Text

U.S. Nuclear Regulatory Commission Actions to Address Priority Open U.S. Government Accountability Office Recommendations

1. Addressing the Security of Radiological Sources The U.S. Government Accountability Office (GAO) identified four open priority recommendations for the U.S. Nuclear Regulatory Commission (NRC) from two reports that addressed the security of Category 3 sources (GAO-16-330) and security measures for radioactive materials that could be dispersed through a radiological dispersal device (GAO-19-468).

In the report GAO-16-330, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, GAO recommended that the NRC:

1) Take the steps needed to include Category 3 sources in the National Source Tracking System and add Agreement State Category 3 licenses to the Web-Based Licensing System as quickly as reasonably possible.

2) At least until such time as Category 3 licenses can be verified using the License Verification System, require that transferors of Category 3 quantities of radioactive materials confirm the validity of a would-be purchasers radioactive material license with the appropriate regulatory authority before transferring any Category 3 quantities of licensed material.

In early 2016, the NRC formed a working group, the License Verification and Transfer of Category 3 Sources Working Group (LVWG), to evaluate license verification and transfer requirements for Category 3 sources. The LVWG evaluated the inclusion of Category 3 licenses in the NRCs Web-Based Licensing System and the methods available for verifying the legitimacy of licenses prior to the transfer of material. The working group also evaluated the inclusion of Category 3 sources in the National Source Tracking System (NSTS) for the specific purpose of preventing licensees from aggregating Category 3 sources into Category 2 or higher quantities of radioactive material. The LVWG made recommendations to enhance the existing processes for license verification and source tracking beyond Category 1 and Category 2 thresholds. These recommendations were provided to the Commission as part of the staffs reevaluation of Category 3 sources as outlined below.

On October 18, 2016, the Commission issued the Staff Requirements Memorandum (SRM) for COMJMB-16-0001, Proposed Staff Re-Evaluation of Category 3 Source Accountability, that directed the NRC staff to re-evaluate Category 3 source accountability given the agencys operating experience with higher-risk sources and in response to findings made by GAO. In the SRM, the Commission directed the staff to assess the risks posed by the aggregation of Category 3 sources into Category 2 quantities as part of this effort.

The Category 3 Source Security and Accountability Working Group was formed to: 1) evaluate the merits of different methods for verifying the validity of a license before a Category 3 source is transferred; 2) evaluate the merits of including Category 3 sources in the NSTS; 3) assess additional options for addressing GAO source accountability recommendations; 4) identify changes in the threat environment since 2009 and determine whether those changes support adding Category 3 sources to the NSTS; 5) assess the risks posed when a licensee possesses enough Category 3 sources to require the higher level protections required for Category 2 quantities; and 6) collaborate with Agreement States, non-Agreement States, licensees, public Enclosure

interest groups, and industry groups to fully assess the potential impact of any recommendations made by the working group. The working group also considered recommendations made by the LVWG and informed its evaluation with the results of the NRC staffs 2016 review of the effectiveness of Title 10 of the Code of Federal Regulations Part 37, Physical Protection of Category 1 and Category 2 Quantities of Radioactive Material.

The staff submitted a vote paper that provided the results of this evaluation and recommended options to the Commission in August 2017 (SECY-17-0083, Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001"). This paper also included the LVWGs evaluation and recommendations regarding verification of licenses for Category 3 quantities of radioactive material. The Commission is currently considering the staffs analysis and recommendations.

The NRC continues to work with Agreement States that have expressed interest in utilizing Web-Based Licensing (WBL) as a licensing system, beyond the current use of that system for all licensees that possess Category 1 and 2 sources. Multiple Agreement States are using WBL currently, and multiple other Agreement States are in the process to do so.

In the report GAO-19-468, Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, GAO recommended that the NRC:

1) Consider socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in a radiological dispersal device (RDD).

2) Require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

The NRC staff disagrees with GAOs recommendation regarding evacuation effects and maintains that the current regulatory requirements provide for the safe and secure use of radioactive materials, regardless of category. The NRC has encouraged GAO to consider the conclusions of the Radiation Source Protection and Security Task Force (Task Force), which is comprised of independent experts from 14 Federal agencies and one State organization and whose reports represent the coordinated Federal consensus on source security in the United States. The Task Force has determined both the radionuclides and activity thresholds appropriate for enhanced security and has concluded that current measures for the security and control of radioactive sources are appropriately protective of risk-significant quantities of radioactive material . . .. 1 Further, the Task Force found that there are no significant gaps in the area of radioactive source protection and security that are not already being addressed. . .. 2 GAO also considered postulated fatalities that could occur during evacuations in response to the use of an RDD as part of its basis for recommending increased security measures for radioactive materials. The NRC will continue to participate in the wider ongoing efforts in the United States both to educate the public on appropriate responses to emergency situations and 1 U.S. Nuclear Regulatory Commission. The 2018 Radiation Source Protection and Security Task Force Report, January 31, 2019, Agencywide Documents Access and Management System (ADAMS)

ML18276A155, page i.

