Home > Electronic Reading Room > Document Collections > Commission Documents > Commission
Papers (SECY) > 2008 > SECY-08-0099
RULEMAKING ISSUE
(Notation Vote)
SECY-08-0099
July 9, 2008
FOR: |
The Commissioners |
FROM: |
R. W. Borchardt
Executive Director for Operations |
SUBJECT: |
FINAL RULEMAKING - POWER REACTOR SECURITY
REQUIREMENTS (RIN 3150-AG63) |
PURPOSE:
To request Commission approval for publication of the final rule.
SUMMARY:
The Nuclear Regulatory Commission (NRC) staff is recommending that the Commission amend its regulations governing security requirements for nuclear power plants. This final rule would amend existing security regulations and add new security requirements pertaining to current and future nuclear power reactors. This final rule would make security requirements similar to those previously imposed by the Commission orders issued after the terrorist attacks of September 11, 2001, generically applicable. Additionally, this final rule would add several new requirements developed as a result of insights gained from implementation of the security orders, reviews of site security plans, implementation of the enhanced baseline inspection program, and NRC evaluation of force-on-force exercises. The final rule would also update the NRC’s security regulatory framework for the licensing of new nuclear power plants. Finally, three petitions for rulemaking (PRM) were considered during the development of the final rule requirements, consistent with the previous petition resolution and closure process for these petitions (PRM-50-80, PRM-73-11, and PRM-73-13).
BACKGROUND:
The
basis for this rulemaking has been derived from several sources. First, prior to the events of September 11,
2001, the NRC had already undertaken an effort to revise its existing security
regulations in 10 CFR Part 73, as noted in SECY-01-0101 (June 4, 2001). The existing security regulations in Part 73
have not been substantially revised for nearly 30 years. After September 11, 2001, that rulemaking
effort was delayed for obvious reasons, but the need to reorganize, improve,
and update the existing security regulations persists. This rulemaking built upon the efforts of the
prior rulemaking.
Second,
following the terrorist attacks on September 11, 2001, the NRC conducted a
thorough review of security requirements to ensure that nuclear power plants
and other licensed facilities continued to have effective security measures in
place given the changing threat environment. Through a series of orders,
the Commission supplemented the design basis threat (DBT) as well as
established new requirements for specific training enhancements, access
authorization enhancements, and enhancements to defensive strategies,
mitigative measures, and integrated response. The following four security
orders were issued to power reactor licensees:
EA-02-026, “Interim Compensatory Measures Order,” issued February 25,
2002;
EA-02-261, “Access
Authorization Order,” issued January 7, 2003;
EA-03-039, “Security
Personnel Training and Qualification Requirements Order,” issued April 29,
2003; and,
EA-03-086, “Revised
Design Basis Threat Order,” issued April 29, 2003.
While
the specific’s of the orders are protected as Safeguards Information (SGI), in
general, the enhancements resulted in such measures as increased patrols;
augmented security forces and force capabilities; additional security posts;
additional physical barriers; vehicle checks at greater standoff distances; enhanced coordination with law enforcement
and military authorities; augmented security and emergency response training,
equipment, and communication; and more restrictive site access controls for
personnel including expanded, expedited, and more thorough employee background
investigations. Nuclear power plant
licensees revised their site-specific physical security plans, access
authorization programs, training and qualification plans, and safeguards
contingency plans in response to these orders. The NRC completed its review and approval of all of these revised
security plans on October 29, 2004.
Finally,
the Energy Policy Act of 2005 (EPAct 2005) signed into law on August 8, 2005,
contained several provisions relevant to security at nuclear power plants. Section 653, for instance, which added
Section 161A to the Atomic Energy Act of 1954, as amended (AEA), concerns use
of an expanded arsenal of weapons including machine guns and semi-automatic
assault weapons by NRC licensees as well as imposing certain requirements for
fingerprint-based firearms background checks. As noted below, because of considerations that have arisen during the
course of this rulemaking, the final rule no longer specifically addresses any
provisions of the EPAct 2005.
