RIS 2018-01, Common Violations Cited During First 2 Years of 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, Implementation and Guidance Documents Available to Support.

Common Violations Cited During First 2 Years of 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, Implementation and Guidance Documents Available to Support.
	ML17166A172
Person / Time
Issue date:	01/22/2018
From:	Andrea Kock, Mcginty T, Chris Miller; Office of Nuclear Material Safety and Safeguards, Division of Construction Inspection and Operational Programs, Division of Inspection and Regional Support
To:	;
	Schwab A
References
	TAC MF9830 RIS 2018-01
	Download: ML17166A172 (19)
	v • d • e

UNITED STATES

NUCLEAR REGULATORY COMMISSION

OFFICE OF NUCLEAR MATERIAL SAFETY AND SAFEGUARDS

OFFICE OF NUCLEAR REACTOR REGULATION

OFFICE OF NEW REACTORS

WASHINGTON, DC 20555-0001 January 22, 2018 NRC REGULATORY ISSUE SUMMARY 2018-01 COMMON VIOLATIONS CITED DURING FIRST 2 YEARS OF 10 CFR PART 37, PHYSICAL

PROTECTION OF CATEGORY 1 AND CATEGORY 2 QUANTITIES OF RADIOACTIVE

MATERIAL, IMPLEMENTATION AND GUIDANCE DOCUMENTS AVAILABLE TO

SUPPORT RULE IMPLEMENTATION

ADDRESSEES

All holders of and applicants for U.S. Nuclear Regulatory Commission (NRC) licenses that authorize possession of Category 1 and Category 2 quantities of radioactive material, NRC

master material licensees, Agreement State radiation control program directors, and State liaison officers.

INTENT

The NRC is issuing this regulatory issue summary (RIS) to: (1) provide an overview of the requirements of Part 37 of Title 10 of the Code of Federal Regulations (10 CFR) Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, and highlight differences from the security orders issued prior to the promulgation of

10 CFR Part 37; (2) provide an overview of the NRCs staff assessment of the effectiveness of

10 CFR Part 37; (3) inform addressees of common violations that the NRC has identified during inspections conducted to verify compliance with the requirements of 10 CFR Part 37, in order to raise awareness of these particular violations and reduce their occurrence; and (4) remind addressees of resources available to answer questions and clarify issues regarding rule implementation.

No specific action or written response is required. The NRC is providing this RIS to Agreement States for their information and for distribution to their licensees, as appropriate.

BACKGROUND

The NRC took steps to strengthen the security of Category 1 and Category 2 quantities of radioactive materials after the terrorist attacks of September 11, 2001. Initially, the NRC issued a series of orders requiring implementation of additional security measures as an interim solution until additional security requirements could be established by a public rulemaking process.

Subsequently, on March 19, 2013, after incorporating lessons learned by the NRC and the Agreement States in implementing the orders, as well as extensive stakeholder input, the NRC

published a final rule amending its regulations to establish security requirements for the use and transport of Category 1 and Category 2 quantities of radioactive material (78 FR 16922). The ML17166A172 objective of the rule is to provide reasonable assurance of the security of Category 1 and Category 2 quantities of radioactive material by protecting these materials from theft, diversion, or sabotage. To achieve this objective, the rule established generally applicable physical security requirements for the possession and use of Category 1 and Category 2 quantities of radioactive material. The NRC licensees were required to comply with 10 CFR Part 37 by March 19, 2014, and all Agreement States issued compatible requirements for their licensees on or before the March 19, 2014, deadline.

SUMMARY OF ISSUE

Overview of 10 CFR Part 37 The basic physical protection requirements of 10 CFR Part 37 include:

Background checks to ensure that individuals with unescorted access to Category 1 and Category 2 radioactive materials are trustworthy and reliable

Control of personnel access to areas where Category 1 and Category 2 materials are stored and used

Security programs to detect, assess, and respond to actual or attempted unauthorized access events

Coordination and response planning between the licensee and local law enforcement

Coordination and tracking of Category 1 and Category 2 materials shipments

Security barriers to discourage theft of portable devices that contain Category 1 and Category 2 material In developing the rule, the NRC considered, among other things, lessons-learned during implementation of the orders, stakeholder comments received on the proposed rule, and the draft implementation guidance. Below are a few examples, which are not all-inclusive, where

10 CFR Part 37 requirements differ from the orders1. Regulations in 10 CFR Part 37 impose the following requirements:

Licensees must conduct training to ensure that individuals implementing the security program understand their assigned duties and responsibilities.

Licensees must implement an annual testing and maintenance program for intrusion alarms, associated communication systems, and other physical systems used to secure or detect unauthorized access to ensure such equipment is capable of performing its intended function when needed.

Licensees must develop a written security plan and associated procedures demonstrating compliance with requirements of 10 CFR Part 37.

