skip navigation links 
 
 Search Options 
Index | Site Map | FAQ | Facility Info | Reading Rm | New | Help | Glossary | Contact Us blue spacer  
secondary page banner Return to NRC Home Page

Home > Electronic Reading Room > Document Collections > Commission Documents > Commission Papers (SECY) > 2008 > SECY-08-0099

RULEMAKING ISSUE
(Notation Vote)

SECY-08-0099

July 9, 2008

FOR: The Commissioners
FROM: R. W. Borchardt
Executive Director for Operations
SUBJECT: FINAL RULEMAKING - POWER REACTOR SECURITY REQUIREMENTS (RIN 3150-AG63)

PURPOSE:

To request Commission approval for publication of the final rule.

SUMMARY:

The Nuclear Regulatory Commission (NRC) staff is recommending that the Commission amend its regulations governing security requirements for nuclear power plants.  This final rule would amend existing security regulations and add new security requirements pertaining to current and future nuclear power reactors.  This final rule would make security requirements similar to those previously imposed by the Commission orders issued after the terrorist attacks of September 11, 2001, generically applicable.  Additionally, this final rule would add several new requirements developed as a result of insights gained from implementation of the security orders, reviews of site security plans, implementation of the enhanced baseline inspection program, and NRC evaluation of force-on-force exercises.  The final rule would also update the NRC’s security regulatory framework for the licensing of new nuclear power plants.  Finally, three petitions for rulemaking (PRM) were considered during the development of the final rule requirements, consistent with the previous petition resolution and closure process for these petitions (PRM-50-80, PRM-73-11, and PRM-73-13).

BACKGROUND:

The basis for this rulemaking has been derived from several sources. First, prior to the events of September 11, 2001, the NRC had already undertaken an effort to revise its existing security regulations in 10 CFR Part 73, as noted in SECY-01-0101 (June 4, 2001). The existing security regulations in Part 73 have not been substantially revised for nearly 30 years. After September 11, 2001, that rulemaking effort was delayed for obvious reasons, but the need to reorganize, improve, and update the existing security regulations persists.  This rulemaking built upon the efforts of the prior rulemaking. 

Second, following the terrorist attacks on September 11, 2001, the NRC conducted a thorough review of security requirements to ensure that nuclear power plants and other licensed facilities continued to have effective security measures in place given the changing threat environment. Through a series of orders, the Commission supplemented the design basis threat (DBT) as well as established new requirements for specific training enhancements, access authorization enhancements, and enhancements to defensive strategies, mitigative measures, and integrated response. The following four security orders were issued to power reactor licensees:

  • EA-02-026, “Interim Compensatory Measures Order,” issued February 25, 2002;

  • EA-02-261, “Access Authorization Order,” issued January 7, 2003;

  • EA-03-039, “Security Personnel Training and Qualification Requirements Order,” issued April 29, 2003; and,

  • EA-03-086, “Revised Design Basis Threat Order,” issued April 29, 2003.

While the specific’s of the orders are protected as Safeguards Information (SGI), in general, the enhancements resulted in such measures as increased patrols; augmented security forces and force capabilities; additional security posts; additional physical barriers; vehicle checks at greater standoff distances; enhanced coordination with law enforcement and military authorities; augmented security and emergency response training, equipment, and communication; and more restrictive site access controls for personnel including expanded, expedited, and more thorough employee background investigations. Nuclear power plant licensees revised their site-specific physical security plans, access authorization programs, training and qualification plans, and safeguards contingency plans in response to these orders. The NRC completed its review and approval of all of these revised security plans on October 29, 2004.

Finally, the Energy Policy Act of 2005 (EPAct 2005) signed into law on August 8, 2005, contained several provisions relevant to security at nuclear power plants. Section 653, for instance, which added Section 161A to the Atomic Energy Act of 1954, as amended (AEA), concerns use of an expanded arsenal of weapons including machine guns and semi-automatic assault weapons by NRC licensees as well as imposing certain requirements for fingerprint-based firearms background checks. As noted below, because of considerations that have arisen during the course of this rulemaking, the final rule no longer specifically addresses any provisions of the EPAct 2005.

