(1) Applicability.
(A) Each licensee that possesses an aggregated category
1 or category 2 quantity of radioactive material shall establish,
implement, and maintain a security program in accordance with the
requirements of this subsection and subsections (j) - (q) of this
section.
(B) An applicant for a new license, and each licensee
that would become newly subject to the requirements of this subsection
and subsections (j) - (q) of this section upon application for modification
of its license, shall implement the requirements of this subsection
and subsections (j) - (q) of this section, as appropriate, before
taking possession of an aggregated category 1 or category 2 quantity
of radioactive material.
(C) Any licensee that has not previously implemented
the Security Orders or been subject to the provisions of this subsection
and subsections (j) - (q) of this section shall provide written notification
to the commission at least 90 days before aggregating radioactive
material to a quantity that equals or exceeds the category 2 threshold.
(2) General performance objective. Each licensee shall
establish, implement, and maintain a security program that is designed
to monitor and, without delay, detect, assess, and respond to an actual
or attempted unauthorized access to category 1 or category 2 quantities
of radioactive material.
(3) Program features. Each licensee's security program
must include the program features, as appropriate, described in subsections
(j) - (p) of this section.
(j) General security program requirements.
(1) Security plan.
(A) Each licensee identified in subsection (i)(1) of
this section shall develop a written security plan specific to its
facilities and operations. The purpose of the security plan is to
establish the licensee's overall security strategy to ensure the integrated
and effective functioning of the security program required by subsection
(i) of this section, this subsection, and subsections (k) - (q) of
this section. The security plan must, at a minimum:
(i) describe the measures and strategies used to implement
the requirements of subsection (i) of this section, this subsection,
and subsections (k) - (q) of this section; and
(ii) identify the security resources, equipment, and
technology used to satisfy the requirements of subsection (i) of this
section, this subsection, and subsections (k) - (q) of this section.
(B) The security plan must be reviewed and approved
by the individual with overall responsibility for the security program.
(C) A licensee shall revise its security plan as necessary
to ensure the effective implementation of the executive director's
requirements. The licensee shall ensure that:
(i) the revision has been reviewed and approved by
the individual with overall responsibility for the security program;
and
(ii) the affected individuals are instructed on the
revised plan before the changes are implemented.
(D) The licensee shall retain a copy of the current
security plan as a record for three years after the security plan
is no longer required. If any portion of the plan is superseded,
the licensee shall retain the superseded material for three years
after the record is superseded.
(2) Implementing procedures.
(A) The licensee shall develop and maintain written
procedures that document how the requirements of subsection (i) of
this section, this subsection, and subsections (k) - (q) of this section
and the security plan will be met.
(B) The implementing procedures and revisions to these
procedures must be approved in writing by the individual with overall
responsibility for the security program.
(C) The licensee shall retain a copy of the current
procedure as a record for three years after the procedure is no longer
needed. Superseded portions of the procedure must be retained for
three years after the record is superseded.
(3) Training.
(A) Each licensee shall conduct training to ensure
that those individuals implementing the security program possess and
maintain the knowledge, skills, and abilities to carry out their assigned
duties and responsibilities effectively. The training must include
instruction in:
(i) the licensee's security program and procedures
to secure category 1 or category 2 quantities of radioactive material
and the purposes and functions of the security measures employed;
(ii) the responsibility to report promptly to the licensee
any condition that causes or may cause a violation of the requirements
of the commission, the NRC, or any Agreement State;
(iii) the responsibility of the licensee to report
promptly to the LLEA and licensee any actual or attempted theft, sabotage,
or diversion of category 1 or category 2 quantities of radioactive
material; and
(iv) the appropriate response to security alarms.
(B) In determining those individuals who shall be trained
on the security program, the licensee shall consider each individual's
assigned activities during authorized use and response to potential
situations involving actual or attempted theft, diversion, or sabotage
of category 1 or category 2 quantities of radioactive material. The
extent of the training must be commensurate with the individual's
potential involvement in the security of category 1 or category 2
quantities of radioactive material.
(C) Refresher training must be provided at a frequency
not to exceed 12 months and when significant changes have been made
to the security program. This training must include:
(i) review of the training requirements of this paragraph
and any changes made to the security program since the last training;
(ii) reports on any relevant security issues, problems,
and lessons learned;
(iii) relevant results of commission inspections; and
(iv) relevant results of the licensee's program review
and testing and maintenance.
(D) The licensee shall maintain records of the initial
and refresher training for three years from the date of the training.
The training records must include dates of the training, topics covered,
a list of licensee personnel in attendance, and related information.
(4) Protection of information.
(A) Licensees authorized to possess category 1 or category
2 quantities of radioactive material shall limit access to and unauthorized
disclosure of their security plan, implementing procedures, and the
list of individuals that have been approved for unescorted access.
(B) Efforts to limit access shall include the development,
implementation, and maintenance of written policies and procedures
for controlling access to, and for proper handling and protection
against unauthorized disclosure of, the security plan and implementing
procedures.
(C) Before granting an individual access to the security
plan or implementing procedures, licensees shall:
(i) evaluate an individual's need to know the security
plan or implementing procedures; and
(ii) if the individual has not been authorized for
unescorted access to category 1 or category 2 quantities of radioactive
material, safeguards information, or safeguards information-modified
handling, the licensee must complete a background investigation to
determine the individual's trustworthiness and reliability. A trustworthiness
and reliability determination shall be conducted by the reviewing
official and shall include the background investigation elements contained
in subsection (d)(1)(B) - (G) of this section.
(D) Licensees need not subject the following individuals
to the background investigation elements for protection of information:
(i) the categories of individuals listed in subsection
(f)(1) of this section; or
(ii) security service provider employees, provided
written verification that the employee has been determined to be trustworthy
and reliable, by the required background investigation in subsection
(d)(1)(B) - (G) of this section, has been provided by the security
service provider.
(E) The licensee shall document the basis for concluding
that an individual is trustworthy and reliable and should be granted
access to the security plan or implementing procedures.
(F) Licensees shall maintain a list of persons currently
approved for access to the security plan or implementing procedures.
When a licensee determines that a person no longer needs access to
the security plan or implementing procedures or no longer meets the
access authorization requirements for access to the information, the
licensee shall remove the person from the approved list as soon as
possible, but no-later-than seven working days, and take prompt measures
to ensure that the individual is unable to obtain the security plan
or implementing procedures.
Cont'd... |