NRC Assessment of the Effectiveness of 10 CFR Part 37 On December 16, 2014, the President of the United States signed the Consolidated and Further Continuing Appropriations Act, 2015 (Public Law 113-235), which required the NRC to evaluate the effectiveness of the requirements of 10 CFR Part 37 and determine whether those

1 The complete comparison can be found in Enclosure 2 to SECY-11-0170, Final Rule: Physical Protection of Byproduct Material, on the NRC public Web site at https://www.nrc.gov/reading-rm/doc- collections/commission/secys/2011/2011-0170scy.pdf. requirements are adequate to protect high-risk radiological material.2 The legislation also directed the evaluation to consider inspection results and event reports from the first 2 years of implementation of the rules requirements for NRC licensees.

In order to address the congressional mandate, the NRC conducted extensive assessment activities involving the review of nine areas of interest. A few noteworthy areas are: the analysis of 10 CFR Part 37 inspection results from the first 2 years of rule implementation; the review of events from the nuclear material events database and security incident database; and the consideration of comments, questions, and recommendations provided during stakeholder outreach efforts. The report to Congress titled, "Effectiveness of Part 37 of Title 10 of the Code of Federal Regulations is available on the NRC public Web site and can be found in the Agencywide Documents Access and Management System (ADAMS) under Accession No. ML16347A398. The report of the evaluation, Summary of NRC Staff Program Review of

10 CFR Part 37 can be found on the NRCs public Web site at https://www.nrc.gov/security/byproduct/10-cfr-part-37-program-review.html.

The overall results of the program review activities confirmed that 10 CFR Part 37 provides a strong regulatory framework to ensure the security of Category 1 and Category 2 materials.

However, as a result of NRC inspections and the program review, the NRC staff identified areas where licensees compliance with 10 CFR Part 37 and communications with licensees can be enhanced. Specifically, as a result of the analysis of inspection results, the NRC identified the need for further outreach to licensees to ensure implementation of all the aspects of 10 CFR Part 37 that differ from the orders that preceded the rule.

Common Violations Identified During NRC Inspections On March 19, 2014, the NRC began conducting inspections and enforcement of 10 CFR Part 37 for NRC licensees and Agreement State licensees operating under reciprocity3 in areas within NRC jurisdiction. When inspections began, the NRC formed a dedicated subgroup within its internal enforcement program, referred to as the Security Issues Forum (SIF), to discuss various questions and situations regarding implementation of 10 CFR Part 37. The purpose of the SIF

was to resolve issues and to ensure consistent inspection and enforcement of the requirements across the NRC. In addition, the SIF identified areas where the existing guidance could be supplemented to improve licensees understanding of, and compliance with 10 CFR Part 37.

As part of the program review of 10 CFR Part 37, the NRC staff reviewed inspection reports performed in the first 2 years of 10 CFR Part 37 implementation for NRC licensees (March 2014 to March 2016) and documented the results. The majority of inspections, 184 inspections or 72 percent, resulted in no violations. The NRC staff assessed the quantity, type, and severity of findings issued against the rule to identify trends that may be indicative of a need to enhance the rule, guidance, or take other action such as issuance of a generic communication or conducting of training.

2 Although the legislation uses the term high risk, the Radiation Source Protection and Security Task Force and the NRC use the term risk-significant. Risk-significant quantities of radioactive material are defined as those meeting the thresholds for Category 1 and Category 2 as included both in the International Atomic Energy Agency Code of Conduct on the Safety and Security of Radioactive Sources and in Part 37.

3 Reciprocity allows NRC and Agreement State licensees to conduct licensed activities at temporary jobsites in another regulatory jurisdictions. NRC- and Agreement State-specific licensees are responsible for determining, in advance, the jurisdictional status of the temporary jobsite. When the temporary jobsite is in another regulatory jurisdiction, the licensee must submit to the regulator with jurisdiction over their application for reciprocity. The licensee must comply with the requirements of the regulator with jurisdiction when conducting activities at the temporary jobsite. The analysis of the inspection findings and associated violations identified that, in many cases, licensees did not demonstrate an understanding of the difference between the requirements of

10 CFR Part 37 and the orders that preceded it. Specifically, the NRC identified thatdespite outreach effortssome licensees erroneously concluded that 10 CFR Part 37 codified the requirements of the security-related orders and therefore, compliance with the orders was adequate to demonstrate compliance with 10 CFR Part 37. For example, 10 CFR Part 37 requires licensees to develop, document, and implement security plans and access authorization programs that satisfy specific requirements set forth by the rule. The orders did not require this level of documentation. This lack of understanding resulted in a substantial number of violations related to the development and documentation of security plans and procedures as well as documentation related to the access authorization program. Instances such as these accounted for over 60 percent of the total cited violations, with more than 25 percent of the total cited violations representing failures to adequately document program requirements in procedures. The two most frequent violations of the rule were violations related to procedures under the following subsections:

10 CFR 37.23(f), which requires that licensees develop, implement, and maintain written procedures for implementing access authorization program requirements of Subpart B.

