Comment (061) of Marcus Nichol on Behalf of Nuclear Energy Institute on PR-53 - Risk-Informed, Technology-Inclusive Regulatory Framework for Advanced Reactors

ML21244A331
Person / Time
Site:	Nuclear Energy Institute
Issue date:	08/31/2021
From:	Nichol M Nuclear Energy Institute
To:	John Tappert Office of Nuclear Material Safety and Safeguards
SECY/RAS
References
85FR71002, NRC-2019-0062, PR-53
Download: ML21244A331 (13)
v • d • e

Text

From: NICHOL, Marcus To: Tappert, John Cc: Atack, Sabrina; Beall, Bob

Subject:

[External_Sender] NEI Comments on the Preliminary Language for the Physical Security and Cyber Security Requirements included in the Proposed Risk-Informed, Technology Inclusive Regulatory Framework for Advanced Reactors Rule Date: Tuesday, August 31, 2021 4:37:53 PM Attachments: 08-31-21_NRC_NEI comments on security requirements in draft Part 53 rule.pdf THE ATTACHMENT CONTAINS THE COMPLETE CONTENTS OF THE LETTER August 31, 2021 Mr. John Tappert Director, Division of Rulemaking, Environmental, and Financial Support Office of Nuclear Material Safety and Safeguards U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

NEI Comments on the Preliminary Language for the Physical Security and Cyber Security Requirements included in the Proposed Risk-Informed, Technology Inclusive Regulatory Framework for Advanced Reactors Rule Project Number: 689

Dear Mr. Tappert:

[1]

The Nuclear Energy Institute (NEI) and its members appreciate the opportunity to engage with the U.S. Nuclear Regulatory Commission (NRC) staff on the proposed Risk-informed, Technology Inclusive Regulatory Framework for Advanced Reactors Rule. This letter transmits to you more detailed comments on the preliminary language for physical security, cyber security, access authorization and fitness-for-duty (FFD) requirements, as a follow-up to our initial observations

[2]

provided during a public meeting on June 10, 2021. We hope the staff will consider these comments, presented below and in the three attachments, as the staff revises the proposed rule language. NEI will submit further comments when the proposed rule is issued for public comment.

If you have questions concerning our input, please contact me at 202-739-8131 or mrn@nei.org, or David Young at 202-739-8127 or dly@nei.org.

Sincerely,

Marcus R. Nichol Senior Director New Reactors Nuclear Energy Institute 1201 F St NW, Suite 1100 Washington, DC 20004 www.nei.org

P: 202.739.8131 M: 202.316.4412 E: mrn@nei.org

[1]

The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEIs members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

[2]

The meeting agenda and related documents can be found here.

This electronic message transmission contains information from the Nuclear Energy Institute, Inc. The information is intended solely for the use of the addressee and its use by any other person is not authorized. If you are not the intended recipient, you have received this communication in error, and any review, use, disclosure, copying or distribution of the contents of this communication is strictly prohibited. If you have received this electronic transmission in error, please notify the sender immediately by telephone or by electronic mail and permanently delete the original message. IRS Circular 230 disclosure: To ensure compliance with requirements imposed by the IRS and other taxing authorities, we inform you that any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties that may be imposed on any taxpayer or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein.

MARCUS R. NICHOL Senior Director, New Reactors 1201 F Street, NW, Suite 1100 Washington, DC 20004 P: 202.739.8131 mrn@nei.org nei.org August 31, 2021 Mr. John Tappert Director, Division of Rulemaking, Environmental, and Financial Support Office of Nuclear Material Safety and Safeguards U.S. Nuclear Regulatory Commission Washington, DC 20555-0001

Subject:

NEI Comments on the Preliminary Language for the Physical Security and Cyber Security Requirements included in the Proposed Risk-Informed, Technology Inclusive Regulatory Framework for Advanced Reactors Rule Project Number: 689

Dear Mr. Tappert:

The Nuclear Energy Institute (NEI) 1 and its members appreciate the opportunity to engage with the U.S.

Nuclear Regulatory Commission (NRC) staff on the proposed Risk-informed, Technology Inclusive Regulatory Framework for Advanced Reactors Rule. This letter transmits to you more detailed comments on the preliminary language for physical security, cyber security, access authorization and fitness-for-duty (FFD) requirements, as a follow-up to our initial observations provided during a public meeting on June 10, 2021. 2 We hope the staff will consider these comments, presented below and in the three attachments, as the staff revises the proposed rule language. NEI will submit further comments when the proposed rule is issued for public comment.