In
addition to proposing requirements that were similar to those that had
previously been imposed on licensees by the various orders, the proposed rule
also contains several new provisions that the NRC determined would provide
additional assurance of licensees’ capabilities to protect against the
DBT. These new provisions were
identified during implementation of the security orders while reviewing the
revised site security plans that had been submitted by licensees for NRC review
and approval, while conducting the enhanced baseline inspection program, and
through evaluation of the results of force-on-force exercises. As identified in the proposed rule, these new
provisions included such measures as cyber security, safety/security interface,
central and secondary alarm stations functional equivalency, uninterruptable backup
power for detection and assessment equipment, and real-time play‑back
video image equipment (October 26, 2006; 71 FR 62666-62667).
STAKEHOLDER INTERACTION:
Recipients
of the post-September 11, 2001, orders were notified that the requirements
in those orders were considered interim measures and that the NRC ultimately
intended to reassess those requirements and undertake a rulemaking that would
codify generically-applicable security requirements and revise the Commission’s
existing security regulations. To that
end, on October 26, 2006 (71 FR 62664), the Commission published the proposed
Power Reactor Security Rulemaking in the Federal
Register. The proposed rule was
originally published for a 75-day public comment period. However, in response to several requests for
extension, the comment period was extended on two separate occasions (January
5, 2007; 72 FR 480; and February 28, 2007; 72 FR 8951), eventually closing on
March 26, 2007. The NRC received 48 comment
letters. In addition, the NRC staff held
two public meetings to solicit public comment in Rockville,
Maryland, on November 15, 2006, and in Las Vegas, Nevada,
on November 29, 2006. The NRC staff also
held a third public meeting in Rockville,
Maryland, on March 9, 2007, to
facilitate stakeholder understanding of the proposed requirements and thereby
result in more informed comment on the proposed rule.
The
NRC also published a supplemental proposed rule on April 10, 2008 (73 FR 19443)
seeking additional stakeholder comment on two provisions of the rule for which
the staff wished to provide additional clarifying rule language. The supplemental proposed rule also moved
these two provisions from Part 73, Appendix C, (in the proposed rule) to 10 CFR
50.54 of the final rule.
Both
the proposed rule and the supplemental proposed rule received extensive
stakeholder feedback. The consideration
of stakeholder feedback and development of the final rule provisions resulted
in several significant structural and content changes to the final rule provisions,
which are briefly discussed below.
SIGNIFICANT CHANGES FROM THE PROPOSED TO FINAL RULE:
The staff has committed to provide a Commission Paper that discusses the advantages and disadvantages of adopting the proposed DOE categorization table.
Separation
of the Enhanced Weapons and Firearms Background Check Requirements.
As discussed above, Section 161A of the AEA permits the
NRC to authorize the use of certain enhanced weapons in the protective
strategies of specific designated licensees once guidelines are developed by
the NRC and approved by the Attorney General (from Section 653 of EPAct
2005). In anticipation of the completion of those guidelines, the
proposed rule contained several provisions that would have described the
requirements for the use of enhanced weapons and for firearms background checks
for certain security personnel (i.e.,
proposed § 73.18 and § 73.19). Since the guidelines have not
yet received the approval of the Attorney General, the NRC staff has proposed
in SECY-08-0055 (April 17, 2008) to separate that portion
of the proposed rule to be continued as a separate rulemaking. As a result, this draft final rule does not
contain any provisions related to the implementation of Section 161A.
Cyber Security Requirements.
Another recommended change to this final rulemaking is the relocation of
proposed cyber security requirements. Cyber security requirements had been located in the proposed rule in
Paragraph 73.55(m). The staff recommends
that these requirements now be placed into a new separate section within Part
73 (§ 73.54). The staff believes
that these requirements are better suited for a stand-alone section to enable
the cyber security requirements to be made applicable to other types of
facilities and applications through future rulemakings. For licensing purposes, the cyber security
plans would be dealt with consistent with the treatment of other security
plans, generally in §§ 50.34, 50.54, 52.79, and 52.80, as applicable. For current reactor licensees, the staff
recommends that the rule require the submission of a cyber security plan to the
NRC for review and approval by way of a license amendment within 180 days
of the effective date of the rule. For
reactor applicants with an application currently before the NRC, they would be
required to amend their applications to address the requirements of Section
73.54.