10 CFR 37.43(b)(1), which requires that licensees develop and maintain written procedures that document how the requirements of 10 CFR 37 Subpart C and the security plan are met.

Most of the violations identified during inspections, including the failure to fully document compliance with 10 CFR Part 37, were Severity Level4 IV.

Of the total violations cited against NRC licensees during the first two years of 10 CFR Part 37 implementation, the majority of violations (90 percent) were Severity Level IV. The remaining

10 percent of violations were Severity Level III; no Severity Level I or II violations were cited.

The Severity Level (SL) III violations generally spanned across 10 CFR Part 37. Six violations related to 10 CFR 37.43(d), Protection of Information, where licensees did not implement the requirements associated with protecting their security plan, implementing procedures, and the list of individuals with unescorted access against unauthorized disclosure. The NRC inspectors found that some licensees did not fully consider how their networked computer systems were managed by information technology (IT) staff. Licensees were using password protection to

4 The NRC applies the guidance in the NRC Enforcement Policy when assessing the significance of license violations. Severity level designations reflect different degrees of significance and include Severity Levels I, II,

III, and IV. Severity Level I violations, those that resulted in, or could have resulted in, serious safety or security consequences are of the highest significance. These violations involve, for example, the theft, diversion, or sabotage of a Category 1 quantity of radioactive material that results from the failure to establish or implement one or more regulatory requirements. Severity Level II violations are those that resulted in or could have resulted in significant safety or security consequences (e.g., the theft, diversion, or sabotage of a Category 2 quantity of radioactive material resulting from the failure to establish or implement one or more regulatory requirements). Severity Level III violations are those that resulted in or could have resulted in moderate safety or security consequences. Severity Level IV violations are those that are less serious, but are of more than minor concern, that resulted in no or relatively inappreciable potential safety or security consequences. The NRC's Enforcement Policy is publicly available at: https://www.nrc.gov/about- nrc/regulatory/enforcement/enforce-pol.html. gain access to their networked system, but did not realize that IT personnel could bypass these measures and gain access to their network.

When reviewing 10 CFR Part 37 inspection results specific to physical protection of Category 1 and Category 2 material, the staff identified six violations of 10 CFR 37.49(a)(3), Monitoring and detection which requires licensees to establish a means to detect unauthorized removal of material from the security zone. In these cases, the licensees were under the impression that the physical protection system in place to monitor, detect, and assess unauthorized access to the material, which was also a requirement of the security-related orders, would be sufficient to demonstrate compliance with 10 CFR 37.49(a)(3). The NRC inspectors found that the licensee could quickly detect unauthorized access; however, the licensee did not have a separate means that would detect unauthorized removal of the material.

Although this was not a finding during the past 2 years of inspections, the NRC staff would like to highlight the requirements of 10 CFR 37.25(c), Reinvestigations. Under 10 CFR 37.25(c)

licensees are required to conduct a reinvestigation every 10 years for an individual with unescorted access to Category 1 or 2 quantities of material. The reinvestigation due date is not linked to the effective date of the 10 CFR Part 37 rule. The 10-year time period is based on the date an individual was first granted unescorted access to Category 1 or 2 materials. For example, if an individual was granted unescorted access to Category 2 material in December 2007; this individuals reinvestigation must be conducted by December 2017.

Enclosure 1 provides a more detailed description of the violations commonly observed in inspections conducted for NRC licensees during the first 2 years of rule implementation. In addition, the NRC reviewed the issuance of post-March 2016 violations in hopes of identifying situations not captured by the March 2014-March 2016 data analysis. One case was identified, and involved the following facts: the licensee was not transporting their own portable device, but instead was preparing a shipment to another licensee and did not fully apply Subpart C for radioactive material when stored interim to transport. The material was stored on the vehicle in its shipping configuration within a locked fenced area owned by the licensee. The licensee did not provide a means to continuously monitor the area (10 CFR 37.47(a)), a means to detect unauthorized removal of the material (10 CFR 37.49(a)(1)), and failed to disable the trailer containing material when not under the direct control and constant surveillance of the licensee

(10 CFR 37.53). This resulted in a Severity Level III violation.

Available NRC Resources for Implementation of 10 CFR Part 37 The NRC published several communications to support implementation of the rule, including issuance of two significant guidance documents, described below:

NUREG-2155, Revision 1, Implementation Guidance for 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material.