In addition to proposing requirements that were similar to those that had previously been imposed on licensees by the various orders, the proposed rule also contains several new provisions that the NRC determined would provide additional assurance of licensees’ capabilities to protect against the DBT. These new provisions were identified during implementation of the security orders while reviewing the revised site security plans that had been submitted by licensees for NRC review and approval, while conducting the enhanced baseline inspection program, and through evaluation of the results of force-on-force exercises. As identified in the proposed rule, these new provisions included such measures as cyber security, safety/security interface, central and secondary alarm stations functional equivalency, uninterruptable backup power for detection and assessment equipment, and real-time play‑back video image equipment (October 26, 2006; 71 FR 62666-62667).

STAKEHOLDER INTERACTION:

Recipients of the post-September 11, 2001, orders were notified that the requirements in those orders were considered interim measures and that the NRC ultimately intended to reassess those requirements and undertake a rulemaking that would codify generically-applicable security requirements and revise the Commission’s existing security regulations. To that end, on October 26, 2006 (71 FR 62664), the Commission published the proposed Power Reactor Security Rulemaking in the Federal Register. The proposed rule was originally published for a 75-day public comment period. However, in response to several requests for extension, the comment period was extended on two separate occasions (January 5, 2007; 72 FR 480; and February 28, 2007; 72 FR 8951), eventually closing on March 26, 2007. The NRC received 48 comment letters. In addition, the NRC staff held two public meetings to solicit public comment in Rockville, Maryland, on November 15, 2006, and in Las Vegas, Nevada, on November 29, 2006. The NRC staff also held a third public meeting in Rockville, Maryland, on March 9, 2007, to facilitate stakeholder understanding of the proposed requirements and thereby result in more informed comment on the proposed rule.

The NRC also published a supplemental proposed rule on April 10, 2008 (73 FR 19443) seeking additional stakeholder comment on two provisions of the rule for which the staff wished to provide additional clarifying rule language. The supplemental proposed rule also moved these two provisions from Part 73, Appendix C, (in the proposed rule) to 10 CFR 50.54 of the final rule.

Both the proposed rule and the supplemental proposed rule received extensive stakeholder feedback. The consideration of stakeholder feedback and development of the final rule provisions resulted in several significant structural and content changes to the final rule provisions, which are briefly discussed below.

SIGNIFICANT CHANGES FROM THE PROPOSED TO FINAL RULE:

The staff has committed to provide a Commission Paper that discusses the advantages and disadvantages of adopting the proposed DOE categorization table.

  1. Separation of the Enhanced Weapons and Firearms Background Check Requirements. As discussed above, Section 161A of the AEA permits the NRC to authorize the use of certain enhanced weapons in the protective strategies of specific designated licensees once guidelines are developed by the NRC and approved by the Attorney General (from Section 653 of EPAct 2005). In anticipation of the completion of those guidelines, the proposed rule contained several provisions that would have described the requirements for the use of enhanced weapons and for firearms background checks for certain security personnel (i.e., proposed § 73.18 and § 73.19). Since the guidelines have not yet received the approval of the Attorney General, the NRC staff has proposed in SECY-08-0055 (April 17, 2008) to separate that portion of the proposed rule to be continued as a separate rulemaking. As a result, this draft final rule does not contain any provisions related to the implementation of Section 161A.

  2. Cyber Security Requirements. Another recommended change to this final rulemaking is the relocation of proposed cyber security requirements. Cyber security requirements had been located in the proposed rule in Paragraph 73.55(m). The staff recommends that these requirements now be placed into a new separate section within Part 73 (§ 73.54). The staff believes that these requirements are better suited for a stand-alone section to enable the cyber security requirements to be made applicable to other types of facilities and applications through future rulemakings. For licensing purposes, the cyber security plans would be dealt with consistent with the treatment of other security plans, generally in §§ 50.34, 50.54, 52.79, and 52.80, as applicable. For current reactor licensees, the staff recommends that the rule require the submission of a cyber security plan to the NRC for review and approval by way of a license amendment within 180 days of the effective date of the rule. For reactor applicants with an application currently before the NRC, they would be required to amend their applications to address the requirements of Section 73.54.