Performance Evaluation Program
Requirements. The staff recommends
that these requirements be moved in their entirety from Part 73, Appendix C, to
Part 73, Appendix B, because these requirements describe the development
and implementation of a program for training the security force in the response
to contingency events.
Mitigative Strategies and Response
Procedures for Potential or Actual Aircraft Attacks. In accordance
with the supplemental proposed rule discussed earlier, the staff recommends
that the mitigative measures and potential aircraft attack notification
requirements that were initially located in proposed Part 73, Appendix C, now
be located in Paragraph 50.54(hh) as a condition of an operating license.
The staff made this change in response to stakeholder comments that Part 73,
Appendix C, was not the appropriate location for these requirements because the
requirements were not specific to the licensee’s security organization and that
clarification was needed. The staff
clarified the language and added additional language to the proposed rule
regarding licensee response to potential aircraft attacks.
Section 73.71 and Appendix G to Part 73.
The proposed rule contained revisions to § 73.71 and Part 73, Appendix
G. The NRC staff intended to recommend few changes to these
regulations based on public comments. However, the staff recommends that
these provisions are not contained in this final rule but that they are instead
addressed as
part of the enhanced weapons and firearms background checks rulemaking because
conforming changes must be made to reporting requirements for licensees with
regard to enhanced weapons.
Security Plan Submittal Requirements.
The proposed rule would have required current licensees to revise, and submit
for NRC review and approval, their physical security plan, safeguards
contingency plan, and training and qualification plans to incorporate the new
rule requirements. The staff recommends that the final rule no longer
require these security plan submittals (with the notable exception of a cyber
security plan discussed above) and instead permit current licensees to make
changes in accordance with the criteria of §§ 50.54(p) or 50.90, as
applicable. The NRC staff judged this
approach to be acceptable because the great majority of the requirements in
this final rule are substantially similar to the requirements that had been
imposed by the orders and because all current licensees have security plans
that addressed those requirements which were reviewed and approved by the NRC
in 2004. In addition, many of the additional requirements in the final
power reactor security rule are already current practices that were implemented
in the site-specific plans. For these
new rule requirements, the NRC staff is confident that most of these changes
are security plan enhancements that could be incorporated into security plans
consistent with the change process described in § 50.54(p). For the requirements that go beyond current
practices, the staff does not expect that the changes required by this rule
would result in a decrease of effectiveness in a licensee’s security plan. If, in a licensee’s judgment, a particular
security plan change would reduce the effectiveness of the plan, then the
proposed plan revision would be required to be submitted to the NRC for review
and approval as a license amendment in accordance with § 50.90. With respect to applicants who have already
submitted an application to the Commission for an operating license or combined
license as of the effective date of this rule, those applicants would be
required by this rule to amend their applications to the extent necessary to
address the requirements of the new rule.
Implementation of the Final Rule. The staff recommends that the final rule be
effective 30 days following date of publication. This would permit applicability of the rule’s
requirements to new reactor applicants at the earliest possible date. However, the staff also recommends that a
separate compliance date be specified for current licensees so that those
licensees would be not be required to be in compliance with the rule
requirements until 180 days following the effective date of the rule.
Definitions. The proposed rule contained a number of
definitions, primarily related to the proposed enhanced weapons
requirements. As noted previously, the
enhanced weapons provisions and firearms backgrounds checks have been separated
into a separate rulemaking so codifying those definitions is no longer
appropriate in this rulemaking. Regarding the other proposed rule definitions of safety/security
interface, security officer, and target sets, the NRC staff recommends that
these terms be addressed in guidance, and accordingly the final rule does not
contain these definitions.
EPAct 2005 Provisions. The
proposed rule contained a number of proposed requirements that were designed to
address security-related provisions of the EPAct 2005. As noted above, the staff recommended that
the EPAct 2005 Section-653
provisions for enhanced weapons and firearms background check requirements be
moved to a separate rulemaking. Therefore, the only other provisions of the EPAct 2005 that the NRC had
considered during this rulemaking were in Section 651, which concerns
matters related to the triennial NRC-evaluated, force-on-force exercises, the
NRC’s mitigation of potential conflicts of interest in the conduct of such
exercises, and the submission of annual reports by the NRC to Congress. Because the EPAct 2005 requires the NRC to be
directly responsible for implementation of those requirements, the staff does
not believe that any of these provisions need to be specifically reflected in
the NRC’s regulations.