NUREG-2155 contains regulatory citations for the requirements in 10 CFR Part 37, a series of frequently asked questions and answers relevant to each citation, and a plain language explanation of the intent of the regulation.

NUREG-2166, Physical Security Best Practices for the Protection of Risk-Significant Radioactive Material. NUREG-2166 provides guidance to licensees on how to create a physical protection program and how to document their security plan. During the course of the program review of 10 CFR Part 37, the NRC staff also identified that many licensees were unaware of the existing documents issued by the NRC that describe the differences between the security-related orders and 10 CFR Part 37 and provide guidance to support Part 37 implementation. In order to facilitate licensee awareness of the availability of these resources, Enclosure 2 provides the list of guidance documents available to licensees and identifies their location on the NRC Web site. The NRC Web site contains implementing guidance and additional helpful information to be considered by licensees when developing and implementing an effective physical protection program that complies with 10 CFR Part 37.

These guidance documents include acceptable methods for licensees to demonstrate compliance with the commonly cited requirements discussed above. The NRC updates this Web site as needed and recommends that licensees review this information periodically.

NRC has also established a dedicated email resource (Part37.Resource@nrc.gov) for stakeholders to ask questions and provide comments directly to the NRC staff members involved. Please use this resource to ask any questions regarding the implementation of

10 CFR Part 37. Any questions regarding licensing, inspection, and/or compliance with

10 CFR Part 37 regulations should be directed to the appropriate NRC office with responsibility for these programs.

BACKFITTING AND ISSUE FINALITY DISCUSSION

This RIS informs addressees of common violations that the NRC has identified during inspections conducted to verify compliance with the requirements of 10 CFR Part 37 and reminds addressees of resources available to answer questions and clarify issues regarding rule implementation. This RIS requires no written action or written response. This RIS does not impose any requirements on NRC licensees, or any other applicants, licensees, or holders of NRC regulatory approvals under 10 CFR Parts 50, 52, 70, 72, or 76, that either constitute backfitting (as defined in those parts) or are inconsistent with the issue finality requirements in

10 CFR Part 52. This RIS reiterates information and requirements contained in the final rulemaking for 10 CFR Part 37 (78 FR 16922). Consequently, the NRC staff did not further address the documentation requirements provisions of those parts.

FEDERAL REGISTER NOTIFICATION

A notice of opportunity for public comment on this RIS was not published in the Federal Register because this RIS is informational and does not represent a departure from current regulatory requirements.

CONGRESSIONAL REVIEW ACT

This RIS is not a rule as defined in the Congressional Review Act (5 U.S.C. §§ 801-808).

PAPERWORK REDUCTION ACT STATEMENT

This RIS does not contain new or amended information collection requirements that are subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection requirements were approved by the Office of Management and Budget (OMB),

approval number 3150-0214. Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a collection of information unless the document requesting or requiring the collection displays a currently valid OMB control number.

CONTACT

This RIS requires no specific action or written response. Please direct any questions to the technical contact listed below or the appropriate NRC office.

/RA/ (Paul G. Krohn for) /RA/

Timothy J. McGinty, Director Andrea Kock, Acting Director Division of Construction Inspection Division of Material Safety, State, Tribal and Operational Programs and Rulemaking Programs Office of New Reactors Office of Nuclear Material Safety and Safeguards

/RA/ (Michael F. King for)

Christopher G. Miller, Director Division of Inspection and Regional Support Office of Nuclear Reactor Regulation

Technical Contact:

Adelaide S. Giantelli, NMSS/MSTR

(301) 415-7562 E-mail: Adelaide.Giantelli@nrc.gov Enclosures:

1. Common Violations of 10 CFR Part 37 Cited to NRC Licensees from March 2014 to March 2016

2. Guidance Documents Available to Support Implementation of 10 CFR Part 37

3. Recently Issued Office of Nuclear Material Safety and Safeguards Generic Communications

ML17166A172; *via email TAC NO.: MF9830

OFFICE NMSS/MSTR/SMPB QTE* NMSS/MSTR/SMPB NMSS/MSTR/RMSB NMSS/MSTR/SMPB/BC (A)

NAME AGiantelli CHsu GSmith AMcIntosh DWhite DATE 01/08/17 07/27/2017 01/09/17 03/06/17 04/03/17 OFFICE NMSS/MSTR/RMSB/BC NMSS/MSTR/DD NSIR/MSWB/BC* NRR/DPR/PROB/BC* RI/DNMS/D (A)*

NAME DBollock, KWilliams TMossman AMendiola JNick DATE 05/08/17 08/18/17 08/09/17 08/09/17 08/18/17 OFFICE RIII/DNMS/D* RIV/DNMS/D* NRR/DORL/D* OCIO* OE*

NAME JGiessner MShaffer ABoland DCullison JPeralta (LHowell for) (DFurst for)

