ML18151A770

Summary of April 18, 2018, Biweekly Information Session Regarding Insider Threat Program and Security Executive Agent Directive 3 for U.S. Nuclear Regulatory Commission-Licensed Facilities
Person / Time
Issue date: 06/07/2018
From: Williamson A
NRC/NSIR/DSO/ISB
To: Darryl Parsons
NRC/NSIR/DSO/ISB


Text

June 7, 2018

MEMORANDUM TO: Darryl Parsons, Chief
Information Security Branch
Division of Security Operations
Office of Nuclear Security and Incident Response

FROM: Alicia Williamson, Project Manager /RA/
Information Security Branch
Division of Security Operations
Office of Nuclear Security and Incident Response

SUBJECT: SUMMARY OF APRIL 18, 2018, BIWEEKLY INFORMATION SESSION REGARDING INSIDER THREAT PROGRAM AND SECURITY EXECUTIVE AGENT DIRECTIVE 3 FOR U.S. NUCLEAR REGULATORY COMMISSION-LICENSED FACILITIES

On April 18, 2018, the U.S. Nuclear Regulatory Commission (NRC) staff held the first public Bi-Weekly Information Session regarding National Industrial Security Program Operating Manual (NISPOM), Change 2 Insider Threat Program (ITP) and the Security Executive Agent Directive (SEAD) 3. The meeting began with introductions of the NRC staff members, followed by a roll call in order to capture all of the telecom participants. A list of meeting participants is enclosed. Approximately 18 people participated in the webinar, which included members of the NRC staff, the nuclear industry, and licensees.

Next, the NRC staff started off the discussion by responding to questions provided by Bill Gross, from the Nuclear Energy Institute (NEI), prior to the meeting. Those questions and NRC responses are below.

Question 1

Background:

The proposed ITP commitment states: Procedures have been developed which establish and maintain an insider threat program that will gather, integrate, and report relevant and available information indicative of a potential or actual insider threat in accordance with the latest change to the Department of Defense (DoD) 5220.22-M, National Industrial Security Program Operating Manual (NISPOM) insider threat program requirements.

Question: Can the words "latest change" be revised to "Change 2"?

NRC Response: Yes, we can change that to Change 2.

CONTACTS: D. Parsons, NSIR/DSO/ISB (301) 415-7751 A. Williamson, NSIR/DSO/ISB (301) 415-1878


Question 2

Background:

  • The ITP commitment also states: These procedures include at a minimum: training for employees covered under the program.
  • NISPOM Section 3-103(b) states: All cleared employees must be provided insider threat awareness training before being granted access to classified information, and annually thereafter.
  • The first Commitment in the Standard Practice Procedures Plan (SPPP) states: Initial and refresher briefings (every 3 years) are conducted

Question: Is it appropriate to perform ITP training every three years per SPPP? We intend to do an initial on ITP and SEAD 3, however, after the initial, can the refresher be included in the 3-year cycle?

NRC Response: The training requirement for the ITP and Security Awareness is to be conducted annually, as specified in Chapter 3 of NISPOM, Change 2 (page 3-1-1). Therefore, the NRC must follow the guidance as outlined in the NISPOM.

Question 3

Background:

  • The ITP commitment also states: These procedures include at a minimum: annual self-inspections of the insider threat program
  • NISPOM Section 1-207(b)(3) states: A senior management official at the cleared facility will certify to the Cognizant Security Agency (CSA), in writing on an annual basis, that a self-inspection has been conducted, that senior management has been briefed on the results, that appropriate corrective action has been taken, and that management fully supports the security program at the cleared facility.

Question: Is it appropriate to maintain the self-inspection records on-site for CSA review in lieu of submitting to the NRC?

NRC Response: The self-assessment remains with each program/facility and is inspectable by the CSA. A letter to the CSA is an annual acknowledgement of the self-assessment and training.

Question 4

Background:

  • The ITP commitment also states: These procedures include at a minimum: annual self inspections of the insider threat program
  • NISPOM Section 1-207 states reviews are conducted, at intervals consistent with risk management principles.

Question: Can "annual" be revised to "every three years" for facilities in the voluntary program?

NRC Response: Annual training is outlined in SEAD 3, ITP and the NISPOM. Therefore, the NRC must follow the guidance in the NISPOM.

