The US Department of Energy (DOE) recently published proposed changes to its Contractor Employee Protection Program in the Federal Register. DOE’s Contractor Employee Protection Program appears in 10 C.F.R. Part 708 (Part 708) and extends employee protections to employees of DOE contractors and subcontractors modeled after the protections for federal employees that appear in the Whistleblower Protection Act (5 U.S.C. § 1201 et seq.).

The NRC on May 3 took the overdue step of withdrawing portions of certain power reactor security requirements—issued via three agency orders in the aftermath of the events of September 11, 2001, which were subsequently captured in agency regulations:

  • EA-02-026, “Order for Interim Safeguards and Security Compensatory Measures” (February 25, 2002)
  • EA-02-261, “Order for Compensatory Measures Related to Access Authorization” (January 7, 2003)
  • EA-03-039, “Order for Compensatory Measures Related to Training Enhancements on Tactical and Firearms Proficiency and Physical Fitness Applicable to Armed Nuclear power Plant Security Force Personnel” (April 29, 2003).

In January, the US Nuclear Regulatory Commission’s (NRC’s) staff hosted a public meeting with industry representatives to discuss the staff’s progress in reviewing recommendations for the NRC’s Reactor Oversight Process (ROP) framework enhancement initiative. The objectives of the ROP enhancement initiative are to evaluate whether the baseline inspection program remains relevant for the current environment, eliminate redundant or unnecessary inspection areas, maximize efficient and effective use of resources, and incorporate flexibility in program implementation, where appropriate.

In 2018, the NRC solicited ideas for enhancing the ROP, which resulted in an industry proposal based on four points: US fleet maturity, improved safety margins, improved risk assessments, and greater use of risk-informed decisionmaking. Part of this proposal includes redefining labels for findings and combining Columns 1 and 2 of the Action Matrix. If the industry proposal prevails, it would mark a paradigm shift, considering Columns 1 and 2 have been in existence since the pilot program for ROP enhancement was introduced in 1999. As was stated at the public meeting, combining Columns 1 and 2 would be a long-term change. A proposal to remove Section 71152 of the Inspection Procedure, for problem identification and resolution, was also raised at the meeting but was generally dismissed.

This blog post is the first in a series that will track further progress on the ROP enhancement initiative.

A divided Commission at the US Nuclear Regulatory Commission (NRC) on January 24 approved the Mitigation of Beyond-Design-Basis Events rulemaking (Final Rule). The NRC began the rulemaking in December 2016 as part of its efforts to evaluate and implement, if necessary, regulatory changes in response to the Fukushima Daichi event in March 2011. In somewhat of a surprise, the majority of Commissioners last week rejected large portions of the proposed rule submitted by the NRC staff over two years ago. The rationale for changing the Final Rule demonstrates a renewed emphasis on applying backfit analyses.

Say hello to CUI and get ready to say goodbye to SUNSI. The commissioners of the Nuclear Regulatory Commission (NRC) have directed the staff to proceed with a rulemaking to implement the governmentwide Controlled Unclassified Information (CUI) program. One impact of this rulemaking will be to eliminate one of our favorite acronyms: Sensitive Unclassified Non-Safeguards Information (SUNSI). But we are still at least a year away from an official change because the staff doesn’t plan to issue a final rule until 2021.

By way of background, the US National Archives and Records Administration (NARA) published the governmentwide CUI rule on September 14, 2016 (81 Fed. Reg. 63,324), seeking to standardize the current patchwork of more than 100 agency-specific policies for handling sensitive unclassified information requiring safeguarding or dissemination controls. That rule (32 CFR Part 2002) establishes specific handling, incident management, inspection, and oversight requirements for covered information. The NRC CUI program will eventually replace the agency’s current SUNSI program, and will retain safeguards information (SGI).