DATE 08/16/17 08/15/17 08/18/17 09/08/17 08/25/17 OFFICE NRR/PMDA* OGC* NRR/DIRS/IRGB/PM NRR/DIRS/IRGB/LA NRR/DIRS/IRGB/BC*

NAME LHill NNoelliste ASchwab ELee HChernoff (ASchwab for)

DATE 08/21/17 10/30/17 12/01/17 11/30/17 12/22/17 OFFICE NRO/DCIP/D* NRR/DIRS/D* NMSS/MSTR/D*

NAME TMcGinty (PKrohn for) CMiller (MKing for) AKock DATE 01/11/18 01/09/18 01/22/18

Common Violations of 10 CFR Part 37 Cited to NRC Licensees from March 2014 to March 2016 From March 2014 to March 2016, the U.S. Nuclear Regulatory Commission (NRC) performed

255 inspections to confirm NRC licensee compliance with the requirements of Title 10 of the Code of Federal Regulations (10 CFR) Part 37. The majority of inspections, 184 inspections or

72 percent, resulted in no violations. The remaining 71 inspections resulted in 189 specific violations issued to 61 licensees. Given that there are approximately 1,400 Agreement State and NRC licensees implementing 10 CFR Part 37, these inspections account for 17 percent of Category 1 and 2 licensees in the United States. The NRC cited violations against requirements contained in each of the four subparts of 10 CFR Part 37:

Subpart A, General Provisions

Subpart B, Background Investigations and Access Control Program

Subpart C, Physical Protection Requirements During Use

Subpart D, Physical Protection in Transit In analyzing the violations of 10 CFR Part 37, the NRC assessed the significance of violations as well as their prevalence. No Severity Level (SL) I or SL II violations were cited, which indicates that there were no violations with actual safety or security consequences (i.e., actual theft or sabotage). The majority of the violations (90 percent) cited against the rule were SL IV

violations. The SLIII violations constituted 10 percent of the total cited violations. The majority of the violations of the rule were cited against Subparts B and C and shared a common theme;

they resulted from a lack of transition to the requirements of 10 CFR Part 37 from the previously-in-force orders. In these cases, the licensees had documentation and physical security measures in place that were suitable for compliance with the orders, but did not update NRC ENFORCEMENT ACTIONS:

10 CFR PART 37 OVERSIGHT (MARCH 2014-MARCH 2016)

Enclosure 1

RIS 2018-01 Enclosure 1 or change documentation to reflect the requirements of the new regulation. Below is a description of the common violations by subpart.

Subpart AGeneral Provisions The NRC identified one SL IV violation of Subpart A for a licensee failing to revise the security plan required by 10 CFR Part 73 to include activities related to Category 2 radioactive material stored in the same room as the licensees non-power reactor. In general, Subpart A does not include specific requirements for physical protection of Category 1 and Category 2 materials.

Instead, this subpart generally describes the scope of 10 CFR Part 37, provides definitions of terms used within 10 CFR Part 37, and lists specific exemptions to 10 CFR Part 37. A low incidence of violations of Subpart A is consistent with the nature of the section.

Subpart BBackground Investigations and Access Control Program Five SL III violations and 70 SL IV violations were issued against Subpart B. The majority of Subpart B violations occurred because licensees continued to use the access authorization program prepared for compliance with the orders and failed to review their program for compliance with the requirements of 10 CFR Part 37 upon the rule becoming effective.

Common violations of this subpart are described below.

10 CFR 37.23(a)(2), Granting unescorted access authorization. This requirement states that individuals approved for unescorted access must complete security training prior to first-time unescorted access to Category 1 and Category 2 materials. Inspectors found that some licensees did not conduct security training prior to allowing unescorted access to Category 1 and 2 quantities of materials.

10 CFR 37.23(b)(2), Reviewing officials. Licensee officials have to name a reviewing official, complete a background investigation on the reviewing official, and once complete, provide (under oath and affirmation) a certification to the NRC that the reviewing official has been determined to be trustworthy and reliable. Inspectors found that the oath and affirmations were not submitted to the NRC in some cases.

10 CFR 37.23(c), Informed consent. Each licensee must obtain signed consent from the individual prior to conducting any background investigation (initial or reinvestigation)

activities on the individual. Inspectors found that informed consent forms were not completed by prospective employees prior to initiation of the background investigation in some cases.

10 CFR 37.23(e)(3), Determination basis. The licensees reviewing official must document, based on all the information gathered during the background investigation, whether or not an individual is permitted unescorted access to the Category 1 or Category 2 material. Inspectors found that some licensees may have performed the trustworthiness and reliability review; however, they could not present the basis of their determinations when requested by the inspectors.

