The comment period for the NRC’s draft Regulatory Issue Summary (RIS) on true identity verification requirements closed on June 15, 2020. The industry had asked for and received a 45-day extension from the original April 30 deadline to provide comments. As we previously reported, the draft RIS purports to “clarify” licensees’ requirements pursuant to 10 CFR § 73.56(d)(3) to verify the “true identity” of nonimmigrant foreign nationals who are granted unescorted access to nuclear power plants. Comments from the nuclear industry on the draft RIS strongly disagreed with the guidance and emphasized that the guidance “would substantially expand the existing requirement to verify the true identity of non-immigrant foreign nationals.” The industry suggests that the guidance should not be finalized because the draft RIS’s interpretation is unsupported by the language of the regulation and because the NRC did not conduct a backfit analysis under 10 CFR § 50.109. It remains to be seen, however, whether the NRC will be persuaded by the industry’s comments.

The US Nuclear Regulatory Commission (NRC) Staff issued SECY-20-0034 on April 22, informing the NRC Commissioners of the Staff’s plan to exercise enforcement discretion for licensee noncompliance with regulatory requirements resulting from illnesses or other factors caused by the coronavirus (COVID-19) public health emergency (PHE). The Staff’s approach applies to all classes of licensees and provides long-awaited guidance on the subject of enforcement discretion.

The NRC published notice of a draft Regulatory Issue Summary (RIS) (previously published in ADAMS) in the Federal Register on March 31. The draft RIS purports to “clarify” licensees’ requirements pursuant to 10 CFR § 73.56(d)(3) to verify the “true identity” of non-immigrant foreign nationals who are granted unescorted access to nuclear power plants. The NRC issued the RIS to “reinforce” its “expectation” that licensees verify that non-immigrant foreign employees have the correct visa category to perform assigned work inside the nuclear power plant protected area as part of the unescorted access process. Despite the NRC’s claim that the RIS does not transmit any new requirement, the NRC’s position, if unchanged, will likely require licensees to revise their procedures and provide additional training to unescorted access personnel regarding the NRC’s expectations for what is now required to confirm true identity or face additional regulatory scrutiny. The NRC requests in the Federal Register Notice that all comments on the draft RIS be submitted by April 30, 2020.

The Nuclear Regulatory Commission, by a 3-1 vote on August 7, agreed with the NRC Staff’s recommendation to discontinue a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. The decision leaves admitted ambiguity, including a potential enforcement risk in the event that a licensee reinstates an individual’s revoked access authorization or a fitness-for-duty determination.

As we last reported on April 24, the NRC Staff recommended in SECY-19-0033 to withdraw a rulemaking begun in 2015 to revise the NRC’s regulations regarding whether a third-party arbitrator could review a licensee’s access authorization or fitness-for-duty decisions. In SRM-SECY-19-0033, the Commission agreed with that recommendation.

As we last reported on October 5, 2018, the NRC Staff appeared ready to recommend withdrawing a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. On April 4, 2019, the NRC Staff formally made its recommendation in SECY-19-0033. In so doing, the NRC Staff “request[ed] Commission approval to discontinue the rulemaking activity, ‘Access Authorization and Fitness-for-Duty Determinations’,” which began nearly four years ago. As previously reported, this rulemaking activity was a response to a 2012 decision by the US Court of Appeals for the Seventh Circuit in which the court determined that NRC regulations permitted third-party arbitration of unescorted access determinations. At that time, the NRC Staff disagreed with the decision and asked for Commission approval to begin a rulemaking.

At the end of January, the US Nuclear Regulatory Commission (NRC) issued a complete rewrite of Inspection Manual Chapter (IMC) 1240 on unescorted access authorization for NRC employees and contractors. The most major change from the prior version is that the NRC will no longer issue letters to licensees requesting unescorted access for NRC employees. Instead, the NRC will implement and maintain a Site Access List that identifies NRC employees and contractors whom the NRC has certified for unescorted access. Consistent with this change, the revised inspection manual chapter provides information on how the NRC will determine the suitability of its employees and contractors for unescorted access. The revisions also change how behavioral observation and fitness for duty programs apply to NRC employees and contractors and how they should be reported.

The US Nuclear Regulatory Commission (NRC) staff is proposing to discontinue a rulemaking relating to third-party reviews of fitness-for-duty (FFD) and access authorization (AA) determinations. The NRC staff announced this proposal when it released reference material on October 1 in advance of an upcoming November 1 public meeting on the rulemaking. Rather than completing the rulemaking, the NRC staff proposes to “update NRC guidance to describe acceptable means of achieving an appeal process, including arbitration” to resolve disputes regarding FFD and AA denials and revocations. One thing this latest NRC action leaves unclear is how licensees required by an arbitrator to reinstate an individual previously found not to be trustworthy or reliable will be impacted under the NRC regulations and enforcement policy.

The US Department of Homeland Security (DHS) recently confirmed that state-sponsored hackers successfully gained access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The Wall Street Journal report describes the activities as part of a long-running campaign targeting US utilities. These cyberattacks were first disclosed in a Technical Alert issued by DHS earlier this year. The attacks are another example of the need for continued vigilance in protecting industrial control systems and the importance of strong vendor and supply chain cybersecurity controls for utilities.

The attackers reportedly gained access to secure networks by first exploiting the networks of trusted third-party vendors through the use of familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated “air-gapped” networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information, and DHS did not state whether any nuclear power stations were targeted in this latest round of attacks. Importantly, however, DHS stated that some companies may not yet know they were victims of the attacks because the hackers used the credentials of actual employees to access networks, thus making detection more difficult.

On August 15, for the first time, a US court of appeals ruled that the US Nuclear Regulatory Commission’s (NRC’s) fitness-for-duty (FFD) and physical protection regulations trump certain employee protections under the Americans with Disabilities Act (ADA). This decision by the US Court of Appeals for the Third Circuit in McNelis v. Pennsylvania Power & Light Company reaffirms the priority placed on NRC requirements designed to protect public health and safety.

Read the full LawFlash.

On February 13, the US Nuclear Regulatory Commission (NRC) held a second public meeting regarding the role of third parties in reviewing and possibly reversing licensee access authorization and fitness-for-duty (FFD) determinations. The NRC currently is preparing a draft regulatory basis document to identify issues in the existing regulatory framework, the scope of those issues, and how to resolve them. The regulatory basis will propose one of several possible solutions, which include taking no action, revising regulations, revising guidance, or issuing a Commission Policy Statement.

We previously reported on NRC’s first public meeting on this topic held in November 2016. The NRC also held a closed meeting in December 2016 with representatives from the International Brotherhood of Electrical Workers (IBEW). IBEW requested the closed meeting to discuss and challenge specific details within SECY-15-0149, the NRC staff paper which, among other things, is the underlying basis for the current pre-rulemaking activities. IBEW also requested the February 13 public meeting; however, it is unclear why, as IBEW did not present any views or comments that it had not already presented at prior meetings.