Text

1 THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND ITS CONTENTS SHOULD NOT BE INTERPRETED AS OFFICIAL AGENCY POSITIONS.

THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILL CONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS SUCH AS NUMERICAL VALUES FOR VARIOUS CRITERIA.

STAFF DISCUSSION OF SUBPART F (Operations) - PRELIMINARY RULE LANGUAGE (June 2021)

Preliminary Language Discussion SUBPART F - REQUIREMENTS FOR OPERATIONS

§ 53.830 - Security Program (a) Physical Protection Program. Each licensee under this part must establish, maintain, and implement a physical protection program meeting the following requirements:

(1) The licensee must implement security requirements for the protection of special nuclear material based on the form, enrichment, and quantity in accordance with 10 CFR part 73, as applicable, and implement security requirements for the protection of Category 1 and Category 2 quantities of radioactive material in accordance with 10 CFR part 37, as applicable; and (2) The licensee must meet the provisions set forth in either 10 CFR 73.55 or 73.100, unless the licensee meets the following criterion.

(i) The radiological consequences from a hypothetical, unmitigated event involving the loss of engineered systems for decay heat removal and possible breaches in physical structures surrounding the reactor, spent fuel, and other inventories of radioactive materials result in offsite doses below the values in § 53.210(b)(1) and (2) of this chapter.

Operations Security section The proposal for Part 53 will build on the consequence-based approach developed for the limited-scope rulemaking on physical security requirements for advanced nuclear reactors (NRC-2017-0227) by applying a performance-based, graded approach to a range of security areas, including physical security, cyber security, information security, transportation security, fitness for duty, and access authorization.

The phrase hypothetical, unmitigated event is taken from the limited-scope rulemaking and refers to, generally, an adversary attack within the design basis threat (DBT).

If an applicant can demonstrate that potential consequences resulting from a DBT attack would not lead to offsite radiation hazards that would endanger public health and safety (i.e., the resulting consequence is below the first tier safety criteria

2 (ii) The licensee must perform a site-specific analysis to demonstrate that the criterion in § 53.830(a)(2)(i) is met. The licensee must maintain the analysis [consistent with the requirements for maintaining licensing basis information in Subpart I, currently under development] until the permanent cessation of operations under § 53.XXX.

defined in § 53.210(b)) then the DBT of radiological sabotage would not be applicable.

The criterion aligns with the values used in the first-tier safety criteria for unplanned events in Subpart B of the preliminary proposed rule language for Part 53.

Where the criterion is met, the resulting physical protection requirements will be those for protection of material SNM Cat III and Cat II (SSNM Cat I, if applicable) and Cat 1 and Cat 2 material.

For those not able to meet the criterion, the rule text proposed will permit the applicant/licensee to choose one of two paths to provide physical protection. One is the current set of requirements in 10 CFR 73.55, which would include the ongoing limited scope rulemaking that provides pre-determined alternatives.

The other is the performance-based preliminary proposed new rule (10 CFR 73.100) in the Part 53 rulemaking, if approved by the Commission.

(b) Fitness for Duty. Each licensee under this part must establish, maintain, and implement a fitness for duty (FFD) program that meets the requirements in 10 CFR part 26.

Consistent with the approach followed for advanced reactors physical security, the advanced reactor fitness for duty program will be implemented via applicable sections in 10 CFR Part 26.

(c) Access Authorization. Each licensee under this part must establish, maintain, and implement an Access Authorization program that meets the requirements in 10 CFR 73.120 if the criterion in

§ 53.830(a)(2)(1) is met, or § 73.56, if the criterion is not met.

(d) Cyber Security. Each licensee under this part must establish, maintain, and implement a cyber security program that meets the requirements in 10 CFR 73.110.

Consistent with the approach followed for advanced reactors physical security, the advanced reactor cyber security requirements will be proposed in a new 10 CFR Part 73 section as part of the Part 53 rulemaking.

(e) Information Security. Each licensee under this part must establish, maintain, and implement an information protection system that meets the requirements of 10 CFR 73.21, 73.22, and 73.23, as Information concerning the detailed security measures for protection of fixed site facilities and materials in transit requires appropriate controls to

3 applicable.

ensure that information is not disseminated in an unauthorized manner.

Conforming changes would be inserted into §§ 73.21, 73.22, or 73.23, as applicable.