The US Nuclear Regulatory Commission’s (NRC’s) revised regulations regarding the medical use of byproduct material became effective on January 14, 2019—six months after being published in final form, and nearly a decade after the proposed rulemaking. See Medical Use of Byproduct Material—Medical Event Definitions, Training and Experience, and Clarifying Amendments, 83 Fed. Reg. 33,046 (July 16, 2018). The revised regulations amend 10 CFR Parts 30, 32, and 35. The NRC also issued guidance to provide additional detail regarding the substance of the revised regulations and to assist licensees with compliance. See Guidance for the Final Rule, Medical Use of Byproduct Material—Medical Events, Definitions, Training and Experience, and Clarifying Amendments, 83 Fed. Reg. 33,759 (July 16, 2018). Among other things, the amendments change the requirements associated with

On November 19, the Nuclear Regulatory Commission (NRC) Commissioners approved the Staff’s proposed rulemaking plan for expanding physical security licensing options for advanced reactors.

As we previously reported, the NRC Staff sent a report to the Commission on August 1, 2018, that evaluated four options for revising regulations and guidance on physical security for advanced reactors. The report recommended revising applicable regulations and guidance and attached a proposed rulemaking plan. The report noted that the rulemaking would retain the current framework for security requirements in 10 CFR Part 73, but would provide alternatives for the physical security of advanced reactors. According to the report, changes to physical security for advanced reactors would

  • eliminate the need for future applicants to propose alternatives or request exemptions from physical security requirements;
  • recognize technology advancements and design features associated with the NRC-recommended attributes of advanced reactors; and
  • replace prescriptive regulations with risk-informed, performance-based requirements, among other benefits.

The National Labor Relations Board (Board) published a Notice of Proposed Rulemaking and Request for Comments in the Federal Register on September 14. The proposed rule seeks to reestablish the standard for determining joint-employer status that existed before the Board’s 2015 Browning-Ferris Industries of California decision.

This is a potentially significant development for companies in the nuclear industry, particularly for those with unionized workforces. But the proposed rule is also important for nuclear companies with nonunion workforces because joint-employment issues frequently arise in whistleblower cases, in which contract employees seek to hold the utility liable under Section 211 of the Energy Reorganization Act, as well as their actual employer (the contracting company). Although the US Department of Labor (DOL)—not the Board—adjudicates Section 211 claims, DOL sometimes considers Board decisions in its adjudications. Consequently, the proposed rule, if ultimately promulgated, will likely inform future Section 211 cases.

The US Department of Homeland Security (DHS) recently confirmed that state-sponsored hackers successfully gained access to the control rooms of US electric utilities and likely had the ability to disrupt power flows. The Wall Street Journal report describes the activities as part of a long-running campaign targeting US utilities. These cyberattacks were first disclosed in a Technical Alert issued by DHS earlier this year. The attacks are another example of the need for continued vigilance in protecting industrial control systems and the importance of strong vendor and supply chain cybersecurity controls for utilities.

The attackers reportedly gained access to secure networks by first exploiting the networks of trusted third-party vendors through the use of familiar tactics, such as spear-phishing emails and watering-hole attacks. Armed with vendor access credentials, the attackers then pivoted into the utilities’ isolated “air-gapped” networks and began gathering information on their operations and equipment. The extent of the attack remains unclear based on publicly available information, and DHS did not state whether any nuclear power stations were targeted in this latest round of attacks. Importantly, however, DHS stated that some companies may not yet know they were victims of the attacks because the hackers used the credentials of actual employees to access networks, thus making detection more difficult.

The times they are a-changin’ and we need to change with them. Colloquially speaking, this is the overarching theme of SECY-18-0060, “Achieving Modern Risk-Informed Regulation,” an NRC Staff-authored paper that seeks Commission approval of several significant proposed revisions to the NRC’s regulatory framework. The May 2018 paper, only recently released to the public, represents another milestone in the agency’s “transformation initiative,” which seeks to identify and implement potential enhancements to the NRC’s regulatory framework, culture, and infrastructure. Such changes are intended to facilitate the NRC’s “effective, efficient and agile regulation of new technologies”—particularly advanced non-light water reactors (non-LWRs)—in a manner that still advances the Commission’s core safety and security missions under the Atomic Energy Act of 1954, as amended.