  3. Performance Evaluation Program Requirements. The staff recommends that these requirements be moved in their entirety from Part 73, Appendix C, to Part 73, Appendix B, because these requirements describe the development and implementation of a program for training the security force in the response to contingency events.

  4. Mitigative Strategies and Response Procedures for Potential or Actual Aircraft Attacks. In accordance with the supplemental proposed rule discussed earlier, the staff recommends that the mitigative measures and potential aircraft attack notification requirements that were initially located in proposed Part 73, Appendix C, now be located in Paragraph 50.54(hh) as a condition of an operating license. The staff made this change in response to stakeholder comments that Part 73, Appendix C, was not the appropriate location for these requirements because the requirements were not specific to the licensee’s security organization and that clarification was needed. The staff clarified the language and added additional language to the proposed rule regarding licensee response to potential aircraft attacks. 

  5. Section 73.71 and Appendix G to Part 73. The proposed rule contained revisions to § 73.71 and Part 73, Appendix G. The NRC staff intended to recommend few changes to these regulations based on public comments. However, the staff recommends that these provisions are not contained in this final rule but that they are instead addressed as part of the enhanced weapons and firearms background checks rulemaking because conforming changes must be made to reporting requirements for licensees with regard to enhanced weapons.

  6. Security Plan Submittal Requirements. The proposed rule would have required current licensees to revise, and submit for NRC review and approval, their physical security plan, safeguards contingency plan, and training and qualification plans to incorporate the new rule requirements. The staff recommends that the final rule no longer require these security plan submittals (with the notable exception of a cyber security plan discussed above) and instead permit current licensees to make changes in accordance with the criteria of §§ 50.54(p) or 50.90, as applicable. The NRC staff judged this approach to be acceptable because the great majority of the requirements in this final rule are substantially similar to the requirements that had been imposed by the orders and because all current licensees have security plans that addressed those requirements which were reviewed and approved by the NRC in 2004. In addition, many of the additional requirements in the final power reactor security rule are already current practices that were implemented in the site-specific plans. For these new rule requirements, the NRC staff is confident that most of these changes are security plan enhancements that could be incorporated into security plans consistent with the change process described in § 50.54(p). For the requirements that go beyond current practices, the staff does not expect that the changes required by this rule would result in a decrease of effectiveness in a licensee’s security plan. If, in a licensee’s judgment, a particular security plan change would reduce the effectiveness of the plan, then the proposed plan revision would be required to be submitted to the NRC for review and approval as a license amendment in accordance with § 50.90. With respect to applicants who have already submitted an application to the Commission for an operating license or combined license as of the effective date of this rule, those applicants would be required by this rule to amend their applications to the extent necessary to address the requirements of the new rule.

  7. Implementation of the Final Rule. The staff recommends that the final rule be effective 30 days following date of publication. This would permit applicability of the rule’s requirements to new reactor applicants at the earliest possible date. However, the staff also recommends that a separate compliance date be specified for current licensees so that those licensees would be not be required to be in compliance with the rule requirements until 180 days following the effective date of the rule. 

  8. Definitions. The proposed rule contained a number of definitions, primarily related to the proposed enhanced weapons requirements. As noted previously, the enhanced weapons provisions and firearms backgrounds checks have been separated into a separate rulemaking so codifying those definitions is no longer appropriate in this rulemaking. Regarding the other proposed rule definitions of safety/security interface, security officer, and target sets, the NRC staff recommends that these terms be addressed in guidance, and accordingly the final rule does not contain these definitions. 

  9. EPAct 2005 Provisions. The proposed rule contained a number of proposed requirements that were designed to address security-related provisions of the EPAct 2005. As noted above, the staff recommended that the EPAct 2005 Section-653 provisions for enhanced weapons and firearms background check requirements be moved to a separate rulemaking. Therefore, the only other provisions of the EPAct 2005 that the NRC had considered during this rulemaking were in Section 651, which concerns matters related to the triennial NRC-evaluated, force-on-force exercises, the NRC’s mitigation of potential conflicts of interest in the conduct of such exercises, and the submission of annual reports by the NRC to Congress. Because the EPAct 2005 requires the NRC to be directly responsible for implementation of those requirements, the staff does not believe that any of these provisions need to be specifically reflected in the NRC’s regulations.