FINAL RULE REQUIREMENTS:
This
final rulemaking would amend the security requirements for power reactors and
would include revisions to the following existing sections and appendices in 10
CFR Part 73:
10 CFR 73.55, Requirements for physical protection of licensed
activities in nuclear power reactors against radiological sabotage.
10 CFR 73.56,
Personnel access authorization requirements for nuclear power plants.
10 CFR Part 73,
Appendix B, General criteria for security personnel.
10 CFR Part 73,
Appendix C, Licensee safeguards contingency plans.
The
final rule would also add two new sections to Part 73 and a new paragraph to
10 CFR Part 50:
10 CFR 73.54, Protection
of digital computer and communication systems and networks (i.e., cyber
security requirements).
10 CFR 73.58,
Safety/security interface requirements for nuclear power reactors.
10 CFR 50.54(hh),
Mitigative strategies and response procedures for potential or actual
aircraft attacks.
This
rulemaking, if approved by the Commission, would contain a number of
significant new requirements discussed below.
Safety/Security Interface Requirements. These
requirements would be located in new Section 73.58. The safety/security requirements explicitly
require licensee management to consider potential adverse interactions between
security activities and other plant activities and to assess and manage these
interactions so that neither safety nor security is compromised. These requirements address, in part,
PRM-50-80, which requested the establishment of regulations governing proposed
changes to the facilities which could adversely affect the protection against
radiological sabotage.
Mixed-Oxide
(MOX) Fuel Requirements. The staff recommends that these requirements
be codified as new Paragraph 73.55(l) for reactor licensees who propose to use
MOX fuel in concentrations of 20 percent or less. These new requirements provide enhancements
to the normal radiological sabotage-based physical security requirements for
the protection of the MOX fuel from theft or diversion. These requirements reflect the NRC staff’s
view that application of security requirements for the protection of formula
quantities of strategic special nuclear material set forth in Part 73, which would otherwise apply
because of the MOX fuel=s plutonium content, is, in
part, unnecessary to provide adequate protection for this material because of
the weight and size of MOX fuel assemblies. The MOX fuel security requirements in this rule are consistent with the
approach previously approved by the Commission and implemented at the Catawba
Nuclear Station through the MOX lead test assembly effort in 2004-2005.
Cyber
Security Requirements. The staff recommends that these requirements
be codified as new Section 73.54. These
requirements are designed to provide high assurance that digital computer and
communication systems and networks are adequately protected against cyber
attacks up to and including the DBT as required in § 73.1(a)(1)(v). These requirements would be substantial
improvements of the requirements imposed by the February 25, 2002, order. In addition to requiring that all new
applications for an operating or combined operating license include a cyber
security plan, the rule would also require currently operating licensees to
submit a cyber security plan to the NRC as a license amendment for review and
approval within 180 days of the effective date of this rule. In addition, applicants who have submitted an
application for an operating or combined license currently under review by the
Commission would be required to amend their applications to include a cyber
plan. For both current and new
licensees, the cyber security plan would become part of the licensee’s current
licensing basis (i.e., operating license condition) in the same manner as other
security plans.
Mitigative
Strategies and Response Procedures for Potential or Actual Aircraft Attacks. The staff recommends that these requirements
be set forth in new § 50.54(hh). Section 50.54(hh)(1) would establish the necessary regulatory
framework to facilitate consistent application of Commission requirements for
preparatory actions to be taken in the event of a potential aircraft threat to
a nuclear power reactor facility. The
staff also recommends that § 50.54(hh)(2) require licensees to develop
guidance and strategies for addressing the loss of large areas of the plant due
to explosions or fires from a beyond-design basis event through the use of
readily available resources and identification of potential practicable areas
for the use of beyond-readily-available resources. Requirements similar to these were previously
imposed under Section B.5 of the February 25, 2002, order; specifically, the
“B.5.a” and the “B.5.b” provisions.
