The Nuclear Regulatory Commission’s (NRC’s) Assistant Inspector General for Audits issued a memorandum on August 20 on the status of recommendations based on the Office of Inspector General’s (OIG’s) Audit of NRC’s Cyber Security Inspections at Nuclear Power Plants (OIG-19-A-13). As previously reported on Up & Atom, OIG recommended that the NRC work to close the critical skill gap for future cybersecurity inspection staffing, and develop and implement cybersecurity performance measures for licensees to use to demonstrate sustained program effectiveness. Based on the NRC’s July 3, 2019, response, OIG has issued this status of recommendations.
Following the July 12, 2019, release of “Power Reactor Cyber Security Program Assessment,” the Nuclear Regulatory Commission’s (NRC’s) Director of Physical and Cyber Security Policy in the Office of Nuclear Security and Incident Response issued a memorandum to NRC Staff on August 6, 2019.
The memorandum provides guidance to Staff on next steps, but also cautions that when initiating changes to the Cyber Security Program they keep several points in mind. Specifically, the Director asks Staff to ensure that changes do not adversely impact other areas of the program; that guidance revisions are consistent and incorporated throughout all documents; that, where necessary, a backfit analysis is performed; and that no changes constitute an unreasonable risk to public health and safety.
The memorandum reminds Staff that their next step, per the assessment, is to present a draft action plan by September 20, 2019. The action plan should identify enhancements to the Cyber Security Program that promote regulatory efficiency and effectiveness, while continuing to provide for reasonable assurance of public health and safety and promote common defense and security. The memorandum also praises NRC Staff for its efforts in conducting the assessment.
We will continue to monitor developments for cybersecurity at the NRC.
The Nuclear Regulatory Commission (NRC) held a public meeting on August 8 to provide information and receive comments on the regulatory basis supporting the NRC’s rulemaking on physical security requirements for advanced reactors. The public meeting was the latest step in the NRC’s rulemaking process, which began on August 1, 2018, with the NRC Staff’s report to the Commission evaluating options for revising physical security regulations for advanced reactors. The Commission approved the NRC Staff’s proposed rulemaking plan on November 19, 2018. We previously reported on the NRC Staff’s report, the Commission’s approval, and the publication of the regulatory basis for comment.
During the public meeting, NRC Staff summarized the regulatory basis and their recommendation for a limited-scope rulemaking. NRC Staff explained that the purpose of the rulemaking is to provide requirements and guidance for advanced reactor physical security and reduce the need for physical security exemptions—specifically from regulations requiring each site to have at least 10 armed responders for emergency security response (10 CFR § 73.55(k)(5)(ii)), and an on-site secondary alarm station to monitor potential issues (10 CFR § 73.55(i)(4)(iii)).
The Nuclear Regulatory Commission, by a 3-1 vote on August 7, agreed with the NRC Staff’s recommendation to discontinue a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. The decision leaves admitted ambiguity, including a potential enforcement risk in the event that a licensee reinstates an individual’s revoked access authorization or a fitness-for-duty determination.
As we last reported on April 24, the NRC Staff recommended in SECY-19-0033 to withdraw a rulemaking begun in 2015 to revise the NRC’s regulations regarding whether a third-party arbitrator could review a licensee’s access authorization or fitness-for-duty decisions. In SRM-SECY-19-0033, the Commission agreed with that recommendation.
The Nuclear Regulatory Commission (NRC) published a Federal Register notice on July 16 requesting comments on a regulatory basis supporting a “limited scope” rulemaking to develop physical security requirements for advanced reactors. For this rulemaking, “advanced reactors” means “light-water small modular reactors (SMRs) and non-light water reactors (non-LWRs)” which includes, but “is not fully coextensive with,” the definition of an “Advanced Nuclear Reactor” in the recently enacted Nuclear Energy Innovation and Modernization Act. The deadline to submit comments is August 15.
We previously reported on this rulemaking process, which started with the NRC Staff’s August 1, 2018, report to the Commission, evaluating options for revising physical security regulations for advanced reactors. We also reported on the Commission’s approval of the NRC Staff’s proposed rulemaking plan, which occurred on November 19, 2018. The NRC’s physical security requirements for large LWRs—in 10 CFR § 73.55—are focused on preventing significant core damage and spent fuel sabotage. Current regulations require each site to have at least 10 armed responders for emergency security response (10 CFR § 73.55(k)(5)(ii)), and an on-site secondary alarm station to monitor potential issues (10 CFR § 73.55(i)(4)(iii)).
To address national security interests and prevent the unauthorized transfer of scientific and technical information to certain foreign entities, the US Department of Energy (DOE) issued Order No. 486.1 on June 7. The order prohibits DOE employees and contractors from participating in certain “talent recruitment programs” – specifically “talent recruitment programs” of foreign governments determined by the DOE to be a “foreign country of risk.” DOE contractors and subcontractors within the utility and nuclear sectors should be prepared to implement controls to ensure that neither they nor their employees or subcontractors participate in these foreign-sponsored programs for identified countries, which apparently include China and Russia.
Staff members from the US Nuclear Regulatory Commission’s (NRC’s) Office of Nuclear Security and Incident Response and Office of Nuclear Reactor Regulation held a public meeting on June 17 to discuss a summary of the Assessment of the NRC’s Power Reactor Cyber Security Program. In response to the Nuclear Energy Institute’s (NEI’s) PRM-73-18, “Petition to Amend 10 CFR 73.54, ‘Protection of Digital Computer and Communication Systems and Networks’,” and based on NRC guidance, this Assessment marked 10 years since the publication of 10 CFR 73.54.
The NRC on May 3 took the overdue step of withdrawing portions of certain power reactor security requirements—issued via three agency orders in the aftermath of the events of September 11, 2001, which were subsequently captured in agency regulations:
- EA-02-026, “Order for Interim Safeguards and Security Compensatory Measures” (February 25, 2002)
- EA-02-261, “Order for Compensatory Measures Related to Access Authorization” (January 7, 2003)
- EA-03-039, “Order for Compensatory Measures Related to Training Enhancements on Tactical and Firearms Proficiency and Physical Fitness Applicable to Armed Nuclear Power Plant Security Force Personnel” (April 29, 2003).
As we last reported on October 5, 2018, the NRC Staff appeared ready to recommend withdrawing a rulemaking on third-party arbitration of access authorization and fitness-for-duty determinations. On April 4, 2019, the NRC Staff formally made its recommendation in SECY-19-0033. In so doing, the NRC Staff “request[ed] Commission approval to discontinue the rulemaking activity, ‘Access Authorization and Fitness-for-Duty Determinations’,” which began nearly four years ago. As previously reported, this rulemaking activity was a response to a 2012 decision by the US Court of Appeals for the Seventh Circuit in which the court determined that NRC regulations permitted third-party arbitration of unescorted access determinations. At that time, the NRC Staff disagreed with the decision and asked for Commission approval to begin a rulemaking.
The NRC, with the approval of the US attorney general, recently published a second revision to its guidelines on the use of weapons by licensee security personnel whose official duties include the protection of designated facilities, certain radioactive material or other licensee property, and licensee material or property that is being transported to or from a licensee facility. The changes were made to ensure consistency with existing FBI procedures on appeals of background check delays or denials. The updated guidelines were published in the Federal Register on March 8, 2019, and took effect the same day.