Guide for Information Technology Security: Policy for Processing Unclassified Safeguards Information (SGI) on NRC Computers (NUREG/BR-0168, Revision 3)

On this page:

• Publication Information
• Overview

Download complete document

• NUREG/BR-0168, Revision 3 (PDF - 1.0 MB)

Publication Information

Date Published: March 2004

Office of the Chief Information Officer
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

Overview

Policy for Processing Unclassified Safeguards Information (SGI) on NRC Computers

Safeguards information (SGI) is sensitive unclassified information about the security measures for the physical protection of special nuclear material, source material, byproduct material, and production and utilization facilities. Under NRC regulations, SGI must be protected and unauthorized disclosures of SGI are subject to civil and criminal sanctions.

The protective measures required for SGI are similar to those required for classified data at the confidential level. SGI may be stored, processed or produced only on a stand-alone personal computer (PC)–that is, a PC not physically or in any other way connected to the NRC or any other unclassified network. The standalone PC unit must have a removable storage medium with a bootable operating system. The bootable operating system must be used to load and initialize the computer. The removable storage medium must also contain the software application programs, and all data must be processed and saved on the same removable storage medium. A mobile device (such as a laptop computer) may also be used for the automated processing of SGI provided the device is secured in an appropriate storage container when not in use.

If a stand-alone or mobile personal computer has a removable drive, the operating system and the applications and data used for SGI processing must all reside on the same removable drive. The removable hard drive must be secured in an approved security container when not in use. SGI files may be transmitted across an unclassified network (e.g., a network not approved for the transmission of classified data), only if they have first been properly encrypted using encryption algorithms approved by the National Institute of Standards and Technology (NIST) or the National Security Agency (NSA). Contact the Computer Security Staff (CSS) in the Office of the Chief Information Officer (OCIO) for assistance in identifying approved methods of encryption. The OCIO CSS phone number is (301) 415-7430.