10 CFR 37.23(e)(5), Determination basis. Each licensee has to maintain an up-to-date list of individuals approved for unescorted access to Category 1 and Category 2 materials. When individuals are removed from unescorted access, the licensee has seven working days to remove the individual from the list. Inspectors found that some licensees were promptly removing the persons physical ability for unescorted access to Category 1 and Category 2 materials, but did not remove an individual from the list of those approved for unescorted access within the required seven days.

RIS 2018-01 Enclosure 1 * 10 CFR 37.31, Protection of information. Each licensee has to establish a system of files and written procedures to protect information collected during the background investigation from unauthorized disclosure. Inspectors found that some licensees may have been protecting such information; however, the licensee couldnt provide a documented procedure to inspectors when requested.

10 CFR 37.33, Access authorization program review. Each licensee is required to review their access authorization program for compliance with 10 CFR Part 37 on an annual basis. Inspectors found that some licensees did not conduct this review as required.

Subpart CPhysical Protection Requirements During Use Fourteen SL III violations and 98 SL IV violations were cited against Subpart C. In the majority of cases where licensees failed to meet the requirements in Subpart C, as was the case for violations against Subpart B, licensees did not fully document how their security program complied with 10 CFR Part 37. Within inspection reports it was noted, for many inspections citing violations, that the licensee had continued to implement the orders as opposed to implementing the requirements in 10 CFR Part 37, which included more planning, procedural, and process elements than the previously-in-force orders. Because licensees did not review their program for compliance with the requirements of 10 CFR Part 37, violations were identified in this area. Common violations of this subpart are described below.

10 CFR 37.43, General security program requirements. This requirement states that each licensee shall develop a written security plan specific to its facilities and operations that complies with the requirements of Subpart B. Inspectors found that some licensees had in place a physical protection program that complied with 10 CFR Part 37, but licensees could not provide a written security plan when requested by the inspector.

10 CFR 37.43(c), Training. Generally, each licensee is required to conduct training to ensure individuals understand their roles and responsibilities with respect to the physical protection program and ensure that these individuals maintain this understanding.

Inspectors found cases where security training was incomplete. Specifically, some licensees did not capture all individuals that should have received training

(10 CFR 37.43(c)(1)) and did not ensure that individuals were trained commensurate with their assigned duties (10 CFR 37.43(c)(2)). Also, some licensees did not conduct annual security refresher training (10 CFR 37.43(c)(3)).

10 CFR 37.43(d)(7), Protection of information. When not in use, the licensee is required to store their security plan and procedures in a manner that prevents unauthorized access. Inspectors found that some licensees did not fully consider how their networked computer systems were managed by information technology (IT) staff.

In these cases, licensees were using password protection to access their network, but did not realize that IT personnel could bypass these measures. In these situations, the licensee could not demonstrate adequate protection of information to NRC inspectors.

10 CFR 37.45, LLEA coordination. Licensees are required to communicate with their local law enforcement agency (LLEA) on an annual basis about the materials they possess. This annual coordination must be documented (10 CFR 37.45(d)). If a licensee cannot complete this LLEA coordination, the NRC must be notified of the unsuccessful coordination within 3 business days (10 CFR 37.45(b)). Inspectors found that some licensees completed initial coordination with LLEA; however they did not conduct the annual coordination. Also, inspectors found that one licensee, while

RIS 2018-01 Enclosure 1 documenting their attempts to contact LLEA, did not notify the NRC of their unsuccessful coordination as required.

10 CFR 37.49(a), Monitoring and detection. This requirement is in addition to providing physical protection system in place to monitor, detect, and assess unauthorized access to the material. This section requires licensees to establish a separate method for detecting unauthorized removal of material from the security zone. The inspectors found that some licensees believed that their systems to quickly detect unauthorized access could also be used to detect unauthorized removal of the material (10 CFR 37.49(a)(1)).

10 CFR 37.49(c), Personnel communications and data transmissions. In general, this section required that the licensee maintain both a primary and back-up system to ensure that a security event is detected and communicated to LLEA immediately. The back-up system cannot be subject to the same failure mechanism as the primary system.

Inspectors found that in some cases, licensees did not fully understand how their alarm system functioned and did not realize there would be no way to communicate in the event of a power source loss or, for systems that transmitted to a key fob, that the system had limited distance range for transmission. As such, licensees could not demonstrate a dependable and independent means of communication to the NRC

inspector.

10 CFR 37.51, Maintenance and testing. Under this section, in brief, each licensee is required to implement a maintenance and testing program to ensure that each component of their physical protection system is operable and capable of performing its intended function. Each licensee is required to maintain records from this program.

Inspectors generally found that the components of the physical protection system were operable and functioning as designed; however, some licensees did not maintain adequate documentation to demonstrate compliance with this requirement.