FINAL RULE REQUIREMENTS:

This final rulemaking would amend the security requirements for power reactors and would include revisions to the following existing sections and appendices in 10 CFR Part 73:

  • 10 CFR 73.55, Requirements for physical protection of licensed activities in nuclear power reactors against radiological sabotage.

  • 10 CFR 73.56, Personnel access authorization requirements for nuclear power plants.

  • 10 CFR Part 73, Appendix B, General criteria for security personnel.

  • 10 CFR Part 73, Appendix C, Licensee safeguards contingency plans.

The final rule would also add two new sections to Part 73 and a new paragraph to 10 CFR Part 50:

  • 10 CFR 73.54, Protection of digital computer and communication systems and networks (i.e., cyber security requirements).

  • 10 CFR 73.58, Safety/security interface requirements for nuclear power reactors.

  • 10 CFR 50.54(hh), Mitigative strategies and response procedures for potential or actual aircraft attacks.

This rulemaking, if approved by the Commission, would contain a number of significant new requirements discussed below.

  1. Safety/Security Interface Requirements. These requirements would be located in new Section 73.58. The safety/security requirements explicitly require licensee management to consider potential adverse interactions between security activities and other plant activities and to assess and manage these interactions so that neither safety nor security is compromised. These requirements address, in part, PRM-50-80, which requested the establishment of regulations governing proposed changes to the facilities which could adversely affect the protection against radiological sabotage.

  2. Mixed-Oxide (MOX) Fuel Requirements. The staff recommends that these requirements be codified as new Paragraph 73.55(l) for reactor licensees who propose to use MOX fuel in concentrations of 20 percent or less. These new requirements provide enhancements to the normal radiological sabotage-based physical security requirements for the protection of the MOX fuel from theft or diversion. These requirements reflect the NRC staff’s view that application of security requirements for the protection of formula quantities of strategic special nuclear material set forth in   Part 73, which would otherwise apply because of the MOX fuel=s plutonium content, is, in part, unnecessary to provide adequate protection for this material because of the weight and size of MOX fuel assemblies. The MOX fuel security requirements in this rule are consistent with the approach previously approved by the Commission and implemented at the Catawba Nuclear Station through the MOX lead test assembly effort in 2004-2005.

  3. Cyber Security Requirements. The staff recommends that these requirements be codified as new Section 73.54. These requirements are designed to provide high assurance that digital computer and communication systems and networks are adequately protected against cyber attacks up to and including the DBT as required in § 73.1(a)(1)(v). These requirements would be substantial improvements of the requirements imposed by the February 25, 2002, order. In addition to requiring that all new applications for an operating or combined operating license include a cyber security plan, the rule would also require currently operating licensees to submit a cyber security plan to the NRC as a license amendment for review and approval within 180 days of the effective date of this rule. In addition, applicants who have submitted an application for an operating or combined license currently under review by the Commission would be required to amend their applications to include a cyber plan. For both current and new licensees, the cyber security plan would become part of the licensee’s current licensing basis (i.e., operating license condition) in the same manner as other security plans.

  4. Mitigative Strategies and Response Procedures for Potential or Actual Aircraft Attacks. The staff recommends that these requirements be set forth in new § 50.54(hh). Section 50.54(hh)(1) would establish the necessary regulatory framework to facilitate consistent application of Commission requirements for preparatory actions to be taken in the event of a potential aircraft threat to a nuclear power reactor facility. The staff also recommends that § 50.54(hh)(2) require licensees to develop guidance and strategies for addressing the loss of large areas of the plant due to explosions or fires from a beyond-design basis event through the use of readily available resources and identification of potential practicable areas for the use of beyond-readily-available resources. Requirements similar to these were previously imposed under Section B.5 of the February 25, 2002, order; specifically, the “B.5.a” and the “B.5.b” provisions.

