ML18081A255

Final Public Meeting Slides - Insider Threat Program and Security Executive Agent Directive 3 for NRC - License Facilities on 21 February 2018
Issue date: 02/21/2018
From: Office of Nuclear Security and Incident Response
To: A Williamson
Shared Package: ML18081A251

Insider Threat Program and Security Executive Agent Directive 3 for NRC Licensed Facilities
USNRC Public Meeting
21 February 2018
Office of Nuclear Security and Incident Response

9:00am

Introductions

  • Darryl Parsons, Branch Chief, Information Security Branch, Division of Security Operations, Office of Nuclear Security and Incident Response, Darryl.Parsons@nrc.gov

9:10am-10:00am Information on SEAD 3 and Insider Threat Programs

Insider Threat Program

Non-Possessing Facility Security Clearance

  • Any facility which has cleared individuals (those with personnel security clearances) and does not possess classified material onsite is considered a non-possessing facility.
  • The majority of NRC's contractors and licensees are non-possessing entities.

Possessing Facility Security Clearance

The NRC issues possessing facility clearances and associated personnel security clearances to licensees and licensee contractors that meet the requirements of 10 CFR Part 95, "Facility Security Clearance and Safeguarding of National Security Information and Restricted Data," and 10 CFR Part 25, "Access Authorization," and possess a demonstrable need to store classified information at their facility.

Only two facilities have possessing facility clearances issued by the NRC as the Cognizant Security Agency.

These facilities need access to classified information in order to maintain their license.

NISPOM ITP for Non-Possessing Licensees
Four Minimum Requirements

  • Appointment by the licensee of an ITP Senior Official who is a U.S. citizen and a senior official of the company.

- This can be the Facility Security Officer (FSO) as defined by the NISPOM.

  • Annual self-review or self-inspection of the ITP.

  • Insider Threat training for cleared program management and cleared individual awareness.

  • Reporting to the NRC of any detection of an insider threat to the licensee.

(This program is designed for threats to the protection of classified information, and does not have in its scope any other detection of insider threats at a power plant).

NISPOM ITP for Possessing Licensees
Five Minimum Requirements

  • Appointment by the licensee of an ITP Senior Official who is a U.S. citizen and a senior official of the company. (same as non-possessors)

- This can be the Facility Security Officer (FSO) as defined by the NISPOM.

  • Annual self-review or self-inspection of the ITP. (same as non-possessors)

  • Insider Threat training for cleared program management and cleared individual awareness. (same as non-possessors)

  • Reporting to the NRC of any detection of an insider threat to the licensee.

(This program is designed for threats to the protection of classified information, and does not have in its scope any other detection of insider threats at a power plant). (same as non-possessors)

  • Provide User Activity Monitoring on any classified IT system.

Implementation of NISPOM ITP

The NRC staff are recommending to the Commission that we pursue a license commitment by incorporating the requirements into the Standard Practice Procedures Plan in accordance with 10 CFR Part 95.

ITP requirements planned implementation by June 2018. The staff are seeking input from licensees throughout this process.

By modifying the SPPP, which is already committed to in each license, the licensee makes the ITP requirements a license commitment without having to do an amendment to the license itself.

Security Executive Agent Directive (SEAD) 3

In December 2016, the Office of the Director of National Intelligence (ODNI) issued SEAD 3, "Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position," to executive branch agencies and covered individuals; these individuals include NRC employees, contractors, licensees, licensees' contractors, and other individuals such as members of the Nuclear Energy Institute whom NRC has granted national security clearances.

SEAD 3 defines covered individuals as:

- certain persons who perform work on behalf of the executive branch and have been granted access to classified information or hold sensitive positions;

- certain persons who perform work on behalf of a State, local, Tribe, or private sector entity and have been granted access to classified information or hold sensitive positions; and

- certain persons working in or for the legislative or judicial branches and have been granted access to classified information and the investigation or determination has been conducted by the executive branch.

SEAD 3

  • SEAD 3 was to be effective on June 12, 2017. The NRC requested an extension to the requirements until June 12, 2018.
  • SEAD 3 requires reporting of 19 new data elements consistent with the Standard Form 86, "Questionnaire for National Security Positions," which applicants and clearance holders complete during the initial and periodic reinvestigation processes, respectively.

However, SEAD 3 now requires these elements to be reported prior to participation in such activities or otherwise as soon as possible following the start of their involvement.

SEAD 3

Most notably, SEAD 3 requires covered individuals to obtain prior agency approval before conducting unofficial foreign travel.

The staff benchmarked 10 other Federal agencies to understand the different implementation approaches across the Government.

- The staff's benchmarking efforts concluded that other Federal agencies apply SEAD 3 to all cleared staff and contractors, and in some cases to others deemed to be in sensitive positions.

- Generally, other Federal agencies require pre-travel approval for travel to countries that do not reside on an agency-developed approved destination country list.

- Additionally, some other Federal agencies disapprove travel to destination countries on an agency-developed threat country list.

- No agencies are allowing covered individuals to travel without pre-travel approval except as noted in SEAD 3, such as travel to U.S. territories or short-notice emergent travel.