10 CFR 37.55, Security program review. Each licensee is required to review their security program for compliance with 10 CFR Part 37 on an annual basis. Inspectors found that some licensees did not conduct this review as required.

10 CFR 37.57(b), Reporting of events. This requirement states that each licensee must assess and report suspicious security events to LLEA, followed as soon as possible, but no later than 4 hours4.62963e-5 days <br />0.00111 hours <br />6.613757e-6 weeks <br />1.522e-6 months <br />, with a report to the NRC Operations Center.

Inspectors found that licensees were vigilant about their surroundings and suspicious activities, such as identifying individuals taking photographs or video of their activities, and that licensees notified LLEA as required. However, inspectors found that some licensees notified NRC after LLEA completed their investigation of the event. In these situations, the licensees could not demonstrate compliance with the requirement to notify the NRC within the required timeframe.

Subpart DPhysical Protection in Transit The NRC inspectors identified one Severity Level IV violation of Subpart D, resulting from a licensees failure to perform license verification prior to the transfer of a Category 2 quantity of radioactive material. The violation resulted from a failure to comply with 10 CFR 37.71(b),

which requires licensees to verify with the NRC's license verification system or the license issuing regulatory authority that the transferee's license authorizes the receipt of the type, form, and quantity of radioactive material to be transferred. The inspector found that the licensee did

RIS 2018-01 Enclosure 1 not review the regulations of 10 CFR Part 37 carefully to understand that the requirements of

10 CFR 30.41, Transfer of byproduct material, are not applicable when transferring Category 1 and Category 2 materials and that the more restrictive license verifications requirements in

10 CFR 37.71(b) apply instead.

Guidance Documents Available to Support Implementation of 10 CFR Part 37 The U.S. Nuclear Regulatory Commission (NRC) guidance documents to support licensee implementation of Title 10 of the Code of Federal Regulations (10 CFR) Part 37 are identified on the NRC public Web site, 10 CFR Part 37Physical Protection of Category 1 and Category 2 Quantities of Radioactive Materials, which can be accessed at, https://www.nrc.gov/security/byproduct/10-cfr-part-37.html. Beneath the general description of the 10 CFR Part 37 rule are links to documents. The following list provides a brief description of the documents found on this Web page along with its associated unique Agencywide Documents Access and Management System (ADAMS) Accession Number. In addition, if there are questions or comments about 10 CFR Part 37, stakeholders should contact the NRC at the dedicated email Part37Resource@nrc.gov.

Rule Documents

SECY-11-0170, Final Rule: Physical Protection of Byproduct Material, dated December 8, 2011 (ADAMS Accession No. ML112920070)

This NRC staff paper requests Commission approval to publish a final rule in the Federal Register that adds 10 CFR Part 37 to Title 10 of the Code of Federal Regulations and make conforming changes to 10 CFR Parts 20, 30, 32, 33, 34, 35, 36, 39, 51, 71 and 73.

The final rule amends the regulations to establish security requirements for the use of Category 1 and Category 2 quantities of radioactive material and for the transportation of small quantities of irradiated fuel.

Guidance

NUREG-2155, Revision 1, "Implementation Guidance for 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material," dated January 2015 (ADAMS Accession No. ML15016A172)

This technical report provides guidance on, and assists applicants and licensees in, the implementation of 10 CFR Part 37, "Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material." This document describes methods that the NRC

finds acceptable for implementing the regulations.

NUREG-2166, "Physical Security Best Practices for the Protection of Risk-Significant Radioactive Material," dated May 2014 (ADAMS Accession No.

ML14150A382)

This document provides guidance to NRC licensees or applicants on developing and implementing a physical protection program for the protection of risk-significant radioactive materials (e.g., Category 1 and Category 2 quantities of radioactive material).

The intent of this information is to provide NRC licensees or applicants guidance with specific emphasis on physical security best practices. The approaches and methods in this document are not requirements; however, the NRC considers them to be acceptable for complying with the requirements in 10 CFR Part 37.

Enclosure 2

RIS 2018-01 Enclosure 2 * SECY-11-0170 - Enclosure 2, 10 CFR Part 37 Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material Implementation Plan, dated December 8, 2011 (ADAMS Accession No. ML113290229)

This NRC implementation plan outlines the actions necessary for the successful implementation of 10 CFR Part 37 rulemaking. This plan summarizes each of the security orders issued following the terrorist events of September 11, 2001, and includes a comparison of the 10 CFR Part 37 requirements against the requirements contained in the security orders.

Questions and answers

First Set of Questions and Answers Concerning the Application 10 CFR Part 37 to Licensees with Part 73 Security Plans, dated March 13, 2014 (ADAMS Accession No. ML16335A369)

This memo provides guidance from the NRC staff to implementation questions not included within NUREG-2155 regarding application of 10 CFR Part 37 to nuclear reactors and other facilities with security plans under 10 CFR Part 73.