  5. Access Authorization Enhancements. The staff is recommending substantial revisions to existing § 73.56. The revisions would incorporate lessons-learned from the Commission’s implementation of the January 7, 2003, order requirements and would improve integration of the access authorization requirements and security program requirements. The recommended final rule includes an increase in rigor for many elements of existing access authorization program requirements. In addition, the final rule requirements would include access authorization measures for individuals who could employ electronic means to adversely impact facility safety, security, or emergency preparedness; enhancements to the psychological assessment requirements; use of information sharing systems between reactor licensees; expanded behavioral observation requirements; reinvestigations of criminal and credit history records for all individuals with unescorted access; and 5-year psychological reassessments for individuals with certain critical job functions.

  6. Training and Qualification Enhancements. These recommended requirements are set forth in the revised Part 73, Appendix B, and would include modifications to the training and qualification requirements based on insights from implementation of the security orders, NRC reviews of site security plans, implementation of the enhanced baseline inspection program, and insights gained from evaluation of licensee force-on-force exercises. These new requirements would include additional physical fitness standards for unarmed security personnel to assure that personnel performing these functions meet minimum physical requirements commensurate with their duties. The new requirements also include a minimum age requirement of 18 years for unarmed security officers, increased minimum qualification scores for testing required by the training and qualification plan, enhanced qualification requirements for security trainers as well as drill and exercise controllers, personnel responsible for assessing psychological qualifications, armor certification requirements, and program requirements for on-the-job training.

  7. Physical Security Enhancements.  The staff recommends that the final rule impose new physical security measures in the revised §73.55 that have been identified by the staff during implementation of the security orders, reviews of site security plans, implementation of the enhanced baseline inspection program, and evaluations of licensee force-on-force exercises. Significant new requirements in §73.55 would include a requirement that the central alarm station (CAS) and secondary alarm station (SAS) have functionally equivalent capabilities such that no single act of radiological sabotage could disable the key functions of both CAS and SAS. Other significant recommended changes include requirements for new reactor licensees to locate the SAS within the site’s protected area, ensure that the SAS is bullet resistant, and limit visibility into the SAS from the perimeter of the protected area. Revisions to § 73.55 would also include requiring uninterruptible backup power supplies for detection and assessment equipment, real-time play-back video image equipment, and protection from waterborne vehicles.

PETITIONS FOR RULEMAKING:

Three petitions were considered during the development of the final rule requirements consistent with previous petition resolution and closure process for these petitions.  

  1. PRM-50-80. This PRM was submitted by the Union of Concerned Scientists (UCS) and the San Luis Obispo Mothers for Peace and was originally docketed and noticed for comment on June 16, 2003 (68 FR 35568). The petition requested that the NRC take two actions, the second of which was resolved as part of the final DBT rulemaking on March 19, 2007 (72 FR 12705). The first requested action to require licensees to evaluate whether proposed changes, tests, or experiments cause protection against radiological sabotage to be decreased and, if so, to conduct such actions only with prior NRC approval. It was consolidated for consideration with the power reactor security rulemaking on November 17, 2005 (70 FR 69690). Proposed language addressing the issues raised in the petition was published as proposed Section 73.58, “Safety/security interface requirements for nuclear power reactors.” This section remains in the final rule.

  2. PRM-73-11. This PRM was submitted by Scott Portzline, Three Mile Island Alert, and was noticed for public comment on November 2, 2001 (66 FR 55603). In short, the petitioner requested that the NRC regulations governing physical protection of plants and materials be amended to require NRC licensees to post at least one armed guard at each entrance to the ‘‘owner controlled areas’’ (OCA) surrounding all U.S. nuclear power plants. As noted in a Federal Register Notice published December 27, 2006 (72 FR 481), the NRC consolidated PRM-73-11 and the public comments filed on the petition for consideration in this rulemaking. As noted in the draft final rule, the staff does not recommend incorporating the petitioner’s suggestion into Part 73. The NRC staff concluded that establishing a prescriptive requirement to post armed security personnel in the OCA is not necessary. Instead, the final physical security requirements in § 73.55(k) would allow licensees the flexibility to determine the need for armed security personnel in the OCA, as a function of site-specific considerations, such that the licensee can defend against the DBT with high assurance.

