Frequently Asked Questions About the Protection of Security-Related Sensitive Information
If you do not find your question or suggestion among the following, you may contact us for more information.
On this page:
- What is the purpose of providing the RIS and screening criteria to NMSS applicants, licensees, certificate holders and other entities?
- What type of information does RIS 2005-31 apply to?
- What types of information should be withheld?
- Can applicants conduct a security-related sensitive information review based on the criteria prior to submitting an application or amendment?
- How do I mark submittals that include security-related sensitive information?
- Do I need to submit a public and non-public version of my application?
- How should I submit a document that contain both proprietary and security-related sensitive information?
- What constitutes a detailed design drawing for a transportation package or spent fuel cask?
- Why does the criteria contained in Attachment 2 to RIS 2005-31 allow information for some materials licensees to be withheld while for others it remains available?
- What about information that would be withheld under the RIS and screening criteria, but is already publicly available, or available from other organizations?
- Can licensees doing business with one another (e.g., transferring sources) provide copies of their licenses to one another?
What is the purpose of providing the RIS and screening criteria to NMSS applicants, licensees, certificate holders and other entities?
The main purpose of providing the RIS and screening criteria is to prevent the public release of security-related sensitive information that could be useful, or could reasonably be expected to be useful, to a terrorist in a potential attack.
What type of information does RIS 2005-31 apply to?
RIS 2005-31 applies to "security-related sensitive information" which, if released, could cause harm to the public interest as it could be useful, or could reasonably be expected to be useful, to a terrorist in a potential attack.
RIS 2005-31 and its attachments do not apply to classified information or Safeguards Information. Handling requirements for classified information and Safeguards Information are set forth in various NRC orders, regulations, and generic communications (e.g., requirements for the handling and protection of Safeguards Information are discussed in RIS-2003-08, "Protection of Safeguards Information from Unauthorized Disclosure," dated April 30, 2003).
What types of information should be protected?
Attachment 2 to RIS 2005-31 contains examples of the information that should be protected. Information on the exact location of radioactive material, certain detailed design drawings, information on nearby facilities, emergency planning information, and certain assessments of vulnerability and safety analyses should be protected from public disclosure.
Can applicants conduct a security-related sensitive information review based on the criteria prior to submitting an application or amendment?
Yes, the NRC encourages applicants to review and screen their licensing materials prior to submission for agency review, in order to determine what parts of that submission might meet the screening criteria. If materials meet the screening criteria for protection, they should be marked as noted in the RIS.
How do I mark submittals that include security-related sensitive information?
If it is necessary to include security-related sensitive information in a submitted document (as determined in accordance with the screening criteria in Attachment 2 to RIS 2005-31), the cover letter should clearly state that the document includes security-related sensitive information and the top of every page of the submittal, including the pages that do not have security-related sensitive information, should be marked "Security-Related Information - Withhold Under 10 CFR 2.390" as shown in Attachment 1 of RIS 2005-31. Even though all pages of the submittal should be marked as "Security-Related Information - Withhold Under 10 CFR 2.390," it is understandable that most pages of the application will not have security-related sensitive information. Therefore, use an additional marking, for example, an editorial note box, adjacent to the information that is specifically security-related sensitive information. This method of marking a non-public version is similar to general practices used for proprietary commercial or financial information under 10 CFR 2.390, except that an affidavit is not needed.
Do I need to submit a public and non-public version of my application?
Licensees and others are encouraged to submit both a public and a non-public version of a document, when Security-Related documents need to be submitted. The public version could have the security-related sensitive information marked out or removed with a notation that the information was withheld per 10 CFR 2.390 on the basis that it is "Security-Related Information." This is similar to what is sometimes done for proprietary information.
Alternatively, security-related sensitive information could be segregated from the main body of the document and included only in attachments to the submittal. Only the attachments containing security-related sensitive information would be marked for protection from public disclosure. Using this approach, the public version need not be marked as containing security-related sensitive information but should include for each page that was removed, a blank page with a notation "Security-Related Information-Withheld Under 10 CFR 2.390." Staff should be able to replace the pages from the non-public version into the public version to make a complete application for staff to review.
How should I submit a document that contains both proprietary and security-related sensitive information?
See 10 CFR 2.390(b) regarding submitting proprietary information and related guidance in "Supporting Information Associated with Requests for Withholding Proprietary Information" (RIS 2004-11. Applicants should use the same general guidance for proprietary information for applications that include security-related sensitive information. However, contrary to the requirements for withholding proprietary information, licensees are not required to provide an affidavit for withholding security-related sensitive information.
