Robert L. Norman
Sr. Program Manager, Safeguards Information
As part of its role in protecting health and safety, the NRC uses information security procedures to prevent sensitive information from getting into the wrong hands. The NRC puts sensitive information in three categories: classified, Safeguards Information (SGI), and Sensitive Unclassified Non-Safeguards Information (SUNSI).
Each category has specific marking requirements and security procedures. Although the NRC is the only agency with the authority to set requirements for protecting SGI, most agencies have requirements for the protection and designation of unclassified sensitive information.
You’ve probably heard the terms Top Secret, Secret, and Confidential; these are categories of classified information. Each category has a corresponding federal security clearance level needed for access. Executive Orders, Security Classification Guides and the Atomic Energy Act of 1954, as amended, lay out criteria for protecting information and identifying what nuclear information is classified at a particular level. A breach of classified information could threaten national security.
SUNSI, while generally unavailable to the public, does not require a federal security clearance. This category of information contains various types of information, including Personally Identifiable Information and attorney-client privilege. SUNSI is protected by the Privacy Act, NRC and other federal agency regulations.
While classified information and SUNSI are broad categories, SGI is much narrower. The SGI designation covers the physical protection of nuclear facilities and materials. This includes operating reactors, spent fuel shipments, and radioactive material at certain levels. Nuclear facilities require high security measures. Armed guards, physical barriers, and surveillance systems are just some of the ways we protect nuclear plants. Information about these detailed security measures is carefully guarded. Without SGI protection, people could use this information to attempt to circumvent physical barriers and break into security systems.
Section 147 of the Atomic Energy Act requires the NRC to regulate SGI. The NRC is in charge of deciding what qualifies as SGI and how to protect it. A specially trained group of personnel, called SGI Designators, create and/or check documents for SGI. Even though a federal security clearance isn’t needed for access, SGI is treated similarly to Confidential information. Individuals must pass a background check and have a “need to know” to access SGI.
The use of SGI has often come into question. The Office of the Inspector General conducted an audit in 2004 of the NRC’s protection of SGI. According to the audit, the Confidential classification could protect SGI without seriously affecting costs. However, NRC staff concluded the proposal would require the government to perform thousands of expensive federal security clearances and change how information is stored and encrypted. A switch to a lower designation, such as standard official use only, would put security at risk. Current regulations already protect SGI without breaking the bank.
Another OIG audit revisited the topic in 2012. This audit discussed giving people outside of the NRC and its licensees access to SGI. The OIG recommended setting up a specific plan for granting outsider access. Based on the recommendations, outsiders will still need to undergo background checks and have a “need to know.”
The NRC strives to be as open and transparent as possible. However, when it comes to safeguarding sensitive information for the good of the country, and our licensees, information protection will always take priority over transparency.