  3. PRM-73-13. This PRM was submitted by the Union of Concerned Scientists and was noticed for public comment on April 9, 2007 (72 FR 17440). In summary, the petitioner requested several changes to the Commission’s regulations related to unescorted and escorted access including requiring licensees to deny escorted or unescorted access to certain individuals and to require armed escorts for individuals for whom licensees are unable to acquire sufficient background information. The NRC determined that the issues raised in PRM-73-13 were appropriate for consideration in this rulemaking and consolidated the petition. For the reasons set forth in the attached Federal Register Notice, the staff does not recommend adoption of either proposal in the final rule.

RESOURCES:

Resources to complete the rulemaking (excluding inspection) are in the budget. Estimates follow:
FY 2009 NRR 0.6 FTE and $50K, NSIR 1.7 FTE
FY 2010 NSIR 0.5 FTE and $100K

NRR has requested 0.6 FTE and $50K for FY 2009 and NSIR has requested 1.7 FTE in their FY 2009 budget to Congress.  For FY 2010, NSIR is requesting 0.5 FTE and $100K through the FY 2010 Planning, Budgeting, and Performance Management Process.

COMMITMENTS:

Fourteen draft regulatory guides have been developed or revised to support this rulemaking.  The draft guides are prioritized into two groups.  The first group of ten draft guides is directly tied to the new rule.  They are drafted and have been distributed for public comment where appropriate or to limited-authorized interested persons where necessary to protect Safeguards Information.  The staff plans to finalize the first group of guidance by February 2009.  The second group of four draft guides must be revised and/or updated.  The staff plans to finalize these guides by March 2009.

RECOMMENDATIONS:

That the Commission:

  1. Approve for publication in the Federal Register the enclosed final rule (Enclosure 1 PDF Icon).

  2. To satisfy the requirement of the Regulatory Flexibility Act, 5 U.S.C. 605 (b), certify that this rule, if promulgated, will not have significant impact on a substantial number of small entities. This certification is included in the enclosed Federal Register Notice.

  3. Notes:

    1. The Chief Counsel for Advocacy of the Small Business Administration will be informed of the certification and the reasons for it, as required by the Regulatory Flexibility Act, 5 U.S.C. 605(b).

    2. That a final Regulatory Analysis has been prepared for this rulemaking (Enclosure 2 PDF Icon).

    3. The staff has determined that this action is not a “major rule” as defined in the Congressional Review Act of 1996 [5 U.S.C 804(2)] and has confirmed this determination with the Office of Management and Budget (OMB). The appropriate Congressional and Government Accountability Office contacts will be informed. The final rule imposes one-time costs that exceed $100 million. However, when those costs are annualized (i.e., spread out over an average 30-year lifetime of impacted facilities), the costs (as an annual impact on the economy) are much less than $100 million.

    4. The appropriate Congressional committees will be informed.

    5. A press release will be issued by the Office of Public Affairs when the final rulemaking is filed with the Office of the Federal Register.

    6. The final rule contains amended information collection requirements subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501, et seq.) that must be submitted to the OMB for its review and approval before publication of the final rule in the Federal Register.

COORDINATION:

The Office of the General Counsel has no legal objection to this final rulemaking. The Office of the Chief Financial Officer has reviewed this Commission paper for resource implications and has no objections. An information copy of this final rule was provided to the Committee to Review Generic Requirements. An information and status briefing was provided to the Advisory Committee on Reactor Safeguards (ACRS) on June 4, 2008. The ACRS review of the portions of this rulemaking within the committee’s scope (i.e., §§ 50.54(hh), 73.58, and 73.54) was deferred until July 9, 2008, to expedite delivery of this final rule. The ACRS will provide its views and conclusions directly to the Commission.

 

/RA/

R. W. Borchardt
Executive Director for Operations

Enclosures:
  1. Federal Registery Notice PDF Icon
  2. Regulatory Analysis and Backfit Analysis PDF Icon
  3. Integrated Comment Responses Supporting Final Rule PDF Icon
  4. Environmental Assessment Supporting Final Rule PDF Icon

CONTACTS:

Bonnie Schnetzler, NSIR/DSP
(301) 415-7883
 

Timothy Reed, NRR/DPR
(301) 415-1462


Privacy Policy | Site Disclaimer
Monday, July 14, 2008