Marking the non-public version
RIS 2005-31 suggests that each page of a document containing security-related sensitive information be marked, "Security-Related Information Withhold Under 10 CFR 2.390." The marking requirements for a proprietary document are described in 10 CFR 2.390(b)(1)(i)(A), which states that "the top of the first page of the document and the top of each page containing such information must be marked with a statement substantially similar to the following to indicate it contains information the submitter seeks to have withheld.
- confidential information submitted under 10 CFR 2.390
- withhold from public disclosure under 10 CFR 2.390 or
One way of meeting the requirements in 10 CFR 2.390 for proprietary markings and the guidance in RIS 2005-31 for documents that contain both proprietary and security-related sensitive information is to place the following mark at the top of each page: "Proprietary and/or Security-Related Information-Withhold Under 10 CFR 2.390."
Marking the Public Version
As stated in RIS 2004-11, the NRC encourages you to provide a nonproprietary version of proprietary submittals, suitable for public disclosure. Similarly, the NRC encourages you to provide non-sensitive versionsof submittals that contain security-related sensitive information. Generally, you may blacken over or remove the exact proprietary information in the public version of a proprietary submittal with a notation that the information was withheld per 10 CFR 2.390 and the basis as "Trade Secret" or "Proprietary." Use a similar method to remove security-related sensitive information from the public version of the document. Remove the security-related sensitive information from the public version with a notation that the information was withheld per 10 CFR 2.390 and specify the basis as "Security-Related Information."
For documents containing a mix of proprietary and security-related information, the NRC must be able to clearly understand what information in the submittal is considered proprietary and subject to the affidavit that accompanies a proprietary submittal. This will allow the NRC to pass judgment on your proprietary claim.
What constitutes a detailed design drawing for a transportation package or spent fuel cask?
Detailed design drawings for transportation or spent fuel cask are typically submitted in the safety analysis report (SAR) associated with the design. Traditionally, some of these detailed design drawings are withheld from the public because they are considered proprietary. The NRC staff now believes most drawings that show how a package is assembled and that contain minor dimensions should be protected. High-level drawings such as the one below are not considered to be detailed design drawings by the staff. The information in the drawing below is generally well-known, and aids the public in understanding the design.
|Representative Figure of a spent fuel cask from the Final Safety Analysis Report for the HI-STORM 100 Cask System|
Why do the criteria contained in Attachment 2 to RIS 2005-31 allow information for some materials licensees to be protected from public disclosure while for others it remains publicly available?
The agency established screening criteria in attachment 2 to RIS 2005-31 based on the potential usefulness of information to terrorists in planning or carrying out attacks. However, this was not the NRC's only consideration in determining whether to protect information. In SECY-04-0191, the NRC described a general approach to assessing whether information should be designated sensitive because it could be used by terrorists. In this approach, the NRC considered factors such as the possible threat, the consequences of an attack, the relationship of the information to security programs, and the availability of information from other sources. This approach was applied to materials licensees and led to information being withheld by some materials licensees while similar information is released by other materials licensees.
What about information that would be protect under the RIS and screening criteria, but is already publicly available, or available from other organizations?
The NRC would not typically be able to protect information that is already publicly available. In certain cases however, the agency has requested that information be withdrawn (as much as possible) from public availability if it is particularly useful to terrorists.
Can licensees doing business with one another (e.g., transferring sources) provide copies of their licenses to one another?
Yes. The guidance in the RIS is not intended to limit the ability of licensees to comply with the provisions of 10 CFR Part 30.41, which requires licensees to verify that entities to which they transfer material have licenses authorizing the receipt of the type, form, and quantity of material to be transferred. One of the methods for verification is for the company sending the material to have a current copy of the license of the licensee to which they are transferring the material. NRC does not restrict licensees’ ability to exchange license information for business reasons.
While the RIS recommends that licensees protect the information in question, not make it publicly available, and mark it appropriately, the language on p. 4, under "3. Protection of Security-Related Sensitive Information" discusses the circumstances in which license information can be shared: "Licensees and others should ensure that similar controls are in place when security-related sensitive information is provided to outside parties such as contractors or other Government agencies, and that the information is made available only to such parties who have a need to know the information to perform their jobs and who are made aware of the security-related nature of the information" (emphasis added). While this statement gives the examples only of contractors or other Government agencies, it should be understood to include other licensees. Attachment 1 says that the appropriate control for access to documents that have the information of concern is "Need-to-know in order to perform official licensee, applicant or entity functions." Licensees who are transferring or receiving material in the course of business clearly have the requisite need to know. Note that licensees who share sensitive information, whether contained in the license or elsewhere, should verify that the recipient will protect the information.