after receipt or dispatch.

This procedure and recordkeeping requirement provides assurance that records are available when NRC conducts an inspection.

Section 95.43(a) This section requires that each licensee, certificate holder or contractor possessing classified information shall establish a reproduction control system to ensure that reproduction of classified material is held to a minimum consistent with operational procedures.

Section 95.43(c) The licensee, certificate holder or contractor is required to mark classified reproductions with the same classification markings as the original classified document.

This requirement assures that classified reproductions receive the same protection as other hard-copy classified documents.

Section 95.45(a) Requests for downgrading or declassifying any NRC-classified information should be forwarded to the NRC Division of Security Operations. Requests for downgrading or declassifying Restricted Data should be forwarded to the NRC Division of Security Operations for coordination with the U.S. Department of Energy.

Section 95.45(b) If a change of classification or declassification is approved, the previous classification marking must be canceled and a statement to that effect must be placed on the first page of the document.

Section 95.45(d) of 10 CFR. Any persons making a classification change shall forward a notice of classification change to all known holders of the document.

These reporting and marking procedures in 10 CFR 95.45(a), 10 CFR 95.45(b), and 10 CFR 95.45(d) ensure that documents which may warrant downgrading or declassification are reviewed by the NRC Division of Security Operations or are referred to the U.S. Department of Energy, as may be appropriate, and that all known holders are notified of the action.

Section 95.47 This section lists acceptable means of document destruction. The recordkeeping requirements associated with document destruction were eliminated in a final rule published April 1, 1999 (64 FederalRegister (FR) 15653). The reference in 10 CFR 95.8 stating that 10 CFR 95.47 contains an information collection is outdated and in error and will be removed during an upcoming administrative rulemaking.

Section 95.49 This section requires the licensee, certificate holder and their contractors to submit an ADP security proposal to the CSA for approval before classified data or information may be processed or produced on an ADP system. The proposal may be submitted as part of the licensee’s or other person’s request for facility clearance or submitted as an amendment to its existing SPPP for the protection of classified information.

Section 95.53(a) If a facility clearance is terminated, the facility shall submit a certification of non-possession of classified information to the NRC Division of Security Operations within 30 days of termination.

These procedures and notifications ensure that the facility clearance is terminated, suspended or revoked when no longer needed or when continuation would not be in the interest of national security. The certificate of non-possession provides assurance that all classified information and material has been returned to the NRC or destroyed in accordance with NRC security requirements.

Section 95.57(a) Each licensee, certificate holder and their contractors having a facility clearance shall report to the CSA and the Regional Administrator of the appropriate NRC Regional Office listed in 10 CFR Part 73, Appendix A, any alleged or suspected violation of Federal acts or statutes, related to classified information (e.g., deliberate disclosure of classified information to persons not authorized to receive it, theft of classified information) within 1 hour of the event followed by written confirmation within 30 days of the incident.

Section 95.57(b) Any infractions, losses, compromises, or possible compromises of classified information not falling within paragraph (a) of this section must be entered into a written log and provided to the NRC on a monthly basis.

The procedures in 10 CFR 95.57(a) and 10 CFR 95.57(b) are necessary to ensure that possible losses, compromises, violations of law, and disclosures of classified information are investigated and assessed in a timely manner.

Section 95.57(c) Requires an authorized classifier of a licensee, certificate holder and their contractors subject to 10 CFR Part 95 to submit all classified actions (documents classified, declassified, or downgraded) to the NRC either on an Aas completed@ or monthly basis. This information may be submitted either electronically by an on-line system (NRC prefers the use of a dial-in automated system connected to the Division of Security Operations) or by paper copy using the NRC Form 790, "Classification Record." This requirement is cleared under the Office of Management and Budget (OMB) approval number 3150-0052. The electronic collection system, the AClassification Management Action System,” is housed at the NRC, and permits collection of NRC Form 790 information electronically through the use of a personal computer.

2. Agency Use of Information.

The reports, security plans and other security information are submitted to the NRC Division of Security Operations. The information is used to help determine whether a licensee, certificate holder, or their contractor is eligible to use, process, store, transmit or handle NRC-classified information. The information is also used for periodic reviews and inspections to ensure appropriate regulations are continuously followed. If the information collection was not conducted, these determinations could not be made and the licensees, certificate holder, or contractor organizations would not be permitted to maintain this classified information which is pertinent to their activities.

3. Reduction of Burden Through Information Technology.

There are no legal obstacles to reducing the burden associated with this information collection. The NRC encourages respondents to use information technology when it would be beneficial to them. NRC issued a regulation on October 10, 2003 (68 FR 58791), consistent with the Government Paperwork Elimination Act, which allows its licensees, vendors, applicants, and members of the public the option to make submissions electronically via CD-ROM, e-mail, special Web-based interface, or other means. It is estimated that approximately 90% of the potential responses are filed electronically.