2 ibid page 1.

to maintain capabilities to mitigate adverse consequences of the misuse of radioactive materials.

With regard to security measures for quantities of category 3 radioactive materials, the NRC is considering actions relevant to this recommendation in connection with the agencys response to GAO-16-330 and the Commissions direction on COMJMB-16-0001. Potential options in response to these efforts are described in the NRC staffs policy paper, SECY-17-0083, which is currently before the Commission for its consideration.

2. Improving the Reliability of Cost Estimates In the report GAO-15-98, Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices, GAO stated that the NRC should align its cost-estimating procedures with relevant best practices identified in the GAO Cost Estimating and Assessment Guide.

The NRC is updating its cost-benefit guidance to incorporate cost-estimating best practices, including the treatment of uncertainty, to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will consolidate guidance documents, incorporate recommendations from the GAO report on the NRCs cost-estimating practices, incorporate cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in SRM-SECY 0087, Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses.

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the NRC staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the updated Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, which the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft final NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, Draft Final NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission).

Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and reference it on the NRCs public website.

3. Improving Strategic Human Capital Management In the report GAO-17-233, Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices, GAO recommended that the NRC set agencywide goals, which could be ranges, for overall workforce size and skills composition that extend beyond the 2-year budget cycle.

In 2017, the NRCs Executive Director for Operations initiated a three-office pilot project of an enhanced Strategic Workforce Planning (SWP) process for the NRC that better integrates workload projections over a five-year period, skills identification, human capital management, individual development, and workforce management activities. Two headquarters offices and one regional office participated in the pilot project, which concluded in June 2018. A lessons-

learned report found that the enhanced SWP process provided a sound, repeatable process that was used to prepare a projection for staff of the anticipated type and amount of work in the pilot organizations. The NRC SWP implementation team thereafter made recommendations for adjusting the process and expanding implementation to additional offices and regions.

In 2019, the agency implemented Phase II of the SWP that expanded the process to cover 11 offices, including all four regions, the Office of Nuclear Reactor Regulation, the Office of New Reactors, the Office of Nuclear Material Safety and Safeguards, the Office of Nuclear Regulatory Research, the Office of Nuclear Security and Incident Response, the Office of the Chief Financial Officer (OCFO), and the Office of the Chief Information Officer. These offices represented approximately 79 percent of the agencys workforce. Phase II, now successfully completed, demonstrated that the enhanced SWP process will support agency efforts to better forecast the amount and type of work now and in the future, and the workforce needed to perform this work.

The NRC conducted the phased implementation of the enhanced SWP process, and the process has now become part of the agencys standard operating procedures. Implementation for the fiscal year (FY) will begin each September and includes all offices that report to the Office of the Executive Director for Operations and three offices that report to the Commission (OCFO, the Office of the General Counsel, and the Office of the Secretary).

4. Ensuring the Cybersecurity of the Nation In GAO-19-384, Cybersecurity: Agencies Need to Fully Establish Risk Management Programs and Address Challenges, GAO recommended that the NRC develop a cybersecurity risk management strategy that includes the key elements identified in the report.

The NRC has developed a cybersecurity risk management strategy that includes and addresses the majority of the key elements identified in the GAO report including the following:

assigning appropriate (cybersecurity) roles, developing an agencywide risk assessment, identifying common controls, maintaining a control monitoring strategy, maintaining system level risk assessments, conducting and maintaining risk determinations for system operations, and conducting risk assessments for control monitoring and plan of action and milestones.

The NRC acknowledges that it has not addressed all the key elements identified by GAO.

Agency policies and procedures currently do not address cybersecurity in agencywide risk assessment and utilizing risk assessment for Plan of Action and Milestone prioritization. The agency is assessing each finding and is updating agency policy, as appropriate, based on the analysis to incorporate the cybersecurity risk management approach into the agency enterprise risk management program. The NRC plans to complete implementation of this recommendation by the end of FY 2020.