As we last reported on October 5, 2018, the NRC Staff appeared ready to recommend withdrawing a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. On April 4, 2019, the NRC Staff formally made its recommendation in SECY-19-0033. In so doing, the NRC Staff “request[ed] Commission approval to discontinue the rulemaking activity, ‘Access Authorization and Fitness-for-Duty Determinations’,” which began nearly four years ago. As previously reported, this rulemaking activity was a response to a 2012 decision by the US Court of Appeals for the Seventh Circuit in which the court determined that NRC regulations permitted third-party arbitration of unescorted access determinations. At that time, the NRC Staff disagreed with the decision and asked for Commission approval to begin a rulemaking.
At the end of January, the US Nuclear Regulatory Commission (NRC) issued a complete rewrite of Inspection Manual Chapter (IMC) 1240 on unescorted access authorization for NRC employees and contractors. The most major change from the prior version is that the NRC will no longer issue letters to licensees requesting unescorted access for NRC employees. Instead, the NRC will implement and maintain a Site Access List that identifies NRC employees and contractors whom the NRC has certified for unescorted access. Consistent with this change, the revised inspection manual chapter provides information on how the NRC will determine the suitability of its employees and contractors for unescorted access. The revisions also change how behavioral observation and fitness for duty programs apply to NRC employees and contractors and how they should be reported.
The US Nuclear Regulatory Commission (NRC) staff is proposing to discontinue a rulemaking relating to third-party reviews of fitness-for-duty (FFD) and access authorization (AA) determinations. The NRC staff announced this proposal when it released reference material on October 1 in advance of an upcoming November 1 public meeting on the rulemaking. Rather than completing the rulemaking, the NRC staff proposes to “update NRC guidance to describe acceptable means of achieving an appeal process, including arbitration” to resolve disputes regarding FFD and AA denials and revocations. One thing this latest NRC action leaves unclear is how licensees required by an arbitrator to reinstate an individual previously found not to be trustworthy or reliable will be impacted under the NRC regulations and enforcement policy.
The US Department of Homeland Security (DHS) recently confirmed that state-sponsored hackers successfully gained access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The Wall Street Journal report describes the activities as part of a long-running campaign targeting US utilities. These cyberattacks were first disclosed in a Technical Alert issued by DHS earlier this year. The attacks are another example of the need for continued vigilance in protecting industrial control systems and the importance of strong vendor and supply chain cybersecurity controls for utilities.
The attackers reportedly gained access to secure networks by first exploiting the networks of trusted third-party vendors through the use of familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated “air-gapped” networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information, and DHS did not state whether any nuclear power stations were targeted in this latest round of attacks. Importantly, however, DHS stated that some companies may not yet know they were victims of the attacks because the hackers used the credentials of actual employees to access networks, thus making detection more difficult.
On August 15, for the first time, a US court of appeals ruled that the US Nuclear Regulatory Commission’s (NRC’s) fitness-for-duty (FFD) and physical protection regulations trump certain employee protections under the Americans with Disabilities Act (ADA). This decision by the US Court of Appeals for the Third Circuit in McNelis v. Pennsylvania Power & Light Company reaffirms the priority placed on NRC requirements designed to protect public health and safety.
On February 13, the US Nuclear Regulatory Commission (NRC) held a second public meeting regarding the role of third parties in reviewing and possibly reversing licensee access authorization and fitness-for-duty (FFD) determinations. The NRC currently is preparing a draft regulatory basis document to identify issues in the existing regulatory framework, the scope of those issues, and how to resolve them. The regulatory basis will propose one of several possible solutions, which include taking no action, revising regulations, revising guidance, or issuing a Commission Policy Statement.
We previously reported on NRC’s first public meeting on this topic held in November 2016. The NRC also held a closed meeting in December 2016 with representatives from the International Brotherhood of Electrical Workers (IBEW). IBEW requested the closed meeting to discuss and challenge specific details within SECY-15-0149, the NRC staff paper which, among other things, is the underlying basis for the current pre-rulemaking activities. IBEW also requested the February 13 public meeting; however, it is unclear why, as IBEW did not present any views or comments that it had not already presented at prior meetings.
On November 16, the US Nuclear Regulatory Commission (NRC or Commission) held a public meeting at its headquarters to discuss rulemaking activity and public views on the role of third parties in licensee access authorization and fitness-for-duty determinations.
Questions surrounding the role of third parties in this context began when the US Court of Appeals for the Seventh Circuit decided in Exelon Generation Company v. Local 15, International Brotherhood of Electrical Workers (676 F.3d 566 (7th Cir. Ill. 2012)) that NRC regulations permitted third party arbitration of unescorted access denials and revocations. The NRC staff maintains that the Seventh Circuit decision is contrary to NRC regulations and recommended to the Commission in late 2015 that the agency undertake an expedited rulemaking process to clarify that only licensees can make final decisions on access authorization and fitness-for-duty. The Commission rejected the expedited rulemaking recommendation, instead opting for the normal rulemaking process to address this issue. The agency is currently in a “pre-rulemaking” stage as it gathers information to inform its draft regulatory basis document—the document that will ultimately determine whether or not the NRC will propose a rule on this topic.
The US Nuclear Regulatory Commission (NRC) recently announced that it will hold a public meeting titled The Role of Third Parties in Access Authorization and Fitness-for-Duty Determination. The meeting will take place at NRC headquarters on November 16, 2016, from 1:00 to 4:00 p.m. The rulemaking on this topic will eventually resolve whether third parties, or only licensees, can make final determinations on who may have unescorted access to nuclear reactor plants.
The NRC’s Access Authorization and Fitness-for-Duty Rules play an important role in the NRC’s framework by ensuring that reactor licensees have the ability to protect their facilities against security threats, including “insider” assistance. Recent confusion about arbitration’s role or other employment-related dispute resolution mechanisms has led to questions about these mechanisms’ respective roles vis-à-vis the NRC’s licensees in ensuring reactor facilities’ security.