Question 5

When reviewing the SEAD 3 document, is it reasonable to assume that all references to agency, heads of agency or their designee, refer to the NRC?

NRC Response: Yes, the SEAD 3 document is direction to Federal agencies.

Question 6

SEAD 3 indicates training be provided annually, however, SPPP says triennial - is triennial acceptable?

NRC Response: Annual training is outlined in SEAD 3, ITP and the NISPOM. Therefore, the NRC must follow the guidance in the NISPOM.

Question 7

SEAD 3 discusses that pre-foreign travel defensive security and counterintelligence briefings and debriefings, as appropriate. Will these be conducted by the NRC? If our programs are going to perform this function - would we transmit the brief/debrief record/report to NRC?

NRC Response: Once Commission direction is received on this topic, the staff will provide implementation details on how the briefings may occur and where information should be sent.

Question 8

SEAD 3 reports are submitted directly to the NRC by cleared individuals, correct? Where should SEAD 3 reports be sent? By email to: PSBReporting.Resource@nrc.gov?

NRC Response: Implementation details will be provided at a later date. Current cleared individuals should submit reports to PSBReporting.Resource@nrc.gov until additional or new guidance has been provided.

Question 9

Foreign Travel: Would it be possible for an individual to get authorization to travel to a specific country/region BEFORE booking the full itinerary? Once the itinerary is booked, getting a denial (though anticipated to be rare) could be a pain. If they can get authorization, then they can book and submit the full itinerary information?

NRC Response: It will probably be okay to submit an early authorization before booking a full itinerary. However, staff will provide implementation details once Commission direction is received.

Question 10

Regarding Foreign Contacts - SEAD 3 Section F.2 specifies NRC will determine requirements for reporting foreign contacts related to official duties. Is it acceptable for NEI to exclude reporting foreign contacts that are for official NEI business?

NRC Response: Additional details and clarification will be provided during implementation of SEAD 3.

The following questions were received from webinar participants. Those questions and NRC responses are below.

Question 11

Will NRC be requesting a formal extension from Office of the Director of National Intelligence (ODNI)? NRC indicated to ODNI the new requirements would be implemented by June 2018.

NRC Response: The staff recognizes the June 2018 implementation date will likely not be met. The staff plans to communicate any additional dates or information during these sessions to keep stakeholders fully informed.

Question 12

Looking at Department of Homeland Security (DHS) State, Local, Tribal, and Private Sector Entities (SLTPS) entity program, will there be a distinction on folks who are covered under the new NISPOM Change 2 for the NRC program as well?

NRC Response: The staff appreciates the feedback and will look into the DHS program. No additional comments can be made on the question.

Question 13

Any status update on the SEAD 3 data entry tool?

NRC Response: There are no updates on the data entry tool for SEAD 3.

Question 14

Any update on when a letter to licensees regarding implementation of SEAD 3 requirements will be sent?

NRC Response: No update on when a letter to licensees will be sent.

The meeting concluded with the NRC staff indicating that a website dedicated to ITP and SEAD 3 would be going public soon and informing the participants that the next meeting would be held on Wednesday, May 2, 2018, at 2:30pm (EST). The conference telephone number and Go-To meeting web link would remain the same for the following meeting.

Enclosed to this memo is a list of meeting attendees.

Enclosure:

List of Attendees

ML18151A770

OFFICE  NSIR/DSO/ISB  TA: NSIR/DSO  ADM/DFS/SMOB  BC: NSRI/DSO/ISB
NAME    AWilliamson   TKeene        DBrady        DParsons
DATE    6/07/2018     5/18/2018     5/17/2018     5/17/2018

Wednesday, April 18, 2018 Bi-Weekly Information Session Meeting Attendees:

  • Denis Brady, NRC
  • Amy Roundtree, NRC
  • Sandra Caesar, NRC
  • David Cullison, NRC
  • Darryl Parsons, NRC
  • Alicia Williamson, NRC
  • Tim Tate, Framatone
  • Cynthia Heimbach, Genco-Nuclear
  • Larry Wilson, Generation Six
  • Richard Lawson
  • Bill Gross, NEI
  • Hilary Lane
  • Leonard Sueper
  • Walter Fulton
  • Kevin Deyette
  • Cheryl Olson
  • Brian Bellamy
  • James Barnette