SEAD 3, Element 1 - Unofficial Foreign Travel Reporting

- Complete itinerary
- Dates of travel
- Mode of transportation and identification of carriers
- Passport data
- Names and association (business, friend, relative, etc.) of foreign national traveling companions
- Planned contacts with foreign governments, companies, or citizens during foreign travel and reason for contact (business, friend, relative, etc.)
- Unplanned contacts with foreign governments, companies, or citizens during foreign travel and reason for contact (post-travel reporting)
- Name, address, telephone number, and relationship of emergency point of contact
- Unusual or suspicious occurrences during travel, including those of possible security or counterintelligence significance (post-travel reporting)
- Any foreign legal or customs incidents encountered (post-travel reporting)

SEAD 3, Other 18 Reporting Elements

- Unofficial contact with a known or suspected foreign intelligence entity
- Continuing association with a known foreign national(s) or foreign national roommate(s)
- Involvement in Foreign Business
- Foreign bank accounts (new)
- Ownership of Foreign Property (new)
- Foreign Citizenship (new)
- Application for a foreign passport or identity card for travel (new)
- Possession of a foreign passport or identity card for travel (new)
- Use of a foreign passport or identity card for travel
- Voting in a foreign election (new)
- Adoption of non-U.S. citizen children (new)
- Attempted elicitation, exploitation, blackmail, coercion, or enticement to obtain classified information or other information specifically prohibited by law from disclosure (new)
- Media Contacts
- Arrests
- Financial issues and anomalies
- Cohabitant(s)
- Marriage
- Alcohol- and drug-related treatment

  • New to Part 25 requirements but similar to requirements already in Standard Form 86; timeframe for reporting has changed

Current Reporting Requirements under 10 CFR Part 25

- Arrests/charges/detentions
- Involvement in civil court actions
- Change in marital status (including legal separation)
- Change of name
- Change in cohabitation
- Outside employment that creates a conflict of interest
- Foreign national contacts including business or personal contacts
- Any travel to foreign countries for which the U.S. Department of State has issued a travel warning
- Enrollment in a drug or alcohol treatment program
- Changes in financial status (debt collection, bankruptcy, foreclosure, federally guaranteed loans, tax liens, or failure to file or pay Federal or State taxes)
- Treatment for emotional, mental, or personality disorders (except marriage, grief, or family counseling not related to violence by you or strictly related to adjustments from service in a military combat environment)
- Travel to a foreign country where a passport other than a U.S. passport is used to enter or leave the country
- While on travel, any arrests and detentions, issues with customs or law enforcement, or concerns that you were being followed or monitored while on official or unofficial foreign travel

Implementation of SEAD 3

Staff proposed implementation of SEAD 3 is consistent with the staff's proposed implementation of the NISPOM ITP as previously discussed:

The NRC staff are recommending to the Commission that we pursue a license commitment by incorporating the requirements into the Standard Practice Procedures Plan in accordance with 10 CFR Part 95.

SEAD 3 requirements planned implementation by June 2018. The staff are seeking input from licensees throughout this process.

By modifying the SPPP, which is already committed to in each license, the licensee makes the requirements a license commitment without having to do an amendment to the license itself.

FOCI Questions

  • Comment from Industry:

- FOCI process is too burdensome.

  • NRC's Comment:

- We agree, please send an email to me and let me research each particular case. We may have some methods to now address the issue.

- Darryl.Parsons@nrc.gov

10:00am-10:30am Questions and Answers

10:30am-11:00am Proposed SPPP Language and Discussion

NISPOM ITP suggested language for SPPP for possessing facilities

Procedures have been developed which establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with Department of Defense (DoD) 5220.22-M, "National Industrial Security Program Operating Manual" (NISPOM) insider threat program requirements.

These procedures include at a minimum: (1) appointment of an insider threat program senior official (ITPSO); (2) training for employees covered under the program; (3) annual self-inspections of the insider threat program; (4) timely reporting for any potential or actual insider threat; and (5) user activity monitoring on any classified information system.

NISPOM ITP suggested language for SPPP for non-possessing facilities

Procedures have been developed which establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with Department of Defense (DoD) 5220.22-M, "National Industrial Security Program Operating Manual" (NISPOM) insider threat program requirements.

These procedures include at a minimum: (1) appointment of an insider threat program senior official (ITPSO); (2) training for employees covered under the program; (3) annual self-inspections of the insider threat program; and (4) timely reporting for any potential or actual insider threat.

SEAD 3 suggested language for SPPP for both possessing and non-possessing facilities

Procedures have been developed for individuals who have access to classified information or hold a sensitive position which establish and maintain standardized reporting requirements in accordance with the 19 elements as required by the Office of the Director of National Intelligence (ODNI) Security Executive Agent Directive 3, "Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position," dated December 14, 2016.

Example of what the Staff will be looking for during SPPP Reviews

Reviewer's Checklist for Non-Possessors SPPP

Does the licensee commit to having procedures that establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with Department of Defense (DoD) 5220.22-M, "National Industrial Security Program Operating Manual" (NISPOM) insider threat program requirements?

Do the licensee's insider threat program procedures commit to addressing the appointment of an insider threat program senior official (ITPSO)?

Do the licensee's insider threat program procedures commit to training for employees covered under the program?

Do the licensee's insider threat program procedures commit to annual self-inspections of the insider threat program?

Do the licensee's insider threat program procedures commit to timely reporting for any potential or actual insider threat?

Does the licensee commit to having procedures for individuals who have access to classified information or hold a sensitive position which establish and maintain standardized reporting requirements in accordance with the Office of the Director of National Intelligence (ODNI) Security Executive Agent Directive 3 (SEAD 3), "Reporting Requirements for Personnel with Access to Classified Information or Who Hold a Sensitive Position," dated December 14, 2016?

Does the licensee address the fact that there are 19 required data elements for reporting under SEAD 3 and that the information under each element must either be self-reported or reported for others? See the table below to ensure the 19 data elements are acknowledged and addressed in licensee procedures.

Meeting Adjourned

There will be a second public meeting on March 12th with a focus on answering questions that have been identified today.

Thank you for your participation!