Current through Register No. 50, December 12, 2024
Section He-P 4038.15 - General Security Program Requirements(a) The security plan shall require: (1) Each licensee identified in He-P 4038.14(a) to develop a written security plan specific to its facilities and operations. The purpose of the security plan shall be to establish the licensee's overall security strategy to ensure the integrated and effective functioning of the security program required by He-P 4038.14 through He-P 4038.22. The security plan shall, at a minimum: a. Describe the measures and strategies used to implement the requirements of this He-P 4038.14 through He-P 4038.22; andb. Identify the security resources, equipment, and technology used to satisfy the requirements of He-P 4038.14 through He-P 4038.22.(2) A review and approval by the individual with overall responsibility for the security program;(3) The security plan shall be revised by the licensee as necessary to ensure the effective implementation of DHHS/RHS requirements. The licensee shall ensure that: a. The revision has been reviewed and approved by the individual with overall responsibility for the security program; andb. The affected individuals are instructed on the revised plan before the changes are implemented.(4) The current security plan as a record shall be retained by the licensee for 3 years after the security plan is no longer required. If any portion of the plan is superseded, the licensee shall retain the superseded material for 3 years after the record is superseded.(b) The security plan shall be implemented by the following procedures: (1) The licensee shall develop and maintain written procedures that document how the requirements of He-P 4038.14 through He-P 4038.22 and the security plan will be met;(2) The implementing procedures and revisions to these procedures shall be approved in writing by the individual with overall responsibility for the security program; and (3) The licensee shall retain a copy of the current procedure as a record for 3 years after the procedure is no longer needed. Superseded portions of the procedure shall be retained for 3 years after the record is superseded.(c) The security plan shall include the following training requirements: (1) Each licensee shall conduct training to ensure that those individuals implementing the security program possess and maintain the knowledge, skills, and abilities to carry out their assigned duties and responsibilities effectively. The training shall include instruction in: a. The licensee's security program and procedures to secure category 1 or category 2 quantities of radioactive material, and in the purposes and functions of the security measures employed;b. The responsibility to report promptly to the licensee any condition that causes or may cause a violation of DHHS/RHS requirements;c. The responsibility of the licensee to report promptly to the local law enforcement agency and licensee any actual or attempted theft, sabotage, or diversion of category 1 or category 2 quantities of radioactive material; andd. The appropriate response to security alarms.(2) In determining those individuals who shall be trained on the security program, the licensee shall consider each individual's assigned activities during authorized use and response to potential situations involving actual or attempted theft, diversion, or sabotage of category 1 or category 2 quantities of radioactive material. The extent of the training shall be commensurate with the individual's potential involvement in the security of category 1 or category 2 quantities of radioactive material; and(3) Refresher training shall be provided at a frequency not to exceed 12 months and when significant changes have been made to the security program. This training shall include: a. Review of the training requirements of paragraph (c) of this section and any changes made to the security program since the last training;b. Reports on any relevant security issues, problems, and lessons learned;c. Relevant results of DHHS/RHS inspections; andd. Relevant results of the licensee's program review and testing and maintenance.(4) The licensee shall maintain records of the initial and refresher training for 3 years from the date of the training. The training records shall include dates of the training, topics covered, a list of licensee personnel in attendance, and related information.(d) All information and implementing procedures included as part of a security plan shall be protected as follows:(1) Licensees authorized to possess category 1 or category 2 quantities of radioactive material shall limit access to and unauthorized disclosure of their security plan, implementing procedures, and the list of individuals that have been approved for unescorted access;(2) Efforts to limit access shall include the development, implementation, and maintenance of written policies and procedures for controlling access to, and for proper handling and protection against unauthorized disclosure of, the security plan, implementing procedures, and the list of individuals that have been approved for unescorted access;(3) Before granting an individual access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access, licensees shall: a. Evaluate an individual's need to know the security plan, implementing procedures, or the list of individuals that have been approved of unescorted access; andb. If the individual has not been authorized for unescorted access to category 1 or category 2 quantities of radioactive material, safeguards information, or safeguards information-modified handling, the licensee shall complete a background investigation to determine the individual's trustworthiness and reliability. A trustworthiness and reliability determination shall be conducted by the reviewing official and shall include the background investigation elements contained in He-P 4038.09(a) (2) .(4) Licensees need not subject the following individuals to the background investigation elements for protection of information: a. The categories of individuals listed in He-P 4038.11(a) (1) through (a) (13); orb. Security service provider employees, provided written verification that the employee has been determined to be trustworthy and reliable, by the required background investigation in He-P 4038.09(a) (2) , has been provided by the security service provider.(5) The licensee shall document the basis for concluding that an individual is trustworthy and reliable and should be granted access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access;(6) Licensees shall maintain a list of persons currently approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access. When a licensee determines that a person no longer needs access to the security plan or implementing procedures, or the list of individuals that have been approved for unescorted access, or no longer meets the access authorization requirements for access to the information, the licensee shall remove the person from the approved list as soon as possible, but no later than 7 working days, and take prompt measures to ensure that the individual is unable to obtain the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access;(7) When not in use, the licensee shall store its security plan, implementing procedures, and the list of individuals that have been approved for unescorted access in a manner to prevent unauthorized access. Information stored in non-removable electronic form shall be password protected; and(8) The licensee shall retain as a record for 3 years after the document is no longer needed: a. A copy of the information protection procedures; andb. The list of individuals approved for access to the security plan, implementing procedures, or the list of individuals that have been approved for unescorted access.N.H. Admin. Code § He-P 4038.15
Derived From Volume XXXVI Number 23, Filed June 9, 2016, Proposed by #11105, Effective 5/25/2016, Expires 5/25/2026.Amended by Volume XXXIX Number 16, Filed April 18, 2019, Proposed by #12744, Effective 3/20/2019, Expires 3/20/2029.Amended by Volume XXXIX Number 50, Filed December 12, 2019, Proposed by #12931, Effective 11/26/2019, Expires 11/26/2029.