(2) Fingerprinting, and the identification and criminal
history records checks required by §149 of the Atomic Energy
Act of 1954, as amended, are not required for an individual who has
had a favorably adjudicated U.S. Government criminal history records
check within the last five years, under a comparable U.S. Government
program involving fingerprinting and an FBI identification and criminal
history records check provided that he or she makes available the
appropriate documentation. Written confirmation from the agency/employer
that reviewed the criminal history records check must be provided
to the licensee. The licensee shall retain this documentation for
a period of three years from the date the individual no longer requires
unescorted access to category 1 or category 2 quantities of radioactive
material. These programs include, but are not limited to:
(A) National Agency Check;
(B) Transportation Worker Identification Credentials
under 49 CFR Part 1572;
(C) Bureau of Alcohol, Tobacco, Firearms, and Explosives
background check and clearances under 27 CFR Part 555;
(D) Health and Human Services security risk assessments
for possession and use of select agents and toxins under 42 CFR Part
73;
(E) Hazardous Material security threat assessment for
hazardous material endorsement to commercial drivers license under
49 CFR Part 1572; and
(F) Customs and Border Protection's Free and Secure
Trade Program.
(g) Protection of information.
(1) Each licensee who obtains background information
on an individual under subsections (b) - (f) of this section, this
subsection, and subsection (h) of this section shall establish and
maintain a system of files and written procedures for protection of
the records and the personal information from unauthorized disclosure.
(2) The licensee may not disclose the record or personal
information collected and maintained to persons other than the subject
individual, his or her representative, or to those who have a need
to have access to the information in performing assigned duties in
the process of granting or denying unescorted access to category 1
or category 2 quantities of radioactive material, safeguards information,
or safeguards information-modified handling. No individual authorized
to have access to the information may disseminate the information
to any other individual who does not have a need to know.
(3) The personal information obtained on an individual
from a background investigation may be provided to another licensee:
(A) upon the individual's written request to the licensee
holding the data to disseminate the information contained in his or
her file; and
(B) the recipient licensee verifies information such
as name, date of birth, social security number, gender, and other
applicable physical characteristics.
(4) The licensee shall make background investigation
records obtained under subsections (b) - (f) of this section, this
subsection, and subsection (h) of this section available for examination
by an authorized representative of the commission to determine compliance
with the regulations and laws.
(5) The licensee shall retain all fingerprint and criminal
history records (including data indicating no record) received from
the FBI or a copy of these records if the individual's file has been
transferred on an individual for three years from the date the individual
no longer requires unescorted access to category 1 or category 2 quantities
of radioactive material.
(h) Access authorization program review.
(1) Each licensee shall be responsible for the continuing
effectiveness of the access authorization program. Each licensee shall
ensure that access authorization programs are reviewed to confirm
compliance with the requirements of subsections (b) - (g) of this
section and this subsection and that comprehensive actions are taken
to correct any noncompliance identified. The review program shall
evaluate all program performance objectives and requirements. Each
licensee shall periodically (at least annually) review the access
authorization program content and implementation.
(2) The results of the reviews, along with any recommendations,
must be documented. Each review report must identify conditions that
are adverse to the proper performance of the access authorization
program, the cause of the condition(s), and, when appropriate, recommend
corrective actions, and corrective actions taken. The licensee shall
review the findings and take any additional corrective actions necessary
to preclude repetition of the condition, including reassessment of
the deficient areas where indicated.
(3) Review records must be maintained for three years.
(i) Security program.
(1) Applicability.
(A) Each licensee that possesses an aggregated category
1 or category 2 quantity of radioactive material shall establish,
implement, and maintain a security program in accordance with the
requirements of this subsection and subsections (j) - (q) of this
section.
(B) An applicant for a new license, and each licensee
that would become newly subject to the requirements of this subsection
and subsections (j) - (q) of this section upon application for modification
of its license, shall implement the requirements of this subsection
and subsections (j) - (q) of this section, as appropriate, before
taking possession of an aggregated category 1 or category 2 quantity
of radioactive material.
(C) Any licensee that has not previously implemented
the Security Orders or been subject to the provisions of this subsection
and subsections (j) - (q) of this section shall provide written notification
to the commission at least 90 days before aggregating radioactive
material to a quantity that equals or exceeds the category 2 threshold.
(2) General performance objective. Each licensee shall
establish, implement, and maintain a security program that is designed
to monitor and, without delay, detect, assess, and respond to an actual
or attempted unauthorized access to category 1 or category 2 quantities
of radioactive material.
(3) Program features. Each licensee's security program
must include the program features, as appropriate, described in subsections
(j) - (p) of this section.
(j) General security program requirements.
(1) Security plan.
(A) Each licensee identified in subsection (i)(1) of
this section shall develop a written security plan specific to its
facilities and operations. The purpose of the security plan is to
establish the licensee's overall security strategy to ensure the integrated
and effective functioning of the security program required by subsection
(i) of this section, this subsection, and subsections (k) - (q) of
this section. The security plan must, at a minimum:
(i) describe the measures and strategies used to implement
the requirements of subsection (i) of this section, this subsection,
and subsections (k) - (q) of this section; and
(ii) identify the security resources, equipment, and
technology used to satisfy the requirements of subsection (i) of this
section, this subsection, and subsections (k) - (q) of this section.
(B) The security plan must be reviewed and approved
by the individual with overall responsibility for the security program.
(C) A licensee shall revise its security plan as necessary
to ensure the effective implementation of the executive director's
requirements. The licensee shall ensure that:
(i) the revision has been reviewed and approved by
the individual with overall responsibility for the security program;
and
(ii) the affected individuals are instructed on the
revised plan before the changes are implemented.
(D) The licensee shall retain a copy of the current
security plan as a record for three years after the security plan
is no longer required. If any portion of the plan is superseded, the
licensee shall retain the superseded material for three years after
the record is superseded.
(2) Implementing procedures.
(A) The licensee shall develop and maintain written
procedures that document how the requirements of subsection (i) of
this section, this subsection, and subsections (k) - (q) of this section
and the security plan will be met.
(B) The implementing procedures and revisions to these
procedures must be approved in writing by the individual with overall
responsibility for the security program.
(C) The licensee shall retain a copy of the current
procedure as a record for three years after the procedure is no longer
needed. Superseded portions of the procedure must be retained for
three years after the record is superseded.
(3) Training.
Cont'd... |