Access Authorization Enhancements. The staff is recommending substantial
revisions to existing § 73.56. The
revisions would incorporate lessons-learned from the Commission’s
implementation of the January 7, 2003, order requirements and would improve
integration of the access authorization requirements and security program
requirements. The recommended final rule
includes an increase in rigor for many elements of existing access
authorization program requirements. In
addition, the final rule requirements would include access authorization
measures for individuals who could employ electronic means to adversely impact
facility safety, security, or emergency preparedness; enhancements to the
psychological assessment requirements; use of information sharing systems
between reactor licensees; expanded behavioral observation requirements;
reinvestigations of criminal and credit history records for all individuals
with unescorted access; and 5-year psychological reassessments for individuals
with certain critical job functions.
Training
and Qualification Enhancements. These recommended requirements are set forth in the revised Part 73,
Appendix B, and would include modifications to the training and qualification
requirements based on insights from implementation of the security orders, NRC
reviews of site security plans, implementation of the enhanced baseline
inspection program, and insights gained from evaluation of licensee
force-on-force exercises. These new
requirements would include additional physical fitness standards for unarmed
security personnel to assure that personnel performing these functions meet
minimum physical requirements commensurate with their duties. The new requirements also include a minimum
age requirement of 18 years for unarmed security officers, increased minimum
qualification scores for testing required by the training and qualification
plan, enhanced qualification requirements for security trainers as well as
drill and exercise controllers, personnel responsible for assessing
psychological qualifications, armor certification requirements, and program
requirements for on-the-job training.
Physical
Security Enhancements. The
staff recommends that the final rule impose new physical security measures in
the revised §73.55 that have been identified by the staff during implementation
of the security orders, reviews of site security plans, implementation of the
enhanced baseline inspection program, and evaluations of licensee
force-on-force exercises. Significant
new requirements in §73.55 would include a requirement that the central alarm
station (CAS) and secondary alarm station (SAS) have functionally equivalent
capabilities such that no single act of radiological sabotage could disable the
key functions of both CAS and SAS. Other
significant recommended changes include requirements for new reactor licensees
to locate the SAS within the site’s protected area, ensure that the SAS is
bullet resistant, and limit visibility into the SAS from the perimeter of the
protected area. Revisions to
§ 73.55 would also include requiring uninterruptible backup power supplies
for detection and assessment equipment, real-time play-back video image
equipment, and protection from waterborne vehicles.
PETITIONS FOR RULEMAKING:
Three
petitions were considered during the development of the final rule requirements
consistent with previous petition resolution and closure process for these
petitions.
PRM-50-80. This PRM was submitted by the Union of
Concerned Scientists (UCS) and the San Luis Obispo Mothers for Peace and was
originally docketed and noticed for comment on June 16, 2003 (68 FR
35568). The petition requested that the
NRC take two actions, the second of which was resolved as part of the final DBT
rulemaking on March 19, 2007 (72 FR 12705). The first requested action to require
licensees to evaluate whether proposed changes, tests, or experiments cause
protection against radiological sabotage to be decreased and, if so, to conduct
such actions only with prior NRC approval. It was consolidated for consideration with the power reactor security
rulemaking on November 17, 2005 (70 FR 69690). Proposed language addressing the issues raised in the petition was
published as proposed Section 73.58, “Safety/security interface requirements
for nuclear power reactors.” This
section remains in the final rule.
PRM-73-11. This PRM was submitted by Scott Portzline,
Three Mile Island Alert, and was noticed for public comment on November 2, 2001
(66 FR 55603). In short, the petitioner
requested that the NRC regulations governing physical protection of plants and
materials be amended to require NRC licensees to post at least one armed guard
at each entrance to the ‘‘owner controlled areas’’ (OCA) surrounding all U.S.
nuclear power plants. As noted in a Federal Register Notice published
December 27, 2006 (72 FR 481), the NRC consolidated PRM-73-11 and the
public comments filed on the petition for consideration in this rulemaking. As noted in the draft final rule, the staff
does not recommend incorporating the petitioner’s suggestion into Part 73. The NRC staff concluded that establishing a
prescriptive requirement to post armed security personnel in the OCA is not
necessary. Instead, the final physical
security requirements in § 73.55(k) would allow licensees the flexibility
to determine the need for armed security personnel in the OCA, as a function of
site-specific considerations, such that the licensee can defend against the DBT
with high assurance.