4. Effort to Identify Duplication and to Use Similar Information.

Except as noted in 10 CFR 95.57 (CSA could be another Federal agency), there is no duplication of requirements. The NRC has in place an ongoing program to examine all information collections with the goal of eliminating all duplication and/or unnecessary information collections. For the few cases where another agency, normally the U.S. Department of Energy, also has an interest at the facility, this regulation specifically reduces or eliminates duplication through acceptance of the other agency’s security program to protect the NRC-classified information and material.

5. Effort to Reduce Small Business Burden.

No licensees, certificate holder, or contractor organizations effectively qualify as a small business enterprise or entity.

6. Consequences to Federal Program or Policy Activities if the Collection is not Conducted or Conducted Less Frequently.

Required reports and infor­mation are collected and evaluated on a continuing basis as events occur. Applications for new facility clearances may be submitted at any time. If not submitted, approval to store NRC-classified information will not be processed. Other information collection requirements ensure that once placed at the facility that information continues to receive the required protection. Less frequent collection of this information may impact negatively on NRC's responsibility to ensure proper protection and may endanger the United States common defense and national security.

7. Circumstances Which Justify Variation from OMB Guidelines.

Section 95.34(b) of 10 CFR and 10 CFR 95.36(d) requires that licensees, certificate holders, and their contractors shall retain records of foreign visits for 5 years beyond the date of the visit. This requirement is needed to check the history of foreign visitors in case they become targets of interest by the United States Government.

8. Consultation Outside the NRC.

Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register on June 6, 2013, 78 FR 34134. No comments were received.

9. Payment or Gift to Respondents.

Not applicable.

10. Confidentiality of Information.

Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17(a) and 10 CFR 2.390(b).

11. Justification for Sensitive Questions.

Most information requested under these regulations is considered Security-Related Information and is withheld from the public.

12. Estimate of Burden.

The NRC estimates that total annual reporting burden is 816 hours and recordkeeping burden is 152 hours, for a total of 968 burden hours for the collection. The total cost to those required to respond to this collection is estimated to be $265,232 (968 hours x $274/hr). Details of reporting and recordkeeping burden and cost estimates to the respondents are reflected in Tables 1 and 2.

1. Estimate of Other Additional Costs.

The NRC has determined that the quantity of records to be maintained is roughly proportional to the recordkeeping burden and, therefore, can be used to calculate approximate records storage costs. Based on the number of pages maintained for a typical facility clearance, the records storage cost has been determined to be equal to 0.0004 times the recordkeeping burden cost. Because the recordkeeping burden is estimated to be 152 hours, the storage cost for this clearance is $16.66 (152 hours x 0.0004 x $274/hour).

1. Estimated Annualized Cost to the Federal Government.

The estimated annual cost to the Federal Government in administering the program and procedures contained in these requirements is:

Annual cost ‑ professional effort

(1,543 hrs. X $274/hr.) = $422,782

Annual cost ‑ clerical effort

(269 hrs. X $47/hr.) = $12,643

Annual cost ‑ record holding requirement

for ongoing program

(3/4 cubic ft. X $209/cubic ft.) = $157

Total annual cost = $435,582

These costs are fully recovered through fee assessments to NRC licensees and the one certificate holder pursuant to 10 CFR Part 170 and/or 10 CFR Part 171.

15. Reasons for Change in Burden or Cost.

The overall burden decreased by 119 hours from 1,087 to 968 hours because the number of cleared facilities has decreased. Approximately six cleared contractor facilities were terminated because their services were no longer required by the licensees who sponsored them for a facility clearance. The reporting burden increased slightly by 9 hours from 805 to 816 hours, and the recordkeeping burden increased slightly from 149 to 152 hours. The reporting burden had a slight increase in the responses for facility clearance terminations and changes in security practices and procedures. The record keeping burden increased slightly in the area of key and lock accountability records because two licensee contractors’ added key and lock programs to their standard practice procedures plans. The hourly fee rates increased from $257/hr. to $274/hr. for professional effort in this clearance.

16. Publication for Statistical Use.

There is no application of statistics in the information collected. There is no publication of this information.

17. Reason for Not Displaying the Expiration Date.

The requirement will be contained in a regulation. Amending the Code of Federal Regulations to display information that, in an annual publication, could become obsolete would be unduly burdensome and too difficult to keep current.

18. Exceptions to the Certification Statement.

There are no exceptions.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.

12