Second Set of Questions and Answers Concerning the Application of 10 CFR Part

37 to Licensees with Part 73 Security Plans, dated November 7, 2014 (ADAMS

Accession No. ML14307B321)

This memo provides guidance from the NRC staff to additional implementation questions on how to implement 10 CFR Part 37 at nuclear reactors and other facilities with security plans under 10 CFR Part 73.

Third Set of Questions and Answers Concerning the Application of 10 CFR Part 37 to Licensees with Part 73 Security Plans, dated August 26, 2015 (ADAMS Accession No. ML15237A129)

This memo provides guidance from the NRC staff to additional implementation questions on how to implement 10 CFR Part 37 at nuclear reactors and other facilities with security plans under 10 CFR Part 73.

Addressees

02/8/2017 RIS-2017-02 Applicability of Title 10 of All holders of, and applicants seeking, the Code of Federal NRC licenses that authorize the Regulations Part 37 to possession of Category 1 or 2 Non-Manufacturing and quantities of radioactive materials Distribution Service (including licenses authorizing Provider Licensees possession of Category 1 or 2 quantities of radioactive materials incidental to service), NRC Master Materials licensees, Agreement State Radiation Control Program Directors, and State Liaison Officers.

01/03/2017 SA-17-01 National Special Security NRC licensees, Agreement State Event for the 2017 Radiation Control Program Directors SA-17-02 Presidential State of the and State Liaison Officers in the SA-17-03 Union Address Washington, DC area.

11/13/2016 RIS-2016-11 Requests to Dispose of All NRC licensees. All Agreement Very Low-Level State Radiation Control Program Radioactive Waste Directors and State Liaison Officers Pursuant to 10 CFR

20.2002

9/28/2016 IN-2016-13 Uranium Accumulation All holders of and applicants for a fuel in Fuel Cycle Facility facility license under 10 CFR Part 70

Ventilation and and 10 CFR Part 70, Subpart H. All Scrubber Systems holders of and applicants for a construction permit or operating license for a production facility, including facilities dedicated to the production of medical radioisotopes such as Mo-99, under 10 CFR Part 50,

except those who have permanently ceased operations.

08/26/2016 SA-16-12 National Special NRC licensees. Agreement State Security Event for the radiation control program directors and SA-16-11

71st United Nations State liaison officers in the New York General Assembly City area Enclosure 3

RIS 2018-01 Enclosure 3 05/9/2016 RIS-2016-06 NRC Regulation of All Agreement State Radiation Control Radium-226 Under Program Directors and State Liaison Military Control and for Officers; all Radiation Control Program Coordination on Directors and State Liaison Officers;

CERCLA Response U.S. Department of Defenses Director Actions at DOD sites of Environment, Safety and with Radioactive Occupational Health; all U.S. Air Force Materials and U.S. Navy master materials license contacts; all U.S. Army contacts with specific NRC licenses.

04/7/2016 GL-2016-01 Monitoring of Neutron All nuclear power reactors with a Absorbing Materials in license issued under 10 CFR Part 50

Spent Fuel Pools except those that have permanently ceased operations with all reactor fuel removed from onsite spent fuel pool storage. All holders of an operating license for a non-power reactor (research reactor, test reactor, or critical assembly) under 10 CFR Part

50 who have a reactor pool, fuel storage pool, or other wet locations designed for the purpose of fuel storage, except those who have permanently ceased operations with reactor fuel removed from onsite wet storage.

Note: This list contains the six most recently issued generic communications, issued by the Office of Nuclear Materials Safety and Safeguards. A full listing of all generic communications may be viewed at the NRC public Web site at the following address: http://www.nrc.gov/reading-rm/doc- collections/gen-comm/index.html

RIS 2018-01, Common Violations Cited During First 2 Years of 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, Implementation and Guidance Documents Available to Support.

Contents

ADDRESSEES

INTENT

BACKGROUND

SUMMARY OF ISSUE

BACKFITTING AND ISSUE FINALITY DISCUSSION

FEDERAL REGISTER NOTIFICATION

CONGRESSIONAL REVIEW ACT

PAPERWORK REDUCTION ACT STATEMENT

CONTACT

Technical Contact:

Addressees

Navigation menu

RIS 2018-01, Common Violations Cited During First 2 Years of 10 CFR Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material, Implementation and Guidance Documents Available to Support.

ADDRESSEES

INTENT

BACKGROUND

SUMMARY OF ISSUE

BACKFITTING AND ISSUE FINALITY DISCUSSION

FEDERAL REGISTER NOTIFICATION

CONGRESSIONAL REVIEW ACT

PAPERWORK REDUCTION ACT STATEMENT

CONTACT

Technical Contact:

Addressees

Navigation menu

Search