PRM-73-13. This PRM was submitted by the Union of
Concerned Scientists and was noticed for public comment on April 9, 2007 (72 FR
17440). In summary, the petitioner
requested several changes to the Commission’s regulations related to unescorted
and escorted access including requiring licensees to deny escorted or
unescorted access to certain individuals and to require armed escorts for
individuals for whom licensees are unable to acquire sufficient background
information. The NRC determined that the
issues raised in PRM-73-13 were appropriate for consideration in this
rulemaking and consolidated the petition. For the reasons set forth in the attached Federal Register Notice, the staff does not recommend adoption of
either proposal in the final rule.
RESOURCES:
Resources
to complete the rulemaking (excluding inspection) are in the budget. Estimates follow:
FY
2009 NRR 0.6 FTE and $50K, NSIR 1.7 FTE
FY
2010 NSIR 0.5 FTE and $100K
NRR
has requested 0.6 FTE and $50K for FY 2009 and NSIR has requested 1.7 FTE in
their FY 2009 budget to Congress. For FY 2010, NSIR is requesting 0.5 FTE and $100K through the FY 2010
Planning, Budgeting, and Performance Management Process.
COMMITMENTS:
Fourteen draft regulatory guides have been developed or revised to support this rulemaking. The draft guides are prioritized into two groups. The first group of ten draft guides is directly tied to the new rule. They are drafted and have been distributed for public comment where appropriate or to limited-authorized interested persons where necessary to protect Safeguards Information. The staff plans to finalize the first group of guidance by February 2009. The second group of four draft guides must be revised and/or updated. The staff plans to finalize these guides by March 2009.
RECOMMENDATIONS:
That
the Commission:
-
Approve for publication in the Federal Register the enclosed final rule
(Enclosure 1 ).
To
satisfy the requirement of the Regulatory Flexibility Act, 5 U.S.C. 605 (b),
certify that this rule, if promulgated, will not have significant impact on a
substantial number of small entities. This certification is included in the enclosed Federal Register Notice.
Notes:
- The
Chief Counsel for Advocacy of the Small Business Administration will be
informed of the certification and the reasons for it, as required by the
Regulatory Flexibility Act, 5 U.S.C. 605(b).
- That
a final Regulatory Analysis has been prepared for this rulemaking
(Enclosure 2 ).
- The
staff has determined that this action is not a “major rule” as defined in the
Congressional Review Act of 1996 [5 U.S.C 804(2)] and has confirmed this
determination with the Office of Management and Budget (OMB). The appropriate Congressional and Government
Accountability Office contacts will be informed. The final rule imposes one-time costs that
exceed $100 million. However, when those
costs are annualized (i.e., spread out over an average 30-year lifetime of
impacted facilities), the costs (as an annual impact on the economy) are much
less than $100 million.
- The appropriate
Congressional committees will be informed.
- A
press release will be issued by the Office of Public Affairs when the final rulemaking
is filed with the Office of the Federal
Register.
- The
final rule contains amended information collection requirements subject to the
Paperwork Reduction Act of 1995 (44 U.S.C. 3501, et seq.) that must be
submitted to the OMB for its review and approval before publication of the
final rule in the Federal Register.
COORDINATION:
The Office of the General Counsel has no legal objection to this final rulemaking. The Office of the Chief Financial Officer has reviewed this Commission paper for resource implications and has no objections. An information copy of this final rule was provided to the Committee to Review Generic Requirements. An information and status briefing was provided to the Advisory Committee on Reactor Safeguards (ACRS) on June 4, 2008. The ACRS review of the portions of this rulemaking within the committee’s scope (i.e., §§ 50.54(hh), 73.58, and 73.54) was deferred until July 9, 2008, to expedite delivery of this final rule. The ACRS will provide its views and conclusions directly to the Commission.
|
/RA/
R. W. Borchardt
Executive Director for Operations |
CONTACTS: |
Bonnie Schnetzler, NSIR/DSP
(301) 415-7883 |
|
Timothy Reed, NRR/DPR
(301) 415-1462 |
|