The US Nuclear Regulatory Commission (NRC) Staff issued SECY-20-0034 on April 22, informing the NRC Commissioners of the Staff’s plan to exercise enforcement discretion for licensee noncompliance with regulatory requirements resulting from illnesses or other factors caused by the coronavirus (COVID-19) public health emergency (PHE). The Staff’s approach applies to all classes of licensees and provides long-awaited guidance on the subject of enforcement discretion.
The NRC published notice of a draft Regulatory Issue Summary (RIS) (previously published in ADAMS) in the Federal Register on March 31. The draft RIS purports to “clarify” licensees’ requirements pursuant to 10 CFR § 73.56(d)(3) to verify the “true identity” of non-immigrant foreign nationals who are granted unescorted access to nuclear power plants. The NRC issued the RIS to “reinforce” its “expectation” that licensees verify that non-immigrant foreign employees have the correct visa category to perform assigned work inside the nuclear power plant protected area as part of the unescorted access process. Despite the NRC’s claim that the RIS does not transmit any new requirement, the NRC’s position, if unchanged, will likely require licensees to revise their procedures and provide additional training to unescorted access personnel regarding the NRC’s expectations for what is now required to confirm true identity or face additional regulatory scrutiny. The NRC requests in the Federal Register Notice that all comments on the draft RIS be submitted by April 30, 2020.
The Nuclear Regulatory Commission, by a 3-1 vote on August 7, agreed with the NRC Staff’s recommendation to discontinue a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. The decision leaves admitted ambiguity, including a potential enforcement risk in the event that a licensee reinstates an individual’s revoked access authorization or a fitness-for-duty determination.
As we last reported on April 24, the NRC Staff recommended in SECY-19-0033 to withdraw a rulemaking begun in 2015 to revise the NRC’s regulations regarding whether a third-party arbitrator could review a licensee’s access authorization or fitness-for-duty decisions. In SRM-SECY-19-0033, the Commission agreed with that recommendation.
As we last reported on October 5, 2018, the NRC Staff appeared ready to recommend withdrawing a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. On April 4, 2019, the NRC Staff formally made its recommendation in SECY-19-0033. In so doing, the NRC Staff “request[ed] Commission approval to discontinue the rulemaking activity, ‘Access Authorization and Fitness-for-Duty Determinations’,” which began nearly four years ago. As previously reported, this rulemaking activity was a response to a 2012 decision by the US Court of Appeals for the Seventh Circuit in which the court determined that NRC regulations permitted third-party arbitration of unescorted access determinations. At that time, the NRC Staff disagreed with the decision and asked for Commission approval to begin a rulemaking.
At the end of January, the US Nuclear Regulatory Commission (NRC) issued a complete rewrite of Inspection Manual Chapter (IMC) 1240 on unescorted access authorization for NRC employees and contractors. The most major change from the prior version is that the NRC will no longer issue letters to licensees requesting unescorted access for NRC employees. Instead, the NRC will implement and maintain a Site Access List that identifies NRC employees and contractors whom the NRC has certified for unescorted access. Consistent with this change, the revised inspection manual chapter provides information on how the NRC will determine the suitability of its employees and contractors for unescorted access. The revisions also change how behavioral observation and fitness for duty programs apply to NRC employees and contractors and how they should be reported.
The US Nuclear Regulatory Commission (NRC) staff is proposing to discontinue a rulemaking relating to third-party reviews of fitness-for-duty (FFD) and access authorization (AA) determinations. The NRC staff announced this proposal when it released reference material on October 1 in advance of an upcoming November 1 public meeting on the rulemaking. Rather than completing the rulemaking, the NRC staff proposes to “update NRC guidance to describe acceptable means of achieving an appeal process, including arbitration” to resolve disputes regarding FFD and AA denials and revocations. One thing this latest NRC action leaves unclear is how licensees required by an arbitrator to reinstate an individual previously found not to be trustworthy or reliable will be impacted under the NRC regulations and enforcement policy.
The US Department of Homeland Security (DHS) recently confirmed that state-sponsored hackers successfully gained access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The Wall Street Journal report describes the activities as part of a long-running campaign targeting US utilities. These cyberattacks were first disclosed in a Technical Alert issued by DHS earlier this year. The attacks are another example of the need for continued vigilance in protecting industrial control systems and the importance of strong vendor and supply chain cybersecurity controls for utilities.
The attackers reportedly gained access to secure networks by first exploiting the networks of trusted third-party vendors through the use of familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated “air-gapped” networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information, and DHS did not state whether any nuclear power stations were targeted in this latest round of attacks. Importantly, however, DHS stated that some companies may not yet know they were victims of the attacks because the hackers used the credentials of actual employees to access networks, thus making detection more difficult.
On August 15, for the first time, a US court of appeals ruled that the US Nuclear Regulatory Commission’s (NRC’s) fitness-for-duty (FFD) and physical protection regulations trump certain employee protections under the Americans with Disabilities Act (ADA). This decision by the US Court of Appeals for the Third Circuit in McNelis v. Pennsylvania Power & Light Company reaffirms the priority placed on NRC requirements designed to protect public health and safety.
On February 13, the US Nuclear Regulatory Commission (NRC) held a second public meeting regarding the role of third parties in reviewing and possibly reversing licensee access authorization and fitness-for-duty (FFD) determinations. The NRC currently is preparing a draft regulatory basis document to identify issues in the existing regulatory framework, the scope of those issues, and how to resolve them. The regulatory basis will propose one of several possible solutions, which include taking no action, revising regulations, revising guidance, or issuing a Commission Policy Statement.
We previously reported on NRC’s first public meeting on this topic held in November 2016. The NRC also held a closed meeting in December 2016 with representatives from the International Brotherhood of Electrical Workers (IBEW). IBEW requested the closed meeting to discuss and challenge specific details within SECY-15-0149, the NRC staff paper which, among other things, is the underlying basis for the current pre-rulemaking activities. IBEW also requested the February 13 public meeting; however, it is unclear why, as IBEW did not present any views or comments that it had not already presented at prior meetings.
On November 16, the US Nuclear Regulatory Commission (NRC or Commission) held a public meeting at its headquarters to discuss rulemaking activity and public views on the role of third parties in licensee access authorization and fitness-for-duty determinations.
Questions surrounding the role of third parties in this context began when the US Court of Appeals for the Seventh Circuit decided in Exelon Generation Company v. Local 15, International Brotherhood of Electrical Workers (676 F.3d 566 (7th Cir. Ill. 2012)) that NRC regulations permitted third party arbitration of unescorted access denials and revocations. The NRC staff maintains that the Seventh Circuit decision is contrary to NRC regulations and recommended to the Commission in late 2015 that the agency undertake an expedited rulemaking process to clarify that only licensees can make final decisions on access authorization and fitness-for-duty. The Commission rejected the expedited rulemaking recommendation, instead opting for the normal rulemaking process to address this issue. The agency is currently in a “pre-rulemaking” stage as it gathers information to inform its draft regulatory basis document—the document that will ultimately determine whether or not the NRC will propose a rule on this topic.