ML21210A145

NRC-2019-000317 - Resp 1 - Interim, Agency Records Subject to the Request Are Enclosed
Issue date: 07/26/2021
From: NRC/OCIO
To:
Shared Package: ML21210A143
References: FOIA, NRC-2019-000317


Text

From: w....fm
To: Cubellis Louis
Subject: Re: Recommendations RE: Sandia Draft Outline for VA Tool NUREG
Date: Thursday, February 21, 2019 12:05:20 PM

Thanks. I will put together what you provided and my comments. I have not had a chance to look at it yet.

From: Cubellis, Louis
Sent: Thursday, February 21, 2019 7:41 AM
To: Lee, Pete
Subject: Recommendations RE: Sandia Draft Outline for VA Tool NUREG

Good morning, Pete,

I had a couple of hours this morning to review and comment on Sandia's draft outline for the NUREG. The outline includes widely accepted VA methodologies and considerations, and the sections appeared to me to correspond to the task order requirements. For example, requirement "a" is Section 1.3, requirement "b" is Section 2, requirement "c" is Section 3, etc. It seems like Sandia has begun pulling together information for all of the tasks, except for "j"; there's just a placeholder consisting of highlighted text from the task order in Section 10.

Per your request, I recommend you consider including the following points before you provide feedback to NRO and Sandia. I put the task order requirements in brackets at the end of each comment.

  • Section 1.3: Add as references [task a]:

    o June 2018 NNSA Supplemental Directive 470.4-2
    o January 2018 DoE validation and verification report for AVERT
    o December 2011 DoD validation and verification report for AVERT

  • Sections 7 and 10: Add information on using visual depictions of response force fields of fire (aka heat maps) to help validate the tools' pathway analysis results.

For example, I was able to detect a programming limitation in one VA tool by reviewing heat maps generated by the tool and then comparing the pathway analysis results to the vulnerabilities I identified in the maps. When none of the 1,000 computer-generated paths corresponded to a route the heat map indicated had nearly a 90% adversary success rate, I was able to ask why. I consulted the lead programmer for the company that produced the tool. He was able to take what I discovered, do some research, and then tell me that except for avoid detection, the tool did not consider facility access levels for adversary path strategies. This can cause the tool to make adversaries enter detection zones sooner or remain there longer than expected, which can prevent the adversaries from exploiting the most vulnerable pathways (MVPs) or give guard forces significantly longer periods to interrupt them en route to the MVPs. In the 1,000 runs we ran for the demo, the adversaries immediately entered detection zones outside the protected area and then tried to walk as many as 200 meters along the outer edge of the detection zone before breaching the protected area fence. This resulted in the guard force having the maximum interdiction time possible and none of the adversaries made it to the start of the MVPs. [g]

  • Sections 5, 8, and 10: In addition to pathway analyses, it seems like it would be helpful for a VA analyst to know that workarounds may also be necessary to ameliorate unrealistic response force or adversary capabilities provided by a VA tool (e.g., all-knowing response force, perfect response force communication at all times, lack of adversary coordination, etc.). For example, some tools give response force members 360-degree hearing and eyesight to infinite distances. One way to counteract that would be to put relevant response force members into 'closets', and then use a 'respond to' or similar command to cause the members to exit the closets after someone or something else detects the adversary. [d, e, f, h, i, j]
  • Section 8: The NUREG should include some guidance for the VA analyst to determine how a VA tool's combat simulations are calculated. I'm aware of one tool that uses a ratio of the size of a firing port to a human body to calculate the number of rounds that would pass through the port in an engagement, and that ratio remains constant regardless of the type of weapon engaging the port (i.e., precision-engagement weapon vs standard assault weapon). For example, consider an adversary who fires 20 shots from a sniper rifle with a 50% hit probability and 25% kill probability at the given range at a response force member who is inside a firing port that is one-tenth the size of a standing human. AVERT would say two of those shots (i.e., .10 x 20) would get through the port. Each of those two rounds would have a 50% chance of hitting, and a 25% chance of killing, the response force member. Hit and kill probabilities would not be applied to the other 18 rounds (i.e., no chance of hitting or killing the guard). Such a process seems skewed to benefit the response force and may overestimate the probability of neutralization, and by extension, system effectiveness. [h]

Respectfully,
Lou

From: Lee, Pete
Sent: Thursday, February 07, 2019 7:07 AM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: Fw: [WARNING: MESSAGE ENCRYPTED](OUO Attachment) Password protected draft outline

When you get a chance over the next two weeks, could you take a look at the attached and provide some feedback on (1) whether there is additional topical area that should be included; (2) for what has been identified, topics that should be included or expanded; and (3) any suggestions such that it would be a useful generic guidance for applying tool for analyzing systems to informed risk decision making.

I have not had a chance to look through it yet, but above is the feedback that I like to provide.

For right now, this project is you and I to keep it on track. We will solicit other for input for the deliverable further down the road. My reason is not to go off track and the waste of time and resources to address inputs based on a false sense or assumed working knowledge and understanding of what is a physical protection system, a system approach to analysis or assessment, and basic modeling approaches, principles, and their limitations.

Pete

From: Snell, Mark K <mksnell@sandia.gov>
Sent: Monday, February 4, 2019 3:39 PM
To: Lee, Pete; Tartal, George
Cc: Whalen, Ryan T; Dennis, Matthew L; Parks, Mancel Jordan
Subject: [External_Sender] [WARNING: MESSAGE ENCRYPTED](OUO Attachment) Password protected draft outline

Official Use Only Exemption 7 - Law Enforcement
Attachment contains OUO

Peter and George,

Here is a password-protected version of the draft outline of the NUREG technical report concerning guidance on VA ModSim for your consideration. If you have any questions or comments please let me know.

The password will follow shortly.

Thanks,
Mark

Note to requester: The attachment is immediately following this email record.

From: w....fm
To: Cubellis Louis
Subject: RE: Recommendations RE: Sandia Draft Outline for VA Tool NUREG
Date: Wednesday, February 27, 2019 10:19:39 AM
Attachments: NSIR - Review Comments LTD#4 Deliverable Submitted on 2-2-2019.docx
image001.png

Lou

Take a look at the attached. I believe I captured what you provided below in the table for feedback SNL.

I will not ask responding to them, as we will see in the next deliverable how they address these suggestion.

Go ahead and mark it up.

Thanks.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Cubellis, Louis
Sent: Thursday, February 21, 2019 7:42 AM
To: Lee, Pete <Pete.Lee@nrc.gov>
Subject: Recommendations RE: Sandia Draft Outline for VA Tool NUREG

Good morning, Pete,

I had a couple of hours this morning to review and comment on Sandia's draft outline for the NUREG. The outline includes widely accepted VA methodologies and considerations, and the sections appeared to me to correspond to the task order requirements. For example, requirement "a" is Section 1.3, requirement "b" is Section 2, requirement "c" is Section 3, etc. It seems like Sandia has begun pulling together information for all of the tasks, except for "j"; there's just a placeholder consisting of highlighted text from the task order in Section 10.

Per your request, I recommend you consider including the following points before you provide feedback to NRO and Sandia. I put the task order requirements in brackets at the end of each comment.

  • Section 1.3: Add as references [task a]:

    o June 2018 NNSA Supplemental Directive 470.4-2
    o January 2018 DoE validation and verification report for AVERT
    o December 2011 DoD validation and verification report for AVERT

  • Sections 7 and 10: Add information on using visual depictions of response force fields of fire (aka heat maps) to help validate the tools' pathway analysis results.

For example, I was able to detect a programming limitation in one VA tool by reviewing heat maps generated by the tool and then comparing the pathway analysis results to the vulnerabilities I identified in the maps. When none of the 1,000 computer-generated paths corresponded to a route the heat map indicated had nearly a 90% adversary success rate, I was able to ask why. I consulted the lead programmer for the company that produced the tool. He was able to take what I discovered, do some research, and then tell me that except for avoid detection, the tool did not consider facility access levels for adversary path strategies. This can cause the tool to make adversaries enter detection zones sooner or remain there longer than expected, which can prevent the adversaries from exploiting the most vulnerable pathways (MVPs) or give guard forces significantly longer periods to interrupt them en route to the MVPs. In the 1,000 runs we ran for the demo, the adversaries immediately entered detection zones outside the protected area and then tried to walk as many as 200 meters along the outer edge of the detection zone before breaching the protected area fence. This resulted in the guard force having the maximum interdiction time possible and none of the adversaries made it to the start of the MVPs. [g]

  • Sections 5, 8, and 10: In addition to pathway analyses, it seems like it would be helpful for a VA analyst to know that workarounds may also be necessary to ameliorate unrealistic response force or adversary capabilities provided by a VA tool (e.g., all-knowing response force, perfect response force communication at all times, lack of adversary coordination, etc.). For example, some tools give response force members 360-degree hearing and eyesight to infinite distances. One way to counteract that would be to put relevant response force members into 'closets', and then use a 'respond to' or similar command to cause the members to exit the closets after someone or something else detects the adversary. [d, e, f, h, i, j]
  • Section 8: The NUREG should include some guidance for the VA analyst to determine how a VA tool's combat simulations are calculated. I'm aware of one tool that uses a ratio of the size of a firing port to a human body to calculate the number of rounds that would pass through the port in an engagement, and that ratio remains constant regardless of the type of weapon engaging the port (i.e., precision-engagement weapon vs standard assault weapon). For example, consider an adversary who fires 20 shots from a sniper rifle with a 50% hit probability and 25% kill probability at the given range at a response force member who is inside a firing port that is one-tenth the size of a standing human. AVERT would say two of those shots (i.e., .10 x 20) would get through the port. Each of those two rounds would have a 50% chance of hitting, and a 25% chance of killing, the response force member. Hit and kill probabilities would not be applied to the other 18 rounds (i.e., no chance of hitting or killing the guard). Such a process seems skewed to benefit the response force and may overestimate the probability of neutralization, and by extension, system effectiveness. [h]

Respectfully,
Lou

From: Lee, Pete
Sent: Thursday, February 07, 2019 7:07 AM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: Fw: [WARNING: MESSAGE ENCRYPTED](OUO Attachment) Password protected draft outline

When you get a chance over the next two weeks, could you take a look at the attached and provide some feedback on (1) whether there is additional topical area that should be included; (2) for what has been identified, topics that should be included or expanded; and (3) any suggestions such that it would be a useful generic guidance for applying tool for analyzing systems to informed risk decision making.

I have not had a chance to look through it yet, but above is the feedback that I like to provide.

For right now, this project is you and I to keep it on track. We will solicit other for input for the deliverable further down the road. My reason is not to go off track and the waste of time and resources to address inputs based on a false sense or assumed working knowledge and understanding of what is a physical protection system, a system approach to analysis or assessment, and basic modeling approaches, principles, and their limitations.

Pete

From: Snell, Mark K <mksnell@sandia.gov>
Sent: Monday, February 4, 2019 3:39 PM
To: Lee, Pete; Tartal, George
Cc: Whalen, Ryan T; Dennis, Matthew L; Parks, Mancel Jordan
Subject: [External_Sender] [WARNING: MESSAGE ENCRYPTED](OUO Attachment) Password protected draft outline

Official Use Only Exemption 7 - Law Enforcement
Attachment contains OUO

Peter and George,

Here is a password-protected version of the draft outline of the NUREG technical report concerning guidance on VA ModSim for your consideration. If you have any questions or comments please let me know.

The password will follow shortly.

Thanks,
Mark

NSIR/DPCP/RSB Comments
Guidance on Applications of Vulnerability Assessment Models For Assessing the Effectiveness of a Physical Protection System
NRCHQ2514D005-NRCHQ2517T004 Tasks 3a and 3b Deliverables
Date: February, 2019

No. 1
Source: NSIR/DPCP/RSB (Plee)
Section: Acronyms and Units of Measure (Pages 11-12)
Comment: Use appropriate generic terms to describe the organizations or persons that provides specific functions or information that may be important in the guidance. To the extent possible avoid references and acronyms (e.g., Office of Radiological Security, Radiation Safety Officer, etc.) that are specific to an organization or a person that are unique or specific to the DOE or NRC.

Basis: Guidance is intended to be generic and should, to the extent possible, avoid to the use of specific terms or acronyms unique to the DOE, NRC, and/or other federal agencies.

No. 2
Source: NSIR/DPCP/RSB (Plee)
Section: Section 1.3 (Pages 14-15)
Comment: Include references that would assist users' basic understanding of quantification or the numerical methods (e.g., Monte Carlo or others) and their application in VA tools for modeling and simulations.

Guidance should provide understanding of strength, weaknesses, and limitations of numerical methods and underlying techniques that may be applied in the VA tool to determine and solve for probabilities and/or system effectiveness.

Basis: User or modelers should have a basic reference on the Monte Carlo methods or other stochastic methods for the numerical technique applied in the VA tools and appropriate understanding of their application and limitations.

No. 3
Source: NSIR/DPCP/RSB (LCubellis)
Section: Section 1.3 (Pages 14-15)
Comment: Review of existing guidance should include the DOE NNSA Supplemental Directive 470.4-2, "Enterprise Safeguards and Security Planning and Analysis Program," and "Implementation Instruction 470.4-2," dated June 23, 2018 for developing guidance with respect to the use of VA model and simulations. Information and insights that are relevant to the criteria of "helpful in addressing the use of VA model and simulations for physical protection purpose," should be considered for guidance.

No. 4
Source: NSIR/DPCP/RSB (LCubellis)
Section: Section 1.3 (Page 14-15)
Comment: (a) Review DOE's "Validation and Verification Report for AVERT," January 2018 and Defense Threat Reduction Agency, "Automated Vulnerability Evaluation for the Risk of Terrorism (AVERT) Software Version 5.1.2, Accreditation Report," December 2011 with respect to providing guidance the "dos and don'ts" on VA tool for modeling and simulations for quantifying PPS effectiveness and their use, including the strengths and weaknesses that may be inherent to the how VA tool are built to perform modeling and simulation.

(b) Provide guidance on appropriate verification and validation (V&V) process to ensure that model and simulations are correct and reliable (i.e., credibility of results). Guidance should identify V&V challenges and how they may be appropriately addressed, including how VA tools may be accredited.

Special Note: On the basis that guidance being developed is generic and not guidance on the use of a specific VA tool, the information that is helpful should be captured generically and specific references to the reports of a specific VA tool should not be captured either Section 1.3 and as References.

Basis: Insights from these evaluations of an existing VA tool for modeling simulation should be captured generically as guidance for users' dos and don'ts and strengths and weaknesses that may be encountered of VA tools.

No. 5
Source: NSIR/DPCP/RSB (Plee)
Section: Section 2.ii (Page 15)
Comment: Ensure that the guidance in this section address the accuracies, interpretations, and limitations of data collected from performance tests, limited drills and exercises, including simulated force-on-force, with respect to application reasonable insights that considers human factors and behaviors (i.e., uncertainties) under extreme stress situations such as combat, which solicits physiological and psychological responses that are not simulated.

Basis: Specific guidance on the insights of realistic and limitations of data collected from performance testing (e.g., limited scope drills and exercises and force-on-force exercises) will ensure the realism of modeling and simulation of individuals (responders and adversary) performance under fire (i.e., combat). How VA tool capture reasonable simulations and interpretation of results characterizing the uncertainties of human performance under fire is of significance to the results on reliability and availability of interdiction/neutralization functions.

No. 6
Source: NSIR/DPCP/RSB (Plee)
Section: Section 4.iv (Page 17)
Comment: Ensure guidance address the subject of communications and how model and simulation should accurately capture planned and performance of the security communication capabilities of the PPS.

Basis: Communications is a key and critical element in the assessment and the command and control of security response in the sequences of events to achieve interdiction/neutralization functions. The accuracy and realism of modeling and simulation need to address the capabilities of security specific and plant systems relied on for communications for reasonable realistic outcomes.

No. 7
Source: NSIR/DPCP/RSB (Plee)
Section: Section 4.iv(a) (Page 17)
Comment: Ensure guidance include in-depth guidance on how to appropriately determine pathways and "pathway analysis" and how models and simulation should determine pathways based on the PPS design and the DBT characteristics. Include guidance on how modeling and simulation should sufficiently address all pathways, including those pathways with large delay time - greater tasks completion time or greater field of fire other PPS features. Provide guidance on modeling and simulation and user should determine and assess the likelihood of adversary's selection of pathway or pathways (speed, cover/concealment, avoid detection, etc.).

Basis: In-depth guidance on the subject of pathways will permit users to understand how the modeling and simulations should determine and selections of pathways and how the pathways contribute or impact determining the probabilities of neutralization and its contribution to the resulting overall PPS effectiveness.

No. 8
Source: NSIR/DPCP/RSB (Plee)
Section: Section 4.iv(e) (Page 17)
Comment: Ensure guidance address specifics for determining appropriate and collecting data for performance testing that are reasonably realistic response capabilities and standards. Specifically include guidance on considerations of human factors and behaviors for person or persons under fire.

Basis: Performance tests has limitations that must be accounted in modeling and simulation. Specific guidance on insights of realistic and limitations of data collected from performance testing will ensure the realism of performance under fire and reasonable interpretation of results to capture uncertainties of human performance under fire.

No. 9
Source: NSIR/DPCP/RSB (Plee)
Section: Section 5.ii (Page 18)
Comment: Ensure the guidance include how to establish the minimum and acceptable value(s) for system effectiveness (PE). Include discussion of what values means, specific to upper bound or lower bounds that would not be acceptable, one that would be unrealistic of modeling and simulation results and other unacceptable performance, respectively.

Basis: Guidance to users should understand what range of value are for PE that would be reasonably acceptable for the PPS effectiveness and values that may not acceptable or suspect of modeling and simulations. For example, why is PE = 1 is a mathematically improbable based on the effectiveness of each elements and sequences of events for a PPS and would not be reasonable value or why a PE = 0.5 may not a reasonable standard value for effective of a PPS for meeting the criteria of reasonable assurance.

No. 10
Source: NSIR/DPCP/RSB (Plee)
Section: Section 5.ii (Page 18)
Comment: Ensure guidance include specifics on the distinctions between and the use and application of "performance testing" and "Force on Force exercises," in conjunction with modeling and simulation for determining PE.

Basis: The applications and limitations of performance tests and Force-on-Force exercises should be understood by the users and how they are used in and valid portions or parts of the modeling and simulation results.

No. 11
Source: NSIR/DPCP/RSB (Plee)
Section: Section 5.ii (Page 18)
Comment: Ensure guidance provide discussions on the applications and limitations on "use of multiple M&S tools that analyze and utilize mass amounts of human performance testing that should provide a better PE as it relates to response capabilities." Include guidance on how users should address differing results from using multiple tools.

Basis: Guidance on the using multiple modeling and simulation tools, including "probability of neutralization calculations" (Section 4.iv(a)), should be provided to users on how to assess tools available, compare, and interpret varying PE for the effectiveness.

No. 12
Source: NSIR/DPCP/RSB (Plee)
Section: Section 5.iv (Page 19)
Comment: Ensure guidance address the advantages and advantages for using various VA tools (qualitative, quantitative, or a combinations) available to assess physical security functions and system effectiveness.

Basis: Guidance should provide users the pros and cons of particular type of VA tools or assessment methods, TTX, human-in-the loop combat computer simulation, and batch code simulations, indicated in this section.

No. 13
Source: NSIR/DPCP/RSB (Plee)
Section: Section 5.iv(a) (Page 19)
Comment: Ensure this section include guidance the minimum considerations for conducting quality TTX. In addition, include in this or subsequent section (i.e., Section 10) of the guidance, the specifics considerations of subject matter experts (e.g., knowledge, skills, and abilities) that would be necessary and sufficient for using and implementing TTX as VA tool for assessing the effectiveness of a PPS.

Basis: Guidance should allow user to understand baseline or minimum considerations or reasonable criteria on how a quality TTX may be conducted to assess vulnerabilities and capabilities of elements of a PPS. Guidance on the subject matter expertise needed and necessary is critical for applying TTX as a method of qualitatively assess a PPS and ensure that quality implemented TTX results would be consistent or comparable to results from quantified PPS effectiveness.

No. 14
Source: NSIR/DPCP/RSB (LCubellis)
Section: Sections 5, 8, & 10 (Pages 18-20, Pages 22-23, and Page 24)
Comment: Ensure guidance for user, VA analyst, describe how to identify and how to address potential unrealistic default inputs and/or conditional values (e.g., all-knowing response force, perfect response force communication at all times, lack of adversary coordination, etc.). Provide guidance of what may appropriate to recalibrate, workaround, or other measures that may be necessary to ameliorate unrealistic response force or adversary capabilities programmed or default conditions of a VA tool.

Basis: Some VA tools give response force members 360-degree hearing and eyesight to infinite distances. Guidance for such programmed logic or default values maybe to isolate or delay relevant response force members (e.g., put them into 'closets', and then use a 'respond to' or similar command to cause the members to exit the closets) until after someone or IDS detects the adversary.

No. 15
Source: NSIR/DPCP/RSB (Plee)
Section: Section 7 (Page 22)
Comment: Ensure that guidance in this section, on "pathway analysis," include how modeling and simulation tool capture pathway analysis. Guidance should address "should" and "should not" for modeling and simulation of pathways and how key elements of the PPS are quantified and/or qualified in a modeling and simulation tool.

Basis: In addition to describing the details on the concept of "pathway analysis" that is needed to assess a PPS, the guidance should include how it is captured or should be captured in modeling and simulation tools.

No. 16
Source: NSIR/DPCP/RSB (LCubellis)
Section: Sections 7 and 10 (Pages 21-22 and Page 24)
Comment: Ensure guidance in Sections 7 and 10 address the use of visual depictions of response force fields of fire (i.e., heat maps) in validating of VA tools' pathway analysis results, to verify, evaluate, and identify potential programming limitations of pathway analysis results to vulnerabilities shown on heat maps.

Basis: A user is able to detect a programming limitation in a VA tool by reviewing heat maps generated by the tool and then comparing the pathway analysis results to the visually identified vulnerabilities (e.g., lack of coverage or gaps, minimum overlapping field of fire, blocked line of sights, etc.) on the maps. For example, when none of a VA tool's 1,000 computer-generated paths corresponded to a route the heat map indicated had nearly a 90% adversary success rate, a user would ask and investigate the results of reasonable and realistic representation of pathways.

Programming logic, with exception of condition for avoiding detection, did not consider facility access levels for adversary path strategies, which caused adversaries enter detection zones sooner or remain there longer than expected. The resulting programming logic can prevent the adversaries from exploiting the most vulnerable pathways (MVPs) or give guard forces significantly longer periods to interrupt them in the route to the MVPs. It was determined that in the 1,000 runs, the adversaries immediately entered detection zones outside the protected area and then tried to walk as many as 200 meters along the outer edge of the detection zone before breaching the protected area fence. This resulted in the guard force having the maximum interdiction time possible and none of the adversaries made it to the start of the MVPs.

No. 17
Source: NSIR/DPCP/RSB (LCubellis)
Section: Section 8 (Page 22-23)
Comment: Ensure guidance include how users, VA analyst, would determine that a VA tool's combat simulations is reasonable and realistic (i.e., appropriate determined or calculated). Include in the guidance how they should not be determined or calculated, and how to identify unreasonable and unrealistic program or default conditions.

Basis: Some VA tool uses a ratio of the size of a firing port to a human body to calculate the number of rounds that would pass through the port in an engagement, and that ratio remains constant regardless of the type of weapon engaging the port (i.e., precision-engagement weapon vs standard assault weapon). For example, consider an adversary who fires 20 shots from a sniper rifle with a 50% hit probability and 25% kill probability at the given range at a response force member who is inside a firing port that is one-tenth the size of a standing human. A VA tool may be programmed or uses a default condition such that two of those shots (i.e., .10 x 20) would get through the port. Each of those two rounds would have a 50% chance of hitting, and a 25% chance of killing, the response force member. The probabilities for hit and kill would not be applied to the other 18 rounds (i.e., no chance of hitting or killing the guard). Such a process seems skewed to benefit the response force and may overestimate the PN, and by extension overestimate the PPS effectiveness.

No. 18
Source: NSIR/DPCP/RSB (Plee)
Section: Section 8.v (Page 22)
Comment: Ensure descriptions and discussions of statistical methods is sufficiently in depth to provide the users understanding to adequately and reasonably apply and interpret results of system effectiveness from a modeling and simulation tool. The guidance should include the appropriate characterization of statistical significance of limited drills and exercises, performance tests, which may be relied on for performance insights and validation of results.

Basis: The statistical methods, including sufficient sampling, applied to appropriate interpretations of modeling and simulation results for the PN to ensure reasonable characterization of the uncertainties of security response and the resulting overall PPS effectiveness.

No. 19
Source: NSIR/DPCP/RSB (Plee)
Section: Section 10 (Page 24)
Comment: Provide guidance addressing minimum specific knowledge, skills, and abilities (KSA) needed and necessary for individuals from developer to end users, and in between, for quality and adequate application of various VA tools. The minimum training and qualification for individuals should address the application of qualitative assessment (i.e., TTX) and quantitative assessment (modeling and simulations). Guidance should also include the KSA for individuals performing quality assurance, validation and verification, and auditing.

Basis: Appropriate basic KSA of various individuals provide assurance of the quality from developer to end user of VA tools for their intended purpose and assurance of reasonably realistic assessment of PPS effectiveness and identifying vulnerabilities or weaknesses.

No. 20
Source: NSIR/DPCP/RSB (Plee)
Section: References (Page 25)
Comment: Ensure references identified in Section 1.3 are captured in the list of references.

Note to requester: This version of the email record was provided to the NRC FOIA staff, with only the header on final email on the next page.

From: w...fm
To: Cubellis Louis
Subject: Re: Comments - Draft Outline and Content for Guidance on Application of VA - NRCHQ2514D005-NRCHQ2517T004
Date: Monday, March 04, 2019 7:21:09 AM
Attachments: image001.png

Great. I will let them know.

I just talk to Rocky, fill him in on discussions I had with management last Friday.

Pete

From: Cubellis, Louis
Sent: Monday, March 4, 2019 7:14 AM
To: Lee, Pete
Subject: Re: Comments - Draft Outline and Content for Guidance on Application of VA - NRCHQ2514D005-NRCHQ2517T004

Good morning, Pete. I reviewed the information you provided to SNL and NRO, and it accurately captures my comments.

Louis J. Cubellis, Jr
U.S. Nuclear Regulatory Commission
Office of Nuclear Security and Incident Response
Phone: (301) 287-3670
E-mail: Louis.Cubellis@nrc.gov

From: Lee, Pete
Sent: Friday, March 1, 2019 9:06 AM
To: Parks, Mancel Jordan; Dennis, Matthew L
Cc: Whalen, Ryan T; Tartal, George; Snell, Mark K; Vechioli Feliciano, Lucieann; Cubellis, Louis
Subject: Comments - Draft Outline and Content for Guidance on Application of VA - NRCHQ2514D005-NRCHQ2517T004

Jordan/Matt:

Attached is the subject. It's being peer reviewed Lou Cubellis of my branch that has extensive knowledge on the subject and physical security and combat, and also attended the recent DOE NTC training on VA.

I requested him to verify that I captured his input adequately and peer review my comments/suggestion.

Any additions or changes will be forwarded to you once that is complete.

There is no need to provide responses to the comments, as they are reminder in nature for what I believe are planned for populating the content outlined.

We will review the next deliverable on how they are addressed. Please give me a call if you need to touch based on the comments/suggestions.

Based on the outline and content, I believe you are on the way to meeting our expectation for a guidance that will be useful to a wide audience, accordance with the milestones in LTD#4.

Thank you ..

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Snell, Mark K [mailto:mksnell@sandia.gov]
Sent: Monday, February 04, 2019 3:37 PM
To: Lee, Pete <Pete.Lee@nrc.gov>; Tartal, George <George.Tartal@nrc.gov>
Cc: Whalen, Ryan T <rtwhale@sandia.gov>; Dennis, Matthew L <mldenni@sandia.gov>; Parks, Mancel Jordan <mjparks@sandia.gov>
Subject: [External_Sender] FW: Draft Outline

Note to requester: The February 2019 Comments document, immediately following this email, was included as part of this record, as provided to the FOIA staff.

From: w...fm
To: Parks Mancel Jordan; Dennis Matthew L
Cc: Whalen Ryan T; Tartal George; Snell Mark K; Vechioli Feliciano Lucieann; Cubellis Louis
Subject: Re: Comments - Draft Outline and Content for Guidance on Application of VA - NRCHQ2514D005-NRCHQ2517T004
Date: Monday, March 11, 2019 2:09:39 PM
Attachments: image001.png

Just to close the loop. There is no additions or changes.

Matt. Good working with you on past tasks and this one. Thank you.

Pete

From: Lee, Pete
Sent: Friday, March 1, 2019 9:06 AM
To: Parks, Mancel Jordan; Dennis, Matthew L
Cc: Whalen, Ryan T; Tartal, George; Snell, Mark K; Vechioli Feliciano, Lucieann; Cubellis, Louis
Subject: Comments - Draft Outline and Content for Guidance on Application of VA - NRCHQ2514D005-NRCHQ2517T004

Jordan/Matt:

Attached is the subject. It's being peer reviewed Lou Cubellis of my branch that has extensive knowledge on the subject and physical security and combat, and also attended the recent DOE NTC training on VA.

I requested him to verify that I captured his input adequately and peer review my comments/suggestion.

Any additions or changes will be forwarded to you once that is complete.

There is no need to provide responses to the comments, as they are reminder in nature for what I believe are planned for populating the content outlined.

We will review the next deliverable on how they are addressed. Please give me a call if you need to touch based on the comments/suggestions.

Based on the outline and content, I believe you are on the way to meeting our expectation for a guidance that will be useful to a wide audience, accordance with the milestones in LTD#4.

Thank you ..

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Snell, Mark K [mailto:mksnell@sandia.gov]
Sent: Monday, February 04, 2019 3:37 PM
To: Lee, Pete <Pete.Lee@nrc.gov>; Tartal, George <George.Tartal@nrc.gov>
Cc: Whalen, Ryan T <rtwhale@sandia.gov>; Dennis, Matthew L <mldenni@sandia.gov>; Parks, Mancel Jordan <mjparks@sandia.gov>
Subject: [External_Sender] FW: Draft Outline

NSIR/DPCP/RSB Comments

Guidance on Applications of Vulnerability Assessment Models For Assessing the Effectiveness of a Physical Protection System

NRCHQ2514D005-NRCHQ2517T004 Tasks 3a and 3b Deliverables

Date: February, 2019

No. | Source | Section | Comment

1. Source: NSIR/DPCP/RSB (Plee). Section: Acronyms and Units of Measure (Pages 11-12).

Comment: Use appropriate generic terms to describe the organizations or persons that provides specific functions or information that may be important in the guidance. To the extent possible avoid references and acronyms (e.g., Office of Radiological Security, Radiation Safety Officer, etc.) that are specific to an organization or a person that are unique or specific to the DOE or NRC.

Basis: Guidance is intended to be generic and should, to the extent possible, avoid to the use of specific terms or acronyms unique to the DOE, NRC, and/or other federal agencies.

2. Source: NSIR/DPCP/RSB (Plee). Section: Section 1.3 (Pages 14-15).

Comment: Include references that would assist users' basic understanding of quantification or the numerical methods (e.g., Monte Carlo or others) and their application in VA tools for modeling and simulations. Guidance should provide understanding of strength, weaknesses, and limitations of numerical methods and underlying techniques that may be applied in the VA tool to determine and solve for probabilities and/or system effectiveness.

Basis: User or modelers should have a basic reference on the Monte Carlo methods or other stochastic methods for the numerical technique applied in the VA tools and appropriate understanding of their application and limitations.

3. Source: NSIR/DPCP/RSB (LCubellis). Section: Section 1.3 (Pages 14-15).

Comment: Review of existing guidance should include the DOE NNSA Supplemental Directive 470.4-2, "Enterprise Safeguards and Security Planning and Analysis Program," and "Implementation Instruction 470.4-2," dated June 23, 2018 for developing guidance with respect to the use of VA model and simulations. Information and insights that are relevant to the criteria of "helpful in addressing the use of VA model and simulations for physical protection purpose," should be consider for guidance.

4. Source: NSIR/DPCP/RSB (LCubellis). Section: Section 1.3 (Page 14-15).

Comment:

(a) Review DOE's "Validation and Verification Report for AVERT," January 2018 and Defense Threat Reduction Agency, "Automated Vulnerability Evaluation for the Risk of Terrorism (AVERT) Software Version 5.1.2, Accreditation Report," December 2011 with respect to providing guidance the "dos and don'ts" on VA tool for modeling and simulations for quantifying PPS effectiveness and their use, including the strengths and weaknesses that may be inherent to the how VA tool are built to perform modeling and simulation.

(b) Provide guidance on appropriate verification and validation (V&V) process to ensure that model and simulations are correct and reliable (i.e., credibility of results). Guidance should identify V&V challenges and how they may be appropriately addressed, including how VA tools may be accredited.

Special Note: On the basis that guidance being develop is generic and not guidance on the use of a specific VA tool, the information that is helpful should be captured generically and specific references to the reports of a specific VA tool should not be captured either Section 1.3 and as References.

Basis: Insights from these evaluations of an existing VA tool for modeling simulation should be captured generically as guidance for users' dos and don'ts and strengths and weaknesses that may be encounter of VA tools.

5. Source: NSIR/DPCP/RSB (Plee). Section: Section 2.ii (Page 15).

Comment: Ensure that the guidance in this section address the accuracies, interpretations, and limitations of data collected from performance tests, limited drills and exercises, including simulated force-on-force, with respect to application reasonable insights that considers human factors and behaviors (i.e., uncertainties) under extreme stress situations such as combat, which solicits physiological and psychological responses that are not simulated.

Basis: Specific guidance on the insights of realistic and limitations of data collected from performance testing (e.g., limited scope drills and exercises and force-on-force exercises) will ensure the realism of modeling and simulation of individuals (responders and adversary) performance under fire (i.e., combat). How VA tool capture reasonable simulations and interpretation of results characterizing the uncertainties of human performance under fire is of significance to the results on reliability and availability of interdiction/neutralization functions.

6. Source: NSIR/DPCP/RSB (Plee). Section: Section 4.iv (Page 17).

Comment: Ensure guidance address the subject of communications and how model and simulation should accurately capture planned and performance of the security communication capabilities of the PPS.

Basis: Communications is a key and critical element in the assessment and the command and control of security response in the sequences of events to achieve interdiction/neutralization functions. The accuracy and realism of modeling and simulation need to address the capabilities of security specific and plant systems relied on for communications for reasonable realistic outcomes.

7. Source: NSIR/DPCP/RSB (Plee). Section: Section 4.iv(a) (Page 17).

Comment: Ensure guidance include in-depth guidance on how to appropriately determine pathways and "pathway analysis" and how models and simulation should determine pathways based on the PPS design and the DBT characteristics. Include guidance on how modeling and simulation should sufficiently address all pathways, including those pathways with large delay time - greater tasks completion time or greater field of fire other PPS features. Provide guidance on modeling and simulation and user should determine and assess the likelihood of adversary's selection of pathway or pathways (speed, cover/concealment, avoid detection, etc.).

Basis: In-depth guidance on the subject of pathways will permit users to understand how the modeling and simulations should determine and selections of pathways and how the pathways contribute or impact determining the probabilities of neutralization and its contribution to the resulting overall PPS effectiveness.

8. Source: NSIR/DPCP/RSB (Plee). Section: Section 4.iv(e) (Page 17).

Comment: Ensure guidance address specifics for determining appropriate and collecting data for performance testing that are reasonably realistic response capabilities and standards. Specifically include guidance on considerations of human factors and behaviors for person or persons under fire.

Basis: Performance tests has limitations that must be accounted in modeling and simulation. Specific guidance on insights of realistic and limitations of data collected from performance testing will ensure the realism of performance under fire and reasonable interpretation of results to capture uncertainties of human performance under fire.

9. Source: NSIR/DPCP/RSB (PLee). Section: Section 5.ii (Page 18).

Comment: Ensure the guidance include how to establish the minimum and acceptable value(s) for system effectiveness (PE). Include discussion of what values means, specific to upper bound or lower bounds that would not be acceptable, one that would be unrealistic of modeling and simulation results and other unacceptable performance, respectively.

Basis: Guidance to users should understand what range of value are for PE that would be reasonably acceptable for the PPS effectiveness and values that may not acceptable or suspect of modeling and simulations. For example, why is PE = 1 is a mathematically improbable based on the effectiveness of each elements and sequences of events for a PPS and would not be reasonable value or why a PE = 0.5 may not a reasonable standard value for effective of a PPS for meeting the criteria of reasonable assurance.

10. Source: NSIR/DPCP/RSB (Plee). Section: Section 5.ii (Page 18).

Comment: Ensure guidance include specifics on the distinctions between and the use and application of "performance testing" and "Force on Force exercises," in conjunction with modeling and simulation for determining PE.

Basis: The applications and limitations of performance tests and Force-on-Force exercises should be understood by the users and how they are used in and valid portions or parts of the modeling and simulation results.

11. Source: NSIR/DPCP/RSB (Plee). Section: Section 5.ii (Page 18).

Comment: Ensure guidance provide discussions on the applications and limitations on "use of multiple M&S tools that analyze and utilize mass amounts of human performance testing that should provide a better PE as it relates to response capabilities." Include guidance on how users should address differing results from using multiple tools.

Basis: Guidance on the using multiple modeling and simulation tools, including "probability of neutralization calculations" (Section 4.iv(a)), should be provided to users on how to assess tools available, compare, and interpret varying PE for the effectiveness.

12. Source: NSIR/DPCP/RSB (Plee). Section: Section 5.iv (Page 19).

Comment: Ensure guidance address the advantages and advantages for using various VA tools (qualitative, quantitative, or a combinations) available to assess physical security functions and system effectiveness.

Basis: Guidance should provide users the pros and cons of particular type of VA tools or assessment methods, TTX, human-in-the loop combat computer simulation, and batch code simulations, indicated in this section.

13. Source: NSIR/DPCP/RSB (Plee). Section: Section 5.iv(a) (Page 19).

Comment: Ensure this section include guidance the minimum considerations for conducting quality TTX. In addition, include in this or subsequent section (i.e., Section 10) of the guidance, the specifics considerations of subject matter experts (e.g., knowledge, skills, and abilities) that would be necessary and sufficient for using and implementing TTX as VA tool for assessing the effectiveness of a PPS.

Basis: Guidance should allow user to understand baseline or minimum considerations or reasonable criteria on how a quality TTX may be conducted to assess vulnerabilities and capabilities of elements of a PPS. Guidance on the subject matter expertise needed and necessary is critical for applying TTX as a method of qualitatively assess a PPS and ensure that quality implemented TTX results would be consistent or comparable to results from quantified PPS effectiveness.

14. Source: NSIR/DPCP/RSB (LCubellis). Section: Sections 5, 8, & 10 (Pages 18-20, Pages 22-23, and Page 24).

Comment: Ensure guidance for user, VA analyst, describe how to identify and how to address potential unrealistic default inputs and/or conditional values (e.g., all-knowing response force, perfect response force communication at all times, lack of adversary coordination, etc.). Provide guidance of what may appropriate to recalibrate, workaround, or other measures that may be necessary to ameliorate unrealistic response force or adversary capabilities programmed or default conditions of a VA tool.

Basis: Some VA tools give response force members 360-degree hearing and eyesight to infinite distances. Guidance for such programmed logic or default values maybe to isolate or delay relevant response force members (e.g., put them into 'closets', and then use a 'respond to' or similar command to cause the members to exit the closets) until after someone or IDS detects the adversary.

15. Source: NSIR/DPCP/RSB (Plee). Section: Section 7 (Page 22).

Comment: Ensure that guidance in this section, on "pathway analysis," include how modeling and simulation tool capture pathway analysis. Guidance should address "should" and "should not" for modeling and simulation of pathways and how key elements of the PPS are quantified and/or qualified in a modeling and simulation tool.

Basis: In addition to describing the details on the concept of "pathway analysis" that is need to assess a PPS, the guidance should include how it is captured or should be captured in modeling and simulation tools.

16. Source: NSIR/DPCP/RSB (LCubellis). Section: Sections 7 and 10 (Pages 21-22 and Page 24).

Comment: Ensure guidance in Sections 7 and 10 address the use of visual depictions of response force fields of fire (i.e., heat maps) in validating of VA tools' pathway analysis results, to verify, evaluate, and identify potential programing limitations of pathway analysis results to vulnerabilities shown on heat maps.

Basis: A user is able to detect a programming limitation in a VA tool by reviewing heat maps generated by the tool and then comparing the pathway analysis results to the visually identified vulnerabilities (e.g., lack of coverage or gaps, minimum over lapping field of fire, blocked line of sights, etc.) on the maps. For example, when none of a VA tool's 1,000 computer-generated paths corresponded to a route the heat map indicated had nearly a 90% adversary success rate, a user would ask and investigate the results of reasonable and realistic representation of pathways.

Programing logic, with exception of condition for avoiding detection, did not consider facility access levels for adversary path strategies, which caused adversaries enter detection zones sooner or remain there longer than expected. The resulting programing logic can prevent the adversaries from exploiting the most vulnerable pathways (MVPs) or give guard forces significantly longer periods to interrupt them in the route to the MVPs. It was determined that in the 1,000 runs, the adversaries immediately entered detection zones outside the protected area and then tried to walk as many as 200 meters along the outer edge of the detection zone before breaching the protected area fence.

This resulted in the guard force having the maximum interdiction time possible and none of the adversaries made it to the start of the MVPs.

17. Source: NSIR/DPCP/RSB (LCubellis). Section: Section 8 (Page 22-23).

Comment: Ensure guidance include how users, VA analyst, would determine that a VA tool's combat simulations is reasonable and realistic (i.e., appropriate determined or calculated). Include in the guidance how they should not be determined or calculated, and how to identify unreasonable and unrealistic program or default conditions.

Basis: Some VA tool uses a ratio of the size of a firing port to a human body to calculate the number of rounds that would pass through the port in an engagement, and that ratio remains constant regardless of the type of weapon engaging the port (i.e., precision-engagement weapon vs standard assault weapon). For example, consider an adversary who fires 20 shots from a sniper rifle with a 50% hit probability and 25% kill probability at the given range at a response force member who is inside a firing port that is one-tenth the size of a standing human. A VA tool may be programmed or uses a default condition such that two of those shots (i.e., .10 x 20) would get through the port. Each of those two rounds would have a 50% chance of hitting, and a 25% chance of killing, the response force member. The probabilities for hit and kill would not be applied to the other 18 rounds (i.e., no chance of hitting or killing the guard). Such a process seems skewed to benefit the response force and may overestimate the PN, and by extension overestimate the PPS effectiveness.

18. Source: NSIR/DPCP/RSB (Plee). Section: Section 8.v (Page 22).

Comment: Ensure descriptions and discussions of statistical methods is sufficiently in depth to provide the users understanding to adequately and reasonably apply and interpret results of system effectiveness from a modeling and simulation tool. The guidance should include the appropriate characterization of statistical significance of limited drills and exercises, performance tests, which may be relied on for performance insights and validation of results.

Basis: The statistical methods, including sufficient sampling, applied to appropriate interpretations of modeling and simulation results for the PN. to ensure reasonable characterization of the uncertainties of security response and the resulting overall PPS effectiveness.

19. Source: NSIR/DPCP/RSB (Plee). Section: Section 10 (Page 24).

Comment: Provide guidance addressing minimum specific knowledge, skills, and abilities (KSA) needed and necessary for individuals from developer to end users, and in between, for quality and adequate application of various VA tools. The minimum training and qualification for individuals should address the application of qualitative assessment (i.e., TTX) and quantitative assessment (modeling and simulations). Guidance should also include the KSA for individuals performing quality assurance, validation and verification, and auditing.

Basis: Appropriate basic KSA of various individuals provide assurance of the quality from developer to end user of VA tools for their intended purpose and assurance of reasonably realistic assessment of PPS effectiveness and identifying vulnerabilities or weaknesses.

20. Source: NSIR/DPCP/RSB (Plee). Section: References (Page 25).

Comment: Ensure references identified in Section 1.3 are captured in the list of references.

From: Cubellis Louis
To: Lee Pete
Subject: RE: FYI: May 2018 Article RE: AVERT
Date: Tuesday, May 21, 2019 5:16:45 AM

One of our concerns should be the article talks about how AVERT is used for the four DoE non-accredited analyses.

From: Lee, Pete
Sent: Monday, May 20, 2019 3:23 PM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: RE: FYI: May 2018 Article RE: AVERT

Interesting source. I will check over in RES to see if anyone over there wants to take a look this. This would be something the RES can bite into.

From: Cubellis, Louis
Sent: Monday, May 20, 2019 2:40 PM
To: Lee, Pete <Pete.Lee@nrc.gov>
Subject: FYI: May 2018 Article RE: AVERT

https://gen.com/articles/2018/05/29/simulations-physical-security.aspx

Louis J. Cubellis, Jr
Senior Security Specialist
U.S. Nuclear Regulatory Commission
Office of Nuclear Security and Incident Response
Phone: (301) 287-3670
E-mail: Louis.Cubellis@nrc.gov

Note to requester: All the attachments are immediately following this email record, and they are also all publicly available. The first document is in ADAMS at https://www.nrc.gov/docs/ML0231/ML023160203.pdf.

From: Biley Jeffrey
To: Bustamante Charles
Subject: References
Date: Tuesday, June 11, 2019 11:02:00 AM
Attachments: NUREGBR-0252 User's Guide to Physical Protection Documents.pdf; ML041170225.pdf; ML13122A181.pdf

Your message is ready to be sent with the following file or link attachments:

NUREGBR-0252 User's Guide to Physical Protection Documents.pdf
ML041170225.pdf
ML13122A181.pdf

Note: To protect against computer viruses, e-mail programs may prevent sending or receiving certain types of file attachments. Check your e-mail security settings to determine how attachments are handled.


NUREG/BR-0252

User's Guide to Physical Protection Documents Published by the NRC

Manuscript Completed: June 1998
Date Published: November 1998

Prepared by B. T. Miller

Division of Fuel Cycle Safety and Safeguards
Office of Nuclear Material Safety and Safeguards
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

ABSTRACT

This report is a compilation of physical protection guidance documents published by the U.S. Nuclear Regulatory Commission. It is intended to serve as a user's guide to assist in conducting information searches about physical protection subjects. Given for each document is a reference number, title, publication date, and abstract to further aid in identifying available physical protection information of interest.

The NRC invites comments for revising this report to make it more useful. Please send them to:

Brett T. Miller
Division of Fuel Cycle Safety and Safeguards
Office of Nuclear Material Safety and Safeguards
U.S. Nuclear Regulatory Commission
Washington, DC 20555-0001

CONTENTS

ABSTRACT

1 INTRODUCTION
1.1 Purpose
1.2 Types of Documents Included
1.2.1 Regulatory Guides
1.2.2 NUREG-Series Publications
1.2.2.1 NUREG Publications
1.2.2.2 NUREG/CR Publications
1.2.2.3 NUREG/CP Publications
1.3 Availability of Documents

2 DOCUMENT NUMBER LISTING
2.1 Regulatory Guides
2.2 NUREG Publications
2.3 NUREG/CR Publications
2.4 NUREG/CP Publications

3 SUBJECT LISTING
3.1 Threat
3.2 Security Organization
3.3 Barriers and Designated Areas
3.4 Access Controls, Subsystems, and Procedures
3.5 Detection, Surveillance, and Alarm Subsystems
3.6 Communications Subsystems
3.7 Test and Maintenance Programs
3.8 Contingency Response Plans and Procedures
3.9 Transportation
3.10 Analysis Tools
3.11 Evaluation Criteria/Standard Format and Content Guides
3.12 Screening/Fitness for Duty

4 DOCUMENT DESCRIPTION LISTING
4.1 Regulatory Guides
4.2 NUREG Publications
4.3 NUREG/CR Publications
4.4 NUREG/CP Publications

5 CHRONOLOGICAL PUBLICATION DATE LISTING
5.1 Regulatory Guides
5.2 NUREG Publications
5.3 NUREG/CR Publications
5.4 NUREG/CP Publications

1 INTRODUCTION

1.1 Purpose

This report is a reference guide that lists all physical protection documents published by the U.S. Nuclear Regulatory Commission (NRC). This guide was originally developed by NRC staff to evaluate the present collection of NRC physical protection documents with a view towards

1. consolidation of documents,
2. identification of obsolete documents, and
3. identification of areas where additional guidance is needed.

The documents included are listed in four different ways by document type:

1. A Document Number Listing (Section 2), from which a user can quickly identify whether a particular document is included in this report;

2. A Subject Listing (Section 3), in which documents are grouped according to their physical protection subject or "module;"

3. A Document Description Listing (Section 4), which includes the number, title, publication date, and abstract for each document; and

4. A Chronological Publication Date Listing (Section 5).

Users of this report are cautioned that some of the earlier published documents may be outdated and may not represent current NRC policy or positions. These documents are included for completeness and because they represent a historical perspective on particular issues. An NRC licensee should consult NRC to determine the applicability of a document to its facility.

1.2 Types of Documents Included

Four formal types of NRC-published documents are listed in this guide and each is described in the rest of the section.

1.2.1 Regulatory Guides

Regulatory guides (R.G.s) present methods acceptable to NRC for implementing specific parts of NRC regulations, delineate techniques used by the staff in evaluating specific problems, and provide guidance to applicants, licensees, and certificate holders.

Regulatory guides are prepared when detailed guidance is needed for implementing NRC requirements, but are not substitutes for regulations and compliance is not required. Draft regulatory guides are issued for public comment.

1.2.2 NUREG-Series Publications

The following types of information are published in the NUREG-series:

  • support for a regulatory decision;
  • results of licensing studies preliminary to licensing actions;
  • results of generic regulatory or technical analyses;
  • managerial, programmatic, or administrative analyses of interest to the staff, the industry, and the public;
  • resolution of problems of interest to the nuclear industry at large;
  • team reports on specific topics; and
  • proceedings of conferences and workshops.

Legally binding regulatory requirements are stated only in laws; NRC regulations; licenses, including technical specifications; or orders. Although NRC may suggest a course of action in a NUREG-series publication, these suggestions are not legally binding and the regulated community may use other approaches to satisfy regulatory requirements.

Each NRC publication is identified by a unique alphanumeric designator, for example, NUREG-1555 or NUREG/CR-1666. The alpha designation "NUREG," identifies the publication as an NRC publication; it is followed by a four-digit number, or it is followed by two letters further identifying the type of report and a four-digit number to form the complete designator.

Publications bearing the following designators will be included in this report:

  • NUREG-XXXX for a report prepared by NRC staff;
  • NUREG/CR-XXXX for a report prepared by a contractor for the NRC; and
  • NUREG/CP-XXXX for a conference proceedings. These proceedings may be prepared by the staff or an NRC contractor.

1.2.2.1 NUREG Publications

Publications bearing a designator NUREG-XXXX are prepared by NRC staff. They may cover any of the bulleted items listed in section 1.2.2. They are formal reports on regulatory, technical, and administrative issues of interest to NRC, industry, other government agencies, and the public. These formal reports address results of licensing studies; results of analyses of general or specific problems of a regulatory or technical nature of interest to industry; action and review plans for satisfying NRC requirements; task force reports on specific topics; and administrative reports of interest to NRC, industry and the public. NUREG publications do not constitute regulatory requirements, are not subject to public comment, and do not represent policy positions acceptable to NRC.

1.2.2.2 NUREG/CR Publications

NUREG/CR-series publications are formal technical reports prepared for NRC by contractors or other government agencies and their contractors, including national laboratories. These reports are final products of research, original investigations, periodic progress reports, or significant compilations of information. Similar to reports prepared by the staff (NUREG-XXXX), these documents do not undergo public comment, and contain only technical information with no policy implications.

1.2.2.3 NUREG/CP Publications

NUREG-series publications designated as NUREG/CPs present the proceedings of conferences or workshops sponsored by NRC.

1.3 Availability of Documents

The documents listed in this guide are available from one of the following sources:

a) The NRC Public Document Room, 2121 L Street, NW., Lower Level, Washington, DC 20555-0001. Telephone: 1-800-397-4209 or locally 202-634-3273.

World Wide Web (WWW) Address: <http://www.nrc.gov/NRC/PDR/pdrl.htm>.

b) The Superintendent of Documents, U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328. Telephone: 202-512-1800.

WWW Address: <http://www.access.gpo.gov/su_docs>.

c) The National Technical Information Service, Springfield, VA 22161-0002.

Telephone: 703-487-4650.

WWW Address: <http://www.ntis.gov/ordernow>.

Most of the documents included in this guide may be purchased from the Government Printing Office or the National Technical Information Service. Documents are also available for inspection and copying for a fee from the NRC Public Document Room (PDR) in Washington, D.C. The PDR maintains a comprehensive collection of publicly available documents on paper, microfiche, and diskette media. The materials are searchable via the PDR's computer system and can be accessed by calling 1-800-270-2787 for Internet service.

The NRC, in cooperation with a public, college, or university library, establishes a Local Public Document Room (LPDR) near each civilian nuclear power reactor site. Information concerning NRC-published documents is maintained on microfiche at each of these locations. A list of all LPDR libraries may be obtained by calling 1-800-638-8081.

For more information on how to obtain NRC-published documents, please refer to the "Citizen's Guide to U.S. Nuclear Regulatory Commission Information," NUREG/BR-0010, Rev.2.


2 DOCUMENT NUMBER LISTING

This list provides a quick reference to the documents listed in this report. In the search for a document, a user may quickly note whether a document is included in this report and then refer to Section 4, "Document Description Listing," for further detail.

2.1 Regulatory Guides

R.G. 5.7 Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas, Rev. 1

R.G. 5.12 General Use of Locks in the Protection and Control of Facilities and Special Nuclear Material

R.G. 5.14 Use of Observation (Visual Surveillance) Techniques in Material Access Areas, Rev. 1

R.G. 5.15 Security Seals for the Protection and Control of Special Nuclear Material, Rev. 1

R.G. 5.17 Truck Identification Markings

R.G. 5.20 Training, Equipping, and Qualifying of Guards and Watchmen

R.G. 5.31 Specially Designed Vehicle with Armed Guards for Road Shipment of Special Nuclear Material, Rev. 1

R.G. 5.32 Communication with Transport Vehicles

R.G. 5.43 Plant Security Force Duties

R.G. 5.44 Perimeter Intrusion Alarm Systems, Rev. 3

R.G. 5.54 Standard Format and Content of Safeguards Contingency Plans for Nuclear Plants

R.G. 5.55 Standard Format and Content of Safeguards Contingency Plans for Fuel Cycle Facilities

R.G. 5.56 Standard Format and Content of Safeguards Contingency Plans for Transportation

R.G. 5.57 Shipping and Receiving Control of Strategic Special Nuclear Material, Rev. 1

R.G. 5.59 Standard Format and Content for Licensee Physical Security Plans for the Protection of Special Nuclear Material of Moderate or Low Strategic Significance, Rev. 1

R.G. 5.60 Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material in Transit

R.G. 5.61 Intent and Scope of the Physical Protection Upgrade Rule Requirements for Fixed Sites

R.G. 5.62 Reporting of Physical Security Events, Rev. 2

R.G. 5.63 Physical Protection for Transient Shipments

R.G. 5.65 Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls

R.G. 5.66 Access Authorization Program for Nuclear Power Plants

R.G. 5.68 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants

2.2 NUREG Publications

NUREG-0144 Summary Report of Workshop on Sabotage Protection in Nuclear Power Plants

NUREG-0178 Basic Considerations for Assembling a Closed Circuit Television System

NUREG-0184 User's Guide for Evaluating Physical Security Capabilities of Nuclear Facilities by the EASI Method

NUREG-0194 Calculation of Radiological Consequences of Sabotage of Shipping Casks

NUREG-0219 Nuclear Security Personnel - Interim Qualification and Training Requirements

NUREG-0271 Physical Protection Equipment Study: Final Report

NUREG-0272 Cross Reference Index for Equipment Catalog and Evaluation Guide

NUREG-0273 Guide for the Evaluation of Physical Protection Equipment, Vol. I-VII

NUREG-0274 Catalog of Physical Protection Equipment, Vol. I-VII

NUREG-0320 Interior Intrusion Alarm Systems

NUREG-0459 Generic Adversary Characteristics Summary Report

NUREG-0464 Site Security Personnel Training Manual, Vol. I-IV

NUREG-0465 Transportation Security Personnel Training Manual, Vol. I & II

NUREG-0506 Fixed Site Physical Protection Upgrade Rule Guidance Compendium

NUREG-0508 Design Methodology for the Physical Protection Upgrade Rule Requirements for Fixed Sites

NUREG-0525 Safeguards Summary Event List, Vol. I & II

NUREG-0561 Physical Protection of Shipments of Irradiated Reactor Fuel

NUREG-0576 Nuclear Power Reactor Security Personnel Training and Qualification Plans

NUREG-0703 Insider Study

NUREG-0721 Acceptance Criteria for the Physical Protection Upgrade Rule Requirements for Fixed Sites

NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 1-V

NUREG-0768 People Related Problems Affecting Security in the Licensed Nuclear Industry

NUREG-0794 Protection of Unclassified Safeguards Information

NUREG-0907 Acceptance Criteria for Determining Armed Response Force Size at Nuclear Power Plants

NUREG-0908 Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans

NUREG-0992 Report of the Committee to Review Safeguards Requirements at Power Reactors

NUREG-1045 Guidance on the Application of Compensatory Safeguards Measures for Power Reactor Licensees

NUREG-1178 Vital Equipment/Area Guidelines Study: Vital Area Committee Report

NUREG-1304 Reporting of Safeguards Events

NUREG-1321 Testing Standards for Physical Protection Systems at Category I Fuel Cycle Facilities

NUREG-1322 Acceptance Criteria for the Evaluation of Category I Fuel Cycle Facility Physical Security Plans

NUREG-1328 Use of Perimeter Alarms at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG-1329 Entry/Exit Control at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG-1330 Personnel and Vehicle Barriers at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG-1354 Fitness for Duty in the Nuclear Power Industry: Responses to Public Comments

NUREG-1385 Fitness for Duty in the Nuclear Power Industry: Response to Implementation Questions

NUREG-1404 Licensee Use of Tactical Exercise Results

NUREG-1436 Requirements for the Maintenance of Physical Security Records at Category I Fuel Cycle Facilities

NUREG-1456 An Alternative Format for Category I Fuel Cycle Facilities Physical Protection Plans

NUREG-1485 Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on February 7, 1993

NUREG-1497 Interim Licensing Criteria for Physical Protection of Certain Storage of Spent Fuel

NUREG-1504 Review Criteria for Physical Fitness Training Requirements in 10 CFR Part 73

NUREG-1619 Standard Review Plan for Physical Protection Plans for the Independent Storage of Spent Fuel and High-Level Radioactive Waste

2.3 NUREG/CR Publications

NUREG/CR-0027 Capability for Intrusion Detection at Nuclear Fuel Sites

NUREG/CR-0040 Evaluation of Cost Estimates of Physical Security Systems for Recycled Nuclear Fuel

NUREG/CR-0099 Evaluation of Road-Transit Physical Protection Systems

NUREG/CR-0101 A Tactical Game for Use in Development and Evaluation of Road Transit Physical Protection Systems

NUREG/CR-0181 Barrier Penetration Database

NUREG/CR-0364 Simulating Barrier Penetration During Combat

NUREG/CR-0484 Vehicle Access and Control Planning Document

NUREG/CR-0485 Vehicle Access and Search Training Manual

NUREG/CR-0508 Security Communication Systems for Nuclear Fixed Site Facilities

NUREG/CR-0509 Emergency Power Supplies for Physical Security Systems

NUREG/CR-0510 Duress Alarms for Nuclear Fixed-Site Facilities

NUREG/CR-0532 Safeguards Against Insider Collusion

NUREG/CR-0543 Central Alarm Station and Secondary Alarm Station Planning Document

NUREG/CR-0921 Programmers Manual for TRNSM 2

NUREG/CR-0923 Sensitivity Studies Using the TRNSM 2 Computerized Model for the NRC Physical Protection Project

NUREG/CR-1166 COPS Model Estimates of LLEA Availability Near Selected Reactor Sites

NUREG/CR-1169 Safeguards Vulnerability Analysis Program, Vol. I-ID

NUREG/CR-1226 A Subroutine for Path Ordering of Sabotage Targets

NUREG/CR-1233 Structured Assessment Approach, Vol. I-IV

NUREG/CR-1234 The Insider Threat to Security Facilities: Data Analysis

NUREG/CR-1258 Inspection Methods for Physical Protection Project, Vol. I & II

NUREG/CR-1315 The Feasibility of Field Evaluation of Physical Protection Procedures

NUREG/CR-1327 Security Lighting Planning Document for Nuclear Fixed Site Facilities

NUREG/CR-1345 Nuclear Power Plant Design Concepts for Sabotage Protection, Vol. I & II

NUREG/CR-1378 Hardening Existing Strategic Special Nuclear Material Storage Facilities

NUREG/CR-1381 Methodology for Evaluating Safeguards Capabilities for Licensed Nuclear Facilities

NUREG/CR-1385 Development of a Good Physical Protection Plan

NUREG/CR-1467 CAS-SAS Operational Work Station Design Procedures

NUREG/CR-1468 Design Concepts for Independent Central Alarm Station and Secondary Alarm Station Intrusion Detection Systems

NUREG/CR-1574 Data Requirement Comparison for the Fixed Site Upgrade Rule Guidance Compendium and the Structured Assessment Approach Licensee Submittal Document

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. I & II

NUREG/CR-1744 Structured Assessment Approach (SAA) Input Package, Vol. I-III

NUREG/CR-2075 Standards for Psychological Assessment of Nuclear Facility Personnel

NUREG/CR-2076 Behavioral Reliability Program in the Nuclear Industry

NUREG/CR-2217 Detection of Special Nuclear Materials at Portal Monitors and Location and Recovery of Contraband Special Nuclear Materials: Legal and Technical Problems

NUREG/CR-2297 Security Management Techniques and Evaluative Checklists for Security Force Effectiveness

NUREG/CR-2404 Analyzing Safeguards Alarms and Response Decisions

NUREG/CR-2472 Final Report on Shipping-Cask Sabotage Source-Term Investigation

NUREG/CR-2546 Reactor Safeguards Against Insider Sabotage

NUREG/CR-2588 Security Officer Response Strategies

NUREG/CR-3191 Target Assignment for Security Officers to K Targets (TASK)

NUREG/CR-3251 The Role of Security During Safety-Related Emergencies at Nuclear Power Plants

NUREG/CR-3351 Security Officer Tactical Training Issues Involving ESS Equipment

NUREG/CR-4298 Design and Installation of Computer Systems to Meet the Requirements of 10 CFR 73.55

NUREG/CR-4462 A Ranking of Sabotage/Tampering Avoidance Technology Alternatives

NUREG/CR-4473 A Study of The Operations and Maintenance of Computer Systems to Meet the Requirements of 10 CFR 73.55

NUREG/CR-5081 Tactical Exercise Planning Handbook

NUREG/CR-5172 Tactical Training Reference Manual

NUREG/CR-5227 Fitness for Duty in the Nuclear Power Industry: A Review of Technical Issues, Supplement 1

NUREG/CR-5246 A Methodology to Assist in Contingency Planning for Protection of Nuclear Power Plants Against Land Vehicle Bombs

NUREG/CR-5689 Medical Screening Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Material

NUREG/CR-5690 Physical Fitness Training Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Material

NUREG/CR-5721 Video Systems for Alarm Assessment

NUREG/CR-5722 Interior Intrusion Detection Systems

NUREG/CR-5723 Security System Signal Supervision

NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. I-VI

NUREG/CR-5899 Entry/Exit Control Components for Physical Protection Systems

NUREG/CR-5929 Locking Systems for Physical Protection and Control

NUREG/CR-6149 Applications of Fiber Optics in Physical Protection

NUREG/CR-6190 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants, Vol. I & II

2.4 NUREG/CP Publications

NUREG/CP-0107 Security Training Symposium: Meeting the Challenge - Firearms and Explosives Recognition and Detection

3 SUBJECT LISTING

This section groups the documents found in this report under twelve physical protection subjects or topics. The first eight topics are consistent with those found in new "modular" standard review plans (SRPs) being issued by NRC. A licensee may use an SRP to develop physical protection plans in response to NRC regulations. This report may be used as a companion document to the SRP because, while the SRP contains the acceptance criteria of one way to satisfy NRC requirements, this report, in this section, uses the same groupings or "modules" to present applicable NRC guidance.

3.1 Threat

R.G. 5.68 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants

NUREG-0144 Summary Report of Workshop on Sabotage Protection in Nuclear Power Plants

NUREG-0459 Generic Adversary Characteristics Summary Report

NUREG-0525 Safeguards Summary Event List, Vol. I & II

NUREG-0703 Insider Study

NUREG-1485 Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on Feb. 7, 1993

NUREG/CR-1234 The Insider Threat to Security Facilities: Data Analysis

NUREG/CR-2546 Reactor Safeguards Against Insider Sabotage

NUREG/CR-4462 A Ranking of Sabotage/Tampering Avoidance Technology Alternatives

NUREG/CR-6190 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants, Vol. I & II

3.2 Security Organization

R.G. 5.20 Training, Equipping, and Qualifying of Guards and Watchmen

R.G. 5.43 Plant Security Force Duties

NUREG-0219 Nuclear Security Personnel - Interim Qualification and Training Requirements

NUREG-0464 Site Security Personnel Training Manual, Vol. I-IV

NUREG-0576 Nuclear Power Reactor Security Personnel Training and Qualification Plan: Reviewer's Workbook

NUREG/CR-3351 Security Officer Tactical Training Issues Involving ESS Equipment

NUREG/CR-5690 Physical Fitness Training Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Material

NUREG/CR-5689 Medical Screening Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Material

3.3 Barriers and Designated Areas

R.G. 5.12 General Use of Locks in the Protection and Control of Facilities and Special Nuclear Material

R.G. 5.15 Security Seals for the Protection and Control of Special Nuclear Material, Rev. 1

NUREG-1178 Vital Equipment/Area Guidelines Study: Vital Area Committee Report

NUREG-1330 Personnel and Vehicle Barriers at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG/CR-0181 Barrier Penetration Database

NUREG/CR-1378 Hardening Existing Strategic Special Nuclear Material Storage Facilities

NUREG/CR-5929 Locking Systems for Physical Protection and Control

3.4 Access Controls, Subsystems, and Procedures

R.G. 5.7 Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas, Rev. 1

R.G. 5.67 Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls

NUREG-0992 Report of the Committee to Review Safeguards Requirements at Power Reactors

NUREG-1329 Entry/Exit Control at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG/CR-0484 Vehicle Access and Control Planning Document

NUREG/CR-0485 Vehicle Access and Search Training Manual

NUREG/CR-3251 The Role of Security During Safety-Related Emergencies at Nuclear Power Plants

NUREG/CR-5899 Entry/Exit Control Components for Physical Protection Systems

3.5 Detection, Surveillance, and Alarm Subsystems

R.G. 5.14 Use of Observation (Visual Surveillance) Techniques in Material Access Areas, Rev. 1

R.G. 5.27 Special Nuclear Material Doorway Monitors

R.G. 5.44 Perimeter Intrusion Alarm Systems, Rev. 3

NUREG-0178 Basic Considerations for Assembling a Closed Circuit Television System

NUREG-0271 Physical Protection Equipment Study: Final Report

NUREG-0272 Cross Reference Index for Equipment Catalog and Evaluation Guide

NUREG-0273 Guide for the Evaluation of Physical Protection Equipment, Vol. I-VII

NUREG-0274 Catalog of Physical Protection Equipment, Vol. I-VII

NUREG-0320 Interior Intrusion Alarm Systems

NUREG-1328 Use of Perimeter Alarms at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material

NUREG/CR-0027 Capability for Intrusion Detection at Nuclear Fuel Sites

NUREG/CR-0509 Emergency Power Supplies for Physical Security Systems

NUREG/CR-0543 Central Alarm Station and Secondary Alarm Station Planning Document

NUREG/CR-1327 Security Lighting Planning Document for Nuclear Fixed Site Facilities

NUREG/CR-1467 CAS-SAS Operational Work Station Design Procedures

NUREG/CR-1468 Design Concepts for Independent Central Alarm Station and Secondary Alarm Station Intrusion Detection Systems

NUREG/CR-2217 Detection of Special Nuclear Materials at Portal Monitors and Location and Recovery of Contraband Special Nuclear Materials: Legal and Technical Problems

NUREG/CR-4298 Design and Installation of Computer Systems to Meet the Requirements of 10 CFR 73.55

NUREG/CR-4473 A Study of The Operations and Maintenance of Computer Systems to Meet the Requirements of 10 CFR 73.55

NUREG/CR-5721 Video Systems for Alarm Assessment

NUREG/CR-5722 Interior Intrusion Detection Systems

NUREG/CR-5723 Security System Signal Supervision

NUREG/CR-6149 Applications of Fiber Optics in Physical Protection

NUREG/CP-0107 Security Training Symposium: Meeting the Challenge - Firearms and Explosives Recognition and Detection

3.6 Communications Subsystems

NUREG/CR-0508 Security Communication Systems for Nuclear Fixed Site Facilities

NUREG/CR-0510 Duress Alarms for Nuclear Fixed-Site Facilities

3.7 Test and Maintenance Programs

NUREG-1321 Testing Standards for Physical Protection Systems at Category I Fuel Cycle Facilities

NUREG/CR-0364 Simulating Barrier Penetration During Combat

3.8 Contingency Response Plans and Procedures

R.G. 5.62 Reporting of Physical Security Events, Rev. 1

NUREG-0794 Protection of Unclassified Safeguards Information

NUREG-1045 Guidance on the Application of Compensatory Safeguards Measures for Power Reactor Licensees

NUREG-1304 Reporting of Safeguards Events

NUREG/CR-2588 Security Officer Response Strategies

NUREG/CR-3191 Target Assignment for Security Officers to K Targets (TASK)

NUREG/CR-5081 Tactical Exercise Planning Handbook

NUREG/CR-5172 Tactical Training Reference Manual

3.9 Transportation

R.G. 5.17 Truck Identification Markings

R.G. 5.31 Specially Designed Vehicle with Armed Guards for Road Shipment of Special Nuclear Material, Rev. 1

R.G. 5.32 Communication with Transport Vehicles, Rev. 1

R.G. 5.57 Shipping and Receiving Control of Strategic Special Nuclear Material, Rev. 1

R.G. 5.63 Physical Protection for Transient Shipments

NUREG-0465 Transportation Security Personnel Training Manual, Vol. I & II

NUREG-0561 Physical Protection of Shipments of Irradiated Reactor Fuel

NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 1-V

NUREG/CR-0101 A Tactical Game for Use in Development and Evaluation of Road Transit Physical Protection Systems

NUREG/CR-2472 Final Report on Shipping-Cask Sabotage Source-Term Investigation

3.10 Analysis Tools

NUREG-0184 User's Guide for Evaluating Physical Security Capabilities of Nuclear Facilities by the EASI Method

NUREG-0194 Calculation of Radiological Consequences of Sabotage of Shipping Casks

NUREG-0508 Design Methodology for the Physical Protection Upgrade Rule Requirements for Fixed Sites

NUREG-1404 Licensee Use of Tactical Exercise Results

NUREG/CR-0923 Sensitivity Studies Using the TRNSM 2 Computerized Model for the NRC Physical Protection Project

NUREG/CR-1166 COPS Model Estimates of LLEA Availability Near Selected Reactor Sites

NUREG/CR-1169 Safeguards Vulnerability Analysis Program, Vol. I-ID

NUREG/CR-1226 A Subroutine for Path Ordering of Sabotage Targets

NUREG/CR-1233 Structured Assessment Approach, Vol. I-IV

NUREG/CR-1345 Nuclear Power Plant Design Concepts for Sabotage Protection, Vol. I & II

NUREG/CR-1381 Methodology for Evaluating Safeguards Capabilities for Licensed Nuclear Facilities

NUREG/CR-1574 Data Requirement Comparison for the Fixed Site Upgrade Rule Guidance Compendium and the Structured Assessment Approach Licensee Submittal Document

NUREG/CR-1744 Structured Assessment Approach (SAA) Input Package, Vol. I-III

NUREG/CR-2404 Analyzing Safeguards Alarms and Response Decisions

NUREG/CR-5246 A Methodology to Assist in Contingency Planning for Protection of Nuclear Power Plants Against Land Vehicle Bombs

3.11 Evaluation Criteria/Standard Format and Content Guides

R.G. 5.52 Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material at Fixed Sites (Other Than Nuclear Power Plants), Rev. 3

R.G. 5.54 Standard Format and Content of Safeguards Contingency Plans for Nuclear Plants

R.G. 5.55 Standard Format and Content of Safeguards Contingency Plans for Fuel Cycle Facilities

R.G. 5.56 Standard Format and Content of Safeguards Contingency Plans for Transportation

R.G. 5.59 Standard Format and Content for Licensee Physical Security Plans for the Protection of Special Nuclear Material of Moderate or Low Strategic Significance, Rev. 1

R.G. 5.60 Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material in Transit

R.G. 5.61 Intent and Scope of the Physical Protection Upgrade Rule Requirements for Fixed Sites

NUREG-0506 Fixed Site Physical Protection Upgrade Rule Guidance Compendium

NUREG-0721 Acceptance Criteria for the Physical Protection Upgrade Rule Requirements for Fixed Sites

NUREG-0907 Acceptance Criteria for Determining Armed Response Force Size at Nuclear Power Plants

NUREG-0908 Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans

NUREG-1322 Acceptance Criteria for the Evaluation of Category I Fuel Cycle Facility Physical Security Plans

NUREG-1456 An Alternative Format for Category I Fuel Cycle Facilities Physical Protection Plans

NUREG-1497 Interim Licensing Criteria for Physical Protection of Certain Storage of Spent Fuel

NUREG-1504 Review Criteria for Physical Fitness Training Requirements in 10 CFR Part 73

NUREG-1619 Standard Review Plan for Physical Protection Plans for the Independent Storage of Spent Fuel and High-Level Radioactive Waste

NUREG/CR-0040 Evaluation of Cost Estimates of Physical Security Systems for Recycled Nuclear Fuel

NUREG/CR-1258 Inspection Methods for Physical Protection Project, Vol. I & II

NUREG/CR-1315 The Feasibility of Field Evaluation of Physical Protection Procedures

NUREG/CR-1385 Development of a Good Physical Protection Plan

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. I & II

NUREG/CR-2297 Security Management Techniques and Evaluative Checklists for Security Force Effectiveness

3.12 Screening/Fitness for Duty

R.G. 5.66 Access Authorization Program for Nuclear Power Plants

NUREG-0768 People Related Problems Affecting Security in the Licensed Nuclear Industry

NUREG-1354 Fitness for Duty in the Nuclear Power Industry: Responses to Public Comments

NUREG-1385 Fitness for Duty in the Nuclear Power Industry: Response to Implementation Questions

NUREG/CR-2075 Standards for Psychological Assessment of Nuclear Facility Personnel

NUREG/CR-2076 Behavioral Reliability Program in the Nuclear Industry

NUREG/CR-5227 Fitness for Duty in the Nuclear Power Industry: A Review of Technical Issues, Supplement 1

NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. II-VI

4 DOCUMENT DESCRIPTION LISTING

This section gives pertinent information about each document listed in this report. Presented in numerical order, the information includes the title, abstract, and publication date for each document.

4.1 Regulatory Guides

REGULATORY GUIDE 5.7, Rev. 1

TITLE: Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas

PUBLICATION DATE: May 1980

ABSTRACT: This guide contains measures NRC staff considers acceptable for implementing the entry/exit control requirements of facilities with formula quantities of strategic special nuclear material.

REGULATORY GUIDE 5.12

TITLE: General Use of Locks in the Protection and Control of Facilities and Special Nuclear Materials

PUBLICATION DATE: November 1973

ABSTRACT: This guide provides information regarding the selection and use of commercially available locks in the protection of facilities and SNM.

REGULATORY GUIDE 5.14, Rev. 1

TITLE: Use of Observation (Visual Surveillance) Techniques in Material Access Areas

PUBLICATION DATE: May 1980

ABSTRACT: This guide describes measures for implementing the requirements of surveillance or observation within material access areas to ensure safeguarding of strategic special nuclear material.

REGULATORY GUIDE 5.15, Rev. 1

ABSTRACT: This guide identifies features of security seal systems and describes types of seals for tamper-safing of special nuclear materials (SNM) in shipment or storage.

REGULATORY GUIDE 5.17

TITLE: Truck Identification Markings

PUBLICATION DATE: January 1974

ABSTRACT: This guide identifies markings applied to a road vehicle to enhance its identification from the air.

REGULATORY GUIDE 5.20

TITLE: Training, Equipping, and Qualifying of Guards and Watchmen

PUBLICATION DATE: January 1974

ABSTRACT: This guide describes a program for training, equipping, and qualifying guards and watchmen.

REGULATORY GUIDE 5.27

TITLE: Special Nuclear Material Doorway Monitors

PUBLICATION DATE: June 1974

ABSTRACT: This guide describes SNM doorway monitors.

REGULATORY GUIDE 5.31, Rev. 1

TITLE: Specially Designed Vehicle with Armed Guards for Road Shipment of Special Nuclear Material

PUBLICATION DATE: April 1975

ABSTRACT: This guide describes features for a vehicle operated by armed guards to ship special nuclear material by road and for the qualification of the armed guards.

REGULATORY GUIDE 5.32, Rev. 1

TITLE: Communication with Transport Vehicles

PUBLICATION DATE: May 1975

ABSTRACT: This guide describes radiotelephone equipment and systems, and procedures for their use regarding radiotelephone communication in connection with road or rail shipments of special nuclear material.

REGULATORY GUIDE 5.43

TITLE: Plant Security Force Duties

PUBLICATION DATE: January 1975

ABSTRACT: This guide describes the organization of the plant security force and duties of guards, watchmen, and other individuals responsible for security.

REGULATORY GUIDE 5.44, Rev. 3

TITLE: Perimeter Intrusion Alarm Systems

PUBLICATION DATE: October 1997

ABSTRACT: This guide describes six types of perimeter intrusion alarm systems and sets forth criteria for their performance and use. It also references a document (SAND 76-0554) that provides additional information in this area, especially on the subject of combining sensors to yield a better overall performance.

REGULATORY GUIDE 5.52, Rev. 3

TITLE: Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material at Fixed Sites (Other Than Nuclear Power Plants)

PUBLICATION DATE: December 1994

ABSTRACT: This guide describes the standard format and content suggested by NRC for use in preparing fixed site Physical Protection Plans in response to the Physical Protection Upgrade Rule (portions of 10 CFR Part 73). By using this Standard Format for preparing a Physical Protection Plan, the license applicant will minimize administrative problems associated with the submittal, review, and approval of the plan. Preparation of a Physical Protection Plan in accordance with this Standard Format will assist NRC in evaluating the plan and in standardizing the licensing and review process.

REGULATORY GUIDE 5.54 * *.' :

TITLE:

  • Plants
  • PUBLICATION DATE: March 1978 **

ABSTRACT: The guide has been prepared as an aid to ensure uniformity and completeness in

  • the preparation ano review of the continency'planning section of.license applications.**Jt is applicable to nuclear power plants and research reactors that are subject'to the requirements of 10
  • . CFR under 73.50, 73.55, and/or 73.60.

t * * * ' .

REGULATORY GUIDE S:55 * . _

TITLE: **Standard Format and Content of Safeguards Contingency Plans for Fuel Cycle . '

Facilities J *,:..**::.i::. :: J ; - * * ,,*: *_ * . ** 1< ~i * * ' * **

  • PUBLICATION DATE: Mafcb 1978 ' *-i ' . .
-ABSTRACT
. The guide' has*:o een prepared 'as *an aid in ensuring completeness of planning and presentation and to simplify NRC review of the safeguards continency plan. It applies to fuel cycle licensees who are subject to the requirements of 10 CFR under . .

73.50 and 73.60.

REGULATORY GUIDE 5.56 TITLE: Standard Format and Content of Safeguards Contingency Plans for Transportation PUBLICATION DATE: March 1978 ABSTRACT: The guide has been prepared as an aid in ensuring completeness of planning and presentation and to simplify the NRC review of the safeguards contingency plan. It applies to the transportation of special nuclear material that is subject to the requirements of 10 CFR under 73.30 through 73.36.

REGULATORY GUIDE 5.57, Rev. 1 TITLE: Shipping and Receiving Control of Strategic Special Nuclear Material PUBLICATION DATE: June 1980 ABSTRACT: This guide describes the requirements specified in 10 CFR Part 73, Physical Protection of Plants and Materials, for the physical protection of special nuclear material (SNM) at licensee facilities and in transit, and is the subject of various regulatory guides issued or under development.

REGULATORY GUIDE 5.59, Rev. 1 TITLE: Standard Format and Content for a Licensee Physical Security Plan for the Protection of Special Nuclear Material of Moderate or Low Strategic Significance PUBLICATION DATE: January 1980 ABSTRACT: This guide describes the information required in the physical security plan submitted as part of an application for a license to possess, use, or transport special nuclear material (SNM) of moderate strategic significance or 10 kg or more of SNM of low strategic significance and recommends a standard format for presenting the information in an orderly arrangement. This standard format will thus serve as an aid to uniformity and completeness in the preparation and review of the physical protection plan of the license application. This document can also be used as guidance by licensees possessing or transporting less than 10 kg of SNM of low strategic significance in understanding the intent and implementing the requirements of paragraphs 73.67(a), 73.67(f), and 73.67(g) of 10 CFR Part 73.


REGULATORY GUIDE 5.60 TITLE: Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material in Transit PUBLICATION DATE: April 1980 ABSTRACT: A predetermined plan to respond to safeguards contingency events is required to be prepared, based on personnel and other physical protection resources described in the Physical Protection Plan for strategic special nuclear material (SSNM) in transit. Specific requirements for the contingency plan are provided in Appendix C, Licensee Safeguards Contingency Plans, to 10 CFR Part 73. Regulatory Guide 5.56, Standard Format and Content of Safeguards Contingency Plans for Transportation, provides guidance for the preparation of transportation contingency plans. Licensee is reminded that all three submissions-the Physical Protection Plan, the Physical Protection Arrangements for Specific Shipments, and the Safeguards Contingency Plan-together describe the system for physical protection of each particular shipment. They should be developed and maintained to be completely consistent with each other for each shipment.

REGULATORY GUIDE 5.61 TITLE: Intent and Scope of the Physical Protection Upgrade Rule Requirements for Fixed Sites PUBLICATION DATE: June 1980 ABSTRACT: This guide is intended to give the reader a broad overview of the structure of the Physical Protection Upgrade Rule as it applies to fixed sites and the purpose of its major provisions. A review of the threat statement is included. The Physical Protection Upgrade Rule is structured in three distinct levels; two are essentially performance oriented and the third, a reference physical protection system, is specification oriented.

REGULATORY GUIDE 5.62, Rev. 1 TITLE: Reporting of Physical Security Events PUBLICATION DATE: February 1981 ABSTRACT: This guide discusses whether an event should be reported and the time frame during which the event should be reported and suggests a format that could be used for reporting the event.

REGULATORY GUIDE 5.63 TITLE: Physical Protection for Transient Shipments PUBLICATION DATE: 1983 ABSTRACT: This guide describes measures that can be taken by the licensee to provide the physical protection for scheduled and unscheduled transient shipments required by 10 CFR Part 70.

REGULATORY GUIDE 5.65 TITLE: Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls PUBLICATION DATE: September 1986 ABSTRACT: This guide presents approaches for implementing amendments designed to foster plant safety while maintaining adequate safeguards.


REGULATORY GUIDE 5.6~

TITLE: Access Authorization Program for Nuclear Power Plants

PUBLICATION DATE: June 1991

ABSTRACT: This guide provides an approach for granting unescorted access to protected and vital areas of a nuclear power plant.

REGULATORY GUIDE 5.68 TITLE: Protection Against Malevolent Use of Vehicles at Nuclear Power Plants PUBLICATION DATE: August 1994 ABSTRACT: This guide provides information regarding different vehicle barriers that can be employed to protect against vehicle attacks. This guide can be used by licensees in conjunction with separate Safeguards Information that has already been provided to affected licensees, but is not available to the general public.

4.2 NUREG Publications

NUREG-0144 TITLE: Summary Report of Workshop on Sabotage Protection in Nuclear Power Plant Design PUBLICATION DATE: February 1977 ABSTRACT: During the Summer of 1976, Sandia Laboratories hosted a workshop on Sabotage Protection in Nuclear Power Plant Design in which 11 consultants from the nuclear power industry participated. The objective of the workshop was to identify practicable design measures which could be employed in future nuclear power plants to provide increased protection against sabotage. The report summarizes the conclusions and recommendations of the workshop.

NUREG-0178 TITLE: Basic Considerations for Assembling a Closed-Circuit Television System PUBLICATION DATE: May 1977 ABSTRACT: The report presents to the potential user of a closed-circuit television (CCTV) system pertinent information that will be useful in assembling, operating and maintaining the optimum CCTV system.

NUREG-0184 TITLE: User's Guide for Evaluating Physical Security Capabilities of Nuclear Facilities by the EASI Method PUBLICATION DATE: June 1977 ABSTRACT: This handbook is a guide for evaluating physical security of nuclear facilities using the "Estimate of Adversary Sequence Interruption (EASI)" method and a hand-held programmable calculator. The handbook is intended for use by personnel at facilities where special nuclear materials are used, processed, or stored. It may also be used as a design aid for such facilities by potential licensees.

NUREG-0194 TITLE: Calculations of Radiological Consequences from Sabotage of Shipping Casks for Spent Fuel and High-Level Wastes PUBLICATION DATE: February 1977 ABSTRACT: Radiological consequences of a hypothetical sabotage event which causes a release of radioactive material from a spent fuel cask and a high level waste cask are calculated. The release fractions of volatile fission products in the spent fuel and the solid fission products in both the spent fuel and high level waste are treated as parameters. Assuming a largest credible solids release fraction of one percent, the numbers of health effects are shown to be small and on the same order of magnitude for both spent fuel and high level waste.

NUREG-0219 TITLE: Nuclear Security Personnel for Power Plants. Content and Review Procedures for a Security Training and Qualification Program PUBLICATION DATE: June 1978 ABSTRACT: This document gives guidance on the preparation of training and qualification plan by which guard, watchman, armed response persons and other members of the security organization will be selected, trained, equipped and qualified and contains three parts: (1) an introduction to and brief explanation of job analysis and performance objectives; (2) a statement of the information that should be submitted in response to the requirements and the NRR review procedures; and (3) a sample qualification submittal.

NUREG-0271 TITLE: Physical Protection Equipment Study. Final Report PUBLICATION DATE: June 1977 ABSTRACT: This report summarizes the work performed by MITRE for NRC. The major products of this effort are a Catalog of Physical Protection Equipment, a Guide for Evaluation of Physical Protection Equipment, a book of Reference Materials, and a set of guidelines for use in the development of a methodology for measuring levels of security system effectiveness. A summary of recommendations resulting from this study is also presented.

NUREG-0272 TITLE: Cross-Reference Index for Equipment Catalog and Evaluation Guide PUBLICATION DATE: June 1977 ABSTRACT: MITRE has prepared for NRC a Catalog of Physical Protection Equipment and a Guide for Evaluation of Physical Protection Equipment. The information contained in the volume includes reference material for both documents: a cross-reference index by manufacturer, a cross-reference index by equipment category, a list of manufacturers and a glossary of abbreviations and terms.

NUREG-0273 TITLE: Guide for the Evaluation of Physical Protection Equipment. Book 1: Volumes I-III PUBLICATION DATE: June 1977 ABSTRACT: A guide for evaluating the performance of commercially available physical protection equipment. Separate evaluation procedures are provided for each generic type of equipment contained in the companion document, Catalog of Physical Protection Equipment. Among the equipment parameters evaluated, as appropriate, are sensitivity, area/volume of coverage, false/nuisance alarm rate, resistance to countermeasures, environmental requirements, installation parameters and maintenance. Four evaluation techniques are employed (inspections, analyses, demonstrations and tests); standard test equipment (both commercially available as well as developmental) to be used in the evaluation are listed.


NUREG-0274, Vol. 1, Bk. 1 TITLE: Catalog of Physical Protection Equipment. Book 1: Volume I. Barriers and Structural Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment which includes information on barrier structures and equipment, interior and exterior intrusion detection sensors, entry (access) control devices, surveillance and alarm assessment equipment, contraband detection sensors, automated response equipment, general purpose displays and general purpose communications, with one volume devoted to each of these eight areas. For each item of equipment the information included consists of performance, physical, cost and supply/logistics data. This volume covers barriers and structural components.

NUREG-0274, Vol. 2, Bk. 1 TITLE: Catalog of Physical Protection Equipment. Book 1: Volume II. Intrusion Detection Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers acoustic components, microwave/radar components, electro-optic barriers, ferrous metal detection components, electric field components, orientation components, proximity detection components, vibration detection components, seismic components, pressure mats, pressure-sensitive components, continuity components, electrical/magnetic switches, fire detection components, and mechanical contact switches.

NUREG-0274, Vol. 3, Bk. 2 TITLE: Catalog of Physical Protection Equipment. Book 2: Volume III. Energy Control Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers code combination locks, card locks, code combination and card locks, card systems, and personal characteristics verification systems.

NUREG-0274, Vol. 4, Bk. 2 TITLE: Catalog of Physical Protection Equipment. Book 2: Volume IV. Surveillance and Alarm Assessment Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. Components covered by this volume are thermal imaging systems, video camera equipment, video monitors and video tape recorders.

NUREG-0274, Vol. 5, Bk. 2 TITLE: Catalog of Physical Protection Equipment. Book 2: Volume V. Contraband Detection Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers contraband detection components.


NUREG-0274, Vol. 6, Bk. 3 TITLE: Catalog of Physical Protection Equipment. Book 3: Volume VI. Automated Response Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers automated response components.

NUREG-0274, Vol. 7, Bk.3 TITLE: Catalog of Physical Protection Equipment. Book 3: Volume VII. General Purpose Display Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers general purpose display components.

NUREG-0274, Vol. 8, Bk. 3 TITLE: Catalog of Physical Protection Equipment. Book 3: Volume VIII. General Purpose Communication Components PUBLICATION DATE: June 1977 ABSTRACT: A catalog of commercially available physical protection equipment. This volume covers alarm signaling systems and portable voice communications (UHF and VHF).

NUREG-0320 TITLE: Interior Intrusion Alarm Systems PUBLICATION DATE: January 1978 ABSTRACT: A licensee is required to design a physical protection system that will safeguard special nuclear material. An integral part of any physical protection system is the interior intrusion alarm system. The purpose of this report is to provide the potential user of an interior intrusion alarm system with information on the various types, components, and performance capabilities available so that he can design and install the optimum alarm system for his particular environment. In addition, maintenance and testing procedures are discussed and recommended which, if followed, will help the user obtain the optimum results.

NUREG-0459 TITLE: Generic Adversary Characteristics: Summary Report PUBLICATION DATE: July 1978 ABSTRACT: This study analyzes adversary characteristics and the conclusions that can be drawn by the nature of threat.

NUREG-0464 TITLE: Site Security Personnel Training Manuals, Vols. I-IV PUBLICATION DATE: October 1978 ABSTRACT: These training manuals provide guidance to assist licensees in the development of security personnel training and qualifications programs. The information contained in the manual typifies the level and scope of training for personnel to perform security related tasks and job duties associated with the protection of nuclear fuel cycle facilities and nuclear power reactors.


NUREG-0465, Vol. 1 TITLE: Transportation Security Personnel Training Manual PUBLICATION DATE: November 1978 ABSTRACT: Objective of this manual is to train security personnel to protect special nuclear materials and nuclear facilities against theft and sabotage. This volume contains the introduction and rationale.

NUREG-0465, Vol. 2, Pt. A TITLE: Transportation Security Personnel Training Manual PUBLICATION DATE: November 1978 ABSTRACT: Objective of this manual is to train security personnel to protect special nuclear materials and nuclear facilities against theft and sabotage. This volume is the instructor's guide, covering physical exercise, terrorism, field search and restraint, criminal procedures, introduction to criminal law, offenses against property, rules of conduct, use of force, firearms qualification, self defense, arrest authority, civil liability, report writing, stress/tactics, and situational training scenarios.

NUREG-0465, Vol. 2, Pt. B TITLE: Transportation Security Personnel Training Manual PUBLICATION DATE: November 1978 ABSTRACT: Objective of this manual is to train security personnel to protect special nuclear materials and nuclear facilities against theft and sabotage. This volume is the instructor's manual for the training of SNM guards. Covered are: self-defense, arrest authority, civil liability, report writing, stress, tactics, and situational training scenarios.

NUREG-0465, Vol. 3 TITLE: Transportation Security Personnel Training Manual PUBLICATION DATE: November 1978 ABSTRACT: Objective of this manual is to train security personnel to protect special nuclear materials and nuclear facilities against theft and sabotage. This volume contains the student guide. It contains the introduction to the course, terrorism, field search and restraints, criminal procedures, introduction to criminal law, offenses against persons and property, rules of conduct, use of force, firearms qualification course, self defense, arrest authority, civil liability, report writing, stress, and tactics.

NUREG-0506 TITLE: Introduction and User's Information for the Fixed Site Physical Protection Upgrade Rule Guidance Compendium PUBLICATION DATE: June 1980 ABSTRACT: Licensees at fixed sites who possess, use, process, or handle strategic special nuclear material are required to design a physical security system to protect this material. This report suggests an orderly process for using guidance, with special emphasis on two regulatory guides and two NUREG series documents that comprise a compendium, to aid in the design of a physical protection system that meets the requirements of the final Physical Protection Upgrade Rule. The rule was published November 28, 1979 (44 FR 68184), and became effective March 25, 1980.


NUREG-0508 TITLE: Design Methodology for the Physical Protection Upgrade Rule Requirements for Fixed Sites. Technical Report PUBLICATION DATE: June 1980 ABSTRACT: This Design Methodology document aids the licensee in understanding how the fixed site requirements of the Physical Protection Upgrade Rule affect the design of physical protection systems for fuel processing plants, fuel manufacturing plants, or other fixed site special nuclear material operations involving possession or use of formula quantities of strategic special nuclear material. The document consists of three major elements: Logic Trees, Safeguards Jobs and Component Matrices, and Effectiveness Test Questionnaires.

NUREG-0525 TITLE: Safeguards Summary Event List, Vols. I & II PUBLICATION DATE: July 1997 ABSTRACT: The Safeguards Summary Event List (SSEL) provides brief summaries of safeguards-related events involving nuclear material or facilities reported to the NRC.

NUREG-0561 TITLE: Physical Protection of Shipments of Irradiated Reactor Fuel. Interim Guidance. Regulatory Report PUBLICATION DATE: June 1980 ABSTRACT: This report discusses the amended regulations and provides a basis on which licensees can develop an acceptable interim program for the protection of spent fuel shipments.

NUREG-0576 TITLE: Nuclear Power Reactor Security Personnel Training and Qualification Plan Reviewer Workbook PUBLICATION DATE: June 1979 ABSTRACT: This workbook has been developed to provide the information required for evaluating the adequacy of the Training and Qualification Plans developed to meet the requirements of 10 CFR 73.55(b)(4) and 10 CFR 73, Appendix B.

NUREG-0703 TITLE: Potential Threat to Licensed Nuclear Activities from Insiders (Insider Study). Technical Report PUBLICATION DATE: July 1980 ABSTRACT: The Insider Study was undertaken by NRC staff at the request of the Commission. Its objectives were to: (1) determine the characteristics of potential insider adversaries to licensed nuclear activities; (2) examine security system vulnerabilities to insider adversaries; and (3) assess the effectiveness of techniques used to detect or prevent insider malevolence. The study analyzes insider characteristics as revealed in incidents of theft or sabotage that occurred in the nuclear industry, analogous industries, government agencies, and the military. In addition to case history information, the study contains data derived from non-NRC studies and from interviews with over 100 security experts in industry, government (federal and state), and law enforcement.


NUREG-0721 TITLE: Acceptance Criteria for the Physical Protection Upgrade Rule Requirements for Fixed Sites. Information Guide PUBLICATION DATE: September 1980 ABSTRACT: This document has been developed as a tool to assist in providing consistent evaluation of upgraded physical security plans submitted in response to the Physical Protection Upgrade Rule. It presents a means for assuring licensee compliance with every regulatory requirement of particular significance to the protection of the public health and safety. Acceptance criteria are included to determine the extent to which each licensee meets the regulatory requirements.


NUREG-0725, Rev. 1:5 TITLE: Public Information Circular for Shipments of Irradiated Reactor Fuel. PUBLICATION DATE: June 1985 ABSTRACT: This circular has been prepared in response to numerous requests for information regarding routes used for the shipment of irradiated reactor (spent) fuel subject to regulation by NRC and to meet the requirements of Public Law 96-295. NRC staff must approve such routes prior to their first use in accordance with the regulatory provisions of Section 73.37 of 10 CFR Part 73. The information included reflects NRC staff knowledge as of June 1, 1985. Spent fuel shipment routes, primarily for road transportation, but also including one rail route, are indicated on reproductions of DOT road maps. Also included are the amounts of material shipped

safeguards regulations for spent fuel shipments have been effective.

NUREG-0768 TITLE: People-Related Problems Affecting Security in the Licensed Nuclear Industry. Technical Report PUBLICATION DATE: March 1981 ABSTRACT: The report discusses people-related problems in security forces at nuclear power reactors and nuclear fuel fabrication facilities regulated by NRC. Security personnel issues are discussed under headings of corporate attitude toward security, security force management and organization, security officer selection and training, security force morale and security equipment. Problems are also discussed from the point of view of the government regulator, and possible changes in NRC policies, procedures and regulatory requirements (including ideas about possible federal licensing or certification of nuclear security personnel) are outlined. The report also includes appendices concerning the statistical basis for the report's conclusions, a behavioral reliability program for the nuclear industry and synopses of some existing licensing and certification programs.

NUREG-0794 TITLE: Protection of Unclassified Safeguards Information Criteria and Guidance PUBLICATION DATE: October 1981 ABSTRACT: The document was prepared to assist licensees and other persons who possess unclassified safeguards information in establishing an information protection system that satisfies the requirements of 10 CFR 73.21. Section 73.21 was issued by NRC in response to the

Information.


NUREG-0907 TITLE: Acceptance Criteria for Determining Armed Response Force Size at Nuclear Power Plants PUBLICATION DATE: February 1983 ABSTRACT: This document contains acceptance criteria for determining the adequacy of the armed response force size at a nuclear power reactor facility.

NUREG-0908 TITLE: Acceptance Criteria for the Evaluation of Nuclear Power Reactor Security Plans PUBLICATION DATE: August 1982 ABSTRACT: This document contains acceptance criteria for evaluating the acceptability of nuclear power reactor security programs as detailed in security plans.

NUREG-0992 TITLE: Report of the Committee to Review Safeguards Requirements at Power Reactors PUBLICATION DATE: May 1983 ABSTRACT: The NRC's Executive Director for Operations appointed a five-member Committee to review NRC security requirements at nuclear power plants with a view toward evaluating the impact of these requirements on operational safety. Overall, the Committee did not identify any clear operational safety problems associated with implementation of the NRC's security requirements. However, they did find that the potential existed, to varying degrees, at licensed facilities. The Committee's report contains five basic findings and a number of associated recommendations intended to minimize the potential impact of security on safety.

NUREG-1045 TITLE: Guidance on the Application of Compensatory Safeguards Measures for Power Reactor Licensees PUBLICATION DATE: January 1984 ABSTRACT: The report provides criteria for determining the acceptability of compensatory safeguards measures.

NUREG-1178 TITLE: Vital Equipment/Area Guidelines Study: Vital Area Committee Report: Final Report PUBLICATION DATE: February 1988 ABSTRACT: A study was conducted by the staff to (1) re-evaluate the guidelines and bases used to determine what are the vital equipment and areas to be protected against radiological sabotage in nuclear power plants and (2) to recommend revised guidance. On the basis of this study, the staff has recommended a revised vital equipment/area protection philosophy: to protect as vital the reactor coolant pressure boundary and one train of equipment that would provide the capability to achieve and maintain hot shutdown. To implement this overall protection philosophy, the staff also has recommended new analysis assumptions or guidelines to identify the specific equipment and areas in each plant that require protection as "vital".

NUREG-1304 TITLE: Reporting of Safeguards Events PUBLICATION DATE: February 1988 ABSTRACT: This report contains answers to questions discussed at a NRC workshop held September 14, 1987 on reporting requirements for safeguards events.

NUREG-1328 TITLE: Use of Perimeter Alarms at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material PUBLICATION DATE: December 1988 ABSTRACT: This document presents information on installation, system objectives, maintenance, and testing of perimeter intrusion detection systems that could be used at fuel fabrication facilities using or possessing formula quantities of strategic special nuclear material.

PUBLICATION DATE: December 1988 ABSTRACT: This document presents information on entry/exit control at fuel fabrication facilities using or possessing formula quantities of strategic special nuclear material. It describes NRC requirements and methods for conducting personnel, package, and vehicle searches at these facilities. Testing methods for determining the detection capability of firearms, explosives, and metal detectors are provided.

NUREG-1330 TITLE: Personnel and Vehicle Barriers at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material PUBLICATION DATE: December 1988 ABSTRACT: This document provides information on the use and availability of barriers designed to deny unauthorized personnel and vehicle entry to fuel fabrication facilities using or possessing formula quantities of strategic special nuclear material.

NUREG-1354 TITLE: Fitness for Duty in the Nuclear Power Industry: Responses to Public Comments PUBLICATION DATE: May 1989 ABSTRACT: NRC published for public comment a proposed rule concerning the fitness for duty of commercial nuclear power plant workers. The proposed rule focused on methods for controlling the use of substances that may affect the trustworthiness and performance of workers. It provides for chemical testing, behavioral observation, employee awareness and education, and employee assistance programs as means for assuring fitness for duty. This report summarizes the comments received on the proposed rule and provides the staff resolutions of the issues raised by the comments.

NUREG-1385 TITLE: Fitness for Duty in the Nuclear Power Industry: Responses to Implementation Questions PUBLICATION DATE: October 1989 ABSTRACT: NRC published a rule concerning fitness for duty of commercial nuclear power plant workers. This report responds to questions raised concerning the implementation of the rule during the Edison Electric Institute's Fitness-for-Duty Rule Implementation Workshop. It also responds to questions raised by licensees with the staff outside the workshop.

NUREG-1404 TITLE: Licensee Use of Tactical Exercise Results PUBLICATION DATE: April 1990 ABSTRACT: On November 10, 1988 NRC amended its physical security requirements in 10 CFR Part 73 for fuel facilities possessing formula quantities of strategic special nuclear material. The amendments to 10 CFR 73.46(b) require, among other things, that licensees carry out performance evaluations through tactical response exercises. This document sets forth criteria which will enable a licensee to use the results of a tactical response exercise to determine whether additional training or security improvements are needed. The exercises are intended to demonstrate the guard force state of readiness and to test the effectiveness of delay mechanisms, alarm and communication systems, response times, deployment of response forces, firing skills (simulated), tactical maneuvers, etc.

NUREG-1456 TITLE: An Alternative Format for Category I Fuel Cycle Facility Physical Protection Plans PUBLICATION DATE: June 1992 ABSTRACT: This document provides an alternative format for physical protection plans required for licensees who are authorized to use or possess a formula quantity of strategic special nuclear material. The format described is an alternative to that found under Regulatory Guide 5.52, Rev. 2, Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material at Fixed Sites (Other than Nuclear Power Plants).

NUREG-1485 TITLE: Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on February 7, 1993 PUBLICATION DATE: April 1993 ABSTRACT: On February 7, 1993, there was a vehicle intrusion into the protected area of Three Mile Island Nuclear Generating Station, Unit 1 (TMI-1). This report describes the event and the response to the event, evaluated the regulatory requirements, and presented the findings and conclusions of an NRC incident investigation team.

NUREG-1497 TITLE: Interim Licensing Criteria for Physical Protection of Certain Storage of Spent Fuel PUBLICATION DATE: November 1994 ABSTRACT: This document presents interim criteria to be used in the physical protection licensing of certain spent fuel storage installations. Installations that will be reviewed under this criteria are those that store power reactor spent fuel at decommissioned power reactor sites; independent spent fuel storage installations located outside of the owner controlled area of operating nuclear power reactors; monitored retrievable storage installations owned by the Department of Energy, designed and constructed specifically for the storage of spent fuel; the proposed geologic repository operations area; or permanently shutdown power reactors still holding a Part 50 license. This criteria applies to both dry cask and pool storage. However, the criteria in this document does not apply to the storage of spent fuel within the owner-controlled area of operating nuclear power reactors.


NUREG-1504 TITLE: Review Criteria for the Physical Fitness Training Requirements in 10 CFR Part 73 PUBLICATION DATE: September 1994 ABSTRACT: This document provides review criteria for physical fitness requirements in 10 CFR Part 73.

TITLE: Standard Review Plan for Physical Protection Plans for the Independent Storage of Spent Fuel and High-Level Radioactive Waste PUBLICATION DATE: June 1998 ABSTRACT: This document is a standard review plan (SRP) for evaluating plans for the protection of spent fuel and high-level radioactive wastes stored at (1) independent spent fuel storage installations, (2) monitored-retrievable storage installations, and (3) the geologic repository operations area. Conducting a review according to an SRP ensures that license applicants address every pertinent NRC requirement in their NRC-approved physical protection plans and ensures consistency and comprehensiveness in the NRC review of the plans. The information presented here takes a new matrix or "modular" format to streamline the information and facilitate its use.
4.3 NUREG/CR Publications

NUREG/CR-0027 TITLE: Capability for Intrusion Detection at Nuclear Fuel Sites PUBLICATION DATE: March 1978 ABSTRACT: This document describes a safeguards vulnerability assessment that was conducted at three separate licensed nuclear processing facilities. Emphasis was placed on (1) performance of the total intrusion detection system; and (2) vulnerability of the system to compromise by insiders.
NUREG/CR-0040 TITLE: Evaluation of Cost Estimates of Physical Security Systems for Recycled Nuclear Fuel PUBLICATION DATE: January 1978 ABSTRACT: This report is an evaluation of the cost estimates and underlying economic assumptions of physical security systems described in the Draft Safeguards Supplement to the Generic Environmental Statement on the Use of Mixed Oxide Fuel in Light Water Cooled Reactors.

NUREG/CR-0099 TITLE: Evaluation of Road-Transit Physical Protection Systems PUBLICATION DATE: May 1978 ABSTRACT: To assess the overall effectiveness of a transportation physical protection system, computer codes which simulate armed attacks have been developed and are being used to examine a range of issues associated with road transportation systems. This document discusses the purpose and features of three of these codes, SOURCE (which simulates the initial ambush), SABRES I (which covers the battle) and BARS (which treats the penetration of protective cargo barriers).

NUREG/CR-0101 TITLE: Physical Protection Systems PUBLICATION DATE: May 1978 ABSTRACT: In order to gain insight into the various parts of the transportation physical protection system, a tactical board game, AMBUSH, was developed. The paper discusses the purpose and features of AMBUSH. AMBUSH can be used to help provide insight into the value of additional vehicles, guards, cargo barriers, equipment and alternative tactics. One value of using AMBUSH comes from the player participation in the events that take place. The tasks that are executed at any game turn are based on a human interpretation of the current overall situation and on which strategies appear to optimize the chance of success. Thus, this game may also be valuable as a training device for the transportation guard force. An advantage over computer-based combat simulation models is that AMBUSH is easily transportable and relatively inexpensive.

NUREG/CR-0181 TITLE: Barrier Penetration Database PUBLICATION DATE:

ABSTRACT: The document provides basic data on the times required to penetrate forcibly the types of barriers commonly found in nuclear power plants. These times are useful for design and evaluation of the physical protection system required under 10 CFR 73.55. The source of the time listed is given for each barrier, and a complete list of the references used is included.

NUREG/CR-0364 TITLE: Simulating Barrier Penetration During Combat. Technical Report PUBLICATION DATE: April 1980 ABSTRACT: This document describes a computer program, BARS, that simulates combat between an adversary group attempting to hijack special nuclear material and escort personnel attempting to protect it. BARS is designed to investigate how various combat strategies and levels of performance affect the time required to penetrate barriers (armor, deterrent systems, etc.) against forcible entry.

NUREG/CR-0484 TITLE: Vehicle Access and Control Planning Document. PUBLICATION DATE: November 1979 ABSTRACT: This document has been prepared as an aid in planning a vehicle access and control system at nuclear fixed site facilities. In this document, various threats have been postulated and countermeasures proposed. Although many of the threats and countermeasures may exceed those presented in Title 10, Code of Federal Regulations (CFR), Part 73, this was done to present an in-depth study of planning options that might apply to each nuclear fixed site facility.

NUREG/CR-0485 TITLE: Vehicle Access and Search Training Manual. PUBLICATION DATE: November 1979 ABSTRACT: This manual is intended to assist NRC-licensed organizations and their security personnel in developing vehicle access, control and search operations necessary at nuclear fuel cycle facilities and at reactor facilities. The manual includes lesson plans in (1) controlling vehicle entry and exit, (2) searching for contraband, and (3) protecting the facility from sabotage and/or theft of special nuclear materials.

NUREG/CR-0508 TITLE: Security Communication Systems for Nuclear Fixed Site Facilities. Technical Report PUBLICATION DATE: July 1980 ABSTRACT: This report presents basic communication techniques and factors relevant to designing communication systems for nuclear fixed site facility security systems. The reader is provided communication fundamentals, design considerations, and specification techniques.

NUREG/CR-0509 TITLE: Emergency Power Supplies for Physical Security Systems PUBLICATION DATE: November 1979 ABSTRACT: This report includes information that will be useful to those responsible for the planning, design, and implementation of emergency electric power systems for physical security and special nuclear materials accountability systems. Basic information concerning different types of emergency power supply systems is presented.

NUREG/CR-0510 TITLE: Duress Alarms for Nuclear Fixed-Site Facilities PUBLICATION DATE: September 1979 ABSTRACT: This report on duress alarm systems for fixed-site nuclear facilities contains information that will be useful to those responsible for the planning, design, and implementation of duress alarm systems. Basic system concepts, requirements, designs, and implementations are discussed.

TITLE: Safeguards Against Insider Collusion: Guide on the Design of Work Rules for Safeguarding Against the Employee Collusion Threat at Nuclear Fuel Facilities PUBLICATION DATE: October 1979 ABSTRACT: Guidance is presented for the development of work rules that will assist in protecting nuclear fuel facilities against the threat of employee collusion. Evaluation criteria for safeguards performance against this threat are discussed. Five types of work rules are presented: area zoning, function zoning, team zoning, time zoning and operation zoning. The strengths and weaknesses of each are discussed and examples are given.

NUREG/CR-0543 TITLE: Central Alarm Station and Secondary Alarm Station Planning Document PUBLICATION DATE: June 1980 ABSTRACT: This report documents planning guidance for Central Alarm Station (CAS) and Secondary Alarm Station (SAS). It provides basic considerations for CAS and SAS siting, construction planning, intrusion detection systems, communications, operation considerations, miscellaneous equipment and information control.

TITLE: Programmer's Manual for TRNSM 2 PUBLICATION DATE: September 1979 ABSTRACT: The TRNSM 2 computer program has been developed to analyze the effects of various factors on the size, composition and efficiency of the transportation system. This model includes all the major features of a transportation network, including the shipment schedule, different transportation modes, requirements for security escort vehicles, different maintenance requirements for trucks and escort vehicles, personnel assignment policies, and provisions for convoying trucks and escort vehicles. Based on a shipment schedule, maintenance rules, work rules, vehicle carrying capacities and the types of transport unit elements, TRNSM 2 provides the fleet sizes and the detailed itineraries of the transport unit elements required to handle the shipments in the shipment schedule. This programmer's manual provides details on the TRNSM 2 computer program.

NUREG/CR-0923 TITLE: Sensitivity Studies Using the TRNSM 2 Computerized Model for the NRC Physical Protection Project. Final Report PUBLICATION DATE: August 1979 ABSTRACT: This report presents the results of a series of sensitivity studies performed using this model. These studies include the effects of the itinerary optimization criteria, work rules, and maintenance policies. These results demonstrate the effectiveness and versatility of the model for investigating the effects of a wide variety of physical and regulatory factors on the transportation fleet.

NUREG/CR-1166 TITLE: COPS Model Estimates of LLEA Availability Near Selected Reactor Sites PUBLICATION DATE: November 1979 ABSTRACT: The COPS computer model can be used to estimate local law enforcement agency (LLEA) officer availability in the neighborhood of selected nuclear reactor sites. The results of these analyses are presented both in graphic and tabular form in this report.

NUREG/CR-1169, ES TITLE: Safeguard Vulnerability Analysis Program (SVAP). Executive Summary PUBLICATION DATE: December 1979 ABSTRACT: This document summarizes the steps involved in making a Safeguard Vulnerability Analysis Program (SVAP) application to a nuclear facility.

NUREG/CR-1169, Vol. 2 TITLE: Safeguard Vulnerability Analysis Program. Data-Gathering Handbook. Volume 2 PUBLICATION DATE: January 1980 ABSTRACT: The purpose of this volume is to provide the safeguards analyst with prototypes of the forms used in a SVAP analysis. The function of each of the forms is fully described in the SVAP Data-Gathering Handbook, Volume I.

NUREG/CR-1169, Vol. 3 TITLE: Safeguard Vulnerability Analysis Program. User's Manual. Volume 3 PUBLICATION DATE: October 1979 ABSTRACT: The operation and use of the Safeguards Vulnerability Analysis Program (SVAP) Input/Output programming written for a Tektronix 4050 series computer is described. The programming consists of the Facility Description Program and its continuation, the Accounting System Program, plus several service routines.

NUREG/CR-1226 TITLE: POST: A Subroutine for Path Ordering of Sabotage Targets PUBLICATION DATE: February 1980 ABSTRACT: POST is a subroutine which a safeguards analyst may use to find multiple-target sabotage paths through a fixed-site facility.

NUREG/CR-1233, Vols. I-IV TITLE: Structured Assessment Approach, Version 1 PUBLICATION DATE: October 1979 ABSTRACT: These documents describe a Structured Assessment Approach (SAA), which was developed for the assessment of the effectiveness of material control and accounting (MC&A) safeguards systems at nuclear fuel cycle facilities. This methodology was refined into a computational tool, the SAA Version 1 computational package, and was used to analyze a hypothetical fuel cycle facility and to assess operational nuclear plants. The Version 1 analysis package is designed to analyze safeguards systems that prevent the diversion of SNM from nuclear fuel cycle facilities and to provide assurance that diversion has not occurred.

NUREG/CR-1234 TITLE: Insider Threat to Secure Facilities: Data Analysis PUBLICATION DATE: Ma[illegible] 1980 ABSTRACT: Three data sets drawn from industries that have experienced internal security breaches are analyzed. The industries and the insider security breaches considered are analogous in one or more respects to insider threats potentially confronting managers in the nuclear industry. The three data sets are: bank fraud and embezzlement, computer-related crime, and drug theft from drug manufacturers and distributors. A careful analysis by both descriptive and formal statistical techniques permits certain general conclusions on the internal threat to secure industries to be drawn. These conclusions are discussed and related to the potential insider threat in the nuclear industry.

TITLE: Inspection Methods for Physical Protection Project PUBLICATION DATE: December 1979 ABSTRACT: Physical protection inspections were observed at Millstone, Apollo Facility, North Anna, St. Lucie, and Humboldt Bay. Power reactor inspection modules were produced. Physical protection inspector training methods were examined. Results of the physical protection equipment survey at power and research reactors are tabulated.
-ns of detecting SNM under both controlled and uncontrolled conditions. It discusses the legal requirements and technical limits on detecting small quantities of SNM during smuggling attempts. Assessments are made concerning the type of detectors most desirable and which forms of SNM could logically be spiked to enhance their detectability. Administrative and legal restrictions on portal searches and emergency site responses to SNM losses are comprehensively examined. It also addresses methods for searching, sources of difficulty, and estimates of sensitivity are made. The legal implications of area and perimeter searches are examined with particular regard to problems of search and seizure law.

NUREG/CR-2297 TITLE: Security Management Techniques and Evaluative Checklists for Security Force Effectiveness. Technical Report (final) Sep 80-Jul 81 PUBLICATION DATE: April 1982 ABSTRACT: The report presents a system for evaluating and correcting deficiencies in security-force effectiveness in licensed nuclear facilities. There are four checklists which security managers can use as guidelines for developing their own checklists. The checklists are keyed to corrective-action guides. The report gives background information on the nature of security systems and discussions of various special problems of the licensed nuclear industry.

TITLE: Analyzing Safeguards Alarms and Response Decisions PUBLICATION DATE: September 1982 ABSTRACT: This report describes a quantitative model designed to help the NRC and its licensees evaluate and respond to alarms indicating that special nuclear material (SNM) may be missing. The report demonstrates three principal uses of the AIR Model. The first is determining the most likely cause of an alarm: theft, hoax, or error. Possible responses include conducting investigations, initiating measures to recover stolen SNM, and replying to extortion threats from individuals claiming to possess SNM. For each possible alarm, the model identifies the best response, which can be used to develop contingency plans that the licensee and the NRC can carry out. The third use is to assist the NRC in setting performance standards, especially detection requirements.

NUREG/CR-2472 TITLE: Final Report on Shipping-Cask Sabotage Source-Term Investigation PUBLICATION DATE: October 1982 ABSTRACT: An experimental program sponsored by NRC and Battelle Columbus Laboratories was designed to estimate the source term resulting from a sabotage attack on a spent nuclear fuel shipping cask. A precision shaped charge was fired through a subscale model cask loaded with segments of spent PWR fuel rods and the radioactive material released was analyzed.

NUREG/CR-2546 TITLE: Reactor Safeguards Against Insider Sabotage PUBLICATION DATE: March 1982 ABSTRACT: A conceptual safeguards system is structured to show how both reactor operations and physical protection resources could be integrated to prevent release of radioactive material caused by insider sabotage. Operational recovery capabilities are addressed from the viewpoint of both detection of and response to disabled components. Physical protection capabilities for preventing insider sabotage through the application of work rules are analyzed. Recommendations for further development of safeguards system structures, operational recovery, and sabotage prevention are suggested.

NUREG/CR-2588 TITLE: Security Officer Response Strategies PUBLICATION DATE: March 1982 ABSTRACT: The Security Officer Response Strategies (SECURORS) approach provides a method for deploying security officers within a nuclear power plant subsequent to an adversary intrusion detection. The SECURORS method allocates the available officers on the basis of numerical weights and ranking for each of the nuclear power plant vital areas and barriers.

NUREG/CR-3191 TITLE: Target Assignment for Security Officers to K Targets PUBLICATION DATE: February 1983 ABSTRACT: A probabilistic algorithm is developed to provide an optimal Target Assignment for Security Officers to K targets (TASK) using a maximum criterion. Under the assumption of only a limited number (N) of security officers, the TASK computer model determines deployment assignments which maximize the system protection against sabotage by an adversary who may select any link in the system, including the weakest, for the point of attack. Applying the TASK model to a hypothetical nuclear facility containing a nine-level building reveals that aggregate targets covering multiple vital areas should be utilized to reduce the number of possible target assignments to a value equal to or only slightly larger than N. The TASK model determines the optimal maximum deployment strategy for limited numbers of security officers and calculates a quantitative measure of the resulting system protection.

NUREG/CR-3251 TITLE: Role of Security During Safety-Related Emergencies at Nuclear Power Plants PUBLICATION DATE: March 1984 ABSTRACT: This report provides an analysis of the literature and on-site data gathering relating to the actions of security forces at licensed nuclear power plants during safety-related emergencies. Recommendations as to how improvements can be made in the regulatory approach and licensee planning and procedures as they relate to the subject matter are examined. In addition, certain technological problems and issues are examined within the context of the study.


NUREG/CR-3351 TITLE: Security Officer Tactical Training Issues Involving ESS Equipment PUBLICATION DATE: January 1984 ABSTRACT: Security officer tactical training issues are discussed in relation to the possible implementation of the Tactical Improvement Package (TIP), utilizing the Engagement Simulation System (ESS) equipment, by nuclear power plant licensees for security officer tactical training. The ESS equipment provides the capability to simulate engagement conditions between adversaries armed with weapons which have laser transmitters. A brief discussion of the TIP is presented, along with some concerns and considerations in the use of the TIP.

NUREG/CR-4298 TITLE: Design and Installation of Computer Systems to Meet the Requirements of 10 CFR 73.55 PUBLICATION DATE: July 1985 ABSTRACT: The Pacific Northwest Laboratory has studied the design and installation of computer-managed systems that can help nuclear power plant licensees to meet the physical security requirements of 10 CFR 73.55 (for access control, alarm monitoring, and alarm recording). Two objectives were to study the power plant security functions that [illegible] by a computer-managed physical security system and to evaluate the safety and security considerations of such a system. A further objective was to develop guidance on system design, selection, and installation. The design guidance includes safety and security requirements, design alternatives, computer security, work space design, and user interface design. Guidance is also provided on writing a system specification for procurement, bid review procedures, and site preparation.

NUREG/CR-4462 TITLE: Ranking Sabotage/Tampering Avoidance Technology Alternatives PUBLICATION DATE: January 1986 ABSTRACT: Pacific Northwest Laboratory conducted a study to evaluate alternatives to the design and operation of nuclear power plants, emphasizing a reduction of their vulnerability to sabotage. Estimates of core melt accident frequency during normal operations and from sabotage/tampering events were used to rank the alternatives. Core melt frequency for normal operations was estimated using sensitivity analysis of results of probabilistic risk assessments. Core melt frequency for sabotage/tampering was estimated by developing a model based on risk analyses, historic data, engineering judgment, and safeguards analyses of plant locations where core melt events could be initiated. Results indicate the most effective alternatives focus on large areas of the plant, increase safety system redundancy, and reduce reliance on single locations for mitigation of transients. Less effective options focus on specific areas of the plant, reduce reliance on some plant areas for safe shutdown, and focus on less vulnerable targets.

NUREG/CR-4473 TITLE: Study of the Operation and Maintenance of Computer Systems to Meet the Requirements of 10 CFR 73.55 PUBLICATION DATE: January 1986 ABSTRACT: The Pacific Northwest Laboratory has studied the operation and maintenance of computer-managed systems that can help nuclear power plant licensees to meet the physical security requirements of 10 CFR 73.55 (for access control, alarm monitoring, and alarm recording). This report of that study describes a computer system quality assurance program that is based on a system of related internal controls. A discussion of computer system evaluation includes verification and validation mechanisms for assuring that requirements are stated and that the product fulfills these requirements. Finally, the report describes operator and security awareness training and a computer system preventive maintenance program.

NUREG/CR-5081 TITLE: Tactical Exercise Planning Handbook PUBLICATION DATE: April 1989 ABSTRACT: This handbook provides guidance for the development, conduct, evaluation, and critique of security force tactical response exercises. Background information pertinent to the development of the handbook and the intent of rulemaking that revises 10 CFR Part 73 to require tactical response exercises is provided. Step-by-step instructions on exercise development, conduct, evaluation, and critique are furnished to assist licensees in meeting regulatory requirements. Needs and resource requirements estimates are addressed in terms of personnel, staff-hours, equipment, weapons, and ammunition.

NUREG/CR-5172 TITLE: Tactical Training Reference Manual PUBLICATION DATE: April 1989 ABSTRACT: This manual provides training information for NRC licensees to assist in implementation of the Tactical Response Team (TRT) training and exercise requirements of the revised portions of 10 CFR Part 73, which requires that licensees possessing formula quantities of strategic special nuclear material establish TRTs and conduct tactical response exercises to enhance the capabilities of security forces in protecting NRC licensed fuel facilities from potential adversaries postulated in the design basis threat. Step-by-step illustrated instructional material is provided concerning both individual and team tactics and skills appropriate to meeting these requirements. The manual addresses adversary attributes and essential tactical skills that each TRT member should master to assure personal safety and effective response to adversary actions, and discusses more advanced tactics, command, control, and orders.

NUREG/CR-5227, Suppl. 1 TITLE: Fitness for Duty in the Nuclear Power Industry: A Review of Technical Issues PUBLICATION DATE: May 1989 ABSTRACT: This report presents information gathered and analyzed in support of NRC's efforts to develop a rule that will ensure that workers with unescorted access to protected areas of nuclear power plants are fit for duty. This report supplements information previously published in NUREG/CR-5227, Fitness for Duty in the Nuclear Power Industry: A Review of Technical Issues (Barnes et al., 1988). The primary potential fitness-for-duty concern addressed in both of these reports is impairment caused by substance abuse, although other fitness concerns are discussed. This report addresses issues pertaining to workers' use and misuse of alcohol, prescription drugs, and over-the-counter drugs as fitness-for-duty concerns; responds to several questions raised by NRC Commissioners; discusses subversion of the chemical testing process and methods of preventing such subversion, and examines concerns about the urinalysis cutoff levels used when testing for marijuana metabolites, amphetamines, and phencyclidine.


NUREG/CR-5246 TITLE: A Methodology to Assist in Contingency Planning for Protection of Nuclear Power Plants Against Land Vehicle Bombs PUBLICATION DATE: April 1989 ABSTRACT: This report provides a methodology which could be used by operators of licensed nuclear power reactors to address issues related to contingency planning for a land vehicle bomb, should such a threat arise. The methodology presented in this report provides a structured framework for understanding factors to be considered in contingency planning for a land vehicle bomb including: (1) system options available to maintain a safe condition, (2) associated components and equipment, (3) preferred system options for establishing and maintaining a safe shutdown condition, and (4) contingency measures to preserve the preferred system options. Example applications of the methodology for a boiling water reactor and pressurized water reactor are provided along with an example of contingency plan changes necessary for implementation of this methodology, and a discussion of some contingency measures that can be used to limit land vehicle access.

PUBLICATION DATE: September 1991 ABSTRACT: This document contains medical screening information that could be used by physicians who are evaluating the parameters of the safe participation of guards, tactical response team members (TRTs), and all other armed response personnel in physical fitness training and in physical performance standards testing. The information provided will help licensees to determine if guards, TRTs, and other armed response personnel can effectively perform their normal and emergency duties without undue hazard to themselves, to fellow employees, to the plant site, and to the general public. The recommendations are similar in content to the medical standards contained in 10 CFR Part 1046 which, in part, specifies medical standards for the protective force personnel regulated by the Department of Energy.

NUREG/CR-5690 TITLE: Physical Fitness Training Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Materials PUBLICATION DATE: September 1991 ABSTRACT: This is a reference manual which can be used by licensee management as they develop a program plan for the safe participation of guards, tactical response team members (TRTs), and all other armed response personnel in physical fitness training and in physical performance standards testing. The information provided will help licensees to determine if guards, TRTs, and other armed response personnel can effectively perform their normal and emergency duties without undue hazard to themselves, to fellow employees, to the plant site, and to the general public. The recommendations are similar in part to those contained within the Department of Energy (DOE) Medical and Fitness Implementation Guide which was published in March 1991.

NUREG/CR-5721 TITLE: Video Systems for Alarm Assessment PUBLICATION DATE: September 1991 ABSTRACT: This document presents technical information for designing closed-circuit television systems for video alarm assessment. Each of the major components in a video system: camera, lens, lighting, transmission, synchronization, switcher, monitor, and recorder is discussed and information on component selection, procurement, installation, test, and maintenance is provided with considerations for system integration of the components. System emphasis is focused on perimeter intrusion detection and assessment systems.

NUREG/CR-5722 TITLE: Interior Intrusion Detection Systems PUBLICATION DATE: October 1991 ABSTRACT: This document presents technical information for designing interior intrusion detection systems. Interior intrusion sensors are discussed according to their primary application: boundary-penetration detection, volumetric detection, and point protection. Information necessary for implementation of an effective interior intrusion detection system is presented, including principles of operation, performance characteristics and guidelines for design, procurement, installation, testing, and maintenance.

NUREG/CR-5723 TITLE: Security System Signal Supervision PUBLICATION DATE: September 1991 ABSTRACT: This document presents technical information for understanding and applying line supervision techniques to security communication links. A review of security communication links is followed by detailed discussions of link physical protection and DC/AC static supervision and dynamic supervision techniques. Material is also presented on security for atmospheric transmission and video line supervision.

NUREG/CR-5758, Vol. 2 TITLE: Fitness for Duty in the Nuclear Power Industry PUBLICATION DATE: August 1992 ABSTRACT: This report summarizes data from the semi-annual reports on fitness-for-duty programs submitted to the NRC by 52 utilities for two reporting periods: January 1, 1991 to June 30, 1991, and from July 1, 1991, to December 31, 1991. During 1991, licensees reported that they had conducted 262,597 tests for the presence of illegal drugs and alcohol. Of these tests, 1,722 (.66%) were confirmed positive. A comparison of positive test results in 1991 with those found in 1990 found a decrease in the positive test rate for each category of test and worker.

NUREG/CR-5758, Vol. 3 TITLE: Fitness for Duty in the Nuclear Power Industry PUBLICATION DATE: July 1993 ABSTRACT: This report summarizes the data from the semi-annual reports on fitness-for-duty programs submitted to the NRC by 52 utilities for two reporting periods: January 1 through June 30, 1992, and July 1 through December 31, 1992. During 1992, licensees reported that they had conducted 266,551 tests for the presence of illegal drugs and alcohol. Of these tests, 1,818 (.68%) were confirmed positive.

NUREG/CR-5758, Vol. 4 TITLE: Fitness for Duty in the Nuclear Power Industry PUBLICATION DATE: August 1994 ABSTRACT: This report summarizes the data from the semiannual reports on fitness-for-duty programs submitted to the NRC by utilities for two reporting periods: January 1 through June 30, 1993, and July 1 through December 31, 1993. During 1993, licensees reported that they had conducted 242,966 tests for the presence of illegal drugs and alcohol. Of these tests, 1,512 (.62%) were confirmed positive.

NUREG/CR-5758, Vol. 5 TITLE: Fitness for Duty in the Nuclear Power Industry: Annual Summary of Program Performance Reports CY 1994. Volume 5. PUBLICATION DATE: August 1995 ABSTRACT: This report summarizes the data from the semiannual reports on fitness-for-duty programs submitted to the NRC by utilities for two reporting periods: January 1 through June 30, 1994, and July 1 through December 31, 1994. During 1994, licensees reported that they had conducted 163,241 tests for the presence of illegal drugs and alcohol. Of these tests, 1,372 (.84%) were confirmed positive.

NUREG/CR-5758, Vol. 6 TITLE: Fitness for Duty in the Nuclear Power Industry. Annual Summary of Program Performance Reports PUBLICATION DATE: July 1996 ABSTRACT: This report summarizes the data from the semiannual reports on fitness-for-duty programs submitted to the NRC by utilities for two reporting periods: January 1-June 30, 1995, and July 1-December 31, 1995. During 1995, licensees reported that they had conducted 150,121 tests for the presence of illegal drugs and alcohol. Of these tests, 1,476 (.98%) were confirmed positive. The overall positive test rate for 1995 (.98%) was higher than in 1994 (.84%). Several factors had an impact on the positive test rate across test categories for 1994 and 1995 compared to previous years. These factors include the NRC's reduction in the mandatory random testing rate from 100 percent to 50 percent, effective in 1994, and initiatives by licensees such as lowered marijuana screening cutoff levels and reported improvements in licensees' ability to detect subversion of the process.

NUREG/CR-5899 TITLE: Entry/Exit Control Components for Physical Protection Systems PUBLICATION DATE: November 1992 ABSTRACT: This document provides technical information on the major components of entry control systems: identity verifiers, weapons detectors, explosives detectors, and special nuclear material (SNM) detectors. For each type of device, information is presented on principles of operation, hardware features, recommended installation, testing methods, and operational procedures. Applications to personnel, hand carried packages, bulk items, and vehicles are addressed.

NUREG/CR-5929 TITLE: Locking Systems for Physical Protection and Control PUBLICATION DATE: November 1992 ABSTRACT: This document provides technical information for understanding and applying locking systems for physical protection and control. There are major sections on hardware for locks, vaults, safes, and security containers. Other topics include management of lock systems and safety considerations.

NUREG/CR-6149 TITLE: Applications of Fiber Optics in Physical Protection PUBLICATION DATE: March 1994 ABSTRACT: This document provides technical information useful for the development of fiber-optic communications and intrusion detection subsystems relevant to physical protection. There are major sections on fiber-optic technology and applications. Other topics include fiber-optic system components and systems engineering.

NUREG/CR-6190, Vol. 1 TITLE: Protection Against Malevolent Use of Vehicles at Nuclear Power Plants: Vehicle Barrier System Guidance for Blast Protection PUBLICATION DATE: December 1994 ABSTRACT: This manual provides guidance for determining the minimum safe standoff distance between vital safety related equipment and the design basis vehicle bomb threat adopted by NRC. Vital safety related equipment should survive the design basis vehicle bomb attack when the minimum safe standoff distance is provided. Guidance is provided for exposed vital safety related equipment and for equipment housed within vital area barriers.

NUREG/CR-6190, Vol. 2 TITLE: Protection Against Malevolent Use of Vehicles at Nuclear Power Plants PUBLICATION DATE: December 1994 ABSTRACT: This manual provides a simplified procedure for selecting land vehicle barriers that will stop the design basis vehicle threat adopted by NRC. Proper selection and construction of vehicle barriers should prevent intrusion of the design basis vehicle. In addition, vital safety related equipment should survive a design basis vehicle bomb attack when vehicle barriers are properly selected, sited, and constructed. This manual addresses passive vehicle barriers, active vehicle barriers, and site design features that can be used to reduce vehicle impact velocity.

4.4 NUREG/CP Publications

NUREG/CP-0107 TITLE: Security Training Symposium PUBLICATION DATE: September 1990 ABSTRACT: These conference proceedings have been prepared in support of NRC's Security Training Symposium on "Meeting the Challenge-Firearms and Explosives Recognition and Detection," November 28 through 30, 1989, in Bethesda, Maryland. This document contains the edited transcripts of the guest speakers, some of the speakers' formal papers, and some of the slides that were shown at the symposium.

5 CHRONOLOGICAL LIST

This section lists the documents included in this report in chronological order by publication date within each document type. As evidenced by the list, some of the documents may be outdated and not describe current NRC practice or policies. These older documents are included for completeness and because they may be useful from a historical perspective. This list also will facilitate the determination of where resources can best be expended in maintaining the NRC system of physical protection guidance up-to-date and current.

5.1 Regulatory Guides

1973 R.G. 5.12 General Use of Locks in the Protection and Control of Facilities and

1974 R.G. 5.17 Truck Identification Markings, January 1974.

R.G. 5.20 Training, Equipping, and Qualifying of Guards and Watchmen, January 1974.

R.G. 5.27 Special Nuclear Material Doorway Monitors, June 1974.

1975 R.G. 5.43 Plant Security Force Duties, January 1975.

R.G. 5.31 Specially Designed Vehicle with Armed Guards for Road Shipments of Special Nuclear Material, Rev. 1, April 1975.

R.G. 5.32 Communication with Transport Vehicles, Rev. 1, May 1975.

1976 None published

1977 None published

1978 R.G. 5.54 Standard Format and Content of Safeguards Contingency Plans for Nuclear Plants, March 1978.

R.G. 5.55 Standard Format and Content Guide for Safeguards Contingency Plans for Fuel Cycle Facilities, March 1978.

R.G. 5.56 Standard Format and Content Guide for Transportation, March 1978.

1979 None published

1980 R.G. 5.60 Standard Format and Content Guide of a Licensee Physical Protection

R.G. 5.7 Entry/Exit Control for Protected Areas, Vital Areas, and Material Access Areas, Rev. 1, May 1980.

R.G. 5.14 Use of Observation (Visual Surveillance) Techniques in Material Access Areas, Rev. 1, May 1980.

R.G. 5.57 Shipping and Receiving Control of Strategic Special Nuclear Material, Rev. 1, June 1980.

R.G. 5.61 Intent and Scope of the Physical Protection Upgrade Rule Requirements for Fixed Sites, June 1980.

1981 None published

1982 R.G. 5.63 Physical Protection for Transient Shipments, July 1982.

1983 R.G. 5.59 Standard Format and Content for Licensee Physical Security Plans for the Protection of Special Nuclear Material of Moderate or Low Strategic Significance, Rev. 1, February 1983.

1984 None published

1985 None published

1986 R.G. 5.65 Vital Area Access Controls, Protection of Physical Security Equipment, and Key and Lock Controls, September 1986.

1987 R.G. 5.62 Reporting of Physical Security Events, Rev. 1, November 1987.

1988 None published

1989 None published

1990 None published

1991 R.G. 5.66 Access Authorization Programs for Nuclear Power Plants, June 1991.

1992 None published

1993 None published

1994 R.G. 5.68 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants, August 1994.

R.G. 5.52 Standard Format and Content of a Licensee Physical Protection Plan for Strategic Special Nuclear Material at Fixed Sites (Other than Nuclear Power Plants), Rev. 3, December 1994.

1995 None published

1996 None published

1997 R.G. 5.15 Security Seals for the Protection and Control of Special Nuclear Material, Rev. 1, March 1997.

R.G. 5.44 Perimeter Intrusion Alarm Systems, Rev. 3, October 1997.

5.2 NUREG Publications

1977 NUREG-0144 Summary Report of Workshop on Sabotage Protection in Nuclear Power Plant Design, February 1977.

NUREG-0194 Calculations of Radiological Consequences from Sabotage of Shipping Casks for Spent Fuel and High Level Waste, February 1977.

NUREG-0178 Basic Considerations for Assembling a Closed Circuit Television System, May 1977.

NUREG-0184 User's Guide for Evaluating Physical Security Capabilities of Nuclear Facilities by the EASI Method, June 1977.

NUREG-0271 Physical Protection Equipment Study: Final Report, June 1977.

NUREG-0272 Cross Reference Index for Equipment Catalog and Evaluation Criteria, June 1977.

NUREG-0273 Guide for the Evaluation of Physical Protection Equipment, Book 1, Vols. I-III.

NUREG-0274 Catalog of Physical Protection Equipment, Book 1, Vol. I: Barriers and Structural Components, Vol. II: Intrusion Detection Components; Book 2, Vol. III: Energy Control Components; Vol. IV: Surveillance and Alarm Assessment Components; Vol. V: Contraband Detection Components; Book 3, Vol. VI: Automated Response Components; Vol. VII: General Purpose Display Components; Vol. VIII: General Purpose Communication Components, June 1977.

1978 NUREG-0320 Interior Intrusion Alarm Systems, January 1978.

NUREG-0219 Nuclear Security Personnel for Power Plants: Content and Review Procedures for a Security Training and Qualification Program, June 1978.

NUREG-0459 Generic Adversary Characteristics: Summary Report, July 1978.

NUREG-0464 Site Security Personnel Training Manual, Vols. 1-4, October 1978.

NUREG-0465 Transportation Security Personnel Training Manual, Vols. 1-3, November 1978.

Safeguards Summary Event List, May & November 1979.

NUREG-0576 Nuclear Power Reactor Security Personnel Training and Qualification Plan Reviewer Workbook, June 1979.

1980 NUREG-0506 Introduction and User's Information for the Fixed Site Physical Protection Upgrade Rule Guidance Compendium, June 1980.

NUREG-0508 Design Methodology for the Physical Protection Upgrade Rule Requirements for Fixed Sites, June 1980.

NUREG-0561 Physical Protection of Shipments of Irradiated Reactor Fuel: Interim Guidance, June 1980.

NUREG-0703 Potential Threat to Licensed Nuclear Activities from Insiders (Insider Study), July 1980.

NUREG-0721 Acceptance Criteria for the Physical Protection Upgrade Rule Requirements for Fixed Sites, September 1980.

NUREG-0525 Safeguards Summary Event List, September & December 1980.

1981 NUREG-0768 People-Related Problems Affecting Security in the Licensed Nuclear Industry, March 1981.

NUREG-0725 Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 1, July 1981.

NUREG-0525 Safeguards Summary Event List, September 1981.

NUREG-0794 Protection of Unclassified Safeguards Information: Criteria and Guidance, October 1981.

1982 NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 2, June 1982.

NUREG-0525 Safeguards Summary Event List, July 1982.

NUREG-0908 Acceptance Criteria for the Evaluation of Power Reactor Security Plans, August 1982.

1983 NUREG-0907 Acceptance Criteria for Determining Armed Response Force Size at Nuclear Power Plants, February 1983.

NUREG-0525 Safeguards Summary Event List, February & August 1983.

NUREG-0992 Report of the Committee to Review Safeguards Requirements at Power Reactors, May 1983.

NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 3, July 1983.

1984 NUREG-1045 Guidance on the Application of Compensatory Safeguards Measures for Power Reactor Licensees, January 1984.

NUREG-0525 Safeguards Summary Event List, March, April & June 1984.

NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Vol. 1, June 1984.

1985 NUREG-0525 Safeguards Summary Event List, May 1985.

NUREG-0725 Public Information Circular for Shipments of Irradiated Reactor Fuel, Rev. 5, June 1985.

1986 NUREG-0525 Safeguards Summary Event List, January 1986.

1987 NUREG-0525 Safeguards Summary Event List, February & July 1987.

1988 NUREG-1178 Vital Equipment/Area Guidelines Study: Vital Area Committee Report, February 1988.

NUREG-1304 Reporting of Safeguards Events, February 1988.

NUREG-0525 Safeguards Summary Event List, July 1988.

NUREG-1328 Use of Perimeter Alarms at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material, December 1988.

NUREG-1329 Entry/Exit Control at Fuel Fabrication Facilities Using or Possessing Formula Quantities of Strategic Special Nuclear Material, December 1988.

1989 NUREG-1354 Fitness for Duty in the Nuclear Power Industry: Responses to Public Comment, May 1989.

NUREG-0525 Safeguards Summary Event List, July 1989.

NUREG-1385 Fitness for Duty in the Nuclear Power Industry: Responses to Implementation Questions, October 1989.

1990 NUREG-1404 Licensee Use of Tactical Exercise Results, April 1990.

NUREG-0525 Safeguards Summary Event List, July 1990.

1991 NUREG-0525 Safeguards Summary Event List, July 1991.

1992 NUREG-1456 Alternative Format for Category I Fuel Cycle Facility Physical Protection Plans, June 1992.

NUREG-0525 Safeguards Summary Event List, Vol. I, July 1992.

1993 NUREG-1485 Unauthorized Forced Entry into the Protected Area at Three Mile Island Unit 1 on February 7, 1993, April 1993.

NUREG-0525 Safeguards Summary Event List, July 1993.

1994 NUREG-0525 Safeguards Summary Event List, July 1994.

NUREG-1497 Interim Licensing Criteria for Physical Protection of Certain Storage of Spent Fuel, November 1994.

NUREG-1504 Review Criteria for Physical Fitness Training Requirements in 10 CFR Part 73, September 1994.

1995 NUREG-0525 Safeguards Summary Event List, July 1995.

1996 NUREG-0525 Safeguards Summary Event List, July 1996.

1997 NUREG-0525 Safeguards Summary Event List, Vol. II, July 1997.

1998 NUREG-1619 Standard Review Plan for Physical Protection Plans for the Independent Storage of Spent Fuel and High-Level Radioactive Waste, June 1998.

5.3 NUREG/CR Publications

1978 NUREG/CR-0040 Evaluation of Cost Estimates of Physical Security Systems for Recycled Nuclear Fuel, January 1978.

NUREG/CR-0027 Capability for Intrusion Detection at Nuclear Fuel Sites, March 1978.

NUREG/CR-0099 Evaluation of Road-Transit Physical Protection Systems, May 1978.

NUREG/CR-0101 Physical Protection Systems, May 1978.

1979 NUREG/CR-0923 Sensitivity Studies Using the TRNSM 2 Computerized Model for the NRC Protection Project, August 1979.

NUREG/CR-0510 Duress Alarms for Nuclear Fixed Site Facilities, September 1979.

NUREG/CR-0921 Programmer's Manual for TRNSM 2, September 1979.

NUREG/CR-0532 Safeguards Against Insider Collusion: Guide on the Design of Work Rules for Safeguarding Against the Employee Collusion Threat at Nuclear Fuel Facilities, October 1979.

NUREG/CR-1169 Safeguards Vulnerability Analysis Program (SVAP), Vol. 3: User's Manual, October 1979.

NUREG/CR-1233 Structured Assessment Approach Version 1: License Submittal Document Content and Format for Material Control and Accounting Assessment, Vol. 2, October 1979.

NUREG/CR-1233 Structured Assessment Approach Version 1: Applied Demonstration of Output Results, Vol. 3, October 1979.

NUREG/CR-1233 Compilation Analysis Package. The Structured Assessment Approach Version 1, Vol. 4, October 1979.

NUREG/CR-0484 Vehicle Access and Control Planning Document, November 1979.

NUREG/CR-0485 Vehicle Access and Search Training Manual, November 1979.

NUREG/CR-0509 Emergency Power Supplies for Physical Security Systems, November 1979.

NUREG/CR-1166 COPS Model Estimates of LLEA Availability Near Selected Reactor Sites, November 1979.

NUREG/CR-1169 Safeguards Vulnerability Analysis Program (SVAP): Executive Summary, December 1979.

NUREG/CR-1258 Inspection Methods for Physical Protection Project, December 1979.

1980 NUREG/CR-1169 Safeguards Vulnerability Analysis Program (SVAP), Vol. II: Data Gathering Handbook, January 1980.

NUREG/CR-1226 POST: A Subroutine for Path Ordering of Sabotage Targets, February 1980.

NUREG/CR-0364 Simulating Barrier Penetration During Combat, April 1980.

NUREG/CR-1327 Security Lighting Planning Document for Nuclear Fixed Site Facilities, April 1980.

NUREG/CR-1234 Insider Threat to Secure Facilities: Data Analysis, May 1980.

NUREG/CR-1315 The Feasibility of Field Evaluation of Physical Protection Procedures, May 1980.

NUREG/CR-1381 Methodology for Evaluating Safeguards Capabilities for Licensed Nuclear Facilities, May 1980.

NUREG/CR-0543 Central Alarm Station and Secondary Alarm Station Planning Document, June 1980.

June 1980.

NUREG/CR-1378 Hardening Existing Strategic Special Nuclear Material Storage Facilities, June 1980.

NUREG/CR-1385 Development of a Good Physical Protection Plan: Capability 73.45(b), June 1980.

NUREG/CR-0508 Security Communications Systems for Nuclear Fixed Sites Facilities, July 1980.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 1, No. 1, July 1980.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 1, No. 2, October 1980.

NUREG/CR-1467 CAS and SAS Operations Work Station Design and Procedures, November 1980.

NUREG/CR-1468 Design Concepts for Independent Central Alarm Station and Secondary Alarm Station Intrusion Detection Systems, November 1980.

NUREG/CR-1574 Data Requirement Comparison between the Fixed Site Upgrade Rule Guidance Compendium and the Structured Assessment Approach Licensee Submittal Document, December 1980.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 1, No. 3, December 1980.

1981 NUREG/CR-1345 Nuclear Power Plant Design Concepts for Sabotage Protection, Vols. 1 & 2, February 1981.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 1, No. 4, March 1981.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 2, No. 1, June 1981.

NUREG/CR-1744 Structured Assessment Approach Input Package: Data Gathering Handbook, Vol. 1, June 1981.

NUREG/CR-1744 Structured Assessment Approach Input Package: User's Manual, Vol. 3, June 1981.

NUREG/CR-2075 Standards for Psychological Assessment of Nuclear Facility Personnel, July 1981.

NUREG/CR-2076 Behavioral Reliability Program for the Nuclear Industry, July 1981.

NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol. 2, No. 2, September 1981.

NUREG/CR-2217 Detection of Special Nuclear Materials at Portal Monitors and Location and Recovery of Contraband Special Nuclear Materials: Legal and Technical Problems, September 1981.

1982 NUREG/CR-1610 Inspection Methods for Physical Protection Project, Vol.2, No.3, January 1982.

NUREG/CR-2546 Reactor Safeguards Against Insider Sabotage, March 1982.

NUREG/CR-2588 Security Officer Response Strategies, March 1982.

NUREG/CR-2297 Security Management Techniques and Evaluative Checklists for Security Force Effectiveness, April 1982.

NUREG/CR-2404 Analyzing Safeguards Alarms and Response Decisions, September 1982.

NUREG/CR-2472 Final Report on Shipping Cask Sabotage Source-Term Investigation, October 1982.

1983 NUREG/CR-3191 Target Assessment for Security Officers to K Targets (TASK), February 1983.

1984 NUREG/CR-3351 Security Officer Tactical Training Issues Involving ESS Equipment, January 1984.

NUREG/CR-3251 Role of Security During Safety-Related Emergencies at Nuclear Power Plants, March 1984.

1985 NUREG/CR-4298 Design and Installation of Computer Systems to Meet the Requirements of 10 CFR 73.55, July 1985.

1986 NUREG/CR-4462 Ranking of Sabotage/Tampering Avoidance Technology Alternatives, January 1986.

NUREG/CR-4473 Study of the Operation and Maintenance of Computer Systems to Meet the Requirements of 10 CFR 73.55, January 1986.

1987 None published

1988 None published

1989 NUREG/CR-5081 Tactical Exercise Planning Handbook, April 1989.

NUREG/CR-5172 Tactical Training Reference Manual, April 1989.

NUREG/CR-5246 A Methodology to Assist in Contingency Planning for Protection of Nuclear Power Plants Against Land Vehicle Bombs, April 1989.

NUREG/CR-5227 Fitness for Duty in the Nuclear Power Industry: A Review of Technical Issues, May 1989.

1990 None published

1991 NUREG/CR-5689 Medical Screening Reference Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Materials, September 1991.

NUREG/CR-5690 Physical Fitness Training Manual for Security Force Personnel at Fuel Cycle Facilities Possessing Formula Quantities of Special Nuclear Materials, September 1991.

NUREG/CR-5721 Video Systems for Alarm Assessment, September 1991.

NUREG/CR-5723 Security System Signal Supervision, September 1991.

NUREG/CR-5722 Interior Intrusion Detection Systems, October 1991.

1992 NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. 2, August 1992.

NUREG/CR-5899 Entry/Exit Control Components for Physical Protection Systems, November 1992.

NUREG/CR-5929 Locking Systems for Physical Protection and Control, November 1992.

1993 NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. 3, July 1993.

1994 NUREG/CR-6149 Applications of Fiber Optics in Physical Protection, March 1994.

NUREG/CR-5758 Fitness for Duty in the Nuclear Industry, Vol. 4, August 1994.

NUREG/CR-6190 Protection Against Malevolent Use of Vehicles at Nuclear Power Plants, Vols. 1 and 2, December 1994.

1995 NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. 5, August 1995.

1996 NUREG/CR-5758 Fitness for Duty in the Nuclear Power Industry, Vol. 6, July 1996.

1997 None published

5.4 NUREG/CP Publications

1990 NUREG/CP-0107 Security Training Symposium: Meeting the Challenge - Firearms and Explosives Recognition and Detection, September 1990.


Note to requester: This is the second attachment in the previous email, ML141170225.pdf.

NUREG/BR-0075 Revision 4 NRC Field Policy Manual U.S. Nuclear Regulatory Commission Office of the Executive Director for Operations Washington, DC 20555-0001

UNITED STATES NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001

March 16, 1999

MEMORANDUM FOR: Distribution List 1MX

FROM: Frank J. Miraglia, Jr., Deputy Executive Director for Regulatory Programs

SUBJECT: Field Policy Manual - NUREG/BR-0075 Revision 4

Attached is Revision 4 of the Field Policy Manual (FPM). This revision replaces the existing FPM (NUREG/BR-0075, Revision 3) in its entirety. This manual provides direction on implementation of policy matters that affect a number of NRC offices. The majority of the changes to the manual reflect organizational changes. However, please note that more substantive changes have been made to Field Policy Numbers 2, 8, 10, 11 and 15.

Attachment: As stated


Issue Date: March 1999

NRC FIELD POLICY MANUAL

FOREWORD

PURPOSE

The NRC Field Policy Manual (FPM) provides policy and guidance to Office Directors and Regional Administrators from the Executive Director for Operations (EDO). This Manual is a compilation of EDO policies that are intended to establish the necessary degree of operational consistency among NRC offices and the regions.

OBJECTIVES

To aid managers and writers in planning and developing clear, accurate and effective field policies.

To ensure consistency in the format and content of field policies.

DEFINITIONS

NRC Field Policy

Contains statements of policy, defines responsibilities and authorities and establishes requirements related to managing and implementing the functions of Headquarters and Regional Offices. Each policy also describes office interfaces, coordination and management practices that should be used in implementing field policies.

The FPM will not duplicate material in the NRC Management Directives or guidance documents from the NRC Headquarters Offices such as the NRC Inspection Manual.

RESPONSIBILITIES AND AUTHORITIES

Deputy Executive Director for Regulatory Programs (DEDR)

Approves NRC Field Policies.

Chief, Regional Operations and Program Management Section, OEDO

Identifies topics to be addressed in the FPM.

Assigns responsibility for the preparation of NRC field policies on a case-by-case basis.

Administers the NRC FPM.

iii

Regional Administrators Adhere to NRC field policies and the guidance of Headquarters Office Directors in implementing those portions of the NRC programs that have been delegated to the Regions.

Recommend to the DEDR new NRC field policies or appropriate revisions to existing policies.

Headquarters Offices Remain aware of and implement NRC Field Policies that may affect office policy and guidance that apply to regional operations under their purview.

Recommend to the DEDR new NRC field policies or appropriate revisions to existing policies.

FORMAT AND CONTENT OF NRC FIELD POLICIES NRC Field Policies NRC field policies define policy, provide guidance In implementing the policy, and list references to the NRC directives, memoranda or management decisions that are the basis for the pollcy.

Each policy will contain the following:

Policy number and title Statement of Policy Issue date Revision number and date Guidance on implementing the policy References Policy numbers will be assigned by the EDO staff.

PREPARATION, REVISION, DISTRIBUTION, AND REMOVAL OF NRC FIELD POLICIES

Preparation

New or revised policies will be circulated for review and comment or discussed with the cognizant headquarters offices and Regions during their development.

Requests for Guidance, Revisions and New Policies

Such requests should be addressed to the DEDR.

Distribution

Approved policies will be printed and distributed by the Office of Administration and the Office of the Chief Information Officer per distribution list 1MX.

Effective Dates

Each NRC field policy will become effective on the date of issuance unless otherwise indicated in the policy. The issue date appears on the first page of each policy.

Partial Revisions

Revisions will be made by page changes. Handwritten changes will not be used for partial changes. Revised material on a page will be indicated by a margin bar in the right-hand margin that encompasses the revised material.

Plain Writing Standards

Policies will be written in a readable style that can be readily understood. Requirements for action will be clearly stated and will include who, when, where, how and why.

Change Notices

A Change Notice will accompany each change to the NRC FPM. The notice will list the material that is transmitted or superseded and will include an updated Table of Contents. Each notice will be numbered serially in each calendar year; i.e., 90-01, 90-02.

Removal

Field policies may become obsolete, be overtaken by events, or be encompassed by another agency program or procedure. Field policies removed under these circumstances will be so indicated by a Change Notice.

TABLE OF CONTENTS

Policy Number   Title
1   Coordination with Federal Bureau of Investigation (FBI)
2   Regional Operating Plans
3   Response to Private Litigants and State or Federal Agencies Seeking Testimony or Documents
4   Board Notification
5   Counterpart Meetings
6   Regional Office Management Meetings
7   Availability of Senior Regional Managers
8   Resident Inspector Relocation Policy
9   NRC Review of Institute of Nuclear Power Operations (INPO) Documents
10  Conduct of Employees
11  Commissioner Travel to Licensee Sites and State Officials
12  Coordination of NRC Activities at Power Reactor Facilities
13  Witnessing Unsafe Situations
14  NRC Interaction with Nuclear Energy Institute (NEI)
15  Release of Senior Management Meeting Information
16  Communications Between the NRC Staff and the Commissioners' Offices
17  Periodic Press Briefings
18  Guidelines for Granting Exceptions to the N+1 Policy for Assigning Resident Inspectors to Multi-Unit Reactor Sites
19  Guidance for Recommending Third Party Assistance to Licensees
20  Industry-Sponsored Seminars or Technical Conferences

FIELD POLICY MANUAL NO. 1 - COORDINATION WITH FBI

Policy

The Office of Investigations (OI) Field Office will be the principal contact on licensee/applicant criminal matters involving the FBI.

Guidance

1. With the following exceptions, all contacts with the Federal Bureau of Investigation (FBI) will be referred to the OI Field Office:
a. Contacts made on internal security matters, including background investigations, shall be reported to the Division of Facilities and Security (NRC personnel, when contacted by FBI personnel as part of a background investigation for security clearances, need not report such contacts).
b. Contacts made on sabotage, attempted sabotage, or attacks at NRC-licensed nuclear facilities or transportation activities; or theft, attempted theft, diversion, or illegal sale of special nuclear material; or threats involving NRC licensed facilities, materials, or activities shall be referred to the regional Information Assessment Team member who will notify the Office of Nuclear Material Safety and Safeguards.
c. If notified of a field exercise involving a licensee and the FBI, NMSS should be notified for further coordination at the HQ level between NRC and FBI.
d. Regional Administrators need not report contacts with FBI regional offices and other law enforcement agencies on general matters of NRC coordination, unless substantive matters concerning an OI or FBI case are discussed.
2. Threats made toward NRC inspectors shall be promptly and directly brought to the attention of the FBI.
3. OI shall advise the Regional Administrators of matters of health and safety and will advise the Office of the Inspector General of matters regarding the conduct of NRC employees and contractors.

References

1. A memorandum from the EDO to Office Directors and Regional Administrators, Subject: "Procedures in Dealing with FBI/Department of Justice," dated October 24, 1983.
2. Memorandum of Understanding (MOU) between the FBI and NRC regarding Nuclear Threat Incidents involving NRC Licensed Facilities, Materials, or Activities, dated May 29, 1991.

FPM Rev. 4, Policy No. 1 1-1 Effective: March 1999

FIELD POLICY MANUAL NO. 2 - REGIONAL OPERATING PLANS

Annually, each regional administrator shall prepare a Regional Operating Plan that will show the major program activities to be accomplished in the region during the upcoming fiscal year.

Normally, the Office of Nuclear Reactor Regulation (NRR), the Office of Nuclear Material Safety and Safeguards (NMSS) and other offices provide the regions specific direction for planned program office activities for the upcoming fiscal year. In general, the regional operating plans should incorporate this input. These plans constitute an agreement between the regional administrators and the program office directors as to what should be accomplished in the program area and will be the basis for headquarters' assessments of program implementation.

These plans will be used to convey expectations, to establish accountability, and to manage resources within budget.

Guidance

1. Information as to resources available during the upcoming fiscal year should be based on "The Budget Estimates for Fiscal Year xxxx" or what is commonly known as the Green Book. The Green Book for the upcoming fiscal year is published in early February of the present fiscal year. Because the resources in the Green Book are organized by program areas, NMSS and NRR publish, generally at the end of May/June of the present fiscal year, a more specific breakdown of FTE allocations by region. These data are used in preparing the Regional Operating Plans.
2. Regional Operating Plans are to be prepared by the regional offices with the responsible program offices coordinating the effort for their respective program areas and providing oversight to ensure consistency of the plan, including the planned accomplishments, measures and metrics among the four regions before submittal to the Deputy Executive Director for Regulatory Programs (DEDR).
3. The Regional Operating Plan for the upcoming fiscal year should be submitted to the DEDR by October 1 of the present fiscal year or within three weeks of receipt of the NRR and NMSS program office plans, whichever is sooner, unless exemptions are made otherwise by the DEDR. In addition, quarterly updates to the plans may be requested and should be provided in a format suitable to the DEDR.
4. The following procedure applies to requests from the program offices or the regions to change the allocation of resources identified in Regional Operating Plans:
a. The program office and each regional office affected will strive to agree on the reallocation of regional resources.
b. If the proposed change affects more than one program office, the program office or region proposing the change will seek agreement from the other affected program offices.
c. If the program office directors and regional administrators are unable to resolve disagreements related to the reallocation of resources, then the details of the disagreement should be promptly forwarded to the DEDR for final resolution.
d. This procedure should be used in conjunction with existing agency requirements for staffing plans, reprogramming of funds, and transfer of functions.
e. Revisions to a Regional Operating Plan will be sent to the DEDR after all concurrences.

FIELD POLICY MANUAL NO. 3 - RESPONSE TO PRIVATE LITIGANTS AND STATE OR FEDERAL AGENCIES SEEKING TESTIMONY OR DOCUMENTS

Policy

Periodically, agency employees are subpoenaed by or requested to cooperate with litigants or tribunals seeking NRC testimony or documents for use in litigation in which the NRC is not a party. For example, these subpoenas might seek information regarding Commission policies and procedures or facts concerning inspections which NRC inspectors have performed. It is the Commission's policy to respond to such requests in a responsible and lawful manner.

However, it is not unusual for such requests to seek privileged or irrelevant material or to place an undue burden upon the agency.

The Commission's regulations, specifically 10 CFR Part 9, Subpart D, require that no demand of a court or other judicial or quasi-judicial authority be honored without the prior approval of the General Counsel.

Of particular importance, the regulations require that:

1. No employee disclose, through testimony or other means, material contained in the files of the NRC or information acquired by that employee in performance of his official duty without prior approval of the General Counsel. (10 CFR §9.201)
2. Prior to or simultaneous with service of a subpoena on an NRC employee, the General Counsel must be served with a detailed summary of the testimony desired, and in appropriate cases, with a discovery plan setting forth, to the extent reasonably foreseeable, the NRC's expected overall involvement with the litigation at issue. (10 CFR §9.202)

Guidance

1. Inquiries of Region-based NRC employees by private litigants or State and Federal agencies seeking testimony should be directed to the Regional Counsel who will contact the Solicitor in the Office of General Counsel (OGC). Headquarters employees should direct inquiries to the Solicitor in OGC.
2. OGC will review all the summaries of expected testimony and will decide whether the testimony should be allowed. If the agency decides to comply with the request or to negotiate some sort of modification, OGC will then determine, on a case-by-case basis, whether OGC or the Regional Counsel should bear primary responsibility for further negotiations and assistance to the employee in responding to the demand, including a determination as to whether or not an attorney should appear with him or her during a deposition or testimony.

FIELD POLICY MANUAL NO. 4 - BOARD NOTIFICATION

Policy

Beginning 30 days prior¹ to the start of a hearing, the NRC staff is under an obligation to keep Atomic Safety and Licensing Boards, Presiding Officers, and the Commission apprised of significant new information in pending adjudicatory proceedings.

Guidance

1. For all adjudicatory hearings (civil penalty, operator licensing, license renewal, materials, etc.), the NRC staff is obligated to send new information relevant and material to safety or environmental issues to the Board regardless of the specific issues that have been placed in controversy.
2. In hearings on operating license amendments, Board Notifications will be limited to issues under consideration in the hearing.
3. Regional staff should keep apprised of the current hearing status of their plants, particularly when the hearing is scheduled to begin (consult Regional Counsel).
4. If significant new information is developed by or made known to the applicant, the responsibility to report that information to the Atomic Safety and Licensing Boards, Presiding Officers, or the Commission lies first with the applicant. If the applicant fails to notify, the NRC should initiate appropriate board notification via the appropriate Program Office.

Individual office procedures are available to provide more detail and should be consulted for further details.

¹ The rationale for this starting date is that any new information relevant and material to the proceeding which arises prior to that date will be addressed in the SER and other staff documents filed in the record of the case.

FIELD POLICY MANUAL NO. 5 - COUNTERPART MEETINGS

Policy

Properly conducted and planned counterpart meetings are an exceptionally valuable means for headquarters and regional management and staff to interact on programs and issues. Direct and clear communications between headquarters and the regions is essential to effective regional implementation of NRC programs. Effective regional and headquarters office communications and interactions can ensure a clear understanding of program goals and intent, and improve program execution and feedback. Regional management should fully support and participate in counterpart meetings with headquarters program offices.

Guidance

Program Office Counterpart Meetings

1. Headquarters and regional offices should schedule periodic program office counterpart meetings at the appropriate organizational level (e.g., Division Director) throughout the year when there are substantive issues that warrant such a meeting. Headquarters and regional representatives are expected to attend counterpart meetings on programs for which they are responsible. Each headquarters program office should schedule at least one Division Director level, or highest management level, (as some program areas like enforcement, state programs do not have a Division Director level regional counterpart) counterpart meeting with the regional offices each year.
2. If thoroughly planned and effectively conducted, counterpart meetings provide a forum for interchange of new information, for discussion of issues, and for early resolution of problems (for example, discussion/explanation of program intent and program changes).

To achieve the objective of the counterpart meetings, it is essential that regional and headquarters representatives be of the same organizational levels. This will help ensure that the participants are able to represent a similar scope of views and positions on issues and problems.

3. Counterpart meetings will be scheduled by headquarters program offices in coordination with the regional offices. The regional offices are expected to request counterpart meetings when needed and provide input to the program office for the agenda.
4. Copies of schedules and agendas for regional and headquarters counterpart meetings shall be forwarded to the Chief, Regional Operations and Program Management Section, in the Office of the Executive Director for Operations.

Inspector Counterpart Meetings

5. Regional offices should notify the Deputy Executive Director for Regulatory Programs (DEDR) in advance of any plans to invite an industry or utility representative to a regional counterpart meeting.
6. For purposes of authorizing travel funds, counterpart meetings should be considered to be important mission support functions. To the extent practical, regional offices should authorize travel for employee participation at all appropriate counterpart meetings.
7. Resident Inspectors are authorized to be absent up to three consecutive work days to attend counterpart meetings. Site coverage requirements may be met by any IMC 1245 qualified inspector. Extensions beyond three working days must be approved by the DEDR.

FIELD POLICY MANUAL NO. 6 - REGIONAL OFFICE RETREATS

Policy

The frequency of regional office management meetings (retreats) to be held away from the workplace should be limited to no more than two meetings per year and should be scheduled in conformance with the guidance provided below.

Guidance

1. For purposes of this policy, a regional office retreat is a meeting within a region between senior regional managers generally including, but not limited to, the Regional Administrator, Deputy Regional Administrator and regional Division Directors to discuss regional operations and areas of concern.
2. Regional office retreats should be planned and scheduled in conformance with the following criteria:
a. The retreat must be sponsored at the Regional Administrator or Deputy Regional Administrator level (not Division level or below), and
b. The meeting should be held within 100 miles of the regional office.
3. If all the above criteria are met, meeting approval by the Deputy Executive Director for Regulatory Programs (DEDR) is not required. However, the DEDR should be informed in writing 3 weeks prior to the meeting.
4. If all the above criteria are not met, then DEDR approval is required prior to holding the meeting.
5. The Regional Administrator or designee is responsible for implementing this policy.

FIELD POLICY MANUAL NO. 7 - AVAILABILITY OF SENIOR REGIONAL MANAGERS

Policy

A reasonable number and mix of senior regional managers should be available at all times to ensure the adequate conduct of routine operations and response to events.

Guidance

1. During normal business hours: Either the Regional Administrator (RA), Deputy Regional Administrator (DRA), or the Director, Division of Reactor Projects should be in the Regional Office or its immediate vicinity.
2. At all times: Either the RA, DRA, or the Director of DRP, should be available (as defined in item 3) unless, in infrequent instances, a conflict caused by official business or an emergency situation creates a simultaneous unavailability.
3. A manager is considered available when he/she is in the regional office or can be contacted and come to the office within approximately 2 hours.
4. Each region shall implement these requirements through a regional procedure.
5. The Deputy Executive Director for Regulatory Programs (DEDR) shall be notified (in advance when possible) of the instances when the above guidance cannot be met.

FIELD POLICY MANUAL NO. 8 - RESIDENT INSPECTOR RELOCATION POLICY

Policy

All resident inspectors (RIs) that were in the program as of September 21, 1998, have the option of selecting a seven-year versus a five-year maximum tour length. New RI assignments made after September 21, 1998 will stipulate a seven-year maximum tour length.

This policy does not preclude RIs from relocating for promotions, voluntary reassignments, or management-directed reassignments.

Guidance

1. RIs are expected to relocate from the site assignment after 7 years. RIs due to rotate during the winter months or early spring may be granted an extension to the summer months with Regional Administrator approval. Any other extensions beyond the 7-year maximum tour length must be approved by the Deputy Executive Director for Regulatory Programs (DEDR).
2. As RIs approach the 7-year point at a site, the agency will consider inspector requests for a lateral transfer. Earlier transfers can be made when consistent with agency needs.

In either case, RIs are encouraged to make their desires and career goals known to their management as far in advance as possible.

3. RIs should not normally be reassigned to the same facility even after an intervening assignment. Reassignments may be made to co-located facilities that would cause RIs to interact with a different licensee.
4. This policy applies to total site tour length and it is not affected by a promotion from resident inspector to senior resident inspector at a site.
5. RIs should not be assigned to a different location within the first four years after relocating unless specifically approved by the DEDR based on identified agency needs.
6. This policy applies to the Resident and Senior Resident Inspectors assigned at any of the reactor sites, fuel facilities, and gaseous diffusion plants.

References

1. SECY-98-152, "Summary of Issues and Recommended Improvements to the Resident Inspector Program," dated June 29, 1998.
2. Staff Requirements Memorandum, "SECY-98-152, Summary of Issues and Recommended Improvements to the Resident Inspector Program," dated August 21, 1998.
3. Implementation of the Seven-Year Relocation Policy for Resident Inspectors, Memorandum from Hugh Thompson to all Regional Administrators, dated September 21, 1998.

FIELD POLICY MANUAL NO. 9 - NRC REVIEW OF INPO DOCUMENTS

The Institute of Nuclear Power Operations (INPO) operating plant evaluation reports, performance indicators, assistance visit reports, training accreditation reports, Significant Operating Event Reports (SOERs), and Significant Event Reports (SERs) are an independent assessment of licensee activities and events. The specific findings, recommendations, and corrective actions should not normally be referenced or followed up by the NRC. Only in those cases where a significant safety issue is identified should the NRC conduct independent follow-up of licensee actions.

GUIDANCE

It is in the best interest of the NRC that INPO be able to conduct plant evaluations and assistance visits in an effort to improve nuclear safety. In addition to evaluations and assistance visits, INPO identifies and tracks significant technical issues through the SOER and SER programs. INPO also manages and implements the accreditation of licensee training programs. The NRC should ensure that these INPO programs remain independent from the NRC inspection program to the maximum extent possible. The following guidelines should be adhered to regarding INPO documents:

1. INPO findings, recommendations, and corrective actions should not be referenced in NRC inspection reports, Plant Performance Reviews (PPR), Plant Issues Matrices (PIM), or other agency documents unless the issue is of such safety significance that no other reasonable alternative is acceptable. INPO findings, recommendations and licensee corrective actions should not normally be tracked by the NRC. If the issue warrants tracking, it should be independently evaluated, documented and tracked as an NRC issue.
2. Resident inspectors should promptly read site-specific INPO evaluation and accreditation reports as part of their licensee monitoring and evaluation activities. The objective of this review is to determine if the results identify safety or training issues not previously identified by NRC evaluations. No inquiries of the INPO final rating should be made of the licensee. The fact that such a review has been conducted and whether additional follow-up is planned should be noted in the next inspection report. This documentation should not include a recounting or listing of INPO findings. The specifics of any significant differences between NRC and INPO perceptions of performance should be discussed with regional management. The Division of Reactor Projects (DRP) Branch Chief should review these reports during periodic site visits, and other members of the technical staff may review the reports if authorized by regional management or if specified in program instructions.
3. The Deputy Executive Director for Regulatory Programs (DEDR) will be notified by the Regional Administrator when NRC follow-up of INPO findings is necessary to ensure safety. Follow-up activities will be governed by IP 71707.
4. Under no circumstances will the NRC withhold or delay follow-up action on issues involving public health and safety issues.
5. The staff should not focus on the INPO-assigned ratings or pressure licensees to supply that information. If necessary, requests for ratings will be made to INPO through the Executive Director for Operations' office.
6. NRC personnel should not take possession of INPO evaluation documents, or make copies for NRC internal distribution absent extraordinary circumstances, or use these documents to form a basis for regulatory action.
7. NRC inspectors should not normally attend INPO exit meetings as this could stifle the communications exchange between the licensee and INPO.
8. SOERs and SERs should not be followed up on a plant-specific basis except when a licensee utilizes their response to a SOER or SER to address a regulatory issue, or unless so directed by specific program instructions or the DEDR.
9. Access to Nuclear Plant Reliability Data System (NPRDS)/Equipment Performance and Information Exchange (EPIX) and network data should be coordinated by the Office of Nuclear Reactor Regulation and the Office of the Chief Information Officer in accordance with the INPO-NRC Memorandum of Agreement (MOA) and appropriate contracts. Inspectors should not normally obtain NPRDS/EPIX information through a licensee.

References:

1. Memorandum of Agreement (MOA) Between the Institute of Nuclear Power Operations and the U.S. Nuclear Regulatory Commission, as amended on November 27, 1996.
2. NRC Inspection Procedure 71707, "Operational Safety Verification."

FIELD POLICY MANUAL NO. 10 - CONDUCT OF EMPLOYEES

Policy

All NRC employees shall conduct themselves in a manner that bestows credit upon the NRC and the U.S. Government, and avoids the appearance of a conflict of interest.

Guidance

Government-wide regulations set forth standards of conduct, such as receipt of gifts and favors, outside activities, conflicting financial interests, the use of government time and resources, seeking future employment, misuse of information, impartiality in performing duties, financial disclosure, and post-employment restrictions (5 CFR Parts 2634-2640). NRC supplemental conduct regulations (5 CFR Part 5801) prescribe rules on outside employment and security ownership. Criminal conflict-of-interest statutes are found at 18 USC 201-209. Volume 7 of the Management Directives provides more guidance on these regulations and Inspection Manual Chapter 1201 provides additional guidance on NRC policy for employees involved in the inspection program.

The following guidance complements and reinforces existing regulations and guidance:

1. NRC employees shall conduct themselves in a professional manner. Unprofessional behavior, both during and outside of working hours, can discredit both the individual and the NRC. Examples of areas where there have been problems involving employee conduct include unauthorized use of government equipment, inappropriate attire, sexual harassment, and conduct of outside business during government time (such as conducting real estate business). The NRC will not tolerate inappropriate regulatory actions by the NRC staff, nor will it tolerate retaliation or the threat of retaliation against those licensees who communicate concerns to the agency. NRC staff whose actions are found to be contrary to this policy could be subject to disciplinary actions in accordance with the NRC Management Directive 10.99, "Chapter 4171, Discipline, Adverse Actions and Separations," or in accordance with the Collective Bargaining Agreement Between the U.S. Nuclear Regulatory Commission and National Treasury Employees Union.
2. Employees shall not enter any licensee's protected area or other facility if they are experiencing any effects of alcohol consumption. Alcohol should not be consumed during working hours or within 5 hours preceding any scheduled working hours at licensee or other non-NRC facilities; this includes lunch or other times when return to work at a licensee or other non-NRC facility is expected after a short time.
3. While at a licensee site or facility, employees must comply with any additional policies of the licensee (e.g., radiation protection, security, safety, and parking requirements). In some cases, possession of alcohol at an on-site parking lot, even if locked in the trunk of a car, would be a violation of a licensee's policy.
4. NRC employees shall conduct themselves in a manner that avoids even the appearance of a conflict of interest. Social relationships with licensee employees or contractors may also give the appearance of conflict of interest. Further, NRC employees are not to accept food, gifts, entertainment, favors, transportation or anything else that exceeds $20.00 in value from any party that has interests in NRC activities; even if the value of the item is less than $20.00, employees are encouraged to use appropriate discretion. However, accepting coffee, a pastry, soft drinks, or other refreshments during a meeting does not demand payment. NRC participants who accept meals should make appropriate adjustments on their travel vouchers consistent with current Federal Travel Regulations.
5. NRC employees shall cooperate with legitimate Office of Investigations investigations so as to not adversely affect the efficient accomplishment of the NRC mission. This cooperation shall include, but not be limited to, the provision of personal notes when requested by an investigator pursuant to an authorized investigation. Employees should consult with their Regional Counsel or the Assistant General Counsel for Administration regarding any questions or problems.

Because it is impossible to provide guidance on every possible situation that may arise, each employee should exercise sound judgment in their activities both during and outside of working hours.

The Office of the General Counsel (OGC), through its Deputy Ethics Counselors, provides advice, assistance, and counseling on matters covered by the Office of Government Ethics (OGE) regulations and other Federal ethics requirements. Employees should consult with their supervisor, Regional Counsel, or an OGC Deputy Ethics Counselor on any questions or problems.

Each office and region shall ensure that all employees are aware of their responsibilities under 5 CFR Parts 2634-2640 and 5801, 18 USC 201-209, Volume 7 of the Management Directives, and Inspection Manual Chapter 1201, as applicable, and this field policy manual.

FIELD POLICY MANUAL NO. 11 - COMMISSIONER VISITS TO LICENSEE FACILITIES AND WITH STATE OFFICIALS Policy Commissioner visits to licensee facilities and with state officials will be coordinated through the responsible Regional Administrator.

The Region is responsible for coordinating with the Office of Nuclear Reactor Regulation (NRR), and the Office of Nuclear Material Safety and Safeguards (NMSS) (as appropriate) to develop briefing materials to be used for these visits. The Region is also responsible for providing the required briefing materials to the Office of the Executive Director for Operations (OEDO) at least one week prior to the facility visit.

The Region (normally the Regional State Liaison Officer (SLO)) is responsible for coordinating with the Office of State Programs (OSP) to develop briefing materials for Commissioner visits.

Guidance

When notified by a Commission office of the planned visit to a licensee's facilities, the responsible EDO Regional Coordinator will notify the regional Division of Reactor Projects (DRP) staff or the regional Division of Nuclear Materials Safety (DNMS), as appropriate, and the responsible Regional Administrator. The regional DRP or DNMS staff is responsible for coordinating the development of the required briefing materials with the responsible project directorate (PD) or headquarters program office. The PD or program office contact should obtain relevant input from NRR, NMSS, or other offices, as appropriate, and provide to the responsible region the input for inclusion in the briefing materials. The Region will prepare and submit the required briefing material to the Chief, Regional Operations and Program Management Section, OEDO at least one week prior to the facility visit.

The briefing materials should be accurate, timely and concise and should be in a format consistent with Reference 1. When possible, the packages may use previously prepared material (after appropriate updating) to minimize expenditure of staff resources. Material prepared for the Senior Management Meeting or Plant Performance Reviews may be used; however, caution should be exercised to prevent providing information that is predecisional or subject to Ex Parte/Separation of Functions provisions of 10 CFR 2.780 and 10 CFR 2.781 due to a pending adjudicatory proceeding. Regional counsel should be consulted to determine whether a proceeding is pending.

If requested, the responsible PD should verbally brief the Commissioner prior to the trip.

After coordinating with OSP, the regional SLO develops the required briefing materials for Commissioner visits with State officials. The material should be forwarded at least one week prior to the visit and should be in a format consistent with Reference 1.

FPM Rev. 4, Policy No. 11 Effective: March 1999

References:

1. A memorandum from Hugh Thompson on "Instructions for Developing Briefing Materials," dated June 9, 1997.

FPM Rev. 4, Policy No. 11 11-2 Effective: March 1999

FIELD POLICY MANUAL NO. 12 - COORDINATION OF NRC ACTIVITIES AT POWER REACTOR FACILITIES

NRC activities at licensee facilities are to be coordinated between the headquarters' program offices and the regions in order to ensure (1) efficient use of NRC and licensee resources, (2) consistency of regulatory activities, and (3) consideration of the impact of NRC activities on the licensee.

Guidance

Regional offices have overall responsibility for coordinating and scheduling NRC visits to reactor sites. All NRC visits to licensee facilities shall be coordinated with the appropriate region. To assist in coordinating NRC activities, the NRR project manager will be the focal point for coordinating and scheduling all visits by headquarters personnel with the appropriate region.

All NRC headquarters-led inspections, onsite meetings, and other activities are to be coordinated with the offices having project regulatory oversight responsibility. The office originating the site visit/inspection is responsible for notifying the other offices.

The Office of Nuclear Material Safety and Safeguards (NMSS) and the Office of Nuclear Regulatory Research (RES) will coordinate and schedule visits to commercial reactor sites with the regional office through the NRR project manager. The region will review and evaluate the request with special emphasis on minimizing impact on licensee resources.

After coordinating with the region and resolving any NRC conflicts, the NRR Project Manager will act as the initial point of contact with the licensee for announced headquarters inspections and visits.

Consistent with the Institute of Nuclear Power Operations (INPO) NRC Memorandum of Agreement, NRC inspections with two or more people that would overlap either preplanned or in progress INPO activities will normally be avoided. When these conflicts are discovered, the responsible EDO coordinator should be contacted. Conflicts will be resolved by the Chief, Regional Operations and Program Management Section, OEDO.

FPM Rev. 4, Policy No. 12 12-1 Effective: March 1999

FIELD POLICY MANUAL NO. 13 - WITNESSING UNSAFE SITUATIONS

When NRC personnel identify unsafe work practices or violations which could lead to an unsafe situation, they shall make every reasonable attempt to prevent them from occurring or continuing in their presence. When such situations are identified, a licensee representative shall promptly be notified so that corrective or preventive measures can be taken.

Guidance

A goal of the NRC inspection program is to witness licensee activities in as close to a normal environment as possible. From the assessment of these observations, conclusions are drawn relative to the licensee's ability to properly conduct licensed activities. Notwithstanding this goal, under no circumstances will an NRC inspector knowingly allow an unsafe work practice or a violation which could lead to an unsafe situation to occur or continue in his/her presence in order to provide a basis for enforcement action. If such a work practice or violation is in progress, or about to occur, the NRC inspector shall immediately bring the situation to the attention of the appropriate licensee personnel. This action shall be taken without regard for any impact it may have on the ability of the NRC to take future enforcement action.

FPM Rev. 4, Policy No. 13 13-1 Effective: March 1999

FIELD POLICY MANUAL NO. 14 - NRC INTERACTION WITH THE NUCLEAR ENERGY INSTITUTE (NEI)

Policy

Meetings held between the NEI and the NRC staff should normally be public meetings.

Inspection of specific NEI initiatives or NEI programs at NRC licensed facilities should be conducted in accordance with an approved Temporary Instruction (TI).

Guidance

Part of NEI's charter is to organize and develop a common industry approach to resolve selected industry issues. When 80 percent of the NEI members approve of a proposed formal industry position, a consensus is established and it becomes a binding commitment on the entire NEI membership. It is in the best interest of the NRC that the industry and NEI take the lead in developing and implementing programs to address certain issues. However, NEI activities in no way offset the NRC's regulatory or safety responsibilities.

While the NRC encourages NEI to take the lead in addressing certain issues, it is expected that the NRC staff will convene technical coordination meetings with NEI during both the program development and program implementation phases for those NEI programs having an impact on our regulatory responsibilities. Such NRC-NEI meetings should be open to the public and conducted in a manner similar to NRC-licensee meetings, including pre-noticing pursuant to Management Directive 3.5 and the NRC policy statement on Staff Meetings Open to the Public, which was published in the Federal Register on September 20, 1994. If these meetings are convened for the purpose of developing a consensus between NEI (or other non-governmental parties) and the NRC staff, they are subject to the requirements of the Federal Advisory Committee Act (FACA). For information regarding the application of that Act, and methods of minimizing its impact, consult the Assistant General Counsel for Legal Counsel, Legislation and Special Projects, Office of the General Counsel, or the designated FACA attorney.

The NRC may find it necessary to conduct inspections in an area related to a specific NEI initiative (e.g., Performance Based Graded QA Inspections). In this event, NRC management shall issue a TI providing detailed guidance for NRC inspectors. In general, however, NRC inspections should focus on regulatory requirements and issues important to safety, regardless of their relationship to NEI's initiatives in the area of concern.

FPM Rev. 4, Policy No. 14 14-1 Effective: March 1999

FIELD POLICY MANUAL NO. 15 - RELEASE OF SENIOR MANAGEMENT MEETING INFORMATION TO THE PUBLIC

When a request for information is received under the Freedom of Information Act (FOIA) related to a Senior Management Meeting (SMM), regarding plants removed, placed or retained on the Watch List, or those plants sent a trending letter, most of the information generated for that particular SMM will be subject to disclosure. This information will be released in accordance with standard FOIA guidelines. For all other plants discussed at the SMM, all records will be withheld from disclosure. This policy will also apply to SMM information that is made available to the public through the NRC Public Document Room.

Guidance

Specific guidelines to be applied to requests to determine the extent of information releasable and for processing the request are as follows:

The Office of the Executive Director for Operations (OEDO) approves the release of records pertaining to the NRC SMM process, which is described in Management Directive 8.14, "Senior Management Meeting." These records include plant performance information, the applicable sections of the SMM Executive Summary, and the minutes of the SMM. When a request is received for SMM information, the OEDO shall be notified. Upon collection of the applicable documents by the responsible offices, the records shall be forwarded to the OEDO for release authorization. When SMM information is collected under the FOIA process, the FOIA Branch shall forward this information to the OEDO for review prior to release.

1. When there are requests for records related to one or more SMMs, it shall first be determined whether the plant(s) are/were on the Watch List.
  (a) Records pertaining to a plant that is placed on the Watch List or that received a letter identifying a declining trend in operational safety performance (trending letter) may be released upon screening and redaction of proprietary material, personal privacy material, and material which might compromise investigative efforts or reveal the identity of an alleger.
  (b) Records pertaining to a "discussion plant" - a plant that was discussed at the SMM but was neither placed on the Watch List nor issued a trending letter - shall normally be withheld, except as discussed below, as predecisional information under Exemption 5 of FOIA.
  (c) Records pertaining to a discussion plant may be released, provided that the plant was placed on the Watch List in subsequent SMMs or received a trending letter. The records eligible for release should, in general, be only those records supporting or associated with the SMM process that provides a sequential record of information and deliberations regarding the NRC's decision to place the plant on the Watch List or to issue the plant a trending letter. The screening process described in paragraph (a) shall apply.

FPM Rev. 4, Policy No. 15 15-1 Effective: March 1999

  (d) Should a plant that has been removed from the Watch List or for which the NRC has issued a follow-up letter indicating that the declining performance trend at the plant has been arrested subsequently be identified as a discussion plant, the SMM records shall normally be withheld under Exemption 5 of FOIA, unless the plant is again placed on the Watch List or issued a trending letter.
2. When a request not specific to a SMM captures documents that were part of SMM preparation or minutes, all applicable documents submitted to the FOIA Branch will be highlighted to indicate their relationship with the SMM and processed in accordance with this Field Policy and standard FOIA guidance.

Footnote:

The above interim guidance will be in effect pending its incorporation into the Management Directives MD 3.4, "Release of Information to the Public," and MD 3.1, "Freedom of Information Act."


FPM Rev. 4, Policy No. 15 15-2 Effective: March 1999

FIELD POLICY MANUAL NO. 16 - COMMUNICATIONS BETWEEN THE NRC STAFF AND THE COMMISSIONERS' OFFICES

Policy

Information provided to a Commissioner's office, other than a verbal response to a request for factual information, will be provided via the Office of the Executive Director for Operations (EDO) and will be provided equally to all Commissioners' offices.

If, at any time, a member of the staff discovers that inaccurate or incomplete information has been provided to a Commissioner, then appropriate corrections or updates should be provided.

Guidance

The following points of emphasis should be applied when communicating with Commissioner Offices:

1. Any member of the staff should feel free to respond to an inquiry from a Commissioner's office to provide factual information. Contacts from Commissioners' offices requesting factual information should be answered directly and promptly. Staff members will then inform their supervision about contacts of substance. Supervision, in turn, will notify upper management, including the Deputy Executive Director for Regulatory Programs (DEDR), through the EDO Staff.

2. Responses that involve significant staff effort or represent views on policy will be provided formally as described in the EDO Procedures Manual, Part III. Any case which requires the provision of documents or a written response will be transmitted via a transmittal note over the signature of the Assistant for Operations/Office of the Executive Director for Operations. The transmittal will include copies to all other Commissioners' offices, Office of the Secretary of the Commission (SECY), EDO, DEDR and the Deputy Executive Director for Regulatory Effectiveness (DEDE).
3. In some circumstances, documents provided to a Commissioner may be of such a narrow scope or may be so unique to an individual Commissioner's interests or field activities, that distribution to the other Commissioners' offices would be unwarranted. Examples include:

(1) Documents taken by Commissioners from meetings while on field visits;
(2) Collections or excerpts of publicly available documents provided in response to a specific Commissioner's request (e.g., selected excerpts from all EDSFI Inspection Reports); or
(3) Commissioner's briefing packages for field visits to reactor sites.

FPM Rev. 4, Policy No. 16 16-1 Effective: March 1999

4. Given the above Policy, it is important that exclusionary determinations are made at an appropriate level. Such decisions should be cleared with the AO/OEDO and processed through management and the cognizant EDO Coordinator.

5. Occasions may arise where a member of the staff discovers that information which has been provided to Commissioners has become inaccurate or incomplete, or was inaccurate or incomplete in the first place. When such a discovery is made, the Commissioners will be formally notified of the error via a transmittal note from the AO/OEDO. Corrections of information provided to the Commissioners will be made in as expeditious a manner as possible.


FPM Rev. 4, Policy No. 16 16-2 Effective: March 1999

FIELD POLICY MANUAL NO. 17 - PERIODIC PRESS BRIEFINGS

To increase public understanding of the NRC mission and programs, periodic media briefings will be conducted on regional and agency-wide issues/topics. The briefings will be in addition to those held on specific events or accidents in the Region.

Guidance

Regional Administrators should conduct periodic media briefings on regional and agency-wide issues/topics which will be useful to the news media. The media briefing should be held at various locations in the region. The briefings are to provide the media, and other interested parties, with an overview of the agency's current activities. An effective technique to generate interest is to relate some of the activities to specific local sites; however, the briefings are not intended to be detailed plant specific critiques.

To assist Regional Administrators in the selection of suitable topics, Technical Issue Papers are maintained by the Office of the Executive Director for Operations. Copies are also available on the NRC Web Site. These papers include a background discussion for each issue and a highlights sheet to use as desired during the actual press briefing. These papers are reviewed by the Office of Public Affairs. Each region may adapt this information to fit the circumstances at the briefings.

The Regions have considerable flexibility in implementing this policy. Regional Public Affairs Officers will be actively involved in this program, including notifying the affected media representatives, the public affairs offices of the affected utilities, if appropriate, and arranging for briefing locations.

FPM Rev. 4, Policy No. 17 17-1 Effective: March 1999

FIELD POLICY MANUAL NO. 18 - GUIDELINES FOR GRANTING EXCEPTIONS TO THE N+1 POLICY FOR ASSIGNING RESIDENT INSPECTORS TO MULTI-UNIT REACTOR SITES

Policy

Exceptions may be granted to the N+1 policy for assigning resident inspectors to multi-unit reactor sites. The Office of the Executive Director for Operations (OEDO) is responsible for assuring each deviation from N+1 is consistent with Commission policy (see references).

Guidance

A Regional Administrator, with Director, Office of Nuclear Reactor Regulation (NRR), approval, has the authority to establish exceptions to the N+1 policy for multi-unit plant sites. The exception will be justified based primarily on site performance.

  • The region is responsible for requesting approval from the Director, NRR, for proposed exceptions to the N+1 policy. The exception request will include the Region's basis for the request. A copy will be provided to the Chief, Regional Operations and Program Management Section, OEDO.
  • NRR is responsible for reviewing the exception request and for ensuring that the policy for approving exceptions is applied consistently for all regions.
  • The Director, NRR, will notify the region, in writing, of NRR's decision. The region may implement the exception on receiving the Director's approval.
  • The regions and NRR are responsible for monitoring exception site performance to assure exception justifications remain valid.

As an oversight function, OEDO will review exceptions granted after NRR's approval has been sent to the Region. This review is intended to assure exceptions conform to Commission guidance (SECY-92-354 and associated Staff Requirements Memorandum) and are consistently applied. Concurrence from OEDO is not required to implement the exception.

  • If the region's exception request is approved, NRR will forward an information copy of the memorandum granting approval to the Chief, Regional Operations and Program Management Section, OEDO.
  • The Chief, Regional Operations and Program Management, OEDO will have the package reviewed with emphasis on site performance and for consistency of application across regions.

FPM Rev. 4, Policy No. 18 18-1 Effective: March 1999

References

1. SECY-92-354, "PROCESS FOR OBTAINING EXCEPTIONS TO THE N+1 POLICY," dated October 20, 1992.

2. Staff Requirements Memorandum, "SECY-92-354 - PROCESS FOR OBTAINING EXCEPTIONS TO THE N+1 POLICY," dated November 20, 1992.

3. Management Directive 8.6, Systematic Assessment of Licensee Performance.

Footnote: The subject policy is undergoing agency review and may change.


FPM Rev. 4, Policy No. 18 18-2 Effective: March 1999

FIELD POLICY MANUAL NO. 19 - GUIDANCE FOR RECOMMENDING THIRD PARTY ASSISTANCE TO LICENSEES

Policy

On occasion licensees ask agency employees for recommendations for obtaining help solving programmatic problems. This can create problems inasmuch as agency employees are prohibited from recommending the services of one or more people or organizations for a project under NRC regulatory jurisdiction. Providing such a recommendation violates 5 C.F.R. 2635.702, which prohibits Federal employees from using public office for endorsement of any product, service, or enterprise. However, the agency also has an obligation to provide assistance where possible in helping individual licensees solve problems where the health and safety of the public is involved.

Guidance

The following guidance is provided to assist employees who receive requests for assistance from licensees. Specific procedures implementing this guidance should be available in each region, the Office of Nuclear Reactor Regulation, and the Office of Nuclear Material Safety and Safeguards. There are two cases presented. Case #1 is for use when a licensee has a programmatic problem. This case allows time for the licensee to conduct research in obtaining assistance. Case #2 is for use when an immediate health and safety problem exists.

Case 1: An NRC employee receives a request for third party assistance from a licensee.

1. The employee shall as soon as practical notify his or her management.
2. Following consultation with management, the staff member may refer the requester to any of the following sources:
a. The current version of the Nuclear News Buyers Guide. If not otherwise available to the requestor, a copy of the Buyers Guide can be obtained by contacting the American Nuclear Society (Attn: Accounting Department), 555 N. Kensington Ave., La Grange Park, Illinois 60525.
b. A licensee that has solved a similar problem (consult with office/regional management prior to providing the name). When providing the name of a licensee who has solved a similar problem, take special care that a perception of conflict of interest is not created and that the licensee is not under an Office of Investigations investigation for misconduct.
c. An appropriate professional society such as the American Society for Mechanical Engineers or the Health Physics Society.

FPM Rev. 4, Policy No. 19 19-1 Effective: February 1999


d. For materials or medical licenses, the staff member may recommend the following professional groups as a reference source: (This list is not exhaustive and others may be added after confirming that they are willing to assist in identifying third party sources of assistance.)

American Academy of Health Physics, Secretariat
8000 West Park Drive
McLean, Virginia 22102
Telephone: 703-790-1745

American Association of Physicists in Medicine
1 Physics Ellipse
College Park, Maryland
Telephone: 301-209-3100

Society of Nuclear Medicine/American College of Nuclear Physicians
Government Relations
1101 Connecticut Avenue, NW
Washington, DC 20036
Telephone: 202-429-5120

American College of Medical Physicists
1891 Preston White Drive
Reston, Virginia 22091
Telephone: 703-648-8966

Note: Regions may want to keep a list of local chapters in their regions for referral purposes.

Case 2: An immediate health and safety issue exists and it is not practical to take the action detailed in Case #1.

1. Refer the licensee to an appropriate equipment manufacturer.
2. Consult with NRC management (NRR, NMSS, or regional office). Following management approval the employee may refer the licensee to one or more qualified consultants/contractors who can provide prompt safety assistance.¹

Special care should be taken in connection with providing recommendations concerning consultants with whom the recommending staff has a personal or long standing relationship.

¹ If the issue is so immediate that it would not be practical to consult with NRC management before referring the licensee to someone who could provide the necessary prompt safety assistance, the employee should make the referral first, and then inform NRC management and document the event and justification.

FPM Rev. 4, Policy No. 19 19-2 Effective: February 1999

3. Following the action, document the event and the justification for the action, and provide a copy to the Office of the Executive Director for Operations.

References

1. Letter from J. Taylor to Regional Administrators, NRR, and NMSS dated July 15, 1993, discussing "Recommending Third Party Assistance to Licensees."
2. SRM dated July 14, 1993, discussing "COMSECY-93-034 - Recommending Third Party Assistance to Licensees (OIG Report 91-72.A)."

FPM Rev. 4, Policy No. 19 19-3 Effective: February 1999

FIELD POLICY MANUAL NO. 20 - INDUSTRY-SPONSORED SEMINARS OR TECHNICAL CONFERENCES

Policy

The staff should participate in industry-sponsored seminars or technical conferences to facilitate public awareness and understanding of NRC programs.

Guidance

Generally, the staff should participate in industry-sponsored seminars or technical conferences in cases where the seminar or conference:

1. Supports the exchange of information or education,
2. Permits the NRC to demonstrate a position of leadership,
3. Provides an opportunity for the staff to establish appropriate contacts, or
4. Discusses subjects where it would be considered beneficial for the NRC mission to exhibit regulatory interest.

When determining whether or not to participate in industry sponsored seminars or technical conferences, the staff should consider the following factors: sessions are open to the public; attendees represent a broad range of entities or interests; the agenda is balanced and is expected to present all of the important aspects of a particular topic; there is no predominance of a particular sponsor; and the sessions are not near, or do not have an obvious relationship to, an associated vendor demonstration fair or exposition. While these factors are not go/no-go criteria, attendance at any seminar or conference that does not meet all of the factors should be reviewed with management, up to the Deputy Executive Director for Regulatory Programs (DEDR) in highly visible cases or where our attendance could be perceived as an endorsement of a particular position.

The NRC generally should not participate in conferences where the primary purpose appears to be for the financial or business benefit of the sponsoring entity or the conference is promotional in content.

Since the NRC cannot control the subject matter discussed during an industry-sponsored conference, if the discussions approach issues that might lead to a specific regulatory decision or action, and the meeting is closed to the public, then the NRC attendee should suspend their participation in the conference and contact their management for further guidance regarding continued participation. (See the related guidance on "Public Attendance at Certain Meetings Involving the NRC Staff," Management Directive 3.5, which gives guidance for NRC-controlled meetings.)

FPM Rev. 4, Policy No. 20 20-1 Effective: March 1999

U.S.NRC
United States Nuclear Regulatory Commission
Protecting People and the Environment

NUREG/CR-7145

Nuclear Power Plant Security Assessment Guide

Note to requester: This is the 3rd attachment in the previous email, ML13122A181.pdf.

Office of Nuclear Security and Incident Response

AVAILABILITY OF REFERENCE MATERIALS IN NRC PUBLICATIONS

NRC Reference Material

As of November 1999, you may electronically access NUREG-series publications and other NRC records at NRC's Public Electronic Reading Room at http://www.nrc.gov/reading-rm.html. Publicly released records include, to name a few, NUREG-series publications; Federal Register notices; applicant, licensee, and vendor documents and correspondence; NRC correspondence and internal memoranda; bulletins and information notices; inspection and investigative reports; licensee event reports; and Commission papers and their attachments.

NRC publications in the NUREG series, NRC regulations, and Title 10, "Energy," in the Code of Federal Regulations may also be purchased from one of these two sources.

1. The Superintendent of Documents
U.S. Government Printing Office
Mail Stop SSOP
Washington, DC 20402-0001
Internet: bookstore.gpo.gov
Telephone: 202-512-1800
Fax: 202-512-2250

2. The National Technical Information Service
Springfield, VA 22161-0002
www.ntis.gov
1-800-553-6847 or, locally, 703-605-6000

A single copy of each NRC draft report for comment is available free, to the extent of supply, upon written request as follows:

Address: U.S. Nuclear Regulatory Commission
Office of Administration
Publications Branch
Washington, DC 20555-0001
E-mail: DISTRIBUTION.RESOURCE@NRC.GOV
Facsimile: 301-415-2289

Some publications in the NUREG series that are posted at NRC's Web site address http://www.nrc.gov/reading-rm/doc-collections/nuregs are updated periodically and may differ from the last printed version. Although references to material found on a Web site bear the date the material was accessed, the material available on the date cited may subsequently be removed from the site.

Non-NRC Reference Material

Documents available from public and special technical libraries include all open literature items, such as books, journal articles, transactions, Federal Register notices, Federal and State legislation, and congressional reports. Such documents as theses, dissertations, foreign reports and translations, and non-NRC conference proceedings may be purchased from their sponsoring organization.

Copies of industry codes and standards used in a substantive manner in the NRC regulatory process are maintained at-

The NRC Technical Library
Two White Flint North
11545 Rockville Pike
Rockville, MD 20852-2738

These standards are available in the library for reference use by the public. Codes and standards are usually copyrighted and may be purchased from the originating organization or, if they are American National Standards, from-

American National Standards Institute
11 West 42nd Street
New York, NY 10036-8002
www.ansi.org
212-642-4900

Legally binding regulatory requirements are stated only in laws; NRC regulations; licenses, including technical specifications; or orders, not in NUREG-series publications. The views expressed in contractor-prepared publications in this series are not necessarily those of the NRC.

The NUREG series comprises (1) technical and administrative reports and books prepared by the staff (NUREG-XXXX) or agency contractors (NUREG/CR-XXXX), (2) proceedings of conferences (NUREG/CP-XXXX), (3) reports resulting from international agreements (NUREG/IA-XXXX), (4) brochures (NUREG/BR-XXXX), and (5) compilations of legal decisions and orders of the Commission and Atomic and Safety Licensing Boards and of Directors' decisions under Section 2.206 of NRC's regulations (NUREG-0750).

DISCLAIMER: This report was prepared as an account of work sponsored by an agency of the U.S. Government. Neither the U.S. Government nor any agency thereof, nor any employee, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for any third party's use, or the results of such use, of any information, apparatus, product, or process disclosed in this publication, or represents that its use by such third party would not infringe privately owned rights.

U.S.NRC
United States Nuclear Regulatory Commission
Protecting People and the Environment

NUREG/CR-7145

Nuclear Power Plant Security Assessment Guide

Manuscript Completed: April 2013
Date Published: April 2013

Prepared by:
J. Zamanali and C. Chwasz

Nuclear Systems Analysis Operations Center
Information Systems Laboratories, Inc.
Rockville, MD 20852

James E. Vaughn, NRC Project Manager

NRC Job Codes N4110 and N4116

Office of Nuclear Security and Incident Response

ABSTRACT

This document provides detailed guidance for the format and content of a security assessment of a commercial nuclear power plant. The U.S. Nuclear Regulatory Commission (NRC) encourages design certification and combined license applicants to use this guidance to optimize physical security during the design phase. The expected result is a more robust security posture with less reliance on operational programs (human actions) and potentially costly retrofits. The NRC also encourages operating reactor licensees to use this guidance in planning and executing changes and upgrades of physical protection systems at existing sites.


CONTENTS

ABSTRACT
CONTENTS
LIST OF FIGURES
LIST OF TABLES
EXECUTIVE SUMMARY
ACKNOWLEDGMENTS
ACRONYMS AND ABBREVIATIONS

1. INTRODUCTION
1.1 Purpose and Applicability
1.2 Background
1.3 Use of Standard Format and Content
1.4 Quality Assurance and Security Assessment Team Attributes
1.4.1 Quality Assurance Recommendations
1.4.2 Security Assessment Team Recommendations

2. HIGH ASSURANCE EVALUATION GUIDANCE
2.1 Overall Description of the High Assurance Evaluation, Security Assessment Process
2.2.1 Obtain Design-Basis Threat and Guidance
2.2.2 Obtain List of Security Engineering Publications
2.2.3 Obtain Standard Set of Scenarios
2.2.4 Define Objectives
2.3 Establish Facility Design
2.3.1 Determine Configuration of Facility and Site Characteristics
2.3.2 Perform Target Set Analysis
2.4 Design Physical Protection System
2.4.1 Design Detection, Delay, and Response Elements
2.4.1.1 Detection Elements
2.4.1.2 Delay Elements
2.4.1.3 Response Elements
2.4.1.4 Safety/Security Interface
2.4.1.5 Insider Threat
2.4.1.6 Other Site Security Design Features
2.5 Perform Evaluation
2.5.1 Apply NRC Developed Scenarios and Evaluate Overall PPS Effectiveness Using an Acceptable Methodology
2.5.1.1 Overall Scenario Identification
2.5.1.2 Blast Effects
2.5.1.3 Scenario Timeline Analysis
2.5.1.4 Neutralization Analysis
2.5.1.5 Overall Physical Protection System Effectiveness
2.5.1.6 Evaluation of Candidate Design Features
2.5.2 Analyze Scenarios to Ensure Adversary Actions are within DBT Capabilities and Credible
2.5.3 Analyze Scenario To Ensure Barrier Delay Times and Protective Force Actions are Credible
2.6 High Assurance Evaluation
2.7 Redesign Physical Security System

3. FORMAT AND CONTENT GUIDANCE
4. REFERENCES

Appendix A Glossary
Appendix B Security Engineering Publications Acceptable for Use
Appendix C Security Assessment Modeling Tools
Appendix D Blast Effects

LIST OF FIGURES

Figure 2-1 Security assessment process - high assurance evaluation
Figure 2-2 Security assessment process - step 1: determine objectives
Figure 2-3 Security assessment process - step 2: establish facility design
Figure 2-4 Security assessment process - step 3: design physical protection system
Figure 2-5 Security assessment process - step 4: perform evaluation
Figure 2-6 Example facility
Figure 2-7 Potential adversary entry points
Figure 2-8 Potential adversary paths for target set A
Figure 2-9 Potential adversary paths for target set B
Figure 2-10 Shortest adversary paths
Figure 2-11 Potential adversary paths with tactical advantage
Figure 2-12 Adversary timeline
Figure 2-13 Protective force timeline
Figure 2-14 Integrated protective force and adversary timelines
Figure 2-15 Timeline margin
Figure 2-16 Security assessment process - step 5: was high assurance objective met?
Figure 2-17 Security assessment process - step 6: redesign physical security system

LIST OF TABLES

Table 1-1 Quality Assurance Recommendations
Table 2-1 Example DBT Scenario #1
Table 2-2 Resulting Overall Scenarios
Table 2-3 System Effectiveness Inputs
Table 3-1 Security Assessment Table of Contents

EXECUTIVE SUMMARY

In a staff requirements memorandum (SRM) to SECY-06-0204, dated April 24, 2007 (Ref. 6), the U.S. Nuclear Regulatory Commission (NRC) staff was directed by the Commission to develop a security assessment guidance document. The Nuclear Power Plant Security Assessment Format and Content Guide was finalized and entered into the agency's Agencywide Documents Access and Management System (ADAMS) document database on October 30, 2007. New reactor designers used this document in the preparation of applications for design certifications. In September 2011, the NRC Office of Nuclear Security and Incident Response, Security Programs Support Branch, initiated an action to convert the Nuclear Power Plant Security Assessment Format and Content Guide into an official NRC NUREG/CR.

The NUREG/CR expanded upon the existing security assessment guidance document and was informed by lessons learned and requests for additional information (RAIs) generated during the NRC staff review of security assessments submitted by design certification and combined license applications between 2006 and 2012.

This document provides detailed guidance for the format and content of a security assessment.

The security assessment described in this document is voluntary for licensees and applicants for nuclear power plants. This document should be used in conjunction with the Nuclear Power Plant Security Assessment Technical Manual, SAND2007-5591, September 2007 (Ref. 7). The Standard Review Plan, NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)" (Ref. 14), Sections 13.6.1, and 13.6.2, also may be used as an aid when performing the security assessment.

The NRC encourages design certification and combined license applicants to use this guidance to optimize physical security during the design phase. The expected result is a more robust security posture with less reliance on operational programs (human actions). Although not required under 10 CFR 52.79, "Contents of Applications; Technical Information in Final Safety Analysis Report," as part of the application for a new nuclear power plant, the security assessment that would result from the method described within this document would provide a strong basis for meeting the general performance objective in 10 CFR 73.55(b)(1). The NRC also encourages operating reactor licensees to use this guidance in planning and executing changes and upgrades of physical protection systems at existing sites.


ACKNOWLEDGMENTS

The authors would like to acknowledge the NRC staff members who provided direction, suggestions, and other assistance in the preparation of this publication.

Office of Nuclear Security and Incident Response

  • James E. Vaughn, Security Specialist, Security Programs and Support Branch
  • John G. Frost, Security Specialist, Reactor Security and Licensing Branch
  • Al Tardiff, Sr. Security Specialist, Fuel Cycles and Transportation Security Branch
  • Doug Huyck, Branch Chief, Security Programs and Support Branch
  • Dyrk Greenhalgh, Vulnerability Assessment Team Lead, Oak Ridge National Laboratory
  • Jack Crockett, Physical Security Engineer, Oak Ridge National Laboratory

ACRONYMS AND ABBREVIATIONS

ADAMS    Agencywide Documents Access and Management System
ANSI     American National Standards Institute
ASSESS   Analytic System and Software for Evaluating Safeguards and Security
ATLAS    Adversary Time Line Analysis System
BREs     bullet resistant enclosures
CAS      central alarm station
CDP      critical detection point
CFR      Code of Federal Regulations
CIP      Critical Interruption Point
COL      combined license
DBT      design-basis threat
DC       design certification
DCD      Design Control Document
EASI     Estimated Adversary Sequence Interruption
FOF      force-on-force
JCATS    Joint Conflict and Tactical Simulation
LOCA     loss of coolant accident
MOX      mixed oxide
NEI      Nuclear Energy Institute
NRC      U.S. Nuclear Regulatory Commission
OCA      owner-controlled area
PA       protected area
P_D      probability of detection
P_I      probability of interruption
P_N      probability of neutralization
PPS      physical protection system
PRA      probabilistic risk assessment
RAI      request for additional information
RG       Regulatory Guide
RIS      Regulatory Issue Summary
ROWS     remotely operated weapon system
RSD      required standoff distance
SAS      secondary alarm station
SECY     U.S. NRC Office of the Secretary
SGI      Safeguards Information
SNM      special nuclear material
SRM      staff requirements memorandum
SSCs     structures, systems, and components
VA       vulnerability analysis
VBS      vehicle barrier system
VISA     Vulnerability Integrated Security Assessment

1. INTRODUCTION

1.1 Purpose and Applicability

This guide describes a method for developing the format and content of a security assessment for a nuclear plant. While this document has been developed specifically for new nuclear power plant design certification and combined license applicants, the high assurance evaluation described may be applied by existing nuclear power plant licensees when upgrading or modifying their physical protection systems.

The security assessment is an examination of security in a holistic manner, considering the facility design (including the layout of the facility) and physical characteristics of the site. It may serve as part of the technical bases for evaluating the applicant's security program during the licensing phase. Specifically, the security assessment is an evaluation of the reactor facility's physical protection design that: 1) identifies target sets and, for selected scenarios, performs a systematic evaluation using risk evaluation methodologies that demonstrate the ability of the design to meet the performance objectives of 10 CFR 73.55(a) (Ref. 1), and 2) identifies engineered security design features to be incorporated into the design of the reactor facility that provide high assurance that security functions can be accomplished, to the maximum extent practical, without undue reliance upon administrative and operational response actions by response forces.

The primary purpose of the security assessment is to demonstrate that the physical protection system (PPS) design of a new reactor facility provides high assurance of protection against the design-basis threat (DBT). The performance-based physical security requirements to protect against the DBT can be found in 10 CFR 73.55. Performance of a security assessment does not obviate the requirements of 10 CFR Part 73, "Physical Protection of Plants and Materials" (Ref. 2), for force-on-force (FOF) performance assessments for operating nuclear power plants.

The FOF performance assessment serves as a validation tool for the security assessment in that the security assessment should form the basis for the physical protection strategy and identification of target sets. The standard set of DBT scenarios (Ref. 3) provided by the U.S. Nuclear Regulatory Commission (NRC) encompasses the attributes and characteristics of the adversaries as defined in the DBT for radiological sabotage.

If an applicant submits a design-specific security assessment as part of a design certification license or combined license application, the NRC staff will review it to ensure that the design features identified and described are consistent with the relevant security requirements and that practicable safety and security features have been appropriately considered for integration into the design for new reactors (consistent with the Commission Policy Statement on Regulation of Advanced Reactors - 73 FR 60612; October 14, 2008) (Ref. 4).

Resolution of security-related design issues at the early stage of the regulatory review process should result in a more robust security posture requiring less reliance on human actions.

However, resolution of the security-related design issues would not constitute final NRC approval of an applicant's overall security program. NRC review and approval of an applicant's security program consists of licensing reviews of an application under 10 CFR Part 50 or 10 CFR Part 52, to include security plans, implementation schedules, and additional security technical reports. Inspections during construction and startup, as well as the security baseline inspection program (to include FOF exercises) provide assurance of compliance with all applicable regulations, orders, and licenses.


1.2 Background

Following the terrorist attacks on September 11, 2001, the NRC conducted a thorough review of security to ensure that nuclear power plants and other licensed facilities continued to have effective security measures in place given the changing threat environment. Through a series of orders, the Commission specified additional supplementary information to be included in the current DBT, as well as requirements for training enhancements, access authorization enhancements, restrictions on security officer work hours and enhancements to defensive strategies, mitigative measures, and integrated response. Since then, the NRC has assessed threats, vulnerabilities, and mitigative strategies for reactor facilities and has required upgrades of physical security and mitigative measures at operating reactors.

The Commission also directed NRC staff to make conforming changes to other rules. As part of this effort, the NRC staff examined implementation issues such as the need for guidance documents, changes in the enforcement policy, and a means for dispositioning the post-September 11, 2001 orders. Furthermore, the Commission directed the NRC staff to provide guidance so that applicants and prospective applicants would be able to use DBT information early in the design stage of new reactor facilities to identify potential mitigative measures and design features. In the staff requirements memorandum (SRM) dated September 9, 2005 titled "Security Design Expectation for New Reactor Licensing Activities," (Ref. 5), the Commission stated that applicants should be required to submit a security assessment addressing the relevant security requirements, which were established for currently operating plants by order, including the requirements for protection against the revised DBT and the requirements for enhanced mitigative measures.

In the SRM dated April 24, 2007 titled "Proposed Rulemaking - Security Assessment Requirements for New Nuclear Power Reactor Designs," (Ref. 6), the Commission directed the NRC staff to develop the guidance for the proposed rule to support the 10 CFR 73.55 power reactor security rulemaking ongoing at the time, and to provide regulatory guidance for licensees to meet the requirements of that rulemaking. This document, in conjunction with the "Nuclear Power Plant Security Assessment Technical Manual" (Ref. 7), represents the guidance developed for security assessments. Included in this document are the insights from the Design Certification, Combined License and ongoing operating license reviews conducted between 2007 and 2012.

1.3 Use of Standard Format and Content

This document describes a process to ensure that the PPS of the reactor facility design is effective in protecting against the DBT with high assurance.

This guide provides an acceptable means of providing the information for nuclear power reactor security assessment submittals, and a uniform format that the NRC staff considers acceptable for structuring and presenting the required information.

The level of detail in the security assessment should be sufficient to enable the NRC staff to understand and determine the validity of all input data and calculation models used, to enable the NRC to understand the sensitivity of the results to key aspects of the PPS including key analysis assumptions (e.g., identification of critical assumptions for which small changes could significantly affect the overall effectiveness of the PPS), and to audit the calculations. The design information provided in the security assessment should reflect the most advanced state of the design at the time of submission. It is not necessary to submit all documentation for NRC review, but basis documents, calculations, guidance, and references should be cited and should be available in a clear, methodical, and retrievable format. Properly retained documentation should allow an independent expert analyst to reproduce any portion of the results or calculations in a straightforward, unambiguous manner. To the extent possible, the retained documentation should be organized along the lines identified in the areas of review.

1.4 Quality Assurance and Security Assessment Team Attributes

1.4.1 Quality Assurance Recommendations

The security assessment should be complete, defensible, and transparent (i.e., traceable to its source documents). Table 1-1 lists the applicable quality assurance recommendations for this analysis. These quality assurance topics are consistent with the quality assurance criteria contained in Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants," to 10 CFR Part 50 (Ref. 8).

Table 1-1 Quality Assurance Recommendations

No. | Topic | Recommendation
1 | Quality Assurance Program | At the earliest practicable time, consistent with the schedule for developing, modifying, and maintaining the security assessment, a quality assurance program should be established with written policies, procedures, or instructions and should be carried out throughout the life cycle of the assessment.
2 | Analysis Staff | Measures are established to provide for indoctrination, training, and qualification of personnel performing security assessment-related activities to assure awareness in quality assurance processes and controls and to ensure suitable technical proficiency is achieved and maintained.
3 | Independent Reviews | The security assessment control measures should provide for verifying or checking the adequacy of the assessment, such as by the performance of independent checks and peer reviews. The independent verification or checking process should be performed by individuals or groups other than those who performed the original assessment, but may be from the same organization.
4 | Procedures | Activities affecting security assessment quality are prescribed by documented instructions or procedures and should be accomplished in accordance with these instructions or procedures.
5 | Document Control | Measures are established to control the issuance of security assessment documents. These measures should ensure that documents, including changes, are reviewed for adequacy and approved for release by authorized personnel. Changes to documents are reviewed and approved by the same organizations that performed the original review and approval unless assigned to another responsible organization.
6 | Corrective Actions | Measures are established to ensure that conditions adverse to security assessment quality are promptly identified and corrected. In the case of significant conditions adverse to quality, the measures should ensure that the cause of the condition is determined and corrective action is taken to preclude repetition. The identification of the significant condition adverse to quality, the cause of the condition, and the corrective action taken is documented and reported to appropriate levels of management.
7 | Audits | A comprehensive system of planned and periodic audits is carried out to verify compliance with all aspects of the quality assurance program and to determine the effectiveness of the program. The audits are performed in accordance with written procedures or checklists by appropriately trained personnel not having direct responsibilities in the areas being audited. Audit results should be documented and reviewed by management having responsibility in the area audited. Follow-up action, including re-audit of deficient areas, should be taken where indicated.

1.4.2 Security Assessment Team Recommendations

Team qualification is an important element supporting the credibility and adequacy of the security assessment. Each team member should have technical expertise in the elements that he or she develops. Therefore, the security assessment team should have subject matter experts knowledgeable in the following areas:

1. Security Systems, to include, but not limited to:
a. Detection and Assessment
b. Alarm Communication and Display
c. Sensors
d. Access Control
e. Delay
f. Communication Systems
g. Cyber Security
2. Protective Force (i.e., Responsive Force)
3. Others as needed to perform specific functions

Subject matter experts that should be used for the creation and maintenance of target sets are described in RG 5.81, "Target Set Identification and Development for Nuclear Power Reactors" (Ref. 9), section C.3.

The team members, their qualifications, and their roles should be included in the security assessment submittal and supporting documentation.


2. HIGH ASSURANCE EVALUATION GUIDANCE

This section provides a description of an assessment method to evaluate the effectiveness of the designed physical protection system (PPS). This evaluation should demonstrate that the reactor facility's physical protection system elements provide defense-in-depth through the integration of systems, technologies, programs, equipment, supporting processes, and implementing procedures to ensure that the capabilities to detect, assess, interdict, and neutralize[1] threats up to and including the design-basis threat of radiological sabotage are maintained at all times (consistent with the general performance requirements in 10 CFR 73.55(b)(3)). These requirements are considered to meet the objective of high assurance (as defined in 10 CFR 73.55(b)), such that the reactor facility, including the PPS elements, provides high assurance of protection against the DBT.

2.1 Overall Description of the High Assurance Evaluation, Security Assessment Process

The overall security assessment process is depicted in Figure 2-1 and explained further in this chapter by outlining the objectives, process, and reporting recommendations and acceptance criteria of the security assessment process (Ref. 10).

Figure 2-1 Security assessment process - high assurance evaluation

[1] For the purposes of this document, the phrase "detect, delay and respond" is used to reflect the process used in security assessments and security assessment software. This phrase is synonymous with the requirement in 10 CFR 73.55(b)(3)(i) for "detect, assess, interdict, and neutralize".


The security assessment process is an iterative effort for the applicant. The NRC, through regulation and guidance documents, identifies the protection requirements and performance standards (Step 1), while the applicant or licensee determines the protective strategy to accommodate site-specific configuration and operations (Step 2) and identifies targets, or assets. Step 3 addresses the additional PPS characteristics that were not a part of the existing facility design and adds these to the design such that the combination of reactor facility design and these PPS elements would comply with 10 CFR 73.55, "Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors Against Radiological Sabotage."

The PPS elements, along with the previously established facility and site attributes (Step 2), will be evaluated (Step 4) using a security assessment tool or method of assessment acceptable for use. The evaluation will test whether the PPS elements meet the objective of high assurance (Step 5). If the objective of high assurance has been met, the reactor facility including PPS design should be considered to be in compliance with the 10 CFR 73.55 PPS requirements, and the security design characteristics of the plant are acceptable for the purposes of the security assessment.[2] Otherwise, the reactor facility or PPS design elements of the facility are modified, and the security assessment process is applied again (Step 6).

Changes may be made to the reactor facility design characteristics (Step 2) and to the PPS elements (Step 3). This revised combination of design features, including the PPS elements, would again be evaluated (Step 4) against the objective of high assurance. This iterative process should continue until the reactor facility design meets the objective of high assurance.

The overall goal of the iterative security assessment process is to efficiently and effectively achieve a reactor facility design, including the PPS elements that meet the objective of high assurance. Furthermore, as designs are developed, another goal is to provide physical protection through design features, rather than operational functions, thereby reducing dependence on security operational programs (i.e., human actions).

2.2 Determine Objectives

This section describes the security engineering documentation, DBT and guidance, and standard set of DBT scenarios (Ref. 3) that are provided by NRC. This step in the high assurance evaluation is depicted in Figure 2-2.

[2] Acceptability of the facility and PPS design for 10 CFR 73.55 requirements for NRC licensing.


[Flowchart, Step 1: Determine Objectives. Boxes: Obtain List of Security Engineering Publications (From NRC); Obtain Standard Set of Scenarios (From NRC); Define Objectives]

Figure 2-2 Security assessment process - step 1: determine objectives

2.2.1 Obtain Design-Basis Threat and Guidance

Obtain the described radiological sabotage DBT and DBT guidance established by the NRC.

Defining the threat establishes the performance that is required from the PPS (Ref. 10). By describing the threat, the assumptions that are made to perform the assessment are documented and are used to show how they influence required upgrades. The DBT is a general description of the threat, including the type of adversaries, the tactics associated with the threat, and the "tools" the adversary may use. Guidance for the DBT includes 10 CFR 73.1(a)(1) (Ref. 11), Radiological Sabotage and Regulatory Guide (RG) 5.69, "Guidance for Application of the Radiological Sabotage Design Basis Threat in the Design, Development, and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements" (Ref. 12).

2.2.2 Obtain List of Security Engineering Publications

Licensees and applicants are encouraged to use the current set of NRC identified security engineering publications when assessing the effectiveness of the designed physical protection system. These publications provide acceptable methods for many of the variable inputs needed during the security assessment process. For example, documents related to the mitigation of vehicles used by an adversary, such as NUREG/CR-6190, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants" (Ref. 13), detail required (or minimum) standoff distances and vehicle barrier system (VBS) requirements that can support the high assurance evaluation.

If applicants or licensees choose to use different publications or resources than those in the reference list, a detailed justification and an explanation of the other publications' adequacy should be provided. Security engineering publications from the NRC that have been identified as acceptable for use in the security assessment process are included as Appendix B. Before conducting the assessment process, the applicant should contact the NRC to ensure the reference list used is the most current.

2.2.3 Obtain Standard Set of Scenarios

Obtain the current standard set of DBT scenarios from the NRC (Ref. 3). These scenarios include specific attributes and characteristics of the DBT that can be used by all applicants for consistency and to ensure that an adequate breadth of the DBT is evaluated. Typical characteristics described will include the number of adversaries, the type of weapons and tools used, the number of teams, and number of adversary entry points. A scenario provides the information necessary to evaluate the performance of the detection, delay, and response elements of the PPS (Ref. 14).

2.2.4 Define Objectives

Before starting a security assessment, it is critical to understand protection system objectives. 10 CFR 73.55(b), "General performance objective and requirements," states that:

(1) The licensee shall establish and maintain a physical protection program, to include a security organization, which will have as its objective to provide high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.

(2) To satisfy the general performance objective of paragraph (b)(1) of this section, the physical protection program must protect against the design basis threat of radiological sabotage as stated in § 73.1.

(3) The physical protection program must be designed to prevent significant core damage and spent fuel sabotage.

In addition, those applicants anticipating the utilization of mixed oxide (MOX) fuel assemblies will also have as an objective the prevention of theft or diversion of un-irradiated MOX fuel assemblies (Ref. 15).


The objective of high assurance is met when the licensee's protective strategy provides defense-in-depth through the integration of systems, technologies, programs, equipment, supporting processes, and implementing procedures to ensure that the capabilities to detect, assess, interdict, and neutralize threats up to and including the design-basis threat of radiological sabotage are maintained at all times.[3] Detailed guidance for the development of target sets is found in RG 5.81 (Ref. 9).

High assurance can be simulated through the calculation of an overall system effectiveness of the PPS. The overall system effectiveness is a probabilistic calculation of the effectiveness of the PPS to detect (and assess) the adversary, delay the adversary such that responders can intercept the adversary ideally from their protective positions, and the probability that the responders neutralize the adversary. Scenarios in which the responders reach their required protective positions with adequate margin, such that they prevent the adversary from disabling one or more targets, will likely result in a high calculated overall system effectiveness. In comparison, an overall system effectiveness value of 0.0 indicates that the overall PPS is ineffective in stopping the adversary, whereas a 1.0 indicates that the adversary will always be stopped from completing their objectives. Using these overall system effectiveness values, deficiencies and improvements to the physical protection program can be identified and corrected or implemented so that the physical protection system meets the general performance requirements and attains the objective of high assurance. The applicant should clearly state the objective of high assurance and its bases used in the security assessment.

Mathematically, overall system effectiveness can be defined as a probability as follows:

Equation (1) where:

PE = probability of effectiveness or overall system effectiveness,
PI = probability of interruption of the adversary (considers the likelihood that detection will occur early enough in the adversary attack sequence that the response force can arrive before the attack is successfully completed), and
PN = probability of neutralization of the adversary.

Further discussion of the objective of high assurance can be found in Section 2.5.

2.3 Establish Facility Design

Figure 2-3 depicts Step 2 of the high assurance evaluation process. This step establishes the reactor facility design in significant detail to identify potential adversary targets and then identifies these targets using a target set analysis. At this stage, the facility design does not need to include the PPS elements. These elements are added in Step 3 of the assessment process.

[3] "High Assurance," as used in 10 CFR 73.55(a), is deemed to be comparable to the degree of assurance contemplated by the Commission in its safety review for protection against severe postulated accidents having potential consequences similar to the potential consequences from reactor sabotage (44 FR 68185, November 28, 1979).


[Figure 2-3: Security assessment process - step 2: establish facility design. Flowchart boxes: Establish Facility Design; Determine Configuration of Facility and Site Characteristics; Perform Target Set Analysis.]

Applicants for a design certification (DC) should be able to use this process in parallel with other design activities when performing the design process. Applicants for a combined license (COL) referencing a certified design can use this process to identify departures from or additions to the DC. Operating reactor licensees should use this process in parallel with other change processes at the plant (long-term maintenance, upgrades, facility redesign, etc.). Site-specific target sets should be created and used because changes or refinements to the design, based on site characteristics, during the design change process could result in corresponding changes to identified targets. Therefore, the target set analysis should be reviewed and updated as necessary before COL submission and throughout the review period. During the initial evaluation of the target set analysis and during updates, applicants and licensees are encouraged to optimize the facility design and minimize the reliance on operational security programs, to the maximum extent practical.

The security assessment process should be iterative. As changes are made to the design of the reactor facility, including the PPS elements, physical protection program performance should be evaluated and optimized. Applicants are expected to begin the assessment with an existing facility design as early in the design process as practical. For COL applicants, the facility design to be assessed most likely will be that which has been approved in the Design Control Document. DC applicants, for which approval is pending, most likely will use the submitted design. In all cases, the initial reactor facility design that is being used at the beginning of this iterative process has been termed as the "existing" design throughout this guide.

2.3.1 Determine Configuration of Facility and Site Characteristics

A facility characterization considers the existing nuclear reactor design, including the supporting systems, structures and components; and site characteristics such that the targets at the facility that need to be protected can be identified. The characterization, at this stage, requires limited information about the PPS. The information required would only be that which is required to identify or screen targets. The PPS elements will be added during Step 3 of the process.

The extent of the facility characterization process depends on the design status of the facility. Applicants submitting a DC would only consider the configuration of the design characteristics of the facility. COL applicants and operating reactor licensees will include facility design, site characteristics, and the security operational programs. Note that DC applicants may perform a more comprehensive security assessment by identifying standard physical security characteristics. For example, standard physical security characteristics for a DC applicant could include the location and distance of the protected area perimeter in relation to vital areas. Elements associated with the topography of the terrain or the geographic location of the site or other site- or applicant-specific enhancements or constraints would need to be addressed by COL applicants.

Site characteristics or site parameters that are either postulated in the security assessment or are security design features that are outside the scope of the design being addressed at the particular stage of the regulatory process should be identified as security assessment parameters. These parameters would be addressed by a future applicant that references the design and the assessment. Ultimately, any security design issue identified by an assessment, but not addressed by a security design feature at any application stage, should be identified as a security assessment parameter and should be addressed during the development of the security operational programs under the provisions of 10 CFR Part 73.

The following provides guidance on the scope of the security assessment based on the particular stage of the application process in 10 CFR Parts 50 and 52.

1. Construction Permit (10 CFR Part 50). At the construction permit stage, an applicant would have selected a design and the site on which to build the plant. The scope of the assessment should include a description of the applicant's plan for conducting a security assessment that describes the security design features incorporated into the final design of the site based on the design and site characteristics. Scenarios that necessitate evaluation of the security operational programs would be outside the scope of this assessment. An applicant may choose to postulate location and number of armed responders to perform a more comprehensive security assessment. Any security design issue identified but not addressed by a security design feature, would be recorded as a security assessment parameter and should be addressed by the future operating license applicant.

2. Operating License (10 CFR Part 50). Generally, applicants for a construction permit and an operating license are the same entity. At the operating license stage, the applicant would have developed the security operational programs. The scope of the assessment should include: (1) reference to the security assessment for the construction permit, (2) a description of how security design features left unresolved (security assessment parameters) at the construction permit stage were resolved, and (3) scenarios that necessitate evaluation of the security operational programs. Ultimately, any security design issue identified by the assessment that is not resolved by a security design feature should be identified by a security assessment parameter and must be resolved by the operational security program.

3. Design Certification (10 CFR Part 52). At the design certification stage, the applicant would know the design, but not the site or the security operational programs. The scope of the security assessment should include a description of the applicant's plan for conducting a security assessment and describe the security design features incorporated into the design based on the scenarios evaluated by the assessment. Scenarios that necessitate evaluation of site characteristics and the security operational programs would be outside the scope of this assessment. However, the applicant may decide to assess the effectiveness of the plant's security design features at a hypothetical site or sites having characteristics that fall within a set of postulated site parameters (e.g., the location of transportation routes, heat sink, water access ways, and vehicle pathways). A standard set of physical security characteristics may also be used (e.g., distance from the protected area (PA) barrier, to vital areas with delay and detection, VBS at required (or minimum) standoff distance (as described in Reference 1), and number and location of armed responders). Any security design issue identified but not addressed by a security design feature should be recorded as a security assessment parameter and addressed by a future applicant that references the design certification.
4. Manufacturing License. An applicant for a manufacturing license that references a design certification for which a security assessment was done would know the design but not the site or the security operational programs. However, the manufacturing license applicant would not change the information in the design certification. Therefore, a security assessment would not be required at the manufacturing license stage. Any security design issue identified but not addressed by a security design feature at the design certification stage should continue to be recorded as unresolved and addressed by a future applicant that references the manufacturing license.

If the manufacturing license application proposes to use a custom design (i.e., does not reference a design certification), then the scope of the assessment would be the complete design. Any security design issue identified but not addressed by a security design feature should be recorded as a security assessment parameter and addressed by a future applicant that references the manufacturing license.

5. Standard Design Approval. At the standard design approval stage, the applicant would know the design, but not the site or the security operational programs. The application must include a description of the applicant's plan for conducting a security assessment that describes the security design features incorporated into the design based on the scenarios evaluated by the assessment. Scenarios that necessitate evaluation of site characteristics and the security operational programs would be outside the scope of this assessment. However, the applicant may desire to assess the effectiveness of the plant's security design features at a hypothetical site or sites having characteristics that fall within a set of postulated security assessment parameters (e.g., the location of transportation routes, heat sink, water access ways, and vehicle pathways). Any security design issue identified but not addressed by a security design feature should be recorded as a security assessment parameter and addressed by a future applicant that uses the standard design approval, in developing its operational security program.

6. Combined License (COL) (10 CFR Part 52). An applicant for a COL that selects a plant design by referencing either a design certification or manufacturing license, for which a security assessment was completed, would have knowledge of the design, the site, and the operational security programs. The scope of the assessment must include: (1) reference to the security assessment for either the design certification or manufacturing license, (2) a description of how security design features left unresolved by design certification or manufacturing license were addressed, and (3) scenarios that necessitate consideration of the site characteristics and the security operational programs. Ultimately, security design issues identified by this or a previous assessment, which are not resolved by a security design feature, should be identified by a security assessment parameter and must be resolved by the operational security program.

If the COL application proposes to use a custom design, then the scope of the security assessment would include a complete security assessment, including what would otherwise have been performed at the design certification stage, as described above. A COL applicant referencing an already-certified design would not be required to make enhancements to the plant design within the scope of the design certification.

If the COL application proposes to use a standard design approval, then the scope of the security assessment would include a complete security assessment, including what would otherwise have been performed at the design certification stage, as described above. A COL applicant referencing an already-certified design would not be required to make enhancements to the plant design within the scope of the design certification.

In addition to the design characterization described above, a part of the facility characterization involves a description of the operational scope that needs to be considered in the target set analysis. Therefore, each applicant should characterize the operational scope that is included in the assessment such as the plant operational modes, security alert levels and maintenance configurations, including phases of construction for multi-unit sites. Note that NRC regulations encompass all modes of operation and maintenance configurations, in accordance with the requirements in 10 CFR 73.55(f)(4) and 10 CFR 73.58, "Safety/Security Interface Requirements for Nuclear Power Reactors."

2.3.2 Perform Target Set Analysis

The security assessment process includes a target set analysis on the facility design as characterized in Section 2.3.1. The target set analysis is a systematic approach to identify complete sets of adversary targets.


With the facility characterized, the targets can now be identified. In this section, the adversary objective being analyzed is radiological sabotage that has the potential to cause radiological release. Theft and diversion of radioactive materials should also be addressed if un-irradiated MOX fuel is present on site.

A radiological sabotage target set is the combination of equipment or operator actions which, if all are prevented from performing their intended safety function or prevented from being accomplished, would likely result in significant core damage (e.g., non-incipient, non-localized fuel melting and core disruption) barring extraordinary actions by plant operators (10 CFR 73.2, "Definitions" (Ref. 16)). By identifying the adversary's objectives, target sets can be used to aid in the identification of the strategies necessary to prevent core damage, spent fuel sabotage and theft of radioactive materials, while allowing licensees and applicants the flexibility to better design their security programs with site-specific conditions in mind. Guidance and a methodology to identify and generate target sets are found in RG 5.81 (Ref. 9).

While the goal of the adversary is to disable a complete target set, the goal of the physical protection system is to protect targets with high assurance (Ref. 15).

Iterations of this security assessment process, outlined in Figure 2-1, may require an updated target set analysis. Physical modifications to the facility design (completed in Step 2 of the process in Figure 2-1) may change the targets within specific target sets and warrant an updated target set analysis.

2.4 Design Physical Protection System

Figure 2-4 depicts Step 3 of the high assurance evaluation process. The physical protection system at a nuclear power plant integrates people, procedures, and equipment for the protection of assets or facilities against theft, radiological sabotage, theft of special nuclear material, or other malevolent human attacks. The purpose of this step is to characterize the physical protection system to support the security evaluation to be performed in Step 4. Each element of the PPS (i.e., detection, delay, and response) influences its respective probabilistic measures (probability of detection (PD), probability of interruption (PI), and probability of neutralization (PN), as described in Section 2.2.4). The probabilities that are evaluated in Step 4 of the process are explained in Section 2.5.


[Figure 2-4: Security assessment process - step 3: design physical protection system. Flowchart boxes: Design Physical Protection System; Design Detection, Delay, and Response Elements.]

2.4.1 Design Detection, Delay, and Response Elements

This section describes the PPS elements that can be folded into the existing facility design, as discussed in Section 2.3, to obtain a PPS that provides high overall system effectiveness. The final design should include system functions necessary to (1) detect, delay, and respond to an attack against target sets by an adversary possessing the DBT characteristics and (2) provide conditions that facilitate mitigation actions to occur before, during, and after an attack consistent with the requirements in 10 CFR 73.55 (Ref. 1) and the guidance in RG 5.76 (Ref. 17). The applicant should identify candidate security design features that will be assessed using a risk assessment methodology to determine the effectiveness of these features in accomplishing security functions. These candidate security design features should include design concepts contained in "Nuclear Power Plant Security Assessment Technical Manual" (Ref. 7). The assessment of these features is discussed in Section 2.5.1.6.


In addition to the candidate security design features, applicants may conduct iterative runs of the security assessment process to assess different detection, delay, and response elements that could potentially be added to the design to reach the desired response margin or overall system effectiveness. Each iteration through the process (as PPS elements are added, modified, and deleted from the facility design) may produce insights about which PPS elements are the most efficient and effective (i.e., which elements cost the least while greatly enhancing physical security system effectiveness and vice versa). These insights should be captured and documented in the security assessment submission.

2.4.1.1 Detection Elements

The detection function in a PPS includes exterior and interior sensors, monitoring of barriers by security personnel (as applicable under 10 CFR 73.55(e)(8)(ii)), alarm assessment, access control, and the alarm communication and display subsystems, all working together. An effective PPS should first detect an intrusion, generate an alarm, and then transmit that alarm to a location for assessment and appropriate response (Ref. 14). The intrusion detection should occur as early as possible in the adversary task timeline. The chosen detection functions of the PPS will affect the probability of detection, which is measured both by the probability of sensing adversary action and by the time required for assessing and reporting the alarm (Ref. 18). The NRC-recommended probability of detection for a protected area perimeter intrusion detection system is 90 percent detection with 95 percent confidence, as stated in NUREG 1959, "Intrusion Detection Systems and Subsystems" (Ref. 19). Detection elements should be identified and described in adequate detail to support the security assessment. Language in 10 CFR 73.55 requires the detection of both attempted and actual penetration of the protected area perimeter barrier before completed penetration of the protected area perimeter barrier to ensure that an adequate response by the security organization can be initiated. In addition, 10 CFR 73.55 requires that all vital area access portals and vital area emergency exits have intrusion detection equipment and locking devices. Therefore, high assurance is aided by intrusion paths with additional intrusion sensors. For intrusion paths through barriers without intrusion detection equipment (walls, underground pathways, etc.), information on the patrols or observation capabilities of security personnel should be detailed enough for reviewers to determine that detection would occur before exploitation with high probability and confidence. Detection and assessment by personnel should be accompanied by a discussion on communications (primary, secondary, and duress alarms if appropriate), and surveillance and assessment capabilities during different environmental conditions.

2.4.1.2 Delay Elements

An effective PPS should provide sufficient delay after initial detection of the adversary to allow time for a suitable response. The chosen delay functions of the PPS will affect the probability of interruption, which is the probability that the response force arrives at the interruption point (a pre-determined defensive position) before the adversary completes his attack sequence.

Detection is desired to occur such that there is adequate time for the response force to reach the interruption point before the adversaries are beyond the effectiveness of this position. The critical detection point (CDP) is defined as the point on the adversary's path where path delay exceeds response force interruption time.[4] Delay elements should be identified and described in adequate detail to support the security assessment, to include, but not limited to: access points (gates, doors, turnstiles); barriers (fences, razor wire, walls, windows, grates, vehicle barriers); and other structures (bullet resistant enclosures (BREs), pipes, "ankle breakers," plant machinery and structures that could provide a pathway). Those delay elements of the PPS that are activated and placed after the detection of a security event should be described in detail, including activation procedure and timeline to full effectiveness of the barrier. Delay characteristics to include traversal times may be found in SAND2001-2168, "Access Delay," Volume I, Technology Transfer Manual, August 2001 (Ref. 20), Regulatory Issue Summary (RIS) 2003-06, "High Security Protected and Vital Area Barrier/Equipment Penetration Manual," March 20, 2003 (Ref. 21), and NEI 09-05, "Guidance on the Protection of Unattended Openings that Intersect a Security Boundary" (Ref. 22).

[4] The CDP concept and use in assessing overall PPS effectiveness is described in detail in Section 2.5.1.5 of this guide.

2.4.1.3 Response Elements

The response subsystem of the PPS involves two interrelated factors: the time it takes for the desired responders to arrive at the proper location and the effectiveness of that response once responders are at that location. In combination with the response capability, the response strategy should also be considered. Basic response strategies used include denial, containment, interruption, and recapture and recovery. Deterrence may be a factor, but it is usually because of a robust security posture and difficult to quantify. The chosen response strategies of the PPS will affect both the probability of interruption and the probability of neutralization. Response elements should be identified and described in adequate detail to support the security assessment. This detail should include: armament, personnel armor, BRE design (bullet and blast resistance, field of fire, communications, restricted lines-of-sight/blind spots), response pathways, positions, and timelines for all response personnel. If remotely operated weapon systems (ROWS) are planned, all aspects of the ROWSs should be detailed in a separate report and necessary details for the purposes of the security assessment should be included (command and control, operator locations, system description, fields of view, fields of fire, system limitations, etc.).

2.4.1.4 Safety/Security Interface

The addition of PPS elements may have an effect on reactor safety. Conversely, changes in plant operation or equipment configuration may affect security. Therefore, as the PPS is designed, the applicant should consider the role of safety. This consideration is termed the safety-security interface. Safety and security interface refers to the actual or potential interactions that may adversely affect security activities because of design or operational (including maintenance) activities or vice versa. Requirements for managing the safety security interface are found in 10 CFR 73.58 (Ref. 23).

To achieve the objective of optimizing the design features and operational controls and to balance the needs of safety and security, an evaluation of any proposed PPS change using the applicable safety requirements, the probabilistic risk assessment (PRA), and a security assessment is recommended. Further guidance can be found in RG 5.74, "Managing the Safety/Security Interface" (Ref. 24).

Operational (Safety) Initiated Changes

For each proposed operational-driven change, in addition to the appropriate safety reviews, a review of the change's impact on security should be assessed. This can be done by reviewing the elements of the physical protection systems to determine which, if any, are affected by the proposed change. The type of analysis depends on the element or elements impacted by the change and the degree to which they are impacted. The evaluation can range from a simple screening analysis to an integrated benefit analysis. Therefore, before the implementation of a proposed safety change, the change should be evaluated using the security assessment process.

Examples of adverse operations initiated interactions that may have occurred at nuclear power plants include: (1) inadvertent security barrier breaches while performing maintenance activities (e.g., cutting of pipes that provided uncontrolled access to vital areas, removing ventilation fans or other equipment from vital area boundary walls without taking compensatory measures to prevent uncontrolled access into vital areas), (2) blockage of bullet resisting enclosures (or other defensive firing position's) fields of fire, (3) erection of scaffolding and other equipment without due consideration of its impact on the site's physical protection strategy, (4) staging of temporary equipment within security isolation zones, and (5) extended maintenance outages of equipment, which are identified targets within the target set analysis.

Security Initiated Changes

For each proposed security-driven change, its impact on plant safety should be assessed. Changes made to structures, systems, and components (SSCs) that are out-of-scope of the PRA and are out-of-scope of other deterministic safety requirements that are included in the design or licensing bases of the plant can be screened. Changes made to components within the scope of the PRA or other deterministic safety requirements should be evaluated for adverse safety impact. Therefore, before the implementation of a proposed PPS change, the change should meet appropriate safety criteria.

Examples of security activities that have the potential to adversely affect safe plant operations include: security force staffing changes on backshifts, weekends, and holidays that could adversely impact operations during plant events or emergencies (e.g., opening and securing vital area access doors to allow operations personnel timely access to safety-related equipment) and the installation of security equipment that interferes with plant operations (e.g., placement of a security fence that blocks the pressure relief blowout panel for the turbine driven auxiliary feed water system and installation of security delay fencing with razor wire preventing access to plant fire hydrants).

2.4.1.5 Insider Threat

The threat of a passive or active insider should be considered in the evaluation of the physical protection system, consistent with the DBT. The use of a defense-in-depth approach can minimize the effect of an insider by providing redundancies to those physical protection system elements that are vulnerable to a passive or active insider. By omitting a single vulnerable element (e.g., an armed responder, an alarm station, an intrusion detection sensor) at a time, the defense-in-depth nature of the physical protection system can be determined and improved, and thus better protected against an insider threat.
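The critical detection point from Section 2.4.1.2 and the one-element-at-a-time omission described in Section 2.4.1.5 can be worked through together. The Python sketch below is an added illustration, not code or data from this guide or from any assessment tool; the path, probabilities, delays and response time are constructed values. It assumes fixed (deterministic) times, detection at the start of each element, and omission of detection elements only, so it is a simplification and not the EASI model.

```python
"""Timely-detection sketch for one adversary path (all values constructed)."""
from dataclasses import dataclass, replace
from math import prod
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PathElement:
    name: str
    p_detect: float  # probability of sensing AND assessing an alarm at this element
    delay_s: float   # delay the element imposes on the adversary, in seconds

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"{self.name}: p_detect must be in [0, 1]")
        if self.delay_s < 0:
            raise ValueError(f"{self.name}: delay_s must be non-negative")


# Constructed sample path, ordered from the site boundary to the target.
SAMPLE_PATH: List[PathElement] = [
    PathElement("PA perimeter fence with IDS", 0.90, 30),
    PathElement("cross protected area", 0.10, 60),
    PathElement("building exterior door", 0.80, 90),
    PathElement("vital area door", 0.90, 120),
    PathElement("task at target", 0.00, 60),
]
RESPONSE_TIME_S = 200.0  # constructed time for responders to reach their positions


def critical_detection_point(path: List[PathElement],
                             response_time_s: float) -> Optional[int]:
    """Index of the last element at which detection is still timely.

    Assumption: detection happens at the start of an element, so the delay of
    that element and of everything after it remains. Detection is timely while
    that remaining delay exceeds the response time. Returns None when even
    detection at the first element would be too late.
    """
    cdp = None
    for i in range(len(path)):
        remaining = sum(e.delay_s for e in path[i:])
        if remaining > response_time_s:
            cdp = i
    return cdp


def probability_of_interruption(path: List[PathElement],
                                response_time_s: float) -> float:
    """P(at least one detection at or before the CDP); later sensors do not count."""
    cdp = critical_detection_point(path, response_time_s)
    if cdp is None:
        return 0.0
    p_all_missed = prod(1.0 - e.p_detect for e in path[: cdp + 1])
    return 1.0 - p_all_missed


def single_omission_analysis(path: List[PathElement],
                             response_time_s: float) -> Dict[str, float]:
    """Recompute PI with each element's detection defeated in turn (p_detect = 0).

    Delay is left unchanged, so the CDP stays where it was and only the loss of
    detection is measured.
    """
    results = {}
    for i, element in enumerate(path):
        degraded = list(path)
        degraded[i] = replace(element, p_detect=0.0)
        results[element.name] = probability_of_interruption(degraded, response_time_s)
    return results


if __name__ == "__main__":
    cdp = critical_detection_point(SAMPLE_PATH, RESPONSE_TIME_S)
    baseline = probability_of_interruption(SAMPLE_PATH, RESPONSE_TIME_S)
    print(f"CDP: {SAMPLE_PATH[cdp].name}; baseline PI = {baseline:.3f}")
    for name, pi in single_omission_analysis(SAMPLE_PATH, RESPONSE_TIME_S).items():
        print(f"  without detection at {name!r}: PI = {pi:.3f} "
              f"(change {pi - baseline:+.3f})")
```

In this constructed path the vital area door sensor sits past the CDP, so removing it does not change PI, while losing the perimeter IDS alone gives the largest drop; that is the kind of single-point dependence the omission exercise is meant to expose.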

2.4.1.6 Other Site Security Design Features

Included for consideration should be those design features that enhance the effectiveness of those PPS elements that detect, delay, and respond to threats. These features can be a part of the original facility design, or added after the evaluation as part of the PPS redesign in Step 6.

Examples include serpentine or channeling barriers, and closed-circuit television systems not used for assessment at the isolation zone.


2.5 Perform Evaluation

Figure 2-5 depicts Step 4 of the high assurance evaluation process. The evaluation, performed as part of the security assessment process, is intended to demonstrate that a reactor facility, including the PPS design, provides high assurance of compliance with 10 CFR 73.55 and high overall system effectiveness. The evaluation will enable NRC staff to determine whether the applicant has provided defense in depth through the integration of systems, technologies, programs, equipment, supporting processes, and implementing procedures to ensure that the capabilities to detect, assess, interdict, and neutralize threats up to and including the design-basis threat of radiological sabotage are maintained at all times.

[Figure 2-5 Security assessment process - step 4: perform evaluation. Boxes under Step 4: Apply NRC Developed Scenarios and Evaluate PPS Using an Acceptable Methodology; Analyze Scenarios to Ensure Adversary Actions are Within DBT Capabilities and Credible; Analyze Scenario to Ensure Barrier Delay Times and Protective Force Actions are Credible]

Methods of evaluation that are acceptable include, but may not be limited to, documented table-top analysis (using the Vulnerability Integrated Security Assessment (VISA) Manual) and pathway analysis (using Analytic System and Software for Evaluating Safeguards and Security (ASSESS)) with Joint Conflict and Tactical Simulation (JCATS) (Ref. 25). The Estimated Adversary Sequence Interruption (EASI) model addresses all of the analysis elements with the exception of the armed protection force's ability to stop an attack. These models are described in Appendix C. Regardless of the method used, a pathway analysis, to determine probability of interruption, and a conflict analysis, to determine probability of neutralization, should be performed.

2.5.1 Apply NRC Developed Scenarios and Evaluate Overall PPS Effectiveness Using an Acceptable Methodology

The NRC staff will provide a standard set of scenarios associated with the DBT (Ref. 3) that defines basic characteristics of the adversary force, including force size, equipment, weapons, and tactics. These standard scenarios are the basis for developing adversary timelines and blast effects analyses. Each standard DBT scenario may result in several overall scenarios that vary based on entry points, target sets, timeline analysis techniques, protective force response, etc. The combination of the DBT scenario, target set, and entry and exit points (exit points for theft scenarios) help to define the adversarial pathway that contributes to an attack. Other factors, such as the design of the PPS, will also affect the pathway.

Application of the scenarios using the methods described below can produce either a qualitative or quantitative assessment of overall PPS effectiveness.

The qualitative assessment seeks to determine if there is adequate margin in the time it takes for the protective force to either reach predetermined protective positions with weapons at-the-ready, or for the protective force to activate denial and delay systems, or both, before the adversary disables all the targets for any given target set. As the times used in the assessment are average or mean values, a margin on the order of one standard deviation in the distribution of the differences between the adversary and protective force timelines would indicate high assurance. This margin addresses the most likely variations in adversary and protective force timelines and is necessary to meet the intent of the overall security objectives of preventing significant core damage, spent fuel sabotage, and theft and diversion of radioactive materials.

The quantitative assessment uses a measure of overall system effectiveness to evaluate the objectives of preventing core damage, spent fuel sabotage, and theft of radioactive materials.

This overall system effectiveness is determined in part by evaluating the $P_I$ and the $P_N$, as shown in Equation 1 of Section 2.2.4, where interruption is defined as arrival of responders, or activation of denial systems at a deployed location, to halt adversary progress, and includes the detection, delay, and response elements of the PPS. Neutralization is defined as the defeat of the adversaries by the protective force. Detection elements and the adversary and protective force timelines are used to quantify interruption. The $P_N$ is calculated as the measure of the likelihood that the protective force will be successful in overpowering or defeating the adversary, given interruption. A discussion of the range of values that can be associated with system effectiveness and their relationship to the objective of high assurance is included in the following subsections.

The basic steps for the determination of the overall PPS effectiveness include:

  • identify the overall scenarios
  • evaluate blast effects
  • analyze scenario timelines
  • analyze neutralization
  • determine overall PPS effectiveness (integration of the first four elements)
  • risk-informed evaluation of candidate design features

Each of these steps is described in the following sections.

2.5.1.1 Overall Scenario Identification

At a given facility, each unique combination of DBT scenario, entry points, exit points, adversary pathways, protective force response, and target sets defines an overall attack scenario. For radiological sabotage, only the entry paths are evaluated; for theft or diversion, both entry and exit paths should be evaluated. The objective of scenario identification is to identify the set of overall scenarios that will be used to determine the effectiveness of the PPS. This section uses a simplified example to illustrate this process.

Assume a security assessment is being performed on the facility shown in Figure 2-6. This simplified facility contains two target sets (Target Set A and B) and has a protective force of two, with two designated tactical positions or CIPs (Critical Interruption Points).

[Figure 2-6 Example facility]

2.5.1.2 Blast Effects

Blast effects should be determined for the specific scenario as described in the standard set of NRC scenarios and the defined overall scenario. A discussion of blast effects is now found in RG 5.68, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants" (Ref. 26) and RG 5.69 (Ref. 12).

In addition, assume the DBT scenario, DBT Scenario #1, is as shown in Table 2-1 (used for illustration purposes only, not related to characteristics of an actual DBT scenario).

Table 2-1 Example DBT Scenario #1

Attribute | Characteristic
Attack type | Sabotage
Number of adversaries | 1
Weapon load weight carried by each adversary | [Based on adversary tactics and objectives]
Body armor | Yes (UL Level 4)
Weapons | Automatic, AK-47; Ammo: 7.62mm
Terrain type | Land-based
Tactic | Overt
Transportation method | Pedestrian
Entry points | 1
Exit points | N/A (not theft or diversion)
Explosive load per adversary | [Based on adversary tactics and objectives]
Insider information obtained | Target set equipment and operator action(s) locations
Cyber challenges | None

As seen in Figure 2-7, the adversary can enter the facility from any point along the fence perimeter and still be consistent with the DBT scenario of one adversary entering at one location. Therefore, the DBT scenario only establishes the characteristics of the threat, not of the overall attack scenarios. An assessment of the DBT scenario and the facility, including the PPS, should be performed to determine the overall attack scenarios.

[Figure 2-7 Potential adversary entry points]

Each entry point creates a potential starting point for one or more overall scenarios. From these entry points, adversary pathways can be postulated for each achievable target set. The objective is to identify potential pathways from the perspective of the adversary. Consideration should be given to target access points, detection devices, travel distances, protective features, and anticipated protection force routes. Figure 2-8 shows examples of potential scenarios for Target Set A and Figure 2-9 shows scenarios for Target Set B.


[Figure 2-8 Potential adversary paths for target set A]

[Figure 2-9 Potential adversary paths for target set B]

It should be noted that in the determination of the overall scenario, both adversary and protective force pathways need to be determined. In this example, only one protective force starting point and response is anticipated. It was also determined (assumed for this example)[5] that this is a bounding response and is consistent with the security plan. If multiple security responses are possible, each would need to be assessed. These multiple responses could be evaluated through detailed scenario analyses that evaluate each response to each target set and adversary pathway. They could also be assessed through a process that identifies one or more bounding responses that maximizes distance, exposure, and response timing of the protective force by establishing the worst case response that remains consistent with the constraints of the security plan.

Even with minimizing the protective force responses, there is a potential for a large number of adversary paths based on different entry points, target sets, and defensive features. To manage the security assessment, a process can be used to determine the most vulnerable path(s) (those with the lowest $P_I$). These may be the shortest paths (paths that minimize adversary time to the target) as highlighted in Figure 2-10 or paths that provide the adversary with tactical advantages as shown in Figure 2-11.

[5] For design certification applicants, consistency with the security plan does not apply.

[Figure 2-10 Shortest adversary paths]

[Figure 2-11 Potential adversary paths with tactical advantage]

As illustrated by Figure 2-11, the most advantageous paths to the adversary may not be the shortest paths. Paths where the adversary may have an enhanced tactical position could be paths that give the adversary the ability to engage the responders before reaching their CIPs or that take advantage of cover provided by plant structures that may reduce the effectiveness of the pre-established tactical positions. Paths that minimize detection and combination paths that minimize detection until a likely detection point is reached and then minimize time also could be identified. The most advantageous paths may be through barriers, walls or structures, as the adversary may use equipment or explosives to create new entry points. A breaching analysis of protected area barriers, vital area barriers, and other barriers or delay features, serves an important role in the PPS. The objective of the overall scenario identification process is, for a given DBT scenario, to identify the overall scenarios that provide the most advantages to the adversary. If high assurance can be demonstrated for these most challenging bounding scenarios, then high assurance may also be demonstrated for lesser challenges.

At this stage in the analysis, the identification of these limiting (or critical) overall scenarios could be done through the use of a documented table-top analysis (using VISA manual), a pathway modeling analysis tool (such as ASSESS), or by documenting hand calculations. ASSESS is described in Appendix C. If a table-top analysis is performed, the methods and assumptions used to identify the limiting overall scenarios need to be clearly stated. ASSESS can determine the critical path for the adversary to take through the facility, which minimizes the adversary's time to target or minimizes the probability that the adversary will be detected. It can search quickly through thousands or millions of paths, using different operating conditions, threats, and targets. The Adversary Time Line Analysis System (ATLAS) is an improved version of ASSESS and could be used as well (see Appendix C).

In the example, it is assumed that four overall scenarios are identified through the scenario assessment process. These scenarios are shown in Table 2-2.

Table 2-2 Resulting Overall Scenarios

Overall Scenario | 1-1 | 1-2 | 1-3 | 1-4
DBT scenario | #1 | #1 | #1 | #1
Target set | A | A | B | B
Type | Short (minimizes time) | Tactical (minimizes time) | Tactical (minimizes detection) | Short (minimizes detection)
Entry point | North Fence - Target Set B Entrance | West Fence - Midpoint | South Fence - Tank Farm | East Fence - Office Complex

The overall scenarios identified in Table 2-2 are examples of the results that could be obtained from a process that limits the number of scenarios analyzed by identifying those that provide the greatest advantage to the adversary. These scenarios would be candidates for the timeline analysis discussed in the next section.

[6] The assessment and modeling-type tools used throughout this NUREG and described in detail in Appendix C are for illustration purposes only. The NRC does not endorse any specific assessment or modeling-type tool for security assessments.

2.5.1.3 Scenario Timeline Analysis

Scenario timelines should be developed and analyzed for each of the most challenging bounding scenarios.

Adversary Timeline

The adversary timeline is an assessment of the impact of the physical protection functions of detection, delay, and response on the adversary for a given DBT scenario, given specific entry points (and exit points, if applicable) and a given target set. Each unique combination of DBT scenario, entry points, and target set defines an adversary sequence diagram. For radiological sabotage, only the entry paths are evaluated; for theft or diversion, both entry and exit paths should be evaluated. Figure 2-12 shows an example of an adversary timeline for radiological sabotage.

[Figure 2-12 Adversary timeline. Labels: Detection (Sensor Detects), Attack Initiated, Delay Time, Adversary Disables Target 1, Adversary Disables Target 2, Adversary Disables Target 3; horizontal axis: Time]

Figure 2-12 shows the adversary timelines for disabling a three element target set with two groups of adversaries. Note that delay time is not initiated until a sensor detects the presence of an adversary and terminates when all targets are disabled. Delays before detection should be excluded from the adversary timeline because of the lack of an initiating cue to call the protective force to action. Delays after detection can be associated with passive delay barriers or activated delay systems. As it is expected that, for any given adversary path, there will be multiple detection opportunities (regulations require protective area detection and vital area detection), the detection point used for establishing a scenario timeline is the one that has a high probability of detection or high accumulated probability of detection and that yields the most effective (i.e., the one with the most margin) response timeline from among the credited detection opportunities.

The adversary timelines can be depicted with several different approaches: logic diagrams, event trees, and adversary or sequence diagrams. All event sequences should be diagramed from the perspective of the adversary as a tactical map of activities and events necessary to achieve its objective. The entire target set should be addressed for a radiological sabotage objective to be complete. This may require activities to be accomplished in parallel, requiring a more complex diagramming tool. When creating the timelines, the assumptions associated with the various design features (i.e., assumptions associated with the effectiveness of detection and delay features) should be clearly stated.

Segmentation

Segmentation of the complete pathway may aid the analysis. Pathways are typically composed of multiple segments or a subset of events that contribute to an attack. In the earliest stages of development, the assessment can be organized in coarse pathway diagrams that serve as the basis for judgmental quantification. As more design detail becomes available, more detail is added to the pathways through pathway segments, and engineering analysis replaces judgment in assessing the probabilities and measures (Ref. 27).

Protective Force Timeline

The protective force timeline is an assessment of the time it will take for one or more members of the security force to reach a location or activate a system where an adversary's path can be interrupted. This timeline should consider (1) the time it takes the detection signal to process from the sensor to the data gathering panel to the alarm communication and display, (2) the time necessary for the alarm communication and display annunciation to be acknowledged and assessed by the operator and (3) the time taken by the operator to communicate the alarm to the protective force or activate the delay and denial system. At the point of communication, the timeline shifts to the response phase. This phase considers the time it takes for the protective force to respond to their designated positions and/or ready weapons or for the protective force to activate delay and denial systems. Figure 2-13 shows the basic timeline for the protective force.

[Figure 2-13 Protective force timeline. Detection phase: Sensor Detects, Alarm Panel Annunciates, Alarm Acknowledged and Assessed, Point of Communication - Response Force Notified. Response phase: Response Initiated, Critical Interruption Point Reached, Weapons on Target. Also marked: Attack Initiated, Delay; horizontal axis: Time]

Note that the CIP is a predetermined protected location or the location of remotely operated delay and denial systems that provides tactical and strategic advantage to the responding protective force to protect one or more targets. Failure to reach the CIP or activate the systems before the adversary reaches the final target of a target set significantly reduces the likelihood of successful adversary neutralization.

The response timeline should also consider the impact of a cyber attack (if included in the DBT scenario being analyzed) on the security detection and communication systems and its effect on the detection and assessment of, and the protective force response to, the adversarial attack.

Cyber attacks may also include those that disable a target within a target set. Treatment of cyber attacks in target sets is further described in RG 5.81, "Target Set Identification and Development for Nuclear Power Reactors" (Ref. 9). Additionally, for external assault scenarios that include vehicle or boat bombs, the response timeline will need to account for the required standoff (or minimum safe) distance and blast effects. Protection from blast effects is primarily accomplished by keeping the explosive source at a distance from the target. This distance is referred to as standoff distance. The amount of standoff distance required to provide an acceptable level of protection to equipment, personnel, and systems is a function of the quantity of explosives considered and the type of barriers or structures considered, if any. For further discussion, see the revised NUREG/CR-6190, "Protection against Malevolent Use of Vehicles at Nuclear Power Plants."

2.5.1.4 Neutralization Analysis

Neutralization analysis is the evaluation of the armed protection force's ability to stop the attack once the protective force has reached an interruption location or reached a location where denial and delay systems may be activated. The objective of the protective force should be to reach or activate systems at the appropriate CIP. Timelines that show the protective force reaching or activating systems at the appropriate CIP with time available to ready weapons or activate systems and engage the adversary with an adequate time margin demonstrate high assurance.

2.5.1.5 Overall Physical Protection System Effectiveness

The assessment of the overall physical protection system effectiveness is determined for each overall scenario. The following attributes are considered in the evaluation of the overall scenario:

  • the DBT scenario (radiological sabotage or theft and diversion)
  • explosive device blast effects (if applicable)
  • an achievable target set
  • an adversary timeline (including exit pathway for theft and diversion)
  • the probability of detection and communication
  • a protective force timeline; probability of interruption
  • the probability that an adversary is neutralized given an adversary's pathway is interrupted

The measure of the overall system effectiveness assesses the probability that an adversary will be prevented from disabling all targets within a target set to successfully perform radiological sabotage (or theft and diversion of special nuclear materials). If the actions required to complete the pathway are within the resources and capability of the adversary, then the probability of stopping the adversary depends on the capability of the PPS to:
1. detect the unauthorized actions of the adversary,
2. delay the adversary,
3. interrupt the adversary, and
4. neutralize the adversary before the task can be completed.

Defense in depth is demonstrated by effective redundancies to the four actions above for each scenario. A method of evaluating defense in depth is the omission of a PPS element from a scenario and determining the effectiveness of the PPS to protect against the DBT.


Figure 2-14 shows an integrated adversary and protective force timeline for a single target. In this figure, the protective force is shown to reach the CIP and achieve weapons on target before the adversary disables the target.

[Figure 2-14 Integrated protective force and adversary timelines. Protective force timeline: Detection (Sensor Detects, Alarm Panel Annunciates, Alarm Acknowledged and Assessed, Point of Communication - Response Force Notified), Response (Response Initiated, Critical Interruption Point Reached, Weapons on Target, Security Force Engages Adversary). Adversary timeline: Attack Initiated, Delay, Adversary Disables Target; horizontal axis: Time]

A typical approach to analyzing the same timeline is to shift the protective force timeline to the right until the response force engages the adversary force just before the adversary disables the target. The shifted response force timeline now begins at the CDP. The CDP is the point on the path where path delay exceeds protective force interruption time with enough time margin to allow for a high probability of neutralization. This point is found by starting at the end of the adversary path and adding up protective force path delays until this value just exceeds protective force time with an adequate margin. As seen in Figure 2-15, an adequate margin is available, providing high assurance that the protective force can prevent the adversary from achieving its objectives.

[Figure 2-15 Timeline margin. Adversary timeline: Detection, Attack Initiated, Delay, Adversary Disables Target. Protective force timeline: Response, Critical Interruption Point Reached, Security Force Engages Adversary; horizontal axis: Time]

The CDP approach allows the response timelines to be established independent of all the adversary timelines. For each target or target set, one or more limiting response timelines can be established and these timelines can be compared against the bounding (i.e., worst case or shortest) adversary timeline that challenges the target or target set of interest. If the response timeline began at the detection point associated with each adversary timeline and an adequate margin were to be assessed at the end of the response timeline, then a response timeline would need to be constructed for each adversary timeline. Therefore, the CDP approach reduces the number of response timelines by relating the timelines to the target or target set in conjunction with the bounding adversary timeline associated with each target or target set.
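The backward walk that locates the CDP, combined with the one-standard-deviation margin from the qualitative assessment in Section 2.5.1, can be written out as follows. This is an added example, not code from the NUREG or from any tool it names; the path segments, delay values, and response times are constructed, and it assumes independent delays (so variances add) and sensors that alarm as the adversary enters a segment.

```python
from math import sqrt

# Constructed adversary path in travel order (illustrative values only, not
# from the NUREG): (segment, mean delay s, std dev s, sensor at segment entry?)
PATH = [
    ("owner-controlled area", 60.0, 10.0, False),
    ("protected area fence", 20.0, 5.0, True),
    ("protected area yard", 45.0, 8.0, False),
    ("vital area door", 90.0, 15.0, True),
    ("target", 60.0, 10.0, False),
]


def margin_from(path, index, response):
    """Mean margin and its standard deviation if detection occurs as the
    adversary enters path[index].

    Assumption: segment delays and the response time are independent, so the
    variance of (adversary time - protective force time) is the sum of variances.
    """
    remaining = path[index:]
    adversary_mean = sum(seg[1] for seg in remaining)
    adversary_var = sum(seg[2] ** 2 for seg in remaining)
    response_mean, response_std = response
    return adversary_mean - response_mean, sqrt(adversary_var + response_std ** 2)


def find_cdp(path, response, sigmas=1.0):
    """Start at the end of the path and add up path delays until the sum
    exceeds the protective force time by `sigmas` standard deviations.

    Returns (index, margin, sigma) for that point, or None if even detection
    at the first segment leaves too little margin.
    """
    for index in range(len(path) - 1, -1, -1):
        margin, sigma = margin_from(path, index, response)
        if margin >= sigmas * sigma:
            return index, margin, sigma
    return None


def timely_sensors(path, response, sigmas=1.0):
    """Sensors at or before the CDP: the only detection opportunities that
    can be credited toward interruption for this response timeline."""
    cdp = find_cdp(path, response, sigmas)
    if cdp is None:
        return []
    return [seg[0] for seg in path[: cdp[0] + 1] if seg[3]]


if __name__ == "__main__":
    # Protective force time from alarm to weapons on target: (mean s, std s).
    for response in [(120.0, 15.0), (140.0, 15.0), (400.0, 15.0)]:
        cdp = find_cdp(PATH, response)
        if cdp is None:
            print(response, "-> no CDP on this path; redesign needed")
            continue
        index, margin, sigma = cdp
        print(response, "-> CDP at", PATH[index][0],
              f"margin {margin:.0f} s, one sigma {sigma:.1f} s,",
              "credited sensors:", timely_sensors(PATH, response))
```

With the 140 s response the CDP moves back one segment and the vital area door sensor can no longer be credited, so the detection redundancy the design appeared to have on this path is lost.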

This same scenario can be addressed quantitatively using Equation 1 discussed in Section 2.2.4. To use this equation, each function in the above timeline can be assigned a probability enabling the determination of the overall system effectiveness. Table 2-3 provides an example of a set of functions with their associated success probabilities.

Table 2-3 System Effectiveness Inputs

Timeline Step | Description | PPS Phase | Probability
1 | Sensors detect (protected area sensor = .88; vital area sensor = .88) | Detection ($P_I$) | 0.986*
2 | Alarm panel annunciates | Detection ($P_I$) | 0.99
3 | Alarm acknowledged and assessed | Detection ($P_I$) | 0.95
4 | Protective force notified | Detection ($P_I$) | 0.99
5 | Adversary neutralized | Response ($P_N$) | 0.90

* Sensor detection success probability is determined from the combined likelihood that both sensors fail (protected area sensor and vital area sensor), using the following equation:

$P_D = 1 - \left((1 - P_{D1})(1 - P_{D2}) \cdots (1 - P_{DN})\right)$

where
$P_D$ = total probability of successful detection
$P_{D1}$ = probability that Sensor 1 successfully detects an intruder
$P_{D2}$ = probability that Sensor 2 successfully detects an intruder
$P_{DN}$ = probability that the Nth sensor successfully detects an intruder

Therefore, the following calculation is used to determine the value of overall probability of successful detection for this example:

$P_D = 1 - ((1 - 0.88)(1 - 0.88)) = 0.986$

Using the example information shown in Table 2-3, the overall system effectiveness can be determined for an overall scenario, consisting of a unique combination of a standard DBT scenario, entry points, exit points (applicable for theft or diversion), protective force response, and a target set. This example assumes that the response time is adequate (i.e., interruption is before the CIP). The probability to detect the adversary is equal to the product of the probability that the credited sensors detect an intruder, the probability that the alarm panel annunciates, the probability that the alarm station operator acknowledges and assesses the alarm and the probability that notice is given to the protective force. People, such as responders, can be credited as detection sensors, as appropriate. Note that if the adversary is able to disable both the central alarm system and secondary alarm system in one act, the probability of detection will likely be small. In this example it is assumed that there is not a single act that can disable both the central alarm station (CAS) and secondary alarm station (SAS). It also assumes that the response time is adequate (i.e., assumes interruption before the CIP). Therefore, the probability to interrupt is:

$P_I = 0.986 \times 0.99 \times 0.95 \times 0.99 = 0.92$

The protective force does not necessarily know the adversary's target set strategy for a particular attack; therefore, it needs to be sized such that it can address a range of potential targets. The goal of the adversary is to disable at least one target set while the protective force must defend all the target sets, potentially requiring several CIPs to be manned.

It should be noted that the ability to neutralize the adversary depends on the characterization of the interruption. Failure to interrupt clearly results in a zero probability to neutralize prior to the CIP. Failure to interrupt the adversary prior to the CIP reduces the protective force's tactical advantage and would decrease the 0.90 value in line 5 of Table 2-3.


In the example, interruption occurs before the CIP with weapons on target and margin. Using Equation 1, the overall system effectiveness can be determined as follows:

$P_E = 0.92 \times 0.90 = 0.83$

For a specific PPS and a specific threat scenario, the most vulnerable path (the path with the lowest $P_I$) can be determined. Using $P_I$ as the measure of path vulnerability, multiple paths can be compared and, when used with $P_N$, an estimate of overall PPS effectiveness can be made.

Computer models such as the Estimated Adversary Sequence Interruption (EASI) model address all of these elements with the exception of the armed protection force's ability to stop an attack ($P_N$). Therefore, its final output can be equated to $P_I$, the probability of interruption. Other models exist, such as Joint Conflict and Tactical Simulation (JCATS), which, through simulated force-on-force engagements, evaluate the probability of neutralizing the adversary, if multiple runs are performed. Together, these two probabilities determine the probability of overall system effectiveness. These modeling tools are described in Appendix C.

To ensure that the measure for overall system effectiveness is valid when evaluating the facility and PPS design, the applicant should account for the validity of the adversarial action (e.g., traversal times, actions are within DBT capabilities) and PPS element assumptions (e.g., detection probabilities and delay times are correct) used in the model.

In addition to high assurance that is demonstrated through the PPS evaluation process described above, it is also necessary to demonstrate that no single act can disable the operability of the CAS and SAS in such a manner that would preclude meeting the objective of high assurance.
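The Table 2-3 calculation and the single-element omission check described in Sections 2.4.1.5 and 2.5.1.5 can be combined in one short model. This is an added example, not code from the NUREG or any tool it names: the element names, the treatment of steps 2 to 4 as single non-redundant elements, the REDESIGN values, and holding $P_N$ fixed at 0.90 are assumptions made for illustration, and the redundancy formula given for sensors is applied here to every timeline step.

```python
from math import prod

# Table 2-3 inputs. Each timeline step is a group of redundant elements and
# succeeds if any one of them succeeds; the steps themselves act in series.
# Element names are assumptions made for this illustration.
TABLE_2_3 = [
    ("sensors detect", {"protected area sensor": 0.88, "vital area sensor": 0.88}),
    ("alarm panel annunciates", {"alarm panel": 0.99}),
    ("alarm acknowledged and assessed", {"alarm station operator": 0.95}),
    ("protective force notified", {"protective force notification": 0.99}),
]
# Constructed redesign: steps 2-4 duplicated in a secondary alarm station.
REDESIGN = [
    TABLE_2_3[0],
    ("alarm panel annunciates", {"CAS panel": 0.99, "SAS panel": 0.99}),
    ("alarm acknowledged and assessed", {"CAS operator": 0.95, "SAS operator": 0.95}),
    ("protective force notified", {"CAS notification": 0.99, "SAS notification": 0.99}),
]
P_N = 0.90  # Table 2-3, step 5; assumed unchanged by the omissions below


def step_probability(elements):
    """1 - prod(1 - P_k). A step with no elements left has probability 0."""
    return 1.0 - prod(1.0 - p for p in elements.values())


def interruption_probability(steps):
    """P_I as the product of the serial step probabilities."""
    return prod(step_probability(elements) for _, elements in steps)


def system_effectiveness(steps, p_n):
    """P_E = P_I x P_N."""
    return interruption_probability(steps) * p_n


def omit(steps, element):
    """Copy of the step list with one named element removed."""
    return [(name, {k: v for k, v in els.items() if k != element})
            for name, els in steps]


def omission_analysis(steps, p_n):
    """P_E with each element omitted one at a time, worst case first."""
    results = {}
    for _, elements in steps:
        for element in elements:
            results[element] = system_effectiveness(omit(steps, element), p_n)
    return dict(sorted(results.items(), key=lambda item: item[1]))


def single_points_of_failure(steps, p_n):
    """Elements whose omission alone drives P_E to zero."""
    return sorted(e for e, p_e in omission_analysis(steps, p_n).items() if p_e == 0.0)


if __name__ == "__main__":
    for label, steps in [("Table 2-3", TABLE_2_3), ("redesign", REDESIGN)]:
        print(f"{label}: P_I = {interruption_probability(steps):.2f}, "
              f"P_E = {system_effectiveness(steps, P_N):.2f}")
        for element, p_e in omission_analysis(steps, P_N).items():
            print(f"  omit {element}: P_E = {p_e:.3f}")
        print("  single points of failure:", single_points_of_failure(steps, P_N))
```

Omitting either sensor only lowers $P_E$ because the other still detects, while omitting any non-redundant step in the alarm chain sets it to zero, which is why the text requires that no single act disable both the CAS and the SAS.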

2.5.1.6 Evaluation of Candidate Design Features

As stated in Section 2.4.1, the applicant should identify candidate security design features that will be assessed using a risk-informed methodology to determine the effectiveness of these features in accomplishing security functions. These candidate security design features should include design concepts contained in Chapters 4 and 5 of the "Nuclear Power Plant Security Assessment Technical Manual" (Ref. 7).

This security feature evaluation should use a screening process with the goal of optimizing the inclusion of security design features in the design phase while considering their impact on safety functions. The methodology needs to show a clear result by identifying how the assessment objectives were met and how the screening process eliminated security design features from further consideration.

To assess these features for their impact on the PPS performance, each candidate security design feature should be evaluated against the limiting overall scenarios associated with each standard DBT scenario. Consideration should then be given to the improvement in the overall scenario margin or overall system effectiveness that can be achieved from a given improvement. This performance improvement could then be compared to the impact of the security design feature on the plant's safety functions.


2.5.2 Analyze Scenarios to Ensure Adversary Actions are within DBT Capabilities and Credible

The most transparent and logical way of ensuring that adversary actions are credible and within the DBT capabilities is to use the DBT, its accompanying guidance, and those references provided in the acceptable for use engineering publications listed in Appendix A. For any assumptions used in the creation of the adversary timeline that are not referenced directly to one of the acceptable engineering publications, a full description and justification should be provided. If an assumption is provided in the NRC publications and an applicant uses a different value, a sensitivity study using the NRC-provided value also should be included.

2.5.3 Analyze Scenario To Ensure Barrier Delay Times and Protective Force Actions are Credible

The most transparent and logical means of ensuring that barrier delay times and protective force actions are credible is to use those provided in the acceptable engineering publications listed in Appendix A. For any assumptions used in the creation of the protective force timeline that are not referenced directly to one of the acceptable engineering publications, a full description and justification should be included as part of the security assessment. If an assumption is provided in the NRC publications and an applicant uses a different value, a sensitivity study using the NRC-provided value also should be included.

2.6 High Assurance Evaluation

Step 5 of the high assurance evaluation process is depicted in Figure 2-16.

[Figure 2-16 Security assessment process - step 5: was high assurance objective met? Flowchart titled High Assurance Evaluation Process. Boxes: Step 1 Determine Objectives; Step 2 Establish Facility Design; Step 3 Design Physical Protection System; Step 4 Perform Evaluation; Step 5 High Assurance Evaluation (High Assurance Objective Met? Yes / No); Redesign Physical Security System; Design Complete]

The objective of a nuclear power plant's PPS is to provide high assurance of protection against the DBT of radiological sabotage. The performance-based measure for high assurance is satisfied if the physical protection system is capable of protecting all target sets to an acceptable level of risk of protective system failure. Quantitatively, this would be represented by a PPS with high overall system effectiveness. The applicant should clearly state the objective of high assurance performance and its bases used in the security assessment.

2.7 Redesign Physical Security System (Step 6)

Redesign of the PPS is Step 6 of the high assurance evaluation process as shown in Figure 2-17. If the PPS design does not meet the objective of high assurance as stated in Section 2.5, a redesign of the PPS should be performed. A redesign of the PPS causes an applicant to iterate through the process again, beginning at Step 3, in Section 2.4.

Figure 2-17 Security assessment process - step 6: redesign physical security system

Designing the PPS elements (Step 3) will not change the target sets in Step 2; instead, it will change the overall system effectiveness of protecting against the adversarial attack scenarios.

It may also be possible to improve the physical protection system effectiveness by redesigning parts of the facility itself. If this is the case, the reiteration would begin at Step 2 in Section 2.3, since the facility design should be recharacterized and target sets should be re-screened to obtain the target sets applicable to that design.

After redesigning the PPS and modifying the facility design, the applicant would again undergo the evaluation process as outlined in Section 2.5 and test the design against the objective of high assurance described in Section 2.6. When the facility design and PPS elements meet the objective of high assurance, the evaluation process is complete. The design that meets the objective should be the design submitted to the NRC as part of the security assessment.

The iterative process presented above is designed to create a PPS that is efficient and effective at ensuring high assurance against the DBT. Through this method, applicants will gain insights about how to modify the PPS to better manage threats in the new post-September 11, 2001, environment. Insights gained during the iterations are also valuable and should be documented for submittal.

3. FORMAT AND CONTENT GUIDANCE

This section establishes the format and content guidelines for the security assessment. As described in Section 1.3, the format presented represents one that is acceptable to the NRC staff. Other formats could be acceptable if they provide an adequate basis for the findings. The level of detail needed in the documentation should be sufficient to enable the reader to understand and determine the validity of all input data and calculation models used, and to understand the sensitivity of the results to key aspects of the physical protection system (PPS), including key analysis assumptions (i.e., identification of critical assumptions for which small changes could significantly impact the overall effectiveness of the PPS). The design information provided in the security assessment should reflect the most advanced state of the reactor facility design at the time of submission. It is not necessary to submit all the documentation generated while performing a security assessment for an NRC review, but basis documents, calculations, guidance and references should be cited and available in a clear and methodical format.

The following subsections outline the major parts of the security assessment. Note that appendices can be used for supplemental information that may contain more detailed data and diagrams that accompany the main body of the security assessment document.

Table 3-1 Security Assessment Table of Contents

Section      Title
1.0          Executive Summary
2.0          High Assurance Evaluation
2.1          Introduction
2.2          Purpose and Objectives
2.3          Scope and Facility Design
2.3.1        Scope/Conduct of the Analysis
2.3.2        Facility Characterization
2.3.3        Security Assessment Parameters
2.4          Target Set Analysis
2.4.1        Methods
2.4.2        Results
2.5          Physical Protection System
2.5.1        Iterative PPS Design Process
2.5.2        Final PPS Design
2.5.2.1      Detection Elements
2.5.2.2      Delay Elements
2.5.2.3      Response Elements
2.5.2.4      Communication Elements
2.5.3        Safety/Security Interface
2.6          Evaluation Methods and Results
2.6.1        Scenario Identification
2.6.2        Adversary Timeline Results
2.6.3        Protective Force Timeline
2.6.4        Evaluation Results
2.6.4.1      Overall System Effectiveness
2.6.4.2      Risk-informed Evaluation of Candidate Security Features
2.6.4.3      Sensitivity Studies
2.7          Discussion and Conclusions
3.0          References
Appendix A   Glossary/Abbreviations
B, C, etc.   Supplemental/Supporting Information

These sections include:

Section 1.0 Executive Summary

The executive summary should contain a brief overview of the security assessment process. Key results, findings, and insights should be introduced in this section.

Section 2.0 High Assurance Evaluation

Section 2.1 Introduction

The introduction should detail more information about the facility design being assessed and the assessment methodology. It should provide an overview of the methodology used to perform the security assessment and to evaluate the PPS effectiveness. This section should include a concise description of the major tasks in the methodology and how these interact with each other to generate the results of the capability of the PPS to protect the plant against the threats considered.

Section 2.2 Purpose and Objectives

The purpose of the security assessment should be described in this section. It should include information about the design stage of the reactor facility for which the assessment is being performed (e.g., construction permit, operating license, standard design approval, design certification, manufacturing license, or combined license). The scope of the security assessment will differ based on the particular stage of the application process for each reactor facility. For example, the security assessment for COL applicants may have a more comprehensive level of detail and include site-specific information, as compared to a security assessment for a design certification applicant.

Objectives should be reiterated as described in 10 CFR 73.55 with respect to prevention of significant core damage, sabotage of spent fuel, and theft and diversion of special nuclear materials. This section should also clearly identify the specific performance criteria the applicant used for the determination of high assurance, as discussed in Section 2.2.4 of the security assessment process. These criteria should allow for the determination of whether the PPS is capable of protecting all target sets with high assurance. The ability of the PPS to meet the applicant-defined objective of high assurance will be demonstrated in Section 7.0 of the security assessment.

While the NRC determines and provides the objectives of the security assessment, this section should be used to acknowledge receipt of the external and regulatory-driven information highlighted in Section 2.1 of the high assurance evaluation. This acknowledgment should include the titles and dates of such documents: 1) Regulatory Guide (RG) 5.69, "Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design, Development, and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements," 2) Standard Set of Scenarios (Ref. 3), and 3) security engineering publications acceptable for use. At the onset of performing the assessment, verify with the NRC staff that these are the most current documents to use.

Section 2.3 Scope and Facility Design

Section 2.3.1 Scope and Conduct of the Analysis

This section should describe how the entire analysis has been conducted, including the quality assurance program, qualifications of the analysis staff (one paragraph resume for each assessment team member), any independent reviews performed and the protective measures used for any sensitive documentation (e.g., safeguards information) reviewed during the analysis.

Discussion of the scope of the assessment should include pertinent information about the applicant or licensee, the facility design or site being assessed, and any limitations that were placed on the assessment. Refer to Section 2.3.1 of this document for guidance on the scope of the security assessment for different stages of the application process. Examples of limitations include any limits imposed by the evaluation methods or model used (e.g., JCATS lacks the ability to model several elevations of a building simultaneously) or the skill or abilities of team members chosen to perform the assessment.

The security assessment should describe applicant staff participation (organization and role) and the extent to which the staff was involved in all aspects of the security assessment program. The security assessment should also contain a description of the peer review(s) performed, the result of the review team's evaluation, and a list of the review team members.

Finally, the validation process of the input data for the security assessment should be described in the security assessment. The applicant should include a list of resources used to supplement the information necessary to perform a proper evaluation. For example, if an alternate source is used as opposed to one of the provided engineering publications listed in Appendix A, this should be cited and validated in this section.

Section 2.3.2 Facility Characterization

This section should summarize the results of the facility and site characterization for the design being submitted as part of the security assessment. This summary should focus on facility and site characteristics used in the target set analysis. It should include, but is not limited to, relevant facility drawings important to the security assessment (including buildings, room locations, etc.), important operational data, operational and maintenance configurations, the physical and environmental setting of the facility (site and property boundaries, adjacent facilities, etc.), access control points for normal and outage operating modes, types and numbers of employees and response time and capabilities of local law enforcement.

Include a top view drawing ("D" size) of the site that depicts physical security characteristics such as owner-controlled area boundaries, PA (protected area) boundaries, points of intrusion detection, VBS (vehicle barrier system), CAS (central alarm station), SAS (secondary alarm station), sally ports, vehicle checkpoints, delay features, active denial and delay features, hardened posts, delay barriers, fields of fire, anticipated fields of view for assessment devices, etc.

For design certification applicants, certain physical protection characteristics may be used so that a more thorough assessment can be performed. These characteristics include locating the protected area perimeter a minimum distance from vital areas, assuming the vehicle barrier systems are at the required standoff distance (RSD) (or minimum safe standoff distance) (see NUREG/CR-6190 for guidance) and identifying a number of armed responders (as a starting point for the design certification stage only). This section should therefore detail the RSD and the method used to calculate or identify it for the facility.

The design information provided in the security assessment should reflect the most advanced state of the design at the time of submission. Additionally, if the facility design changed as a result of the iterative security assessment process, any insights gained while iterating through the process that are directly related to the facility design also should be included in this section.

Section 2.3.3 Security Assessment Parameters

This section should include any security assessment parameters used in the security assessment to assess the PPS. This section should also include features that are within the scope of the assessment being performed but whose design is deferred to a future applicant that would have additional information to improve the security design feature. Ultimately, any security design issue identified by an assessment, but not addressed by a security design feature at any application stage, would be identified by a security assessment parameter and should be addressed during the development of the security operational programs under the provisions of 10 CFR Part 73, "Physical Protection of Plants and Materials."

Section 2.4 Target Set Analysis

In this section, the assets that have been identified as targets of an adversary attack should be described. See RG 5.81, "Target Set Identification and Development for Nuclear Power Reactors," for detailed guidance for this section.

Section 2.4.1 Methods

Describe procedure(s) for the development and identification of target elements, and the analyses and methodologies used to determine and group the elements into target sets. These descriptions and their associated procedures should include, but are not limited to:

  • process of target identification
  • methodologies used to determine and group the target set elements
  • screening criteria for achievable targets
  • characterization and screening process used for identification of target sets
  • if applicable, description and procedures used in alternative approaches
  • target set analysis team qualification
  • a listing of target set analysis input documents such as site layout drawings, PRA analyses, table-top analyses, etc.
  • the process for considering the effects of cyber attacks upon individual or groups of target elements in each target set
  • a listing of screened target sets, and achievable targets, and the associated bases for screening

Section 2.4.2 Results

Provide the most current set of achievable targets, as well as a list or description of those targets that were considered not achievable.

Verify that no single act, as bounded by the DBT, can disable an entire target set. Use blast effects references such as NUREG/CR-6190 and Regulatory Issue Summary 2003-06, "High Security Protected and Vital Area Barrier/Equipment Penetration Manual," dated March 20, 2003.

For each target set, a unique number should be assigned and the security assessment should include a table with the following information (Ref. 15):

  • Target set number.
  • Target set objective: a unique title for the target set that describes the overall general objective.
  • Initiating event: for each target set, identify the malevolent act initiating event or events.
  • Target set equipment: for each target set, the list of SSCs and operator actions that, if all are prevented from performing their safety function or prevented from being accomplished, will likely result in radiological sabotage, theft of special nuclear material or allow offsite release.
  • Targeted equipment locations: for each target set, identify the locations of the SSCs and operator actions that are identified as equipment for that particular target set.
  • Adversary actions: describe the objectives and actions, in general terms that the adversary force would need to complete to achieve significant core damage, spent fuel sabotage or theft and diversion of radioactive materials.

  • Target resiliency [footnote 7]: categorization of target resiliency and bases (based upon resilience to DBT attack).

  • Credited operator actions: consider and list appropriate preventative equipment and operator actions in the target set. If operator actions are credited, then provide a listing of the six required provisions (see RG 5.81 for details).
  • Estimated time to core damage/spent fuel sabotage: the estimated time after all targets that make up a target set to achieving significant core damage or spent fuel sabotage.
  • Anticipated results/basis: a brief description of the anticipated outcome and the basis for that outcome with regard to why significant core damage, spent fuel sabotage, or theft of nuclear materials will occur. The anticipated results should occur within a short enough time period, such that effective operator mitigation is prevented.
  • Likelihood of exceeding Part 100: determine the potential 10 CFR Part 100 (Ref. 28) exposure impact or need for protective action recommendations.
  • Additional considerations: a brief discussion with regard to the basis for potentially achieving mitigation as a result of operator actions (after a target set has been lost). Additionally, any other noteworthy comments should be included here.

Section 2.5 Physical Protection System

Section 2.5.1 Iterative PPS Design Process

The applicant should provide information about the final combination of PPS elements. If multiple iterations were necessary through the process, reporting the intermediate PPS elements that were considered during these iterations is unnecessary. It is recommended, however, that these intermediate assessments be held in onsite documentation. Provide a summary of the major insights gained during the iterative evaluation process that are related to the addition of PPS elements.

Section 2.5.2 Incorporation of Security Design Features

The applicant should provide a description of the physical protection systems for the plant design, including the people, procedures, and the detection, delay, and response characteristics proposed for the protection of assets or facilities against theft, radiological sabotage, or other malevolent human attacks. This section should detail how and where the security design features, identified as a result of the security assessment, have been integrated into the design.

The applicant should list the security functions for the plant. This listing should include the detection, delay, and response elements of the PPS and systems, structures, and components with their associated security functions (if applicable) for the stage of design being evaluated.

Also included should be an explanation of how each feature provides or enhances the capability of the facility to protect the target sets and related elements against an adversary possessing the DBT characteristics.

[Footnote 7] See definition of target resiliency in Appendix A of this report.

Additional guidance is provided below for each PPS element. The description for these elements should include, but is not limited to, the following areas:

Section 2.5.2.1 Detection Elements

A list of intrusion sensors (internal and external) used in the final PPS design should be provided. Consider including humans as detection elements (where appropriate and in accordance with 10 CFR 73.55(e)(4)). Describe how interactions between sensor hardware and the physical environment were considered and reconciled. Additionally, list the alarm assessment subsystems used in the PPS design. If human alarm assessment was used in place of video alarm assessment subsystems, provide an explanation for this choice, and detail the availability, reliability, environmental, and communications requirements. Describe the entry control subsystems used in the final PPS design. This description should identify a distinction if the subsystems are for personnel or vehicle control and whether they are manual, machine-aided manual, or automatic. Finally, discuss the alarm communication and display subsystem (which transports sensor alarm and video information to a central location and presents the information to a human operator).

Details should be provided about the placement and protection of the CAS and SAS. These should be designed within the PPS so that they have functional equivalent capabilities such that no single act can disable the function of both the CAS and SAS. If applicable, the design can be verified using blast effects guidance such as NUREG-6190, RIS 2003-06, "High Security Protected and Vital Area Barrier/Equipment Penetration Manual," dated March 20, 2003, and RIS 2005-09, "High Security Protected and Vital Area Barrier Breaching Analysis," dated June 6, 2005 (Ref. 29).

Section 2.5.2.2 Delay Elements

List the passive and active barriers used in the final PPS design for access delay. Include passive delays such as fences, gates, vehicle barriers, walls, floors, roofs, doors, windows, grilles, utility ports, and other elements. Include active delays such as nonlethal weapons, dispensable materials, and deployable barriers. Note that delay elements located before the first detection point on the adversary pathway are not included because the scenario timelines start at first detection.

Section 2.5.2.3 Response Elements

Discuss response capability and strategy used in the final PPS design. Include both immediate and delayed response capability. Additionally, describe how response communication was integrated as a part of the response strategies. This section should also include active denial systems (e.g., remotely operated weapons, munitions based active denial systems).

Section 2.5.2.4 Communication Elements

Describe the communication systems related to security that are used for both onsite and offsite communications. Describe duress alarms and methods of secondary onsite communication between the response force personnel and the CAS and SAS.

Section 2.5.3 Inclusion of Security Design Features in Plans and Appendices

This section should indicate where security design features, identified as a result of the security assessment, are delineated in security plans and appendices required by 10 CFR 73.55.

Design certification applicants should identify those features that are to be included in security plans by future applicants that reference their design.

Section 2.5.4 Safety/Security Interface

The applicant should demonstrate that the interface between safety and security was considered when designing PPS elements and that there are no actual or potential interactions in which safety design or operational (including maintenance) activities may adversely affect security activities or vice versa. This section should also include a description of the process used to demonstrate that the safety and security interactions were appropriately addressed.

Specific discussion should be included on the impact and treatment of plant operational modes, PPS maintenance, and maintenance for equipment that is included as elements within the target sets.

Section 2.6 Evaluation Methods and Results

This section addresses the way the facility design was evaluated and shown able to achieve the high assurance objective of overall physical protection system effectiveness.

Section 2.6.1 Scenario Identification

For each of the standard scenarios provided by the NRC, provide a description of the method used to identify the set of overall scenarios that will be used to determine the effectiveness of the PPS. Information should include how potential adversary pathways were identified, including consideration given to target access points, detection devices, traversal distances, protective features, and anticipated protection force routes. For each scenario, the credited detection devices should be clearly identified and include the detection device(s) that is/are used to establish the point of detection in the scenario's timeline (e.g., an accumulation of detection probability acquired along an adversary pathway may identify the point of detection in a scenario timeline) (see Section 2.5.1.5). Additionally, any considerations used to determine the most vulnerable pathways should be described in this section. Similar descriptions should be included to explain how the protective force pathways were determined. These descriptions should include the types of security response and how multiple security responses are assessed (e.g., using a bounding response).

Section 2.6.2 Adversary Timeline Results

Submit the depictions (e.g., logic diagrams, event trees) of the adversary timelines with the lowest margins for each standard DBT scenario that the NRC provided. For any assumptions used in creation of the adversary timeline that are not referenced directly to one of the acceptable engineering publications listed in Appendix A, full justification should be included. If an assumption is provided in the NRC publications and an applicant uses a different value, a sensitivity study using the NRC-provided value also should be included.

Section 2.6.3 Protective Force Timeline

Provide a description of the method used to assess the protective force timeline for each standard DBT scenario that the NRC provided. This description should include the location of each of the CIPs that the applicant has identified. For an existing facility, the method used to assess the protective force timeline should be actual protective force response times documented by performance tests. The average or mean times from the performance tests, including one standard deviation, should be used. For assaults other than land-based attacks, the minimum safe standoff (or required) distance for protection against vehicle-borne improvised explosive devices also should be identified. Additionally, a description and a depiction of the milestones in the timeline should also be provided, including the point of communication, the point in which the CIP is reached, and the point in which weapons are readied. Finally, the time elapsed between each of these milestones also should be reported. For any assumptions used in creation of the protective force timeline that are not referenced directly to one of the acceptable engineering publications listed in Appendix B, full justification should be included. If an assumption is provided in the NRC publications and an applicant uses a different value, a sensitivity study using the NRC-provided value also should be included.

Section 2.6.4 Evaluation Results

This section should explain how overall system effectiveness was determined. Describe the analysis method used for the evaluation. If table-top reviews are used, detailed descriptions of the methodologies are recommended. If other analysis tools, such as a JCATS model, are used as a modeling and simulation tool, all assumptions (input variables) used in the model (e.g., Ph and Pk data) and their sources should be detailed. For any assumptions used in the evaluation of overall system effectiveness that are not referenced directly to one of the acceptable engineering publications listed in Appendix B, full justification should be included. If an assumption is provided in the NRC approved publications and an applicant uses a different value, a sensitivity study using the NRC referenced value also should be included. When making reference to a simulation model, list the model revision number.

Section 2.6.4.1 Overall System Effectiveness

Overall system effectiveness of the PPS can be reported qualitatively and quantitatively. It should be demonstrated for an overall scenario, defined as a unique combination of target set, entry point, exit point (for theft and diversion), protective force response, and standard DBT scenario. Yet, it should be noted that overall system effectiveness does not need to be demonstrated for each individual target, as long as at least one target in each target set is shown to remain protected with high assurance.

The results in this section should include a list of the most advantageous to an adversary overall scenario, specifically describing those overall scenarios that have the lowest overall system effectiveness values or with timelines demonstrating the least margin. This set should include the worst overall scenario corresponding to each standard scenario. If the applicant chooses to combine or bound overall scenarios (i.e., using the most advantageous adversary pathway for a standard scenario) to simplify the reporting process, adequate bases and description of the approach should be included.

The qualitative results should be provided using an integrated adversary and protective force timeline, with a shifted protective force timeline beginning at the CDP. The results for each of the worst overall scenarios, as well as an integrated timeline, should be depicted with a CDP and a CIP. Additionally, adequate margin (time from the point of detection to the CDP) to enter into a defensible position and ready weapons should be demonstrated. If the security assessment uses average or mean times for the adversary and responder timelines, an adequate margin on the order of one standard deviation should be included in the timeline assessment to demonstrate meeting the objective of high assurance.

Quantitatively, milestones in the integrated timeline for each of the worst overall scenarios should be assigned probabilities. These values should be provided in a tabular format, such as the example provided in Table 2-3, and should include, but are not limited to, the P0, P1, and PN and the bases by which these probabilities were calculated. As the product of these probabilities is the overall system effectiveness for a scenario, this value (PE) also should be provided. The NRC-recommended probability of detection at the protected area boundary is 90 percent detection rate with 95 percent confidence. If this is not met, an explanation is recommended as to why a lesser percentage is acceptable to achieve overall system effectiveness.

Technical knowledge gaps responsible for significant uncertainties in scenario timelines and quantitative measure values also should be identified in this section.
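The 90 percent detection rate with 95 percent confidence criterion stated above can be checked against performance-test counts. The following is an added example, not part of the NRC guidance: it assumes a one-sided exact binomial (Clopper-Pearson) lower bound as the statistical method, which the guidance does not specify, and the function names and trial counts are constructed for illustration.

```python
"""Check detection test results against a 90 percent / 95 percent confidence criterion.

Assumption (not from the guidance): the criterion is evaluated with a one-sided
exact binomial (Clopper-Pearson) lower confidence bound on the detection rate.
"""
from math import comb

REQUIRED_PD = 0.90   # detection rate named in the guidance
CONFIDENCE = 0.95    # confidence level named in the guidance


def prob_at_least(successes, trials, p):
    """P(X >= successes) for X ~ Binomial(trials, p)."""
    return sum(comb(trials, k) * p**k * (1.0 - p) ** (trials - k)
               for k in range(successes, trials + 1))


def lower_bound(detections, trials, confidence=CONFIDENCE):
    """One-sided lower confidence bound on the true detection probability."""
    if trials <= 0 or not 0 <= detections <= trials:
        raise ValueError("need trials > 0 and 0 <= detections <= trials")
    if detections == 0:
        return 0.0
    alpha = 1.0 - confidence
    lo, hi = 0.0, 1.0
    # prob_at_least() rises with p; the bound is the p at which it equals alpha.
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if prob_at_least(detections, trials, mid) > alpha:
            hi = mid
        else:
            lo = mid
    return lo  # lo never exceeds the exact bound, so the check stays conservative


def meets_criterion(detections, trials,
                    required=REQUIRED_PD, confidence=CONFIDENCE):
    """True when the data support 'at least `required`' at the given confidence."""
    return lower_bound(detections, trials, confidence) >= required


def min_trials(misses, required=REQUIRED_PD, confidence=CONFIDENCE):
    """Smallest test count that can meet the criterion with `misses` missed detections."""
    alpha = 1.0 - confidence
    trials = misses + 1
    while prob_at_least(trials - misses, trials, required) > alpha:
        trials += 1
    return trials


# Constructed sample results (zone label, detections, trials); not real test data.
CONSTRUCTED_TESTS = [
    ("perimeter zone A", 30, 30),
    ("perimeter zone B", 29, 30),   # 96.7 percent observed, yet too few trials
    ("perimeter zone C", 45, 46),
]


def evaluate(tests=CONSTRUCTED_TESTS):
    """Return (zone, observed rate, lower bound, pass/fail) for each test series."""
    return [(zone, d / n, lower_bound(d, n), meets_criterion(d, n))
            for zone, d, n in tests]


if __name__ == "__main__":
    for zone, observed, bound, ok in evaluate():
        print(f"{zone}: observed {observed:.3f}, "
              f"95% lower bound {bound:.3f}, meets 90/95: {ok}")
    for misses in range(3):
        print(f"{misses} missed detection(s): at least {min_trials(misses)} trials")
```

Under this method an observed detection rate above 90 percent is not sufficient by itself; the number of trials determines whether the 95 percent confidence part of the criterion is supported.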

Section 2.6.4.2 Risk-Informed Evaluation of Candidate Design Features

This section addresses the risk-informed assessment of candidate security design features. It should include the process used to select and assess the candidate design features included in the security assessment. The section also should list the features evaluated and the assessment results.

Section 2.6.4.3 Sensitivity Studies

This section should be used to highlight any sensitivity studies performed on the assumptions used in the evaluation. Sensitivity studies should be performed when using assumptions not provided in the NRC engineering publications listed in Appendix B.

Section 2.7 Discussion and Conclusion

This section should summarize the high assurance evaluation process and results, including a brief discussion of how the security assessment demonstrates that the proposed design, operation, and maintenance of the facility meets the requirements established by 10 CFR 73.55.

Additionally, any insights gained from sensitivity studies can be included in this section.

Any insights gained during the high assurance process, potentially including those from the iterative design process, should be described here. The high assurance evaluation process implemented by the applicant, if iterative, would produce an initial evaluation on the existing facility design and PPS elements, some number of intermediate (trial and error) evaluations, in which facility design or PPS elements are added to the design, and a final evaluation, in which the objective of high assurance is met. If the applicant performed iterative runs through the process, this section should briefly describe any insights gained from these evaluations. This section should include the methodology the applicant used for the modification and addition of the facility design and PPS elements during the process.

Section 3.0 References

This section should list all documents referenced in the security assessment. References should be listed in a methodical fashion (either alphabetically or numbered by chronological order of reference in the security assessment). The analysis methodology used in the assessment should be referenced in this section.

Appendix A Glossary/Abbreviation

An appendix should establish a list of all abbreviations used in the security assessment and any key words that may be appropriate to define in the glossary.

Appendix (Additional)

The applicant should use additional appendices for supplemental information, drawings, diagrams, data tables, calculations (e.g., blast analyses), etc. that are not directly necessary in the security assessment, but may be pertinent to reproducing calculations or validating information.

3-11

4. REFERENCES
1. Title 10 of the Code of Federal Regulations (10 CFR) 73.55, "Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors against Radiological Sabotage."
2. Title 10 of the Code of Federal Regulations (10 CFR) Part 73, "Physical Protection of Plants and Materials."
3. U.S. Nuclear Regulatory Commission (NRC). "Nuclear Power Plants Security Assessment Standard Set of Scenarios," December 20, 2007.
4. U.S. Nuclear Regulatory Commission (NRC). "Policy Statement on Regulation of Advanced Reactors," 73 FR 60612; October 14, 2008.
5. SECY-05-120, "Security Design Expectations for New Reactor Licensing Activities," July 6, 2005, and SRM to SECY-05-120, "Staff Requirements - SECY-05-120 - Security Design Expectations for New Reactor Licensing Activities," September 9, 2005.
6. SRM to SECY-06-0204, "Staff Requirements - SECY-06-0204 - Proposed Rulemaking - Security Assessment Requirements for New Nuclear Power Reactor Designs," April 24, 2007 (ADAMS Accession No. ML070520692).
7. SAND2007-5591, "Nuclear Power Plant Security Assessment Technical Manual," Sandia National Laboratories, Albuquerque, NM, September 2007. http://www.sandia.gov (ADAMS Accession No. ML072620172).

8. Title 10 of the Code of Federal Regulations (10 CFR) Part 50, "Domestic Licensing of Production and Utilization Facilities," Appendix B, "Quality Assurance Criteria for Nuclear Power Plants and Fuel Reprocessing Plants."
9. U.S. Nuclear Regulatory Commission (NRC). Regulatory Guide 5.81, "Target Set Identification and Development for Nuclear Power Reactors." (Includes security-related or safeguards information and is not publicly available.)
10. "The Design and Evaluation of Physical Protection Systems," 2001, and "Vulnerability Assessment of Physical Protection Systems," 2006, Garcia, Mary Lynn, Sandia National Laboratories, http://www.sandia.gov, published by Elsevier Butterworth-Heinemann, Burlington, MA (were used as a basis for the development of Section 2.0 of this guide, "High Assurance Evaluation Guidance.")
11. Title 10 of the Code of Federal Regulations (10 CFR) 73.1, "Purpose and Scope."
12. U.S. Nuclear Regulatory Commission (NRC). Regulatory Guide 5.69, "Guidance for the Application of Radiological Sabotage Design Basis Threat in the Design, Development, and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements." (Includes security-related or safeguards information and is not publicly available.)
13. NUREG/CR-6190, Revision 1, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants," March 17, 2004, U.S. Army Corps of Engineers, Omaha, NE. (Includes security-related or safeguards information and is not publicly available.)
14. NUREG-0800, "Standard Review Plan for the Review of Safety Analysis Reports for Nuclear Power Plants (LWR Edition)," March 2007 (ADAMS Accession No. ML070660036).
15. SECY-03-0052, "Staff Recommendations for Revisions to the Design Basis Threat Statements (U)," April 7, 2003. (Includes security-related or safeguards information and is not publicly available.)
16. Title 10 of the Code of Federal Regulations (10 CFR) 73.2, "Definitions."
17. U.S. Nuclear Regulatory Commission (NRC). Regulatory Guide 5.76, "Physical Protection Programs at Nuclear Power Reactors." (Includes security-related or safeguards information and is not publicly available.)
18. "A Method to Assess the Vulnerability of U.S. Chemical Facilities," U.S. Department of Justice, Office of Justice Programs, 2002, http://www.justice.gov.
19. NUREG-1959, "Intrusion Detection Systems and Subsystems: Technical Information for NRC Licensees," March 2011 (ADAMS Accession No. ML11112A009).
20. SAND2001-2168, "Technology Transfer Manual-Access Delay Technology, Volume 1," Sandia National Laboratory, Albuquerque, NM, http://www.sandia.gov.
21. Regulatory Issue Summary (RIS) 2003-06, "High Security Protected and Vital Area Barrier/Equipment Penetration Manual," U.S. Nuclear Regulatory Commission, Washington, DC, March 20, 2003. (Includes security-related or safeguards information and is not publicly available.)
22. Nuclear Energy Institute 09-05 "Guidance on the Protection of Unattended Openings that Intersect a Security Boundary."
23. Title 10 of the Code of Federal Regulations (10 CFR) 73.58, "Safety/Security Interface Requirements for Nuclear Power Reactors."
24. U.S. Nuclear Regulatory Commission (NRC). Regulatory Guide 5.74, "Managing the Safety/Security Interface," Revision 0, June 2009 (ADAMS Accession No. ML091690036).
25. "Joint Conflict and Tactical Simulation (JCATS)," United States Joint Forces Command, 2006, http://www.jfcom.mil.
26. U.S. Nuclear Regulatory Commission (NRC). Regulatory Guide 5.68, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants" (ADAMS Accession No. ML003739379).
27. International Atomic Energy Agency, Engineering Safety Aspects of the Protection of Nuclear Facilities Against Sabotage, Nuclear Security Series No. 4, Vienna, Austria, January 2007, http://www.iaea.org.


28. Title 10 of the Code of Federal Regulations (10 CFR) Part 100, "Reactor Site Criteria."
29. Regulatory Issue Summary (RIS) 2005-09, "High Security Protected and Vital Area Barrier Breaching Analysis," June 6, 2005. (Includes security-related or safeguards information and is not publicly available.)
30. ASME/ANS RA-Sa-2009, "Addenda to ASME/ANS RA-S-2008 Standard for Level 1/Large Early Release Frequency Probabilistic Risk Assessment for Nuclear Power Plant Applications," 2009, http://www.asme.org.
31. Title 10 of the Code of Federal Regulations (10 CFR) Part 73, "Physical Protection of Plants and Materials," Appendix C, "Nuclear Power Plant Safeguards Contingency Plans."
32. Title 10 of the Code of Federal Regulations (10 CFR) 100.21, "Non-seismic Site Criteria."


APPENDIX A GLOSSARY

Achievable Target Element: A target element that is within the capabilities included in the design-basis threat.

Adversary Timeline: An assessment of the impact of the physical protection functions of detection, delay, and response on the adversary for a given DBT scenario, given specific entry points and a given target set.

Critical Detection Point: The point on the path where path delay just exceeds protective force arrival time. This point is found by starting at the end of the adversary path, and adding up path delays until this value just exceeds protective force time (Ref. 10).

Critical Interruption Point: A location that maximizes the tactical and strategic capabilities for the response to interrupt and successfully neutralize most threats considered in the DBT (Ref. 27).

Design-Basis Threat (DBT): A description of all the attributes and characteristics of the threat, including the type of adversary and the tactics and capabilities associated with the threat, provided by NRC.

DBT Scenario: A description of a specific set of the attributes and characteristics of the DBT provided by the NRC, which may include the number of adversaries, the type of weapons or tools they would use, tactics, and the number and type of entry points.

Event Tree: A logical diagram that begins with an initiating event or condition and progresses through a series of branches that represent expected system or operator performance that either succeeds or fails and arrives at either a successful or failed end state (ASME 2005) (Ref. 30).

Initiating Event: Any event, either internal or external to the plant, that perturbs the steady state operation of the plant (if operating), thereby initiating an abnormal event such as a transient or loss of coolant accident (LOCA) within the plant (Ref. 30).

Interruption: Arrival of responders at a deployed location to halt adversary progress or activation of engineered delay or denial systems at a deployed location to halt adversary progress.

Margin: The time elapsed on the integrated adversary and protective force timeline between the point of detection and the critical detection point or the time elapsed, after the response team has entered protective positions with weapons at the ready, and engagement of the adversary.

Neutralization: The defeat of the adversaries by responders through the use of a small arms conflict or remote engagement with automated weaponry, or certain containment strategies.

Overall Scenario: A unique combination of a DBT scenario, adversary entry point, adversary exit point (for theft and diversion), protective force response and target set.

Overall System Effectiveness: A probabilistic calculation of the effectiveness of the physical protection system (PPS) to detect the adversary, delay the adversary such that responders can intercept the adversary, ideally by reaching their protective positions, and neutralize the adversary.

Physical Protection Systems: The integration of people, procedures, and equipment for the protection of assets or facilities against theft, radiological sabotage, or other malevolent human attacks (Ref. 10).

Protective Force Timeline: An assessment of the time after initial detection of adversarial activity it will take for one or more members of the security force to reach a location where an adversary's path can be interrupted.

Radiological Sabotage: Any deliberate act directed against a plant or transport in which an activity licensed pursuant to the regulations in 10 CFR Part 73, "Physical Protection of Plants and Materials," is conducted, or against a component of such a plant or transport, which could directly or indirectly endanger the public health and safety by exposure to radiation (10 CFR 73.2) (Ref. 16).

Safeguards Contingency Plan: A documented plan to give guidance to licensee personnel to accomplish specific defined objectives in the event of threats, thefts, or radiological sabotage relating to special nuclear material or nuclear facilities licensed under the Atomic Energy Act of 1954, as amended. (Appendix C, "Nuclear Power Plant Safeguards Contingency Plans," to 10 CFR Part 73 (Ref. 31).)

Security Assessment: An evaluation of the reactor facility design, which: 1) identifies target sets and, for selected scenarios, performs a systematic evaluation using risk evaluation methodologies that demonstrate the ability of the design to meet the performance objectives of 10 CFR 73.55(a), 2) identifies security design features to be incorporated into the design of the reactor facility, which indicate that security functions can be accomplished, to the maximum extent practical, without undue reliance upon operational security programs that are required as a part of the security plans under 10 CFR 73.55, "Requirements for Physical Protection of Licensed Activities in Nuclear Power Reactors Against Radiological Sabotage," and 3) demonstrates that the design features and operational recovery actions incorporated into the nuclear power plant and programs provide for mitigation of the effects of an attack resulting in a loss of large areas of the facility because of explosions or fires, in accordance with 10 CFR 50.54(hh).

Security Assessment Parameters: The characteristics of parameters of a site where the nuclear power plant or reactor is to, or may, be used either as postulated in the security assessment or as identified in accordance with 10 CFR 100.21(f) (Ref. 32); security design features which are outside the scope of the design being addressed at the particular stage of the regulatory process, which are postulated in a security assessment, and features of a physical security program under 10 CFR 73.55, which are postulated in a security assessment.

Security Design Features: The structures, systems, and components of a nuclear power plant and their layout that are relied upon to either detect, delay, or respond to an attack against target sets of a nuclear power plant by an adversary possessing the characteristics of the DBT.

Security Functions: Those functions necessary to: detect, delay, or respond to an attack against target sets of a nuclear power plant by an adversary possessing the characteristics of the DBT or provide conditions before, during, and after a malevolent event, that facilitate actions to occur that mitigate the effects of circumstances associated with a loss of large areas of the facility of explosions or fires.

Significant Core Damage: Non-incipient, non-localized fuel melting and/or core disruption (10 CFR 73.2).

Target Resiliency: Describes a target's robustness or resistance to a DBT attack. A resilient target could have characteristics that include multiple barriers, large distances from related targets or from the fence-line, and robust construction.

Target Set: The minimum combination of equipment or operator actions which, if all are prevented from performing their intended safety function or prevented from being accomplished, would likely result in significant core damage (e.g., nonincipient, nonlocalized fuel melting and/or core destruction) or a loss of spent fuel pool coolant inventory and exposure of spent fuel, barring extraordinary actions by plant operations.

Vital Area: Any area that contains vital equipment (10 CFR 73.2).

Vital Equipment: Any equipment, system, device, or material, the failure, destruction, or release of which could directly or indirectly endanger the public health and safety by exposure to radiation. Equipment or systems, which would be required to function to protect public health and safety following such failure, destruction, or release are also considered to be vital (10 CFR 73.2).

APPENDIX B SECURITY ENGINEERING PUBLICATIONS ACCEPTABLE FOR USE

SECURITY ENGINEERING REFERENCES ACCEPTABLE FOR USE IN THE DESIGN OF PHYSICAL PROTECTION SYSTEMS

Blast Effects

1. PDC-TR-01-01, Revision 1, "Structural Assessment of Spent Fuel Pools Attacked with a Sophisticated Sabotage Threat," U.S. Army Corps of Engineers, Omaha, NE, September 2006. Safeguards information.
2. PDC-TR-01-02, Revision 1, "Structural Assessment of Spent Fuel Pools Attacked with an Unsophisticated Sabotage Threat," U.S. Army Corps of Engineers, Omaha, NE, September 2006. Safeguards information.
3. Single Degree of Freedom Blast Design Spreadsheet (SBEDS) Version 4.1 Software and Methodology Manual, U.S. Army Corps of Engineers, Omaha, NE, March 13, 2009. Unclassified.

4. Regulatory Information Summary 2005-09, "High-Security Protected and Vital Area Barrier Breaching Analysis," U.S. Nuclear Regulatory Commission, Washington, DC, June 6, 2005. Safeguards information.
5. "Waterborne Sub-Surface Blast Effects to the Design-Basis Threat," D. Sulfredge, Oak Ridge National Laboratory, Oak Ridge, TN, November 10, 2003. Safeguards information.
6. "Guidance for Using Underwater Explosion (UNDEX) Data for Estimating Loads on Submerged Targets," D. Sulfredge, Oak Ridge National Laboratory, Oak Ridge, TN, and B. Tegeler, U.S. Nuclear Regulatory Commission, Washington, DC, November 2003. Unclassified.
7. FM 5-250, "Explosives and Demolitions," Department of the Army, Washington, DC, June 30, 1999. Restricted to government agencies and their contractors, export controlled.
8. Air Force Manual (AFMAN) 91-201, "Explosive Safety Standard," U.S. Air Force, Washington, DC, May 1, 1999. Unclassified.
9. DOETIC-11268, "Manual for the Prediction of Blast and Fragment Loading for Structures," U.S. Department of Energy, Washington, DC, July 1992. Unclassified.
10. Conventional Weapons Effects (CONWEP) Software and Manual, U.S. Army Corps of Engineers, Engineering Research and Development Center (ERDC), Vicksburg, MS, August 20, 1992. Restricted to government agencies and their contractors.
11. TM 5-1300, "Structures to Resist the Effects of Accidental Explosions," U.S. Department of Defense, Washington, DC, November 19, 1990. Unclassified. (Also designated as Air Force AFR 08-22 and Navy NAVFAC P-3897.)

12. Window Glazing Analysis Response and Design (WINGARD) Software, U.S. General Services Administration (GSA), Washington, DC. Restricted. (Available at www.oca.gsa.gov.)

Vehicle Barrier Systems/Blast Effects

13. NUREG/CR-6190, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants," U.S. Army Corps of Engineers, Omaha, NE, March 17, 2004. Safeguards information.

Vehicle Barrier Systems

14. Department of Defense and Department of State Certified Vehicle Barrier List (updated periodically, available at https://pdc.usace.army.mil/library/BarrierCertification/.) Unclassified.
15. SD-STD-02.01, "Certification Standard, Test Method for Vehicle Crash Testing of Perimeter Barriers and Gates," Revision A, Department of State, Washington, DC, March 2003. Unclassified.
16. NUREG/CR-4250, "Vehicle Barriers: Emphasis on Natural Features," U.S. Nuclear Regulatory Commission, Washington, DC, July 1985. Unclassified.

Detection, Delay, Communications, Security Systems, etc.

17. Regulatory Information Summary 2003-06, "High-Security Protected and Vital Area Barrier/ Equipment Penetration Manual," U.S. Nuclear Regulatory Commission, Washington, DC, March 20, 2003. Safeguards information.
18. SAND-2001-2168, "Technology Transfer Manual, Access Delay, Volume 1," Sandia National Laboratories, Albuquerque, NM, August 2001. In addition, the entire Technology Transfer Manual Series: SAND99-2390, SAND-2000-2142, SAND2004-2815P, SAND99-391, SAND99-2388, SAND99-2392, and SAND99-2389. Unclassified controlled nuclear information.

Ballistics

19. UL 752, "Standard for Bullet-Resisting Equipment," Underwriters' Laboratories, Northbrook, IL, December 21, 2006. Unclassified.
20. NIJ Standard 0108.01, "Ballistic-Resistant Protective Materials," National Institute of Justice, Washington, DC, September 1985. Unclassified.
21. ASTM F2656-07, "Standard Test Method for Vehicle Crash Testing of Perimeter Barriers," American Society for Testing and Materials International, West Conshohocken, PA, 2007. Unclassified.


APPENDIX C SECURITY ASSESSMENT MODELING TOOLS

Security Assessment Modeling Tools (see footnote 8)

This appendix identifies some of the tools acceptable for use as part of the security assessment process. While these tools are identified as acceptable for use, from a performance-based perspective, the applicant may use other methods that are demonstrated to be equally effective.

See the "Nuclear Power Plant Security Assessment Technical Manual," SAND2007-5591, for additional information on security assessment modeling tools.

1.0 Estimate of Adversary Sequence Interruption (EASI)

The EASI model is a quantitative method of evaluating the effectiveness of physical protection resources, both segment by segment and for the physical protection system (PPS) as a whole, against the adversary's pathway. By evaluating detection and delay capabilities at each segment of the adversary's path and considering the probability of alarm communication and interpretation, and protective force deployment time, EASI measures the capability of the guard force to interrupt the adversary before the adversary completes its goal.

The EASI evaluation method considers that the protective force must be notified and be strategically deployed while there is still sufficient time remaining in the adversary sequence.

The EASI probabilistic evaluation sequence evaluates PPS effectiveness by accounting for the following features:

1. The probability of detection at each sequence throughout the PPS based on inherent and adopted measures.
2. The probability and time that the alarm will transmit and be interpreted accurately at the facility alarm station.
3. The probability and time it takes for the alarm to be communicated from the facility alarm station to the PPS protective force.
4. The time it takes for the protective force to deploy to their tactical positions.

The EASI software may be obtained at:

http://www.elsevierdirect.com/v2/companion.jsp?ISBN=9780750683524/.

2.0 Joint Conflict and Tactical Simulation (JCATS)

JCATS is a force-on-force computer-assisted simulation system developed to exercise commanders and their staff in the command and control of combined arms operations in urban terrain environments. It can model up to 10 parties with rules for reactive behaviors, allowing it to simulate realistic operations. It can compute the probability of the adversary reaching the target, as well as the number of protective and adversarial forces killed. JCATS can additionally assist in defining the minimum number of protective force personnel and optimum response strategy necessary to achieve PPS effectiveness.

8 The assessment and modeling-type tools used throughout this NUREG and described in detail in this Appendix are for illustration purposes only. The NRC does not endorse any specific assessment or modeling-type tool for security assessments.

It should be noted that JCATS does not calculate a probability of interruption and does not include probabilities of detection in the facility model. It provides an estimate of the outcome of an engagement and if one runs enough engagements, it can aid in the derivation of an estimate for probability of neutralization (PN).

3.0 Simajin

Simajin performs similar functions to JCATS, but addresses a number of limitations found in JCATS before the new post-September 11, 2001, threat environment (Grover, 2006). For example, Simajin can manage the increasing number of adversaries in the new DBT and the additional protective force required to counter these adversaries and their capabilities.

Additionally, Simajin has more thorough data output capabilities, as well as the ability to receive more statistically valid data. It is capable of simulating force-on-force scenarios down to the single person level of detail.

While JCATS is considered acceptable for the purposes of calculating PN, the NRC has not yet certified Simajin as acceptable. Another option the applicant can use to estimate a probability of neutralization is to use expert opinion.

4.0 Analytic System and Software for Evaluating Safeguards and Security (ASSESS)

The Analytic System and Software for Evaluating Safeguards and Security (ASSESS) software was developed for use by U.S. Department of Energy sites to determine how effectively physical protection and material control and accountability systems protect against a spectrum of insider, outsider, and some collusion threats. (Effectiveness is measured as a probability, the probability of system effectiveness (PE), which measures how likely it is that an attack by a certain type of adversary will be defeated given that it occurs.) The software addresses theft of special nuclear material and sabotage at these sites. The software was developed jointly by Sandia National Laboratories and Lawrence Livermore National Laboratories.

ASSESS represents protection around a target such as a weapon production facility, reactor facility, or weapon storage site in terms of concentric layers of delay and detection features (up to 10 layers are allowed). Detection features on a layer include intrusion sensors, protective force personnel, contraband checks, and access control features. Up to 15 elements (doors, sensor intrusion zones, walls, etc.) are allowed on each layer. ASSESS then determines the critical path for the adversary to take through the facility, which minimizes the probability of interruption (PI), the probability that the adversary will be detected while the security forces have enough time to respond.

ASSESS performance databases, developed based on U.S. national laboratory tests and expertise, describe the effectiveness of delay and detection features against a variety of adversary threats so the analyst does not need to develop all of these values. These default values can be overridden to reflect data from site-specific delay or sensor performance tests.

The description of the critical path also tells the best way for an adversary to penetrate a barrier or sneak contraband past a screening portal; this description suggests performance tests that should be run at the different elements in the facility.


Some of the strengths of ASSESS include:

  • It can search quickly through thousands or millions of paths, different operating conditions, and different threats and targets; combat simulations can at best evaluate about a dozen different combinations of intrusion paths, conditions, threats, and targets each day.
  • It addresses insider and outsider threats, some of which will not attack using a frontal assault (for example, the insider).
  • It determines whether potential delay and detection upgrades actually improve overall protection system effectiveness as opposed to just changing the critical path at the same performance level.

Some factors that ASSESS does not address:

  • It does not allow for comparison of different response tactics, staffing levels, and weapons.
  • It is an analytical model that does not include the natural randomness of battle, such as missed shots, confusion, fatigue, etc.

ASSESS is used to identify paths and conditions with low detection and delay that can then be evaluated in more detail with computer combat simulations or force-on-force exercises.

ASSESS can also screen detection and delay upgrades to find those that actually improve system effectiveness. It includes a very simple model (i.e., it uses a semi-Markov representation of a battle; see footnote 9) meant to address basic response issues such as numbers of response units to employ and weapons to use, but it is very crude and doesn't allow the fidelity or detail of a combat simulation. This model was designed to provide a quick, consistent way to determine the PN, the likelihood that the response can defeat or neutralize the adversaries, once they have been detected. ASSESS combines this PN with PI for the critical path to develop probability of system effectiveness (PE) = PI * PN to determine the effectiveness of detection, delay, and response.
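Added example, not part of NUREG/CR-7145 and not the EASI or ASSESS software: a simplified, fixed-time Python calculation of the quantities described above, namely the critical detection point from the glossary, the probability of interruption that EASI estimates, and PE = PI * PN. It assumes detection at an element occurs before that element's delay and that one communication probability applies to every alarm; the path, element names and all numbers are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PathElement:
    name: str
    p_detect: float  # probability the adversary is detected at this element
    delay_s: float   # delay this element imposes on the adversary, in seconds

    def __post_init__(self):
        if not 0.0 <= self.p_detect <= 1.0:
            raise ValueError(f"{self.name}: p_detect must be in [0, 1]")
        if self.delay_s < 0:
            raise ValueError(f"{self.name}: delay_s must be non-negative")


def critical_detection_point(path: List[PathElement],
                             response_time_s: float) -> Optional[int]:
    """Walk back from the end of the path, summing delays, and return the
    index where the sum first exceeds the protective force time.
    Returns None when the whole path is shorter than the response time."""
    remaining = 0.0
    for i in range(len(path) - 1, -1, -1):
        remaining += path[i].delay_s
        if remaining > response_time_s:
            return i
    return None


def probability_of_interruption(path: List[PathElement],
                                response_time_s: float,
                                p_communication: float) -> float:
    """PI = P(alarm communicated) * P(at least one detection at or before
    the critical detection point). Detections after that point are too late."""
    if not 0.0 <= p_communication <= 1.0:
        raise ValueError("p_communication must be in [0, 1]")
    cdp = critical_detection_point(path, response_time_s)
    if cdp is None:
        return 0.0  # no detection anywhere on the path can be timely
    p_missed = 1.0
    for element in path[: cdp + 1]:
        p_missed *= 1.0 - element.p_detect
    return p_communication * (1.0 - p_missed)


def system_effectiveness(p_interruption: float, p_neutralization: float) -> float:
    """PE = PI * PN, as stated in the ASSESS description."""
    return p_interruption * p_neutralization


def with_change(path: List[PathElement], index: int, **changes) -> List[PathElement]:
    """Copy of the path with one element modified (a candidate upgrade)."""
    return [replace(e, **changes) if i == index else e for i, e in enumerate(path)]


def compare_upgrades(baseline: List[PathElement],
                     upgrades: Dict[str, List[PathElement]],
                     response_time_s: float, p_communication: float,
                     p_neutralization: float) -> Dict[str, Tuple[Optional[int], float, float]]:
    """Return {label: (cdp_index, PI, PE)} for the baseline and each upgrade."""
    results = {}
    for label, path in [("baseline", baseline)] + list(upgrades.items()):
        cdp = critical_detection_point(path, response_time_s)
        pi = probability_of_interruption(path, response_time_s, p_communication)
        results[label] = (cdp, pi, system_effectiveness(pi, p_neutralization))
    return results


# Constructed sample path; every name and number here is illustrative only.
BASELINE = [
    PathElement("perimeter fence", 0.5, 10.0),
    PathElement("yard", 0.0, 20.0),
    PathElement("building door", 0.9, 60.0),
    PathElement("hallway", 0.0, 15.0),
    PathElement("inner door", 0.8, 90.0),
    PathElement("task at target", 0.0, 120.0),
]
UPGRADES = {
    "better sensor on inner door": with_change(BASELINE, 4, p_detect=0.99),
    "more delay at target": with_change(BASELINE, 5, delay_s=160.0),
}

if __name__ == "__main__":
    table = compare_upgrades(BASELINE, UPGRADES, 240.0, 0.95, 0.8)
    for label, (cdp, pi, pe) in table.items():
        where = "none" if cdp is None else BASELINE[cdp].name
        print(f"{label:30s} CDP={where:15s} PI={pi:.4f} PE={pe:.4f}")
```

In this constructed case the sensor upgrade sits after the critical detection point and leaves PI unchanged, while the added delay moves the critical detection point later and raises PI, which is the distinction the ASSESS strengths list draws between upgrades that improve effectiveness and those that do not.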

5.0 Adversary Time Line Analysis System (ATLAS)

The Adversary Time Line Analysis System (ATLAS) (an improved version of ASSESS) is a software-based program used to compute the most vulnerable paths for both outsider adversary and violent insider attacks. The most vulnerable paths are computed in two different ways. The first minimizes PI. This is called the CDP approach, because it is based on locating the critical detection point (CDP). The second minimizes delay after the practical detection point (PDP).

These two analyses are complementary analyses approaches. The primary approach is the CDP approach. The PDP approach may identify paths that the CDP approach may not. A PDP analysis should never be performed without also performing comparable CDP analyses.

Another analysis feature identifies elements that are critical to the overall protection system effectiveness. Critical elements that, if individually degraded to a critical performance level on entry, will reduce the PE,

9 A discussion of Markov mathematics is provided in SAND 2007-5591.

6.0 Vulnerability of Integrated Security Analysis (VISA) Method

The Vulnerability of Integrated Security Analysis (VISA) Method is a systems approach to a vulnerability analysis (VA). The VISA manual provides guidance for VA teams to perform tabletop VAs. A copy of the VISA manual may be obtained by contacting an NRC security specialist.

APPENDIX D BLAST EFFECTS

A discussion on blast effects can be found in the NRC Regulatory Guides 5.68, "Protection Against Malevolent Use of Vehicles at Nuclear Power Plants" (SGI) and 5.69, "Guidance for the Application of Radiological Sabotage Design-Basis Threat in the Design, Development, and Implementation of a Physical Security Protection Program that Meets 10 CFR 73.55 Requirements" (SGI).

NRC FORM 335 (12-2010), NRCMD 3.7, U.S. NUCLEAR REGULATORY COMMISSION

BIBLIOGRAPHIC DATA SHEET (See instructions on the reverse)

1. REPORT NUMBER (Assigned by NRC, Add Vol., Supp., Rev., and Addendum Numbers, if any.): NUREG/CR-7145
2. TITLE AND SUBTITLE: Nuclear Power Plant Security Assessment Guide
3. DATE REPORT PUBLISHED: YEAR 2013
4. FIN OR GRANT NUMBER: NRC-42-07-036
5. AUTHOR(S): J. Zamanali and C. Chwasz, D. Greenhalgh and J. Crockett
6. TYPE OF REPORT: Technical
7. PERIOD COVERED (Inclusive Dates)
8. PERFORMING ORGANIZATION - NAME AND ADDRESS (If NRC, provide Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.): Nuclear Systems Analysis Operations Center, Information Systems Laboratories, Inc., 11140 Rockville Pike, Rockville, MD 20852
9. SPONSORING ORGANIZATION - NAME AND ADDRESS (If NRC, type "Same as above", if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.): Division of Security Policy, Office of Nuclear Security and Incident Response, U.S. Nuclear Regulatory Commission, 11545 Rockville Pike, Rockville, MD 20852-2738
10. SUPPLEMENTARY NOTES
11. ABSTRACT (200 words or less): This document provides detailed guidance for the format and content of a security assessment of a commercial nuclear power plant. The U.S. Nuclear Regulatory Commission (NRC) encourages design certification and combined license applicants to use this guidance to optimize physical security during the design phase. The expected result is a more robust security posture with less reliance on operational programs (human actions) and potentially costly retrofits. The NRC also encourages operating reactor licensees to use this guidance in planning and executing changes and upgrades of physical protection systems at existing sites.
12. KEY WORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.): Physical Protection systems; Physical Security; Assessment; Design Certification
13. AVAILABILITY STATEMENT: unlimited
14. SECURITY CLASSIFICATION: (This Page) unclassified; (This Report) unclassified
15. NUMBER OF PAGES
16. PRICE

NRC FORM 335 (12-2010)


NUREG/CR-7145 Nuclear Power Plant Security Assessment Guide April 2013

From: Petrucelli Judy
To: Cubellis Louis
Subject: RE: DoE Assessment of AVERT
Date: Tuesday, July 10, 2018 7:59:05 AM

Thanks Lou. Good information.

From: Cubellis, Louis
Sent: Tuesday, June 26, 2018 12:25 PM
To: Frost, John <John.Frost@nrc.gov>; Petrucelli, Judy <Judy.Petrucelli@nrc.gov>
Subject: FYI: DoE Assessment of AVERT

FYI

From: Cubellis, Louis
Sent: Wednesday, June 06, 2018 9:29 AM
To: Tardiff, Al <Al.Tardiff@nrc.gov>
Cc: Lee, Pete <Pete.Lee@nrc.gov>
Subject: RE: AVERT

The February accreditation letter mentioned in the article is attached (as is the associated report). The accreditation was very limited - just facility characterization and some pathway analyses. The letter clearly states AVERT should not be used for combat simulation, system effectiveness, upgrades analyses, or cost-benefits analyses.

From: Lee, Pete
Sent: Wednesday, June 06, 2018 9:19 AM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>; Tardiff, Al <Al.Tardiff@nrc.gov>
Subject: AVERT

https://gen.com/articles/2018/05/29/simulations-physical-security.aspx

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Cubellis Louis
To: Rockhill Rupert (Rupert.Rockhill@nrc.gov); Bustamante Charles (Charles.Bustamante@nrc.gov); ~; Diec David
Cc: Alison Rivera (Alison.Rivera@nrc.gov); Rivers Joseph
Bcc: Cubellis, Louis
Subject: FYI: DoE Gave Approval for Report Dissemination
Date: Thursday, July 19, 2018 4:24:00 PM

Gents, Joe Rivers told Alison and me after today's meeting that Sam Callahan, Security Director at DoE, gave his permission for us to disseminate the DoE AVERT V&V Report to our licensees. Now we just need to figure out how best to do that. The report should obviate our need to develop a Security Advisory.

Respectfully, Lou

Louis J. Cubellis, Jr
Senior Security Specialist
U.S. Nuclear Regulatory Commission
Office of Nuclear Security and Incident Response
Phone: (301) 287-3670
E-mail: Louis.Cubellis@nrc.gov

Note to requester: The attachment is immediately following this email record.

From: Cubellis Louis
To: Lee Pete
Cc: Rivera Alison
Subject: RE: Task No. Security-2 - GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM
Date: Thursday, August 02, 2018 12:36:39 PM
Attachments: NSIB*PPCP-RSB - Technical Direction for Security Task No Security-2 - Guide for Applying VA Models - SNL /7-30-18 PcaU with L Cubellis" loout 8-2-18\ docx; image001.png

Pete,

Thanks for allowing me to comment on Task 2. I added some text on pages 4 and 5 for your consideration.

Respectfully,
Lou

From: Lee, Pete
Sent: Wednesday, August 01, 2018 2:02 PM
To: Rivera, Alison <Alison.Rivera@nrc.gov>; Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: RE: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Alison,

Lou will provide some additions to the write-up for the tasks.

So, you should wait until he gets them to us and use that for your review and transmittal to NRO.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Lee, Pete
Sent: Wednesday, August 01, 2018 8:29 AM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Cc: Cubellis, Louis <Louis.Cubellis@nrc.gov>; Rockhill, Rupert <Rupert.Rockhill@nrc.gov>
Subject: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Attached is the subject for the second task to go to DOE. Please review and make changes necessary for transmittal to NRO.

I got a scheduler to participate in the NRO weekly with DOE today, to give them an overview of what tasks are coming to them.

I will give DOE an overview of the tasks and the expected deliverables.

According to George, the money for this year has already been obligated, so there is not a problem with money ($10 million over this and next year!?).

We just have to give them these directions. George indicated that he had not looked at the first one yet.

I will start on the third and will get them to you. The second one required a bit more thought on the specific tasks and desired deliverables.

Thanks.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

NRCHQ####D####-NRCHQ####T####

Non-Light water Reactor Policy and Technical Guidance Support Letter of Technical Direction ##

Date: [INSERT DATE OF FINAL LETTER]

From: George Tartal, 301-415-0016 and Lucieann Vechioli, 301-415-6035
Organization: NRC/NRO/DSRA/ARPB
To: [NAME OF LAB PM], [EMAIL OF LAB PM], [PHONE OF LAB PM]
Organization: SANDIA NATIONAL LABORATORIES (SNL)
Subject: Task 2: Risk-Informed, Performance-Based, Technology-Inclusive Regulatory Infrastructure Sub-Task (#SECURITY-2): GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Introduction

The NRC is developing a technology-inclusive, risk-informed, performance-based framework for licensing and regulating non-light water reactors (non-LWRs or advanced reactors). The current physical security requirements in Title 10 Code of Federal Regulation (10 CFR) Part 73 across different classes of licensees reflect a graded approach that applies the appropriate level of physical security commensurate for the potential of radiological consequences and/or theft and diversion consequences from the use and possession of special nuclear material. These requirements consider whether a DBT must be protected against for radiological sabotage (i.e., off-site consequences to public health and safety) and/or the theft and diversion of special nuclear material for other than intended purposes.

The physical security provides the assurance that facilities, such as currently operating LWRs or proposed non-LWRs, can be safely operated within their established design and licensing safety bases. The designers, applicants, and/or licensees determine how to design and establish the necessary physical security to protect their facilities. This gives potential advanced reactor designers and applicants the opportunity to consider innovative or different methods or approaches that may be applied to meet needs for physical security.

Background

The Nuclear Regulatory Commission (NRC) regulates the construction and operation of new commercial nuclear power facilities. The Office of New Reactors (NRO) serves the public interest by enabling the safe, secure, and environmentally responsible use of nuclear power in meeting the Nation's future energy needs. The Office of Nuclear Security and Incident Response (NSIR), Division of Physical and Cyber Security Policy (DPCP), supports the NRO in leading and managing the security licensing activities associated with advanced reactor non-LWR licensing. The DPCP is responsible for developing and implementing regulations, policies, programs, and procedures pertaining to all aspects of security licensing.

Page 1 of 11


This scope of work will support the NRC's "Non-light Water Reactor (non-LWR) Vision and Strategy Near-Term Implementation Action Plans" (ADAMS Accession No. ML16334A495).

The implementation action plans support the NRC's strategies to assure NRC technical and regulatory readiness related to non-LWR technologies. The strategies include the staff developing requirements and/or guidance for non-LWR designs, which include attributes identified in the NRC's Policy Statement on Advanced Reactor Designs. The attributes for physical security originating in NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," June 1988, for the Advanced Reactor Policy Statement include:

The Commission intends to make use of the existing and future regulations in reviewing advanced reactors. As such, the vulnerability of advanced reactors to sabotage is an important consideration and advanced reactors will be required to meet the same regulations regarding physical protection as LWRs. It is expected that, in some cases, advanced reactors, due to their inherent safety characteristics and simplified safety systems, may be less reliant upon physical security systems and procedures for protection against sabotage than current generation plants.

The policy statement revised in 2008 (73 FR 60612; October 14, 2008) for considerations of physical security in advanced designs (i.e., non-LWRs) indicates:

Designs that include considerations for safety and security requirements together in the design process such that security issues (e.g., newly identified threats of terrorist attacks) can be effectively resolved through facility design and engineered security features, and formulation of mitigation measures, with reduced reliance on human actions.

The NRC's strategies call for the requirements and/or guidance for non-LWR technologies to be developed in ways that are risk-informed and performance-based. A particular challenge is that most NRC guidance and other infrastructure has evolved with a focus on the currently operating LWR fleet. In the current, and foreseeable future, threat environment after the events of September 11, 2001, the protection against the design basis threat for radiological sabotage (i.e., minimizing the likelihood or risk of, or preventing, the potential of intentional radiological releases and consequences from such an event to protect public health and safety and the environment) continues to be a matter that must be addressed for non-LWRs where there is potential for unacceptable magnitude of radiological releases and consequences.

The development of this guidance is based on public and non-public information available on security vulnerability assessment models, consisting of methods or approaches that have been applied within the Department of Energy, the Department of Defense, and at some NRC licensed facilities. Although guidance are not requirements, the vulnerability assessment models, if used correctly and within their limitations, may be applied by designers, applicants, and/or licensees to assess the design of a physical protection system for meeting performance regulatory requirements and may be used in bases justifying alternatives and/or exemptions to prescriptive regulatory requirements.

TASTK NO. SECURITY-2 GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM SANDIA NATIONAL LABORATORIES (SNL)

1. Objectives

The objectives of this task are to establish technical guidance on acceptable application of quantitative computational vulnerability assessment (VA) models for assessing vulnerabilities and effectiveness of the design of physical protection system. Quantitative systematic evaluation techniques or methods that are captured in these computational models evaluate, analyze, and identify security vulnerabilities and determine the effectiveness of the design of a physical protection system that protect against specified threat (e.g., design basis threat (DBT) for radiological sabotage described in 10 CFR 73.1). The quantitative VA models, if used correctly and within their limitations, can evaluate a proposed or an existing design of physical protection system and can evaluate the effect of changes on the system effectiveness to protect against specified threats. This task includes the following:
a. Identify and review available information publically and non-publically available standards, directives, handbooks, implementation guides, and instructions, including validation and verification reports, on VA models for assessing and quantifying the effectiveness of the design of a physical protection. The guidance should address the appropriate applications of available VA models to characterize the facility, analyze pathways, simulate combat, and determine system effectiveness, and provide guidance to users of VA models to ensure accurate modeling for as realistic as possible results.
b. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models for characterizing the facility (physical site configurations and physical security structures, systems, and components). The guidance should address the minimum and necessary steps of a VA model to accurately capture the facility, facility operations, and the design, capabilities, and functions of protection systems. Include guidance for user's application of VA models to accurately account and characterize as-built detection, assessment, communications, and delay systems or features for the modeling of security response. Provide guidance on how user's application of VA models should consider and address the impacts or effects of inaccuracies and errors of facility characterization and significance of such inaccuracies and errors on the accurate modeling of the physical protection system effectiveness, along with significance to the analyzing pathways and simulating combat.
c. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize facility targets in all operating modes for analyzing pathways and simulating combat. Where identification of the facility targets are not integral to a VA model, establish guidance, criteria, standards, and considerations, for acceptable user determination of all targets for input to VA models for characterizing the facility, analyzing pathways, and determining physical security system effectiveness.

d. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize protection measures (structures, systems, and components) providing detection, assessment, communications, and delay functions. Establish guidance for users on the appropriate and reasonable application of available generic data on performance of security structures, systems and components to reflect as-built protection measures and the appropriate development and application of site-specific system reliability and performance data for use in VA models.
e. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize of security responses and capabilities of a response force in determining the effectiveness of the physical protection system (e.g., minimum staffing, weapon systems, protective equipment, deployment locations, fighting positions, training, qualification, task times, etc.). Establish guidance on application of VA models to address uncertainties due to human factors and human performance in combat situations, due to site-specific training on combat performance. Establish user's guidance on how to apply VA models and/or treat site-specific data from table top exercises, limited scope drills, limited scope exercises, and force-on-force exercises. Also establish guidance on the use and limitations of validation and verification drills and exercises and the use of generic security responder performance data.
f. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize a DBT with the characteristics and attributes described in 10 CFR 73.1, to include coordinated vehicle borne explosive attacks and the use of motorized vehicles. Establish guidance on the application of VA models to address active and active violent insiders in its evaluation of protection measures, analysis of pathways, and simulation of combat. Also, include guidance for users on the consideration of uncertainties of modeling results and how a user should account for the active and active violent insiders where a VA model does not.
g. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze pathways. Establish guidance should address critical variables, factors, and assumptions applied to characterize and determine pathways vulnerabilities (e.g., design and performance of security structures, systems, and components for detection, assessment, communication, delay and responses, the adversary tactics and task times, security response times, critical detection point, probabilities for detection, probabilities for interruption, etc.). Establish guidance on applying VA models to characterize adversary actions (avoid detection, fastest path, least firepower, etc.) and the sensitivity of such force, defeat, and stealth actions on the security elements of detection, delay and response. The guidance should include how to address varying probabilities of detection for perimeter intrusion detection and assessment equipment against typical adversary defeat methods, such as walking, running, jumping, bridging, tunneling, crawling, rolling, or climbing. Establish guidance on acceptable characterization of insiders (passive, active, and active violent) effects on pathway analysis and security response.


h. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze combat and determine effectiveness of security response for neutralization. The guidance should address the application of VA models for combat simulations necessary to represent all plant operating and environmental conditions, including loss of offsite power and its effects on security systems and response. Examples of such effects may include the loss of plant lighting and the inability of the response force to remotely operate barriers or delay features, or use card readers or other automated entry control systems to unlock doors. The guidance should address the determination of the probability of neutralization for each security protection layer for defense-in-depth that addresses uncertainties of combat simulations. Establish guidance for users applying VA models to analyze the effectiveness of the security response force to neutralize the adversary force with the characteristics and attributes described in 10 CFR 73.1. These guidance should include reasonable and acceptable application of VA models for determining possible engagement outcomes, and criteria, standards. Descriptions should include guidance on acceptable methods and modeling processes (i.e., deterministic and/or stochastic) for determining realistic approximations of possible combat outcomes.

i. Identify and establish minimum criteria, standards and considerations for acceptable application of VA models for determining the system effectiveness of a physical protection system. Guidance should include acceptable application techniques or methods such as critical detection point, cumulative probability of detection, probability of interruption, probability of causality, and probability of neutralization, use of adversary sequence diagrams, or other techniques or methods for determining system effectiveness. Include guidance for interpreting the specific system effective value or a range of values resulting from application VA models and what system effectiveness values represents quality and reliability of a physical protection system to protect against threats analyzed.

j. Identify and establish guidance on user's knowledge and areas of expertise needed for applying VA models to assess security vulnerabilities and design of a physical protection systems. Establish guidance should address assuring knowledge, skills and ability of users to ensure quality of input, understanding of VA methods or techniques and limitations (including validation and verification of modeling software) and training resources or the appropriate and acceptable application of VA models and the assurance of reasonable and realistic approximations and results.

The Sandia National Laboratories (SNL), also referred to hereon as contractor, will document results in NUREG (publically available) and if necessary any non-public information in a separate supplemental appendices. The required contractor support should provide access to experts with competencies, accrued knowledge, and highly specialized skills in the areas of, but not limited to: physical security, security system design, human factors and human performance, psychology and physiology of combat, combat training, security tactical operations, structural engineering, mechanical engineering, electrical engineering, cyber security, security systems engineering, systems maintenance, testing, and calibration, computer modeling, and statistics.

2. COORDINATION


This task involves coordination of activities with the NRC staff. The contractor may, to the degree practical in terms of willingness of parties to voluntarily cooperate, consult with subject matter experts from other national laboratories, department of defense, inter-agency working groups, subject matter experts, and vendors in gathering available information and developing the deliverables.

3. WORK REQUIREMENTS, SCHEDULE AND DELIVERABLES

Deliverables

The kick-off meeting will be scheduled by the NRC and held via teleconference or face-to-face meeting. The NRC will develop the kickoff meeting agenda, and contractor will develop and deliver the kickoff meeting summary. Contractor will prepare an initial outline, scope, and approach to performing the task stated above. The outline will be provided to the NRC staff and discussed during a teleconference. Contractor will prepare a summary of the interaction and agreements reached on the outline and approaches to performing the task within the resources available for this task. Contractor will prepare a draft technical report documenting the results from this task. The NRC will provide comments on the draft report. Contractor will address the NRC comments and provide a final report. The contractor shall provide the following deliverables associated with task order (TO) requirements per Table below:

Table columns: Tasks/Standards; Scheduled Completion*; Deliverables

Task 1
REQUIREMENT: Become familiar with NRC preparation and issuance of NUREG technical report and general information currently available information publically, and not publically, available standards, directives, handbooks, implementation guides, and instructions (including validation and verification reports) on VA models for assessing and quantifying the effectiveness of the design of a physical protection system.
STANDARD: Written confirmation that familiarization is complete. Familiarization is defined as sufficient knowledge of purpose and content guidance to facilitate administrative and processing of tasks and general working level knowledge of format and content for documenting information in a NUREG technical reports.
Scheduled Completion: Start: Start NLT 14 calendar days after authorization of work. End: Complete NLT 14 calendar days after receipt of provided information.
Deliverables: E-mail documenting that assigned personnel have reviewed references or under status reporting required under NRO umbrella contract.

Task 2
REQUIREMENT: Participate in kick-off meeting (in person or via conference call) with the NRC staff to discuss the scope of the work, expectations and contract management.
STANDARD: Participate by travel to NRC HQ or teleconference call, by Project Manager and one Principal Investigator assigned to this task.
Scheduled Completion: Start: Start NLT 14 calendar days after authorization of work. End: Complete NLT 14 calendar days after start date.
Deliverables: Participate in kick-off meeting with NRC staff.

Task 3
REQUIREMENT:
3.a. Prepare draft outline capturing the tasks indicated above and this table, using NRC guidance on preparing NUREG technical report.
3.b. Identify and review available information
STANDARD: Prepare and submit draft outline of technical report on application guidance on security vulnerability assessment models.
3.c. REQUIREMENT: Establish guidance to comprehensively address the appropriate application of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results.
STANDARD: Document and provide summary guidance addressing applications of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results
Scheduled Completion: Start: Start NLT at the end date of Task 1. End: Complete NLT 60 calendar days.
Deliverables: Provide draft outline of technical report and descriptions of how the contractor will proceed with tasks. Provide 35% draft report documenting Tasks 3.a and 3.b., and 3.c.

Task 4
REQUIREMENT: Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results, as specified in Task No. 1.b through No. 1.j.
STANDARD: Document results from above in NUREG technical report format.
Scheduled Completion: Start: Starts NLT the end date of Task 3. End: Complete Tasks NLT 90 calendar days.
Deliverables: Provide 80% draft report documenting Task 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

Task 5
REQUIREMENT:
5.a. Prepare final report in NUREG format that capture the for criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness to ensure accurate and realistic results.
5.b. Resolve comments and provide final 100% draft report to the NRC
STANDARD: Information documented shall be treated public, with the exception of appendices that may be required to document non-public information (i.e., classified). The draft document shall be marked Official Use Only - Internal Use Only
Scheduled Completion: Start: Starts NLT the end date of Task 4. End: Complete Task 5.a NLT 60 calendar days and Task 5.b NLT 120 calendar days.
Deliverables: Provide 100% draft report documenting the performance of tasks 3 and 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

The NRC Technical Monitor (TM) may issue technical instruction from time to time throughout the duration of this TO. Technical instructions must be within the general statement of work (SOW) delineated in the TO and shall not constitute new assignments of work or changes of such a nature as to justify an adjustment in cost or period of performance. Any modifications to the scope of work, cost or period of performance of this TO must be issued by the Contracting Officer (CO) and will be coordinated with the NRO Project Officer.

The contractor shall submit a cost estimate, staffing plan, and project plan with a schedule for deliverables within 10 days of receipt of this TO, unless otherwise directed by the NRC technical assistance project manager (TAPM). The NRC TM will review the plan based on the forecast of the NRC LPP Integrated Schedule. If the laboratory estimate and plans submission are consistent with the LPP forecast schedule, then the NRC TAPM will authorize commencement of the work effort. The NRC staff will negotiate estimate and plan adjustments with the laboratory if the estimate and plans are not consistent with the LPP forecasts. Examples of the staffing plan and project plan are provided in the basic task ordering agreement SOW (see Attachments 2 and 3).

The contractor shall provide the following information prior to initiation of a TO:

  • A staffing plan that specifically reflects services to be provided
  • The laboratory shall also provide a statement of professional qualifications for staff proposed to work under this TO.

4.0 TECHNICAL AND OTHER SPECIAL QUALIFICATIONS REQUIRED

The NRC staff is seeking individuals with expertise and competencies, accrued knowledge, and highly specialized skills in the areas of VA models and applications of models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results. All personnel performing work under this contract shall have pertinent technical experience by discipline and technical area. The individuals should have knowledge of the subject effects and design, installation, and maintenance and operations of a physical protection system. It is the responsibility of the contractor to propose technical staff, employees, subcontractors or specialists who have the required educational background, experience, or combination thereof, to meet both the technical and regulatory objectives of the work specified in the TO SOW. The number of personnel required will vary during the course of the contract.

The contractor shall provide a contractor project manager (PM) to oversee the effort and ensure the timely submittal of quality deliverables so that all information is accurate and complete as defined in the base contract.

5.0 REPORTING REQUIREMENTS

Task Order Progress Report

The contractor shall provide a bi-weekly progress report summarizing accomplishments, expenditures, contractor staff hours expended, percent completed for each task under this TO, and any problems encountered by the contractor. The report shall be sent via e-mail to the NRC TM, TO Contracting Officer's Representative (COR) and CO.

Technical reporting requirements

Unless otherwise specified above, the contractor shall provide all deliverables as draft products.

The NRC COR will review all draft deliverables (and coordinate any internal NRC staff review, if needed) and provide comments back to the contractor. The contractor shall revise the draft deliverable based on the comments provided by the COR, and then deliver the final version of the deliverable. When mutually agreed upon between the contractor and the COR, the contractor may submit preliminary or partial drafts to help gauge the contractor's understanding of the particular work requirement.

The contractor shall provide the following deliverables in hard copy and electronic formats. The electronic format shall be provided in MS Word or other word processing software approved by the TM. For each deliverable, the contractor shall provide one hard copy and electronic copy to both the PM and the TM. The schedule for deliverables shall be contained in the approved project plan for the TO effort.

6.0 MEETINGS AND TRAVEL

For planning purposes, it is estimated the contractor may be expected to make 2 trips, 2 days, 1 person per trip (include the principal investigator) to NRC HQ, Rockville, Maryland, for the performance of this task. Additional meetings between the contractor and the NRC staff at the Southwest Research Institute may also be required. Travel in excess of the total number of person-trips must be approved by the NRC TAPM; travel within the work scope limits will be approved by the NRC TM.

7.0 NRC FURNISHED MATERIAL

Any reports, documents, equipment, and other materials required by the contractor to perform the work will be stated in the NRC-furnished materials section of the TO. In general, the TPM will provide those NRC documents related to the TO that is readily available. Contractor staff will identify any additional NRC documentation that is needed and the TPM will determine whether it will be provided by NRC or obtained directly by the contractor from the ADAMS, the NRC Public Document Room, or the NRC public Web site. Any materials furnished by the NRC must be returned to the NRC upon completion of the TO, at the discretion of the NRC TPM.

NRC will provide the following information to the contractor as appropriate:

  • NRC guidance on preparing NUREG document

8.0 LEVEL OF EFFORT

The estimated level of effort in professional staff days apportioned among the subtasks and by labor category is as follows:

Columns: Task(s); Labor Category; Level of Effort FY 2018 (hours) [travel]; Level of Effort FY 2019 (hours) [travel]

Task 1-5 Project Manager 10 [+16] 30 [+16]
Task 1 Task 2 Task 3.a Principal Technical Investigator 16 4 [+16] 80
Task 3.b -- 80
Task 3.c -- 80
Task 4 -- 270
Task 5 -- 100 [+16]
Task 5 Technical Editor 0 60 [+0]
Total 100 [32] 620 [32]

9.0 PERIOD OF PERFORMANCE

The projected period of performance is 16 months from authorization of work.

From: Lee Pete
To: Rockhill Rupert; Rivera Alison
Cc: Cubellis Louis
Subject: RE: Task No. Security-2 - GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM
Date: Wednesday, August 01, 2018 9:52:01 AM
Attachments: image001.png

The VA models should account for the as-built and as-found conditions and predict realistic outcomes to the extent possible. All models have limitations and uncertainties and both are accounted in models and the user has to account for them in interpreting the results.

There are lots of uncertainties with modeling or simulation of combat. The human performance (physiological and psychological responses) in combat situations (extreme stress) is difficult to predict. So the training is a key factor and drives outcome for modeling the human performance in combat. I think the phrase is "perfect training makes perfect" and not just "training makes perfect." Certainly bad training does not make perfect.

Will correct the typo.

Thanks.

From: Rockhill, Rupert
Sent: Wednesday, August 01, 2018 8:51 AM
To: Lee, Pete <Pete.Lee@nrc.gov>; Rivera, Alison <Alison.Rivera@nrc.gov>
Cc: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: RE: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Pete this looks good. I am glad the realistic combat modelling wording is in there. On page #3 there is a typo: TASTK NO. SECURITY-2 TASK?

Rocky

From: Lee, Pete
Sent: Wednesday, August 01, 2018 8:29 AM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Cc: Cubellis, Louis <Louis.Cubellis@nrc.gov>; Rockhill, Rupert <Rupert.Rockhill@nrc.gov>
Subject: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Attached is the subject for the second task to go to DOE. Please review and make changes necessary for transmittal to NRO.

I got a scheduler to participate in the NRO weekly with DOE today, to give them an overview of what tasks are coming to them.

I will give DOE an overview of the tasks and the expected deliverables.

According to George, the money for this year has already been obligated, so there is not a problem with money ($10 million over this and next year!?).

We just have to give them these directions. George indicated that had not looked at the first one yet.

I will start on the third and will get them to you. The second one required a bit more thoughts on the specifics tasks and desired deliverables.

Thanks.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

Note to requester: The attachment is immediately following this email record.

From: w....fm
To: Rivera Alison
Cc: Cubellis Louis; Rockhill Rupert
Subject: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM
Date: Wednesday, August 01, 2018 8:29:30 AM
Attachments: NSIB-PPCP-B$6 - Jechnjcai Picectxion for security Task No secucilv Guide for Aoolvioa YA ModeJs - $NL - oz-30-201 Bdocx imaaeoo1 000

Attached is the subject for the second task to go to DOE. Please review and make changes necessary for transmittal to NRO.

I got a scheduler to participate in the NRO weekly with DOE today, to give them an overview of what tasks are coming to them.

I will give DOE an overview of the tasks and the expected deliverables.

According to George, the money for this year has already been obligated, so there is not a problem with money ($10 million over this and next year!?).

We just have to give them these directions. George indicated that had not looked at the first one yet.

I will start on the third and will get them to you. The second one required a bit more thoughts on the specifics tasks and desired deliverables.

Thanks.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

NRCHQ####D####-NRCHQ####T####

Non-Light water Reactor Policy and Technical Guidance Support Letter of Technical Direction ##

Date: [INSERT DATE OF FINAL LETTER]

From: George Tartal, 301-415-0016 and Lucieann Vechioli, 301-415-6035
Organization: NRC/NRO/DSRA/ARPB
To: [NAME OF LAB PM], [EMAIL OF LAB PM], [PHONE OF LAB PM]
Organization: SANDIA NATIONAL LABORATORIES (SNL)
Subject: Task 2: Risk-Informed, Performance-Based, Technology-Inclusive Regulatory Infrastructure Sub-Task (#SECURITY-2): GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Introduction

The NRC is developing a technology-inclusive, risk-informed, performance-based framework for licensing and regulating non-light water reactors (non-LWRs or advanced reactors). The current physical security requirements in Title 10 Code of Federal Regulation (10 CFR) Part 73 across different classes of licensees reflect a graded approach that applies the appropriate level of physical security commensurate for the potential of radiological consequences and/or theft and diversion consequences from the use and possession of special nuclear material. These requirements consider whether a DBT must be protected against for radiological sabotage (i.e., off-site consequences to public health and safety) and/or the theft and diversion of special nuclear material for other than intended purposes.

The physical security provides the assurance that facilities, such as currently operating LWRs or proposed non-LWRs, can be safely operated within their established design and licensing safety bases. The designers, applicants, and/or licensees determine how to design and establish the necessary physical security to protect their facilities. This provides potential advanced reactor designers and applicants to consider innovative or different methods or approaches that may be applied to meet needs for physical security.

Background

The Nuclear Regulatory Commission (NRC) regulates the construction and operation of new commercial nuclear power facilities. The Office of New Reactors (NRO) serves the public interest by enabling the safe, secure, and environmentally responsible use of nuclear power in meeting the Nation's future energy needs. The Office of Nuclear Security and Incident Response (NSIR), Division of Physical and Cyber Security Policy (DPCP), supports the NRO in leading and managing the security licensing activities associated with advanced reactor non-LWR licensing. The DPCP is responsible for developing and implementing regulations, policies, programs, and procedures pertaining to all aspects of security licensing.


This scope of work will support the NRC's "Non-light Water Reactor (non-LWR) Vision and Strategy Near-Term Implementation Action Plans" (ADAMS Accession No. ML16334A495).

The implementation action plans support the NRC's strategies to assure NRC technical and regulatory readiness related to non-LWR technologies. The strategies include the staff developing requirements and/or guidance for non-LWR designs, which include attributes identified in the NRC's Policy Statement on Advanced Reactor Designs. The attributes for physical security originating in NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," June 1988, for the Advanced Reactor Policy Statement include:

The Commission intends to make use of the existing and future regulations in reviewing advanced reactors. As such, the vulnerability of advanced reactors to sabotage is an important consideration and advanced reactors will be required to meet the same regulations regarding physical protection as LWRs. It is expected that, in some cases, advanced reactors, due to their inherent safety characteristics and simplified safety systems, may be less reliant upon physical security systems and procedures for protection against sabotage than current generation plants.

The policy statement revised in 2008 (73 FR 60612; October 14, 2008) for considerations of physical security in advanced designs (i.e., non-LWRs) indicate:

Designs that include considerations for safety and security requirements together in the design process such that security issues (e.g., newly identified threats of terrorist attacks) can be effectively resolved through facility design and engineered security features, and formulation of mitigation measures, with reduced reliance on human actions.

The NRC's strategies call for the requirements and/or guidance for non-LWR technologies to be developed in ways that are risk-informed and performance-based. A particular challenge is that most NRC guidance and other infrastructure has evolved with a focus on the currently operating LWR fleet. In the current, and foreseeable future, threat environment after the events of September 11, 2001, the protection against the design basis threat for radiological sabotage (i.e., minimizing the likelihood or risk of, or preventing, the potential of intentional radiological releases and consequences from such an event to protect public health and safety and the environment) continues to be a matter that must be addressed for non-LWRs where there is potential for unacceptable magnitude of radiological releases and consequences.

The development of this guidance is based on public and non-public information available on security vulnerability assessment models, consisting of methods or approaches that have been applied within the Department of Energy, the Department of Defense, and at some NRC licensed facilities. Although guidance are not requirements, the vulnerability assessment models, if used correctly and within their limitations, may be applied by designers, applicants, and/or licensees to assess the design of a physical protection system for meeting performance regulatory requirements and may be used in bases justifying alternatives and/or exemptions to prescriptive regulatory requirements.


TASTK NO. SECURITY-2 GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM SANDIA NATIONAL LABORATORIES (SNL)

1. Objectives

The objectives of this task are to establish technical guidance on acceptable application of quantitative computational vulnerability assessment (VA) models for assessing vulnerabilities and effectiveness of the design of physical protection system. Quantitative systematic evaluation techniques or methods that are captured in these computational models evaluate, analyze, and identify security vulnerabilities and determine the effectiveness of the design of a physical protection system that protect against specified threat (e.g., design basis threat (DBT) for radiological sabotage described in 10 CFR 73.1). The quantitative VA models, if used correctly and within their limitations, can evaluate a proposed or an existing design of physical protection system and can evaluate the effect of changes on the system effectiveness to protect against specified threats. This task includes the following:
a. Identify and review available information publically and non-publically available standards, directives, handbooks, implementation guides, and instructions, including validation and verification reports, on VA models for assessing and quantifying the effectiveness of the design of a physical protection. The guidance should address the appropriate applications of available VA models to characterize the facility, analyze pathways, simulate combat, and determine system effectiveness, and provide guidance to users of VA models to ensure accurate modeling for as realistic as possible results.
b. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models for characterizing the facility (physical site configurations and physical security structures, systems, and components). The guidance should address the minimum and necessary steps of a VA model to accurately capture the facility, facility operations, and the design, capabilities, and functions of protection systems. Include guidance for user's application of VA models to accurately account and characterize as-built detection, assessment, communications, and delay systems or features for the modeling of security response. Provide guidance on how user's application of VA models should consider and address the impacts or effects of inaccuracies and errors of facility characterization and significance of such inaccuracies and errors on the accurate modeling of the physical protection system effectiveness, along with significance to the analyzing pathways and simulating combat.
c. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize facility targets in all operating modes for analyzing pathways and simulating combat. Where identification of the facility targets are not integral to a VA model, establish guidance, criteria, standards, and considerations, for acceptable user determination of all targets for input to VA models for characterizing the facility, analyzing pathways, and determining physical security system effectiveness.

d. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize protection measures (structures, systems, and components) providing detection, assessment, communications, and delay functions. Establish guidance for users on the appropriate and reasonable application of available generic data on performance of security structures, systems and components to reflect as-built protection measures and the appropriate development and application of site-specific system reliability and performance data for use in VA models.
e. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize of security responses and capabilities of a response force in determining the effectiveness of the physical protection system (e.g., minimum staffing, weapon systems, protective equipment, deployment locations, fighting positions, training, qualification, task times, etc.). Establish guidance on application of VA models to address uncertainties due human factors and human performance in combat situations, due to site-specific training on combat performance. Establish user's guidance on how to apply VA models and/or treat site-specific data from table top exercises, limited scope drills, limited scope exercises, and force-on-force exercises. Also establish guidance on the use and limitations of validation and verification drills and exercises and the use of generic security responder performance data.
f. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize a DBT with the characteristics and attributes described in 10 CFR 73.1, to include coordinated vehicle borne explosive attacks and the use of motorized vehicles. Establish guidance on the application of VA models to address active and active violent insiders in its evaluation of protection measures, analysis of pathways, and simulation of combat. Also, include guidance for users on the consideration of uncertainties of modeling results and how a user should account for the active and active violent insiders where a VA model do not.
g. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze pathways. Establish guidance should address critical variables, factors, and assumptions applied to characterize and determine pathways vulnerabilities (e.g., design and performance of security structures, systems, and components for detection, assessment, communication, delay and responses, the adversary tactics and task times, security response times, critical detection point, probabilities for detection, probabilities for interruption, etc.). Establish guidance on applying VA models to characterize adversary actions (avoid detection, fastest path, lease firepower, etc.) and the sensitivity of such actions on the security elements of detection, delay and response. Establish guidance on acceptable characterization of insiders (passive, active, and active violent) effects on pathway analysis and security response.

h. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze combat and determine effectiveness of security response for neutralization. The guidance should address the application of VA models for combat simulations necessary to represent all plant operating and environmental conditions, including loss of plant lighting. The guidance should address the determination of the probability of neutralization for each security protection layer for defense-in-depth that addresses uncertainties of combat simulations. Establish guidance for users applying VA models to analyze the effectiveness of the security response force to neutralize the adversary force with the characteristics and attributes described in 10 CFR 73.1. These guidance should include reasonable and acceptable application of VA models for determining possible engagement outcomes, and criteria, standards. Descriptions should include guidance on acceptable methods and modeling processes (i.e., deterministic and/or stochastic) for determining realistic approximations of possible combat outcomes.

i. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models for determining the system effectiveness of a physical protection system. Guidance should include acceptable application techniques or methods such as critical detection point, cumulative probability of detection, probability of interruption, probability of causality, and probability of neutralization, use of adversary sequence diagrams, or other techniques or methods for determining system effectiveness. Include guidance for interpreting the specific system effective value or a range of values resulting from application VA models and what system effectiveness values represents quality and reliability of a physical protection system to protect against threats analyzed.
j. Identify and establish guidance on user's knowledge and areas of expertise needed for applying VA models to assess security vulnerabilities and design of a physical protection systems. Establish guidance should address assuring knowledge, skills and ability of users to ensure quality of input, understanding of VA methods or techniques and limitations (including validation and verification of modeling software) and training resources for the appropriate and acceptable application of VA models and the assurance of reasonable and realistic approximations and results.

The Sandia National Laboratories (SNL), also referred to hereon as contractor, will document results in NUREG (publically available) and if necessary any non-public information in a separate supplemental appendices. The required contractor support should provide access to experts with competencies, accrued knowledge, and highly specialized skills in the areas of, but not limited to: physical security, security system design, human factors and human performance, psychology and physiology of combat, combat training, security tactical operations, structural engineering, mechanical engineering, electrical engineering, cyber security, security systems engineering, systems maintenance, testing, and calibration, computer modeling, and statistics.

2. COORDINATION

This task involves coordination of activities with the NRC staff. The contractor may, to the degree practical in terms of willingness of parties to voluntarily cooperate, consult with subject matter experts from other national laboratories, department of defense, inter-agency working groups, subject matter experts, and vendors in gathering available information and developing the deliverables.


3. WORK REQUIREMENTS, SCHEDULE AND DELIVERABLES

Deliverables

The kick-off meeting will be scheduled by the NRC and held via teleconference or face-to-face meeting. The NRC will develop the kickoff meeting agenda, and contractor will develop and deliver the kickoff meeting summary. Contractor will prepare an initial outline, scope, and approach to performing the task stated above. The outline will be provided to the NRC staff and discussed during a teleconference. Contractor will prepare a summary of the interaction and agreements reached on the outline and approaches to performing the task within the resources available for this task. Contractor will prepare a draft technical report documenting the results from this task. The NRC will provide comments on the draft report. Contractor will address the NRC comments and provide a final report. The contractor shall provide the following deliverables associated with task order (TO) requirements per Table below:

Tasks/Standards | Scheduled Completion* | Deliverables

1. REQUIREMENT: Become familiar with NRC preparation and issuance of NUREG technical report and general information currently available information publically, and not publically, available standards, directives, handbooks, implementation guides, and instructions (including validation and verification reports) on VA models for assessing and quantifying the effectiveness of the design of a physical protection system.
STANDARD: Written confirmation that familiarization is complete. Familiarization is defined as sufficient knowledge of purpose and content guidance to facilitate administrative and processing of tasks and general working level knowledge of format and content for documenting information in a NUREG technical reports.
Scheduled Completion: Start: Start NLT 14 calendar days after authorization of work. End: Complete NLT 14 calendar days after receipt of provided information.
Deliverables: E-mail documenting that assigned personnel have reviewed references or under status reporting required under NRO umbrella contract.

2. REQUIREMENT: Participate in kick-off meeting (in person or via conference call) with the NRC staff to discuss the scope of the work, expectations and contract management.
STANDARD: Participate by travel to NRC HQ or teleconference call, by Project Manager and one Principal Investigator assigned to this task.
Scheduled Completion: Start: Start NLT 14 calendar days after authorization work. End: Complete NLT than 14 calendar days after start date.
Deliverables: Participate in kick-off meeting with NRC staff.

3. REQUIREMENT:
3.a. Prepare draft outline capturing the tasks indicated above and this table, using NRC guidance on preparing NUREG technical report.
3.b. Identify and review available information
STANDARD: Prepare and submit draft outline of technical report on application guidance on security vulnerability assessment models.
Scheduled Completion: Start: Start NLT at the end date of Task 1)
Deliverables: Provide draft outline of technical report and descriptions of how the contractor will proceed with tasks

3.c. REQUIREMENT: Establish guidance to comprehensively address the appropriate application of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results.
STANDARD: Document and provide summary guidance addressing applications of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results
Scheduled Completion: End: Complete NLT 60 calendar days)
Deliverables: Provide 35% draft report documenting Tasks 3.a and 3.b., and 3.c.

4. REQUIREMENT: Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results, as specified in Task No. 1.b through No. 1.j.
STANDARD: Document results from above in NUREG technical report format.
Scheduled Completion: Start: Starts NLT the end date of Task 3). End: Complete Tasks NLT 90 calendar days)
Deliverables: Provide 80% draft report documenting Task 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

5. REQUIREMENT:
5.a. Prepare final report in NUREG format that capture the for criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness to ensure accurate and realistic results.
5.b. Resolve comments and provide final 100% draft report to the NRC
STANDARD: Information documented shall be treated public, with the exception of appendices that may be required to document non-public information (i.e., classified). The draft document shall be marked Official Use Only - Internal Use Only
Scheduled Completion: Start: Starts NLT the end date of Task 4). End: Complete Task 5.a NLT 60 calendar days and Task 5.b NLT 120 calendar days).
Deliverables: Provide 100% draft report documenting the performance of tasks 3 and 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

The NRC Technical Monitor (TM) may issue technical instruction from time to time throughout the duration of this TO. Technical instructions must be within the general statement of work (SOW) delineated in the TO and shall not constitute new assignments of work or changes of such a nature as to justify an adjustment in cost or period of performance. Any modifications to the scope of work, cost or period of performance of this TO must be issued by the Contracting Officer (CO) and will be coordinated with the NRO Project Officer.

The contractor shall submit a cost estimate, staffing plan, and project plan with a schedule for deliverables within 10 days of receipt of this TO, unless otherwise directed by the NRC technical assistance project manager (TAPM). The NRC TM will review the plan based on the forecast of the NRC LPP Integrated Schedule. If the laboratory estimate and plans submission are consistent with the LPP forecast schedule, then the NRC TAPM will authorize commencement of the work effort. The NRC staff will negotiate estimate and plan adjustments with the laboratory if the estimate and plans are not consistent with the LPP forecasts. Examples of the staffing plan and project plan are provided in the basic task ordering agreement SOW (see Attachments 2 and 3).

The contractor shall provide the following information prior to initiation of a TO:

  • A staffing plan that specifically reflects services to be provided
  • The laboratory shall also provide a statement of professional qualifications for staff proposed to work under this TO.

4.0 TECHNICAL AND OTHER SPECIAL QUALIFICATIONS REQUIRED


The NRC staff is seeking individuals with expertise and competencies, accrued knowledge, and highly specialized skills in the areas of VA models and applications of models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results. All personnel performing work under this contract shall have pertinent technical experience by discipline and technical area. The individuals should have knowledge of the subject effects and design, installation, and maintenance and operations of a physical protection system. It is the responsibility of the contractor to propose technical staff, employees, subcontractors or specialists who have the required educational background, experience, or combination thereof, to meet both the technical and regulatory objectives of the work specified in the TO SOW. The number of personnel required will vary during the course of the contract.

The contractor shall provide a contractor project manager (PM) to oversee the effort and ensure the timely submittal of quality deliverables so that all information is accurate and complete as defined in the base contract.

5.0 REPORTING REQUIREMENTS

Task Order Progress Report

The contractor shall provide a bi-weekly progress report summarizing accomplishments, expenditures, contractor staff hours expended, percent completed for each task under this TO, and any problems encountered by the contractor. The report shall be sent via e-mail to the NRC TM, TO Contracting Officer's Representative (COR) and CO.

Technical reporting requirements

Unless otherwise specified above, the contractor shall provide all deliverables as draft products.

The NRC COR will review all draft deliverables (and coordinate any internal NRC staff review, if needed) and provide comments back to the contractor. The contractor shall revise the draft deliverable based on the comments provided by the COR, and then deliver the final version of the deliverable. When mutually agreed upon between the contractor and the COR, the contractor may submit preliminary or partial drafts to help gauge the contractor's understanding of the particular work requirement.

The contractor shall provide the following deliverables in hard copy and electronic formats. The electronic format shall be provided in MS Word or other word processing software approved by the TM. For each deliverable, the contractor shall provide one hard copy and electronic copy to both the PM and the TM. The schedule for deliverables shall be contained in the approved project plan for the TO effort.

6.0 MEETINGS AND TRAVEL

For planning purposes, it is estimated the contractor may be expected to make 2 trips, 2 days, 1 person per trip (include the principal investigator) to NRC HQ, Rockville, Maryland, for the performance of this task. Additional meetings between the contractor and the NRC staff at the Southwest Research Institute may also be required. Travel in excess of the total number of person-trips must be approved by the NRC TAPM; travel within the work scope limits will be approved by the NRC TM.


7.0 NRC FURNISHED MATERIAL

Any reports, documents, equipment, and other materials required by the contractor to perform the work will be stated in the NRC-furnished materials section of the TO. In general, the TPM will provide those NRC documents related to the TO that is readily available. Contractor staff will identify any additional NRC documentation that is needed and the TPM will determine whether it will be provided by NRC or obtained directly by the contractor from the ADAMS, the NRC Public Document Room, or the NRC public Web site. Any materials furnished by the NRC must be returned to the NRC upon completion of the TO, at the discretion of the NRC TPM.

NRC will provide the following information to the contractor as appropriate:

  • NRC guidance on preparing NUREG document

8.0 LEVEL OF EFFORT

The estimated level of effort in professional staff days apportioned among the subtasks and by labor category is as follows:

Task(s) | Labor Category | Level of Effort FY 2018 (hours) [travel] | Level of Effort FY 2019 (hours) [travel]
Task 1-5 | | 10 [+16] | 30 [+16]
Task 1 | Principal Technical Investigator | 16 |
Task 2 | Principal Technical Investigator | 4 [+16] |
Task 3.a | Principal Technical Investigator | 80 |
Task 3.b | Principal Technical Investigator | | 80
Task 3.c | Principal Technical Investigator | | 80
Task 4 | Principal Technical Investigator | | 270
Task 5 | Principal Technical Investigator | | 100 [+16]
Task 5 | Technical Editor | 0 | 60 [+0]
Total | | 100 [32] | 620 [32]

9.0 PERIOD OF PERFORMANCE

The projected period of performance is 16 months from authorization of work.

Note to requester: The attachment is immediately following this email record.

From: Cubellis Louis
To: J&e....Eili
Cc: Rivera Alison
Subject: RE: Task No. Security-2 GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM
Date: Thursday, August 02, 2018 12:36:39 PM
Attachments: NSIB*PPGP*B$6 - JechnjcaI Pirectjon tor securiJY Task No securiJY Guide for AoPIYiA YA Models - $NL <z-30-18 Draft witb L Cubellis" loout 8-2-l 8\ docx imaaePPl coo

Pete, Thanks for allowing me to comment on Task 2. I added some text on pages 4 and 5 for your consideration.

Respectfully, Lou

From: Lee, Pete
Sent: Wednesday, August 01, 2018 2:02 PM
To: Rivera, Alison <Alison.Rivera@nrc.gov>; Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: RE: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Alison, Lou will provide some additions to the write-up for the tasks. So, you should wait until he gets them to us and use that for your review and transmittal to NRO.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

From: Lee, Pete
Sent: Wednesday, August 01, 2018 8:29 AM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Cc: Cubellis, Louis <Louis.Cubellis@nrc.gov>; Rockhill, Rupert <Rupert.Rockhill@nrc.gov>
Subject: Task No. Security GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Attached is the subject for the second task to go to DOE. Please review and make changes necessary for transmittal to NRO.

I got a scheduler to participate in the NRO weekly with DOE today, to give them an overview of what tasks are coming to them.

I will give DOE an overview of the tasks and the expected deliverables.

According to George, the money for this year has already been obligated, so there is not a problem with money ($10 million over this and next year!?).

We just have to give them these directions. George indicated that he had not looked at the first one yet.

I will start on the third and will get them to you. The second one required a bit more thought on the specific tasks and desired deliverables.

Thanks.

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

NRCHQ####D####-NRCHQ####T####

Non-Light water Reactor Policy and Technical Guidance Support Letter of Technical Direction ##

Date: [INSERT DATE OF FINAL LETTER]

From: George Tartal, 301-415-0016 and Lucieann Vechioli, 301-415-6035
Organization: NRC/NRO/DSRA/ARPB
To: [NAME OF LAB PM], [EMAIL OF LAB PM], [PHONE OF LAB PM]
Organization: SANDIA NATIONAL LABORATORIES (SNL)
Subject: Task 2: Risk-Informed, Performance-Based, Technology-Inclusive Regulatory Infrastructure Sub-Task (#SECURITY-2): GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM

Introduction

The NRC is developing a technology-inclusive, risk-informed, performance-based framework for licensing and regulating non-light water reactors (non-LWRs or advanced reactors). The current physical security requirements in Title 10 of the Code of Federal Regulations (10 CFR) Part 73 across different classes of licensees reflect a graded approach that applies the appropriate level of physical security commensurate with the potential for radiological consequences and/or theft and diversion consequences from the use and possession of special nuclear material. These requirements consider whether a DBT must be protected against for radiological sabotage (i.e., off-site consequences to public health and safety) and/or the theft and diversion of special nuclear material for other than intended purposes.

The physical security provides the assurance that facilities, such as currently operating LWRs or proposed non-LWRs, can be safely operated within their established design and licensing safety bases. The designers, applicants, and/or licensees determine how to design and establish the necessary physical security to protect their facilities. This allows potential advanced reactor designers and applicants to consider innovative or different methods or approaches that may be applied to meet needs for physical security.

Background

The Nuclear Regulatory Commission (NRC) regulates the construction and operation of new commercial nuclear power facilities. The Office of New Reactors (NRO) serves the public interest by enabling the safe, secure, and environmentally responsible use of nuclear power in meeting the Nation's future energy needs. The Office of Nuclear Security and Incident Response (NSIR), Division of Physical and Cyber Security Policy (DPCP), supports the NRO in leading and managing the security licensing activities associated with advanced reactor non-LWR licensing. The DPCP is responsible for developing and implementing regulations, policies, programs, and procedures pertaining to all aspects of security licensing.


This scope of work will support the NRC's "Non-light Water Reactor (non-LWR) Vision and Strategy Near-Term Implementation Action Plans" (ADAMS Accession No. ML16334A495).

The implementation action plans support the NRC's strategies to assure NRC technical and regulatory readiness related to non-LWR technologies. The strategies include the staff developing requirements and/or guidance for non-LWR designs, which include attributes identified in the NRC's Policy Statement on Advanced Reactor Designs. The attributes for physical security originating in NUREG-1226, "Development and Utilization of the NRC Policy Statement on the Regulation of Advanced Nuclear Power Plants," June 1988, for the Advanced Reactor Policy Statement include:

The Commission intends to make use of the existing and future regulations in reviewing advanced reactors. As such, the vulnerability of advanced reactors to sabotage is an important consideration and advanced reactors will be required to meet the same regulations regarding physical protection as LWRs. It is expected that, in some cases, advanced reactors, due to their inherent safety characteristics and simplified safety systems, may be less reliant upon physical security systems and procedures for protection against sabotage than current generation plants.

The policy statement revised in 2008 (73 FR 60612; October 14, 2008) for considerations of physical security in advanced designs (i.e., non-LWRs) indicates:

Designs that include considerations for safety and security requirements together in the design process such that security issues (e.g., newly identified threats of terrorist attacks) can be effectively resolved through facility design and engineered security features, and formulation of mitigation measures, with reduced reliance on human actions.

The NRC's strategies call for the requirements and/or guidance for non-LWR technologies to be developed in ways that are risk-informed and performance-based. A particular challenge is that most NRC guidance and other infrastructure has evolved with a focus on the currently operating LWR fleet. In the current, and foreseeable future, threat environment after the events of September 11, 2001, the protection against the design basis threat for radiological sabotage (i.e., minimizing the likelihood or risk of, or preventing, the potential of intentional radiological releases and consequences from such an event to protect public health and safety and the environment) continues to be a matter that must be addressed for non-LWRs where there is potential for unacceptable magnitude of radiological releases and consequences.

The development of this guidance is based on public and non-public information available on security vulnerability assessment models, consisting of methods or approaches that have been applied within the Department of Energy, the Department of Defense, and at some NRC licensed facilities. Although guidance is not a requirement, the vulnerability assessment models, if used correctly and within their limitations, may be applied by designers, applicants, and/or licensees to assess the design of a physical protection system for meeting performance regulatory requirements and may be used in bases justifying alternatives and/or exemptions to prescriptive regulatory requirements.

TASK NO. SECURITY-2
GUIDANCE ON APPLICATIONS OF VULNERABILITY ASSESSMENT MODELS FOR ASSESSING THE EFFECTIVENESS OF A PHYSICAL PROTECTION SYSTEM
SANDIA NATIONAL LABORATORIES (SNL)

1. Objectives

The objective of this task is to establish technical guidance on acceptable application of quantitative computational vulnerability assessment (VA) models for assessing vulnerabilities and effectiveness of the design of a physical protection system. Quantitative systematic evaluation techniques or methods that are captured in these computational models evaluate, analyze, and identify security vulnerabilities and determine the effectiveness of the design of a physical protection system that protects against a specified threat (e.g., design basis threat (DBT) for radiological sabotage described in 10 CFR 73.1). The quantitative VA models, if used correctly and within their limitations, can evaluate a proposed or an existing design of a physical protection system and can evaluate the effect of changes on the system effectiveness to protect against specified threats. This task includes the following:
a. Identify and review available information in publicly and non-publicly available standards, directives, handbooks, implementation guides, and instructions, including validation and verification reports, on VA models for assessing and quantifying the effectiveness of the design of a physical protection system. The guidance should address the appropriate applications of available VA models to characterize the facility, analyze pathways, simulate combat, and determine system effectiveness, and provide guidance to users of VA models to ensure accurate modeling for results that are as realistic as possible.
b. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models for characterizing the facility (physical site configurations and physical security structures, systems, and components). The guidance should address the minimum and necessary steps of a VA model to accurately capture the facility, facility operations, and the design, capabilities, and functions of protection systems. Include guidance for user's application of VA models to accurately account for and characterize as-built detection, assessment, communications, and delay systems or features for the modeling of security response. Provide guidance on how user's application of VA models should consider and address the impacts or effects of inaccuracies and errors of facility characterization and significance of such inaccuracies and errors on the accurate modeling of the physical protection system effectiveness, along with significance to analyzing pathways and simulating combat.
c. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize facility targets in all operating modes for analyzing pathways and simulating combat. Where identification of the facility targets is not integral to a VA model, establish guidance, criteria, standards, and considerations for acceptable user determination of all targets for input to VA models for characterizing the facility, analyzing pathways, and determining physical security system effectiveness.

d. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize protection measures (structures, systems, and components) providing detection, assessment, communications, and delay functions. Establish guidance for users on the appropriate and reasonable application of available generic data on performance of security structures, systems and components to reflect as-built protection measures and the appropriate development and application of site-specific system reliability and performance data for use in VA models.
e. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize security responses and capabilities of a response force in determining the effectiveness of the physical protection system (e.g., minimum staffing, weapon systems, protective equipment, deployment locations, fighting positions, training, qualification, task times, etc.). Establish guidance on application of VA models to address uncertainties due to human factors and human performance in combat situations, due to site-specific training on combat performance. Establish user's guidance on how to apply VA models and/or treat site-specific data from tabletop exercises, limited scope drills, limited scope exercises, and force-on-force exercises. Also establish guidance on the use and limitations of validation and verification drills and exercises and the use of generic security responder performance data.
f. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize a DBT with the characteristics and attributes described in 10 CFR 73.1, to include coordinated vehicle borne explosive attacks and the use of motorized vehicles. Establish guidance on the application of VA models to address active and active violent insiders in its evaluation of protection measures, analysis of pathways, and simulation of combat. Also, include guidance for users on the consideration of uncertainties of modeling results and how a user should account for the active and active violent insiders where a VA model does not.
g. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze pathways. The guidance should address critical variables, factors, and assumptions applied to characterize and determine pathway vulnerabilities (e.g., design and performance of security structures, systems, and components for detection, assessment, communication, delay and responses, the adversary tactics and task times, security response times, critical detection point, probabilities for detection, probabilities for interruption, etc.). Establish guidance on applying VA models to characterize adversary actions (avoid detection, fastest path, least firepower, etc.) and the sensitivity of such force, defeat, and stealth actions on the security elements of detection, delay and response. The guidance should include how to address varying probabilities of detection for perimeter intrusion detection and assessment equipment against typical adversary defeat methods, such as walking, running, jumping, bridging, tunneling, crawling, rolling, or climbing. Establish guidance on acceptable characterization of insiders (passive, active, and active violent) effects on pathway analysis and security response.

h. Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize, determine, and analyze combat and determine effectiveness of security response for neutralization. The guidance should address the application of VA models for combat simulations necessary to represent all plant operating and environmental conditions, including loss of offsite power and its effects on security systems and response. Examples of such effects may include the loss of plant lighting and the inability of the response force to remotely operate barriers or delay features, or use card readers or other automated entry control systems to unlock doors. The guidance should address the determination of the probability of neutralization for each security protection layer for defense-in-depth that addresses uncertainties of combat simulations. Establish guidance for users applying VA models to analyze the effectiveness of the security response force to neutralize the adversary force with the characteristics and attributes described in 10 CFR 73.1. This guidance should include reasonable and acceptable application of VA models for determining possible engagement outcomes, and criteria, standards.

Descriptions should include guidance on acceptable methods and modeling processes (i.e., deterministic and/or stochastic) for determining realistic approximations of possible combat outcomes.

i. Identify and establish minimum criteria, standards and considerations for acceptable application of VA models for determining the system effectiveness of a physical protection system. Guidance should include acceptable application techniques or methods such as critical detection point, cumulative probability of detection, probability of interruption, probability of causality, and probability of neutralization, use of adversary sequence diagrams, or other techniques or methods for determining system effectiveness. Include guidance for interpreting the specific system effectiveness value or a range of values resulting from application of VA models and what system effectiveness values represent for the quality and reliability of a physical protection system to protect against threats analyzed.

j. Identify and establish guidance on user's knowledge and areas of expertise needed for applying VA models to assess security vulnerabilities and design of a physical protection system. The guidance should address assuring knowledge, skills and ability of users to ensure quality of input, understanding of VA methods or techniques and limitations (including validation and verification of modeling software) and training resources for the appropriate and acceptable application of VA models and the assurance of reasonable and realistic approximations and results.

The Sandia National Laboratories (SNL), also referred to hereon as contractor, will document results in a NUREG (publicly available) and, if necessary, any non-public information in separate supplemental appendices. The required contractor support should provide access to experts with competencies, accrued knowledge, and highly specialized skills in the areas of, but not limited to: physical security, security system design, human factors and human performance, psychology and physiology of combat, combat training, security tactical operations, structural engineering, mechanical engineering, electrical engineering, cyber security, security systems engineering, systems maintenance, testing, and calibration, computer modeling, and statistics.

2. COORDINATION

This task involves coordination of activities with the NRC staff. The contractor may, to the degree practical in terms of willingness of parties to voluntarily cooperate, consult with subject matter experts from other national laboratories, the Department of Defense, inter-agency working groups, and vendors in gathering available information and developing the deliverables.

3. WORK REQUIREMENTS, SCHEDULE AND DELIVERABLES

Deliverables

The kick-off meeting will be scheduled by the NRC and held via teleconference or face-to-face meeting. The NRC will develop the kickoff meeting agenda, and contractor will develop and deliver the kickoff meeting summary. Contractor will prepare an initial outline, scope, and approach to performing the task stated above. The outline will be provided to the NRC staff and discussed during a teleconference. Contractor will prepare a summary of the interaction and agreements reached on the outline and approaches to performing the task within the resources available for this task. Contractor will prepare a draft technical report documenting the results from this task. The NRC will provide comments on the draft report. Contractor will address the NRC comments and provide a final report. The contractor shall provide the following deliverables associated with task order (TO) requirements per Table below:

Table columns: Tasks/Standards; Scheduled Completion*; Deliverables

1. REQUIREMENT: Become familiar with NRC preparation and issuance of NUREG technical report and general information currently available in publicly, and not publicly, available standards, directives, handbooks, implementation guides, and instructions (including validation and verification reports) on VA models for assessing and quantifying the effectiveness of the design of a physical protection system.
STANDARD: Written confirmation that familiarization is complete. Familiarization is defined as sufficient knowledge of purpose and content guidance to facilitate administrative and processing of tasks and general working level knowledge of format and content for documenting information in a NUREG technical reports.
Scheduled Completion*: Start: Start NLT 14 calendar days after authorization of work. End: Complete NLT 14 calendar days after receipt of provided information.
Deliverables: E-mail documenting that assigned personnel have reviewed references or under status reporting required under NRO umbrella contract.

2. REQUIREMENT: Participate in kick-off meeting (in person or via conference call) with the NRC staff to discuss the scope of the work, expectations and contract management.
STANDARD: Participate by travel to NRC HQ or teleconference call, by Project Manager and one Principal Investigator assigned to this task.
Scheduled Completion*: Start: Start NLT 14 calendar days after authorization work. End: Complete NLT 14 calendar days after start date.
Deliverables: Participate in kick-off meeting with NRC staff.

3. REQUIREMENT:
3.a. Prepare draft outline capturing the tasks indicated above and this table, using NRC guidance on preparing NUREG technical report.
3.b. Identify and review available information
STANDARD: Prepare and submit draft outline of technical report on application guidance on security vulnerability assessment models.
Scheduled Completion*: Start: Start NLT at the end date of Task 1)
Deliverables: Provide draft outline of technical report and descriptions of how the contractor will proceed with tasks

3.c. REQUIREMENT: Establish guidance to comprehensively address the appropriate application of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results.
STANDARD: Document and provide summary guidance addressing applications of available VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results
Scheduled Completion*: End: Complete NLT 60 calendar days)
Deliverables: Provide 35% draft report documenting Tasks 3.a and 3.b., and 3.c.

4. REQUIREMENT: Identify and establish minimum criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what VA model users of VA models should be considered to ensure accurate and realistic results, as specified in Task No. 1.b through No. 1.j.
STANDARD: Document results from above in NUREG technical report format.
Scheduled Completion*: Start: Starts NLT the end date of Task 3). End: Complete Tasks NLT 90 calendar days
Deliverables: Provide 80% draft report documenting Task 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

5. REQUIREMENT:
5.a. Prepare final report in NUREG format that capture the for criteria, standards, and considerations for acceptable application of VA models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness to ensure accurate and realistic results.
5.b. Resolve comments and provide final 100% draft report to the NRC
STANDARD: Information documented shall be treated public, with the exception of appendices that may be required to document non-public information (i.e., classified). The draft document shall be marked Official Use Only - Internal Use Only
Scheduled Completion*: Start: Starts NLT the end date of Task 4). End: Complete Task 5.a NLT 60 calendar days and Task 5.b NLT 120 calendar days).
Deliverables: Provide 100% draft report documenting the performance of tasks 3 and 4. Bi-Weekly project status telephone call at a mutually agreed upon time and need.

The NRC Technical Monitor (TM) may issue technical instruction from time to time throughout the duration of this TO. Technical instructions must be within the general statement of work (SOW) delineated in the TO and shall not constitute new assignments of work or changes of such a nature as to justify an adjustment in cost or period of performance. Any modifications to the scope of work, cost or period of performance of this TO must be issued by the Contracting Officer (CO) and will be coordinated with the NRO Project Officer.

The contractor shall submit a cost estimate, staffing plan, and project plan with a schedule for deliverables within 10 days of receipt of this TO, unless otherwise directed by the NRC technical assistance project manager (TAPM). The NRC TM will review the plan based on the forecast of the NRC LPP Integrated Schedule. If the laboratory estimate and plans submission are consistent with the LPP forecast schedule, then the NRC TAPM will authorize commencement of the work effort. The NRC staff will negotiate estimate and plan adjustments with the laboratory if the estimate and plans are not consistent with the LPP forecasts. Examples of the staffing plan and project plan are provided in the basic task ordering agreement SOW (see Attachments 2 and 3).

The contractor shall provide the following information prior to initiation of a TO:

  • A staffing plan that specifically reflects services to be provided
  • The laboratory shall also provide a statement of professional qualifications for staff proposed to work under this TO.

4.0 TECHNICAL AND OTHER SPECIAL QUALIFICATIONS REQUIRED

The NRC staff is seeking individuals with expertise and competencies, accrued knowledge, and highly specialized skills in the areas of VA models and applications of models to characterize the facility, analyze pathways, simulate combat, evaluate and determine system effectiveness, and evaluate security upgrades and changes and what users of VA models should consider to ensure accurate and realistic results. All personnel performing work under this contract shall have pertinent technical experience by discipline and technical area. The individuals should have knowledge of the subject effects and design, installation, and maintenance and operations of a physical protection system. It is the responsibility of the contractor to propose technical staff, employees, subcontractors or specialists who have the required educational background, experience, or combination thereof, to meet both the technical and regulatory objectives of the work specified in the TO SOW. The number of personnel required will vary during the course of the contract.

The contractor shall provide a contractor project manager (PM) to oversee the effort and ensure the timely submittal of quality deliverables so that all information is accurate and complete as defined in the base contract.

5.0 REPORTING REQUIREMENTS

Task Order Progress Report

The contractor shall provide a bi-weekly progress report summarizing accomplishments, expenditures, contractor staff hours expended, percent completed for each task under this TO, and any problems encountered by the contractor. The report shall be sent via e-mail to the NRC TM, TO Contracting Officer's Representative (COR) and CO.

Technical reporting requirements

Unless otherwise specified above, the contractor shall provide all deliverables as draft products. The NRC COR will review all draft deliverables (and coordinate any internal NRC staff review, if needed) and provide comments back to the contractor. The contractor shall revise the draft deliverable based on the comments provided by the COR, and then deliver the final version of the deliverable. When mutually agreed upon between the contractor and the COR, the contractor may submit preliminary or partial drafts to help gauge the contractor's understanding of the particular work requirement.

The contractor shall provide the following deliverables in hard copy and electronic formats. The electronic format shall be provided in MS Word or other word processing software approved by the TM. For each deliverable, the contractor shall provide one hard copy and electronic copy to both the PM and the TM. The schedule for deliverables shall be contained in the approved project plan for the TO effort.

6.0 MEETINGS AND TRAVEL

For planning purposes, it is estimated the contractor may be expected to make 2 trips, 2 days, 1 person per trip (include the principal investigator) to NRC HQ, Rockville, Maryland, for the performance of this task. Additional meetings between the contractor and the NRC staff at the Southwest Research Institute may also be required. Travel in excess of the total number of person-trips must be approved by the NRC TAPM; travel within the work scope limits will be approved by the NRC TM.

7.0 NRC FURNISHED MATERIAL

Any reports, documents, equipment, and other materials required by the contractor to perform the work will be stated in the NRC-furnished materials section of the TO. In general, the TPM will provide those NRC documents related to the TO that are readily available. Contractor staff will identify any additional NRC documentation that is needed and the TPM will determine whether it will be provided by NRC or obtained directly by the contractor from the ADAMS, the NRC Public Document Room, or the NRC public Web site. Any materials furnished by the NRC must be returned to the NRC upon completion of the TO, at the discretion of the NRC TPM.

NRC will provide the following information to the contractor as appropriate:

  • NRC guidance on preparing NUREG document

8.0 LEVEL OF EFFORT

The estimated level of effort in professional staff days apportioned among the subtasks and by labor category is as follows:

Columns: Task(s); Labor Category; Level of Effort FY 2018 (hours) [travel]; Level of Effort FY 2019 (hours) [travel]

Task 1-5 Project Manager 10 [+16] 30 [+16]

Principal Technical Investigator
Task 1 16
Task 2 4 [+16]
Task 3.a 80
Task 3.b -- 80
Task 3.c -- 80
Task 4 -- 270
Task 5 -- 100 [+16]

Task 5 Technical Editor 0 60 [+0]

Total 100 [32] 620 [32]

9.0 PERIOD OF PERFORMANCE

The projected period of performance is 16 months from authorization of work.

From: Rivera Alison
To: Cubellis Louis
Subject: RE: Please Review: VA modeling information
Date: Monday, August 13, 2018 2:47:29 PM

Hi Lou, (b)(6) On the transmittal document, I think we will be told to remove the specific limitations. Probably the next to last paragraph will get moved up to replace the first, 2nd will stay, first part of third, then contact. Just my guess. Having a lot of problems connecting today but will try to mark up the document in track changes after my 3 pm call.

-Alison

From: Cubellis, Louis
Sent: Monday, August 13, 2018 1:43 PM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Subject: FYI: Please Review: VA modeling information

Good afternoon, Alison,

I haven't been able to reach Joe via telephone, so I thought you may want to see what I put together for an e-mail or memo to accompany the dissemination of the DoE report. I'd be interested in any feedback you have.

Respectfully,
Lou

From: Cubellis, Louis
Sent: Monday, August 13, 2018 1:39 PM
To: Bustamante, Charles <Charles.Bustamante@nrc.gov>
Subject: Please Review: VA modeling information

Good afternoon, Joe,

Would you mind looking at the attachment and telling me what you think? The plan is to disseminate the attachment with the AVERT V&V report from DoE. Additional details are below.

V/R
Lou

From: Rivera, Alison
Sent: Friday, August 10, 2018 12:01 PM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: RE: VA modeling information

Hi Lou, yes, David said he hadn't bothered us before today because he knew we were working the other materials for the DEDR briefs - still haven't read the LLEA ones yet but they are next on my list.

Have a great weekend,
Alison

From: Cubellis, Louis
Sent: Friday, August 10, 2018 11:53 AM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Subject: RE: VA modeling information

Good morning, Alison,

I put this on the back burner so I could produce the DEDR briefing materials. I can put something together, but it will likely not be ready for dissemination by Tuesday. Pete Lee and I have discussed approaches several times, and whatever I create will have to express our concerns without inferring DBT info (my and Pete's concern) or giving the impression NRC was prohibiting the use of AVERT (John L's concern). Maybe I'll just write 1-2 paragraphs indicating we've seen the same shortcomings in version 8.2, and licensees need to be mindful that their analyses need to account for all elements of the DBT.

V/R
Lou

From: Rivera, Alison
Sent: Friday, August 10, 2018 11:36 AM
To: Cubellis, Louis <Louis.Cubellis@nrc.gov>
Subject: VA modeling information

Hi Lou,

FYI - David just asked me about what we were doing for transmitting the DoE report and his thought that we could send via AMRDEC safe. I said we probably can but mentioned you were working on the cover piece - whatever form that takes, advisory, memo, etc - because we were concerned without context the information may be misconstrued. Joe Rivers also came by and they agreed to that; David also indicated they were going to talk to John about it at the DPCP (Jim and David) SP next Tuesday so we may get more direction after that but if we could have a draft of something by then, it may be helpful for their conversation with John.

Thanks,
Alison

Alison L. Rivera
Chief, NSIR/DPCP/RSB
301-287-3750
Office: 3WFN - 08B12
Alison.Rivera@nrc.gov

From: Cubellis Louis
To: Rivera Alison
Cc: Bustamante Charles; Rockhill Rupert; ~; Diec David
Subject: ADAMS Numbers for the DoE AVERT Report and Letter to DTRA
Date: Wednesday, August 22, 2018 5:18:33 AM

Good morning, Alison,

The 2018 DoE report and the letter to DTRA regarding the verification, validation, and accreditation of AVERT 5 are in ADAMS. Here are the ML #s:

  • Letter: ML18233A574

I added these two documents and the DoD counterparts to the Computer Modeling Section of our New Technologies page in SharePoint:

http://fusion.nrc.gov/NSIR/TEAM/DSP/RSB/NEWTECH/default.aspx.

Respectfully,
Lou

Louis J. Cubellis, Jr
Senior Security Specialist
U.S. Nuclear Regulatory Commission
Office of Nuclear Security and Incident Response
Phone: (301) 287-3670
E-mail: Louis.Cubellis@nrc.gov

From: Rivera Alison
To: Cubellis Louis
Subject: FW: VA Tool Report
Date: Wednesday, August 22, 2018 3:23:43 PM

I didn't get a copy of his email. I uploaded the document to AMRDEC and sent it to Jonathan Laplante, Entergy; Mark Fencl, FPL (NextEra); and Bill Gross, NEI. They have until 9/1 to download and I did ask for notification back.

From: Andersen, James
Sent: Wednesday, August 22, 2018 3:09 PM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Subject: RE: VA Tool Report

Alison, all three e-mails have been sent.

Thanks,
Jim A.

From: Rivera, Alison
Sent: Wednesday, August 22, 2018 12:18 PM
To: Andersen, James <James.Andersen@nrc.gov>
Subject: RE: VA Tool Report

Entergy - Laplante, Jonathan JLaplan@entergy.com
NextEra - Fencl, Mark Mark Fencl@fpl com

We were also wondering if we should provide the information to the Regions.

I have a branch meeting at 1, but am free after that until 4. It doesn't take long to send through the SAFE system - maybe send yours at 2:30 and let me know when to push send on the AMRDEC system?

Thanks,
Alison

From: Andersen, James
Sent: Wednesday, August 22, 2018 10:43 AM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Subject: VA Tool Report

Alison, can you get me the POC e-mails for NextEra and Entergy. Also let me know when a good time to send the e-mails will be. I would like to send my e-mails out first, then shortly after the e-mails would be sent from the AMRDEC SAFE system.

Thanks,

Jim A.

From: w....fm
To: Cubellis Louis; Rockhill Rupert; Bustamante Charles
Subject: Re: FYI: DoE Report on AVERT Sent to NEI, NextEra Energy, Entergy, and NRC Regions
Date: Friday, August 24, 2018 9:03:33 AM

Lou

I think this is progress. After the review of Monticello with the Region on the changes, we will have specifics application the AVERT and should have the evidence of problems.

I believe this is the beginning of trouble for those licensees that did not apply the due diligence (whether intentional or unintentional) needed in applying the AVERT model - not questioning the inputs or the assumptions inside the blackbox - and using the results as gospel for changes.

This is a good thing and more to come.

Pete

From: Cubellis, Louis
Sent: Friday, August 24, 2018 7:28 AM
To: Lee, Pete; Rockhill, Rupert; Bustamante, Charles
Subject: FYI: DoE Report on AVERT Sent to NEI, NextEra Energy, Entergy, and NRC Regions

Good morning,

For your awareness regarding the recent dissemination of the DoE report on AVERT 5...

The e-mail Jim sent to NEI, NextEra Energy, and Entergy is at the bottom of the 2nd e-mail (FW: RE: Vulnerability Assessment Tool Report).

V/R
Lou

Louis J. Cubellis, Jr
Senior Security Specialist
U.S. Nuclear Regulatory Commission
Office of Nuclear Security and Incident Response
Phone: (301) 287-3670
E-mail: Louis.Cubellis@nrc.gov

Note to requester: The attachment is immediately following this email record.

From: Buckley Michael
To: Cubellis Louis
Subject: Simajin.docx
Date: Wednesday, September 27, 2017 1:29:31 PM
Attachments: Simaj~

Greetings Lou,

I'm providing what I put together to refresh my memory later and it's what I used to brief Doug on the Simajin training in Albuquerque. He liked it enough to insist we put it in our Vulnerability Assessment folder in SharePoint. OK.

Avert was definitively not as formal.

Doug and I are supposed to brief Drew on what the training (Simajin and Avert) in the near future. I'll KYIL on that.

KYIL (keep you in loop)

God Bless America, Michael Buckley, Jr.

Michael Buckley, Jr.

Senior Security Risk Analyst
U.S. Nuclear Regulatory Commission
Division Security Operations, NSIR
Security Training and Support Branch
W: (301) 287-3604
Tyrannus Caveo

Simajin/Vanguard Physical Security Analyst Training

This provides a summary and evaluation of the training and Simajin/Vanguard process with recommendations for potential NRC use.

Summary:

The RhinoCorp training attended August 21 - 25, 2017 teaches and explains the use of the Simajin/Vanguard physical security analysis framework components and how to run and analyze physical security simulations. This included the modeling of facilities, development of scenarios, and a methodology used to analyze simulations using the tools provided within Simajin/Vanguard.

The simulations are an approximation of the real world, how assumptions are used for the world and how interactions between entities are represented in mathematical and algorithmic terms. Simajin/Vanguard endeavors to credibly balance fidelity and efficiency to provide a practical representation of combat in urban and industrial sites.

The Simajin application suite includes a collection of tools to provide the simulation engine and supporting programs necessary to configure, run, view, interact, and analyze simulations. These include programs that provide the basic physics of working, sensing, affecting, jamming, and communication, and provide a base cognitive model (Simulate + Imagine), simulation management tools that configure and simulation input, run simulations, and gather outcomes for analysis (Simulate + Manage), a three-dimensional visualization tool with playback functionality (Jasmin), and tools that transform drawings into Simajin instructions (Conversion Utilities).

Computer-Aided Design (CAD) is the system used for input to the program for the modeling of the site and opposing force characteristics. A working knowledge of CAD is essential to effectively use this program. Future NRC staff should consider this a prerequisite for attending the training course.

After modeling the site and the response force, attack plans can be programmed into the system. The attack plan is validated with a run against no response forces to ensure that success is possible. Based on a library of human behavior and interaction with the site model, assigned equipment, tools, and weapons shared runs are made to determine the probability of success with the one exact attack plan. The information in the libraries and loadouts for the attack plans would need to be controlled appropriately depending on the classification of the information. Each attack plan is determined and loaded separately and is based on precise location of events in the model.

Evaluation:

Some of the salient caveats for this process include the importance of high fidelity of the site for significant structures, equipment, and components, and likewise for modeling the response force characteristics and locations. Keep in mind that the attack plans are precisely modeled and success or failure probability is only for that particular attack plan. To be meaningful, several attack plans from different directions, with varying pathways and loadouts would need to be run to effectively determine the overall effectiveness of the site response strategy keeping in mind that validation with real world exercises would still be very necessary. Extensive review and analysis and comparison to actual on-site executed exercises would be required to evaluate the use of this process as part of the basis to determine if those changes reduced effectiveness as part of review of a physical security plan or strategy changes.

Recommendation:

Considering that several CAD based models are already developed for NRC power reactors, the use of this program would be very effective as an aid in development of challenging scenarios for force-on-force performance evaluations. It's recommended that this program and process be considered as described above for a pilot for the development of NRC force-on-force exercise scenarios.

From: Riley Jeffrey
To: Cubellis Louis
Subject: RE: Notes From the AVERT Course (Attachment is OUO)
Date: Thursday, October 19, 2017 2:30:00 PM

Lou,

After reading through your notes (particularly what the program can't do), and as we discussed, it is difficult for me to imagine why the NRC would accept any AVERT simulations for licensing decisions or to inform an inspection at all. Like you, safe to say I am "underwhelmed" at the program's capabilities. As more licensees move toward vulnerability assessment modeling tools such as AVERT and SIMAJIN, it is critical that the staff understand what these programs can and cannot do.

Thank you for sharing.

Best Regards,
Jeff

From: Cubellis, Louis
Sent: Thursday, October 19, 2017 9:00 AM
To: Riley, Jeffrey <Jeffrey.Riley@nrc.gov>
Subject: FYI: Notes From the AVERT Course (Attachment is OUO)

Notes from the training Mike Buckley and I took last month ...

Note to requester: The attachment is immediately following this email record.

From: Rivers Joseph
To: Huyck Doug; Diec David; ~
Cc: Held Wesley; Cubellis Louis; Prescott Peter
Subject: RE: QUESTION: DSP Input for NSIR-15-0481
Date: Wednesday, November 04, 2015 7:47:45 AM
Attachments: Pratt User Need on RI Security Nov 3 2015 docx

See attached

From: Huyck, Doug
Sent: Wednesday, November 04, 2015 7:45 AM
To: Rivers, Joseph <Joseph.Rivers@nrc.gov>; Diec, David <David.Diec@nrc.gov>; Lee, Pete <Pete.Lee@nrc.gov>
Cc: Held, Wesley <Wesley.Held@nrc.gov>; Cubellis, Louis <Louis.Cubellis@nrc.gov>; Prescott, Peter <Peter.Prescott@nrc.gov>
Subject: RE: QUESTION: DSP Input for NSIR-15-0481

Thanks Joe. Can I get a copy of the draft user need? I would like to review the latest version.

Doug

From: Rivers, Joseph
Sent: Wednesday, November 04, 2015 7:20 AM
To: Huyck, Doug; Diec, David; Lee, Pete
Cc: Held, Wesley; Cubellis, Louis; Prescott, Peter
Subject: RE: QUESTION: DSP Input for NSIR-15-0481

Doug,

As far as VA Tools, we have a draft user need focused on VA Tools that we will be discussing with RES later this month. In general, our needs are more near-term and we should probably use the user need approach rather than the long-term approach.

Joe

From: Huyck, Doug
Sent: Tuesday, November 03, 2015 4:28 PM
To: Diec, David <David.Diec@nrc.gov>; Lee, Pete <Pete.Lee@nrc.gov>
Cc: Rivers, Joseph <Joseph.Rivers@nrc.gov>; Held, Wesley <Wesley.Held@nrc.gov>; Cubellis, Louis <Louis.Cubellis@nrc.gov>; Prescott, Peter <Peter.Prescott@nrc.gov>
Subject: Fw: QUESTION: DSP Input for NSIR-15-0481

Anything on the NRO front to include SMRs? Also, how about VA Tools?

David, please take the lead.

Doug
Sent from NRC blackberry

From: Held, Wesley
Sent: Tuesday, November 03, 2015 04:20 PM
To: Gott, William; Huyck, Doug; Mossman, Timothy; Wastler, Sandra
Subject: FW: QUESTION: DSP Input for NSIR-15-0481

BCs,

We received a request to provide suggestions for the FY18 long term research plan. If you do have input, there is a template attached to tell you what type of information you need to provide.

NSIR's due date is Nov. 6. Please provide responses by COB Nov. 5 so I can get it back to DPR and they can package up our responses, if we have any.

Thanks,
Wes

From: Lewis, Doris
Sent: Tuesday, November 03, 2015 3:40 PM
To: Held, Wesley
Subject: QUESTION: DSP Input for NSIR-15-0481

Hi Wes,

NSIR's response to RES is due on Nov. 6th for suggestions for their FY18 long term research plan.

Please let me know if DSP will have any input. I have attached the documents associated with this ticket.

Thanks, Doris

MEMORANDUM TO: Michael Weber, Director
Office of Nuclear Regulatory Research

FROM: Brian Holian, Director
Office of Nuclear Security and Incident Response

SUBJECT: USER NEED REQUEST - MORE EXPLICIT AND SYSTEMATIC USE OF RISK INFORMATION AND RISK ANALYSIS APPROACH IN THE SECURITY REGULATORY PROGRAM

The purpose of this memorandum is to request assistance of the Office of Nuclear Regulatory Research (RES) on (1) examining how risk information and risk analysis approach and tools could be more explicitly and systematically used in the security regulatory program, and (2) identifying opportunities to more consistently use the risk analysis methods, tools and concepts between the safety and security regulatory programs to support integrated decisionmaking at the U.S. Nuclear Regulatory Commission (NRC).

Background

The current security regulatory requirements were promulgated largely based on assuring licensees' protective programs could effectively deny potential adversaries in achieving the intended consequences. The required levels of protection are generally commensurate with the potential consequences caused by successful sabotage or theft/diversion of the materials at a facility, a job site or while in transit. These consequences are postulated for a set of security scenarios derived from threat assessments of available and applicable intelligence information, specifics of the physical layout and protective postures implemented by the licensees.

The NRC has typically analyzed safety and security scenarios separately due to the different initiating conditions. For many analyzed nuclear power plant (NPP) scenarios, the structures, systems and components (SSCs) needed to protect against any core damage, mitigate the subsequent accident progression if core damage occurs and minimize any resulting consequences are quite similar for comparable scenarios regardless of the initiators. While the agency and NPP licensees have used computer tools to perform probabilistic risk analyses (PRA) in the safety programs, such tools have not been routinely applied in the security program. Currently, a number of NPP licensees are using modeling and simulation computer tools to perform more integrated assessments of their protective postures with more NPP licensees showing similar interest to pursue such an approach. These licensees plan to use the insights gained from the modeling and simulation approach as part of the overall demonstration of an effective site protective strategy and to justify planned adjustments to their site protective strategy. In response to this industry initiative, the staff needs to promptly acquire the knowledge of the associated tools, modeling approaches, assumptions, datasets and quantification processes to enable the agency to perform the necessary reviews in an efficient and effective manner.

While a PRA and a security vulnerability assessment (VA) share the same analytical approach, i.e., risk triplet, estimating quantitatively the likelihood of security-related initiating events presents a challenge at this time. Adversary capabilities, intentions, motivations and target of opportunities are not static. They are dynamic with a varying degree of detail and have a very high level of uncertainty. Furthermore, a knowledgeable adversary would selectively target those SSCs most pertinent to maintain safe operations of a NPP. Consequently, these SSCs might not become unavailable or fail in an independent manner, as many of the existing PRA performed for safety-related initiators would assume. Additionally, depending on the timeline and the engagement process, the status of a particular SSC might not be stagnant if there continues to be adversaries capable of causing further damages to the SSCs and/or plant personnel is capable of performing recovery functions.

Many of these issues have surfaced in the focused workshops, professional conferences and other technical forums held previously. The Office of Nuclear Security and Incident Response (NSIR) is seeking RES support to address these analytical issues to enable the development of a more complete security risk assessment by using advanced risk analysis methods and modeling approaches. Given that the plant evolution would be determined by the status of the SSCs and not the distinction of the accident initiators, the guidance on the use of the computer tools and the related risk-informed decisionmaking approach will move the security regulatory program forward and facilitate an improved safety/security program interface. Ultimately, a more realistic and quantitative security risk analysis parallel to a PRA would provide insights on balancing safety and security regulatory considerations and facilitating a more consistent and transparent decisionmaking framework.

Area of Needed Assistance

We anticipate that this effort be separated into the following activities:

(1) On an ongoing and as needed basis, NSIR will assist in increasing RES staffs' awareness and understanding of security approaches at NRC-regulated facilities through the conduct of site visits, visibility of the threat assessment process, interactions with other Federal agencies, familiarization with commercially available VA tools and observation of Force on Force activities, as well as participation in security related training.

(2) Identify existing consistent and inconsistent terminology used between PRA and VA and suggest improvements to the inconsistent usage with the objective to facilitate a more transparent communication of security risk analysis results and to promote safety/security interface.

(3) Based on the understanding of the threat assessment process and available operating experience, explore and propose possible approaches to more explicitly estimate the likelihood of security-related initiating events to support regulatory decisionmaking.

(4) Based on the understanding of site protective strategies, identify analytical elements, assumptions and any other considerations that would constitute a realistic security risk assessment.

(5) Discuss and identify the types of analysis, e.g., uncertainty analysis, sensitivity analysis and importance analysis, that would provide specific insights to support risk-informed decisionmaking.

(6) Evaluate the adequacy of human performance modeling in the commercially available VA tools and discuss the important modeling attributes that impact performance. To the extent feasible, draw generic insights on human performance modeling approaches to support a sound security risk analysis.

(7) Evaluate the adequacy of existing PRA to account for dynamic plant conditions for the intended application in security risk analysis. If improvements are needed, suggest possible approaches.

(8) Formulate appropriate risk-informed criteria that parallel the equivalent criteria applied in the safety regulatory program to aid decisionmaking, for example, determining the necessary effectiveness of the protective strategy.

(9) Evaluate the adequacy of the commercially available VA tools for regulatory applications. To the extent feasible, propose validation and verification criteria to support a sound security risk analysis.

(10) Collaborate with NSIR staff to identify the necessary documentation to support the intended regulatory use.

(11) Continue to keep awareness of advancement in the modeling approaches and data sources for both physical and cyber security analysis for any potential regulatory applications.

Products could be in the forms of trip reports, meeting summaries, training sessions, workshops, desk guides, whitepapers, technical reports, interim staff guidance or Regulatory Guides. Where feasible and applicable, analytical results, guidance and approaches developed for the safety regulatory program should be used or with minimal modifications to support this User Need. Our staffs will work together to determine the most suitable product type to support the regulatory needs on a timely basis subject to the available resources.

We have worked with your staff in Division of Risk Analysis to discuss this user need. NSIR is looking forward to the improvements in a more systematic use of risk information in the security regulatory program and to continue to promote safety and security integration.

Contact:

Joe Rivers, NSIR/DSP (301) 287-xxxx

Note to requester: The presentation on the next page was included with this email record as provided to the NRC FOIA staff.

From: w....fm
To: Cubellis Louis; Bustamante Charles
Subject: FW: ACRS Member's View on VA
Date: Thursday, December 13, 2018 1:43:14 PM
Attachments: image001.png

Information not shared.

From: Rivera, Alison
Sent: Thursday, December 13, 2018 1:37 PM
To: Lee, Pete <Pete.Lee@nrc.gov>
Subject: RE: ACRS Member's View on VA

I think he was an outside presenter, not a member of the ACRS. Here's the agenda from that meeting: https://www.nrc.gov/docs/ML1609/ML16095A357.pdf and all the materials - transcripts, slides etc.: https://www.nrc.gov/docs/ML1614/ML16141A133.pdf

From: Lee, Pete
Sent: Thursday, December 13, 2018 12:49 PM
To: Rivera, Alison <Alison.Rivera@nrc.gov>
Subject: ACRS Member's View on VA

Found the attached while I was looking at files on various white papers on security for SRM and advanced reactors.

It appears that the ACRS, at least this member (present or former), has the expertise and provided some very valid points.

It, the ACRS, could potentially look at how the VA tool will be or are being applied by industry/licensees as it is being relied on for changes to safety and EP bases (e.g., SBT, coping time, etc.).

Senior Security Program Manager
U.S. Nuclear Regulatory Commission
11545 Rockville Pike, Rockville, MD 20852-2738
Phone: 301-287-3690
pete.lee@nrc.gov
Website: www.nrc.gov

HARVARD Kennedy School
BELFER CENTER FOR SCIENCE AND INTERNATIONAL AFFAIRS

Complexities of Vulnerability Assessment

Matthew Bunn
Professor of Practice, Harvard Kennedy School
Advisory Committee on Reactor Safeguards, NRC
6 April 20H
belfercenter.org/managingtheatom

Computer tools for vulnerability assessment are extremely helpful

Computer tools, if properly developed and used, allow:

  • Higher fidelity in simulation
  • Greater ease in considering different security options (can identify cheaper, more efficient solutions)
  • Greater ease for regulators seeking to confirm effectiveness of proposed exemption approaches
  • Greater ease in exploring new adversary pathway scenarios (can lead to more complete coverage of potential vulnerabilities)
  • Greater ease in considering impact of changes in adversary capabilities, tactics (can make it possible to assess impact of potential changes to the DBT, design systems to offer some protection against threats beyond the DBT)

But it is crucial to understand the limits of these tools

"All models are wrong. Some are useful." Some can also be dangerous - they can create false impressions that all key factors are included

Vulnerability assessment models are useful for identifying factors to be addressed, approaches to address them

  • NOT likely to provide reliable absolute estimates of risk, because of large uncertainties and complexities

Key complexities and uncertainties include:

  • Complexity of overall security system
  • Limited by assessor's ability to think of complete set of defeat strategies adversaries could use effectively
  • Human and organizational factors Hally poorly modeled
  • Insider threats more difficult to model
  • Cyber threats (and integrated cyber-physical threats) more difficult to model

Key assumptions built into vulnerability assessment tools

  • Technological elements will perform as estimated
  • Humans and organizations will perform as estimated
  • Adversary capabilities and tactics will be within the DBT
  • Adversaries will not use defeat strategies the defense has not thought of

Any of these assumptions could turn out to be wrong

  • Technology may be improperly installed, operated, maintained
  • Humans may become complacent, organizations may put priorities elsewhere
  • Adversaries may be beyond the DBT
  • Adversaries may defeat the system with unimagined strategies

1: Difficult to model complex systems

  • Security systems include many elements
    o Technical elements (e.g., barriers, cameras, alarms)
    o Human and organizational elements
    o Interactions among elements are complex and poorly understood - e.g., under what circumstances will employees report concerning behavior? What factors lead to complacent behaviors that undermine system performance?
  • Y-12 example:
    o Installation of ARGUS system intended to improve security - but led to many unexpected false alarms
    o Cameras to check alarms had been broken for months
    o Guards had gotten sick of checking out false alarms
    o Result: protestors penetrated to HEU building, spent substantial period there, before being accosted by a single guard
    o Vulnerability assessment tools would not have shown problems

2: Difficult to imagine adversary tactics

  • Tools are only as good as the people who use them
  • Need creative, "hacker" mentality to envision approaches adversaries may use to defeat security systems
    o Real systems have many potential vulnerabilities - most of which will never be discovered, either by defenders or by adversaries
    o Partial solution: operators should establish "red teams" assigned to find vulnerabilities - and rewarded for doing so

Rivera, Alison

From: Andersen, James
Sent: Thursday, August 23, 2018 11:40 AM
To: Rivera, Alison; Rivers, Joseph; Curtis, David
Subject: FW: RE: Vulnerability Assessment Tool Report

FYI

From: Fencl, Mark
Sent: Thursday, August 23, 2018 9:20 AM
To: Andersen, James <James.Andersen@nrc.gov>
Subject: [External_Sender] RE: Vulnerability Assessment Tool Report

Thanks for the info. We understand the limitations with the software, so no further information is required at this time.

From: Andersen, James
Sent: Wednesday, August 22, 2018 3:08 PM
To: Fencl, Mark
Subject: Vulnerability Assessment Tool Report

CAUTION - EXTERNAL EMAIL

Mark,

During the June 27th, NSIR Security Update Session at the NEI National Security and Emergency Preparedness Summit, I commented generally about vulnerability assessment software. A participant at the summit requested more specific information related to vulnerability assessment software. NRC staff obtained permission from the Office of Security, within the DoE Office of Environment, Health, Safety, and Security, to release to the industry copies of the DoE report titled, "ARES Security Corporation's Automated Vulnerability Evaluation for Risks of Terrorism (AVERT) Security Modeling System: Verification, Validation, and Accreditation Effort," dated January 2018.

DoE analyzed several releases of AVERT version 5. We believe the report's analyses and conclusions may still be relevant for other versions that licensees are using or considering. The report is designated as Official Use Only and will be disseminated to you via the NRC-approved method, AMRDEC SAFE. You will receive an e-mail from that system (i.e., "usarmy.redstone.rdecom-amrdec.mbx.safe-team@mail.mil", "no-reply@amrdec.army.mil", or a similar address) with instructions on how to download the report.

We would be happy to discuss the report with you and discuss some of the limitations that are identified in the report. Let us know if you want to discuss further.

Thanks,
Jim A.

Jim Andersen, Director
Division of Physical and Cyber Security Policy
Office of Nuclear Security and Incident Response
U.S. Nuclear Regulatory Commission
301-287-3598
james.andersen@nrc.gov

Improving physical security with simulations -- GCN

Note to requester: This article is also available at https://gcn.com/articles/2018/05/29/simulations-physical-security.aspx

Improving physical security with simulations

BY STEPHANIE KANOWITZ | MAY 29, 2018

To assess the physical security of sites such as nuclear reactors, facilities are increasingly turning to modeling and simulation software that tests their security against external and internal threats.

Traditionally, subject-matter experts performed security assessments, but their accuracy depends on their knowledge and carrying out force-on-force attacks, or simulated attacks.

https://gcn.com/articles/2018/05/29/simulations-physical-security.aspx [05/20/2019 2:45:57 PM]

Those efforts can go only so far because "you're not really going to blow a hole in a fence or knock down doors," said Bob Scott, senior vice president of business development and marketing at ARES Security, the firm behind ARES Security's Automated Vulnerability Evaluation for Risks of Terrorism software. AVERT was recently accredited by the Department of Energy after undergoing testing conducted in conjunction with the Defense Department.

The industry and technological capabilities have evolved to go beyond such qualitative assessments to create a science based on computerized modeling and simulation, ARES Security Senior Vice President Blane Schertz said.


"You're dealing with thousands and thousands of pieces of data, and quite frankly , it's impossible for any one individual subject-matter expert to be able to put all those pieces together and to know for sure that you're protecting the site against the threats that are possible," Schertz said.

AVERT team members work with site security officials to collect data on details such as terrain, walls, fences, guard posts, towers, door types and weapons with the goal of creating a timeline for potential attack scenarios.

All of that information goes into the software to build a virtual model of the site. Then AVERT runs multiple attack scenarios, calculating the path attackers would take to get to their target, whether it's a data center or nuclear controls. Using the resulting data, officials can see vulnerabilities, seal off breach points and test the scenario again using the Monte Carlo probability simulation process, which involves a random-number generator that can help users understand the likely length of time it would take an adversary to pull off an attack in each situation.

"That's how we start to achieve a probabilistic, performance-based outcome and how well the security system achieves the goal," Scott said.

For instance, guard costs at a nuclear reactor are $350,000 to $500,000 per year, he said, so if a facility can find a redundant post, it stands to make a significant savings.

"We can go in and play the 'what if' game," Scott said. "We'll model the site, and we'll put in exactly what their security capabilities are today. We'll run hundreds of simulations, we'll put in different scenarios, different attack types, and we'll take a look at how well the site does, and that gives us a baseline capability."

Then officials can analyze the potential for removing a post. AVERT has helped one site reduce 14 posts and another halve its security costs, he said.

ARES Security employees help customers set up AVERT by spending about three days doing a walk-down inspection of the site, constructing a first version of the model over a three-month period and editing it for accuracy. Then security officials are trained so they can use the tool themselves.

Although the simulation and modeling could be done in the cloud, "traditionally in the security domain, we tend to run on fixed computers that are not connected to the network," Scott said. "You're modeling and identifying all the vulnerabilities, all the protective strategies, all the stuff that you really don't want the bad guys to have access to, so we tend to run on a non-networked environment."

AVERT is the first commercial software to receive verification, validation and accreditation after undergoing testing that DOE conducted in conjunction with the Defense Department.

This adds to AVERT's certification in accordance with the Homeland Security Department's Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which it has held since 2010. That certification gives the company insurance protection, Scott said, against consequential damages if something goes awry.

Sandia National Laboratory performed the verification part of the testing, while the Johns Hopkins Physics Lab handled validation. In 2012, DOD validated the product for use, but a security breach by protesters at Oak Ridge National Laboratory's nuclear plant in 2013 slowed DOE's accreditation process. It was approved in February.

In the future, AVERT may be applied at agencies outside the defense and homeland security areas. Transportation departments have expressed interest in using it for critical infrastructure, Scott said.

Editor's note: This article was changed June 4 to correct the name of ARES Security.

About the Author Stephanie Kanowitz is a freelance writer based in northern Virginia.