As an overarching comment, we continue to support the NRCs efforts to develop a technology-inclusive, risk-informed, and performance-based framework for advanced reactors. We believe the successful achievement of this goal was furthered by making the preliminary rule language available for stakeholder review and understand that the NRC is continuing to develop the details of the requirements. Industry is encouraged by the general direction that the staff has taken to develop more performance-based physical 1 The Nuclear Energy Institute (NEI) is responsible for establishing unified policy on behalf of its members relating to matters affecting the nuclear energy industry, including the regulatory aspects of generic operational and technical issues. NEIs members include entities licensed to operate commercial nuclear power plants in the United States, nuclear plant designers, major architect and engineering firms, fuel cycle facilities, nuclear materials licensees, and other organizations involved in the nuclear energy industry.

2 The meeting agenda and related documents can be found here.

Mr. John Tappert August 31, 2021 Page 2 security, cyber security, FFD and access authorization requirements, and the staffs intent to gain consistency across these areas (e.g., use of performance criteria).

While the attachments include comments related to the preliminary rule language for physical and cyber security, we are not submitting specific comments on the proposed FFD and access authorization requirements at this time. We do, however, wish to note that some advanced reactors are expected to have source terms and potential offsite consequences similar to non-power production or utilization facilities and fuel cycle facilities (NPUFs and FCFs). Therefore, we suggest that the NRC consider whether aspects of the technical basis underlying the FFD and access authorization requirements applicable to NPUFs and FCFs could also apply to power reactors with similar source terms and offsite consequences. The insights from this review could help inform the development of the FFD and access authorization requirements to be included in the proposed Part 53 rule. In the meantime, we will continue considering the NRCs Criterion A and B for FFD and request for input on the appropriate factors that would form the basis for these criteria If you have questions concerning our input, please contact me at 202-739-8131 or mrn@nei.org, or David Young at 202-739-8127 or dly@nei.org.

Sincerely, Marcus Nichol c: Ms. Sabrina Atack, NSIR/DPCP, NRC Mr. Robert Beall, NMSS/REFS/RRPB, NRC

NEI Comments on Miscellaneous Sections in Proposed Part 53 Rule Cmt. Section/

Comment

1. Paragraph

§ 53.250 Recommend replacing the phrase high confidence with reasonable assurance.

§ 53.530 The reference to 53.120 should be 53.020.

§ 53.600 The two references to 53.xyx should be 53.020.

§ 53.610(a)(10) The reference to 10 CFR 73.54 should be 10 CFR 73.110.

The references to 10 CFR 73.54 and 10 CFR 73.56, should be 10 CFR 73.110 and 10 CFR

§ 53.610(b)(2) 73.120.

§ 53.620(a)(9) The reference to 10 CFR 73.54 should be 10 CFR 73.110.

The references to 10 CFR 73.54, 73.55, and 73.56 do not appear appropriate, and none specifically

§ 53.620(b)(1)(IV)(v) address storage of fresh fuel. However, § 73.55 does address storage of un-irradiated MOX fuel in one statement.

§ 53.620(d) Additional details are needed on how compliance with this requirement may be achieved.

The section titled, For Information: Current Definitions, that follows subpart 53.620(f) should be N/A removed as it is redundant to 53.020.

Page 1 of 1 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph Comments on Proposed SUBPART F - Requirements for Operations 10 CFR 53.830, Security Program

1. (a)(1) and (2) The NRC should consider whether the application of the Design Basis Threat (DBT), and the associated capabilities and attributes of the DBT, to power reactors with relatively low risk profiles (e.g., microreactors) is appropriate. It is noted that the DBT is not applicable to all reactor classes (i.e., certain Non-power Production and Utilization Facilities) and there is demonstrated experience to suggest that they are not attractive targets. Nonpower reactors (e.g., research, test reactors) are significantly smaller and less complex than large light water reactors, and consequently pose a relatively low risk to public health and safety. The requirements for the physical protection of nonpower reactors reflect a graded approach that considers the attractiveness of the reactor fuel as a target, and the risk of radiological release. Similar considerations are warranted for advanced power reactors that demonstrate improved risk profiles over the current operating fleet. More broadly, the NRC should consider whether application of the DBT to low-risk power reactors is consistent with the intent of the NEIMA (e.g., enabling innovation of advanced reactor technologies by reducing regulatory burden when the risk profile of a facility affords it).

2. (a)(2)(i) Stakeholders do not understand the NRC staff expectations (e.g., general approach, key assumptions, etc.) for performing an analysis of a hypothetical unmitigated event, as the term is used in the proposed 10 CFR 53.830. In addition, based on public meeting dialogues, some stakeholders believe the expectations differ between this analysis and one performed to meet the proposed requirements in 10 CFR 73.55(a) (as proposed in the Alternative Physical Security Requirements rulemaking). We continue to believe that an analysis should assess the impacts from an attack bounded by the DBT and credit all safety and security features described in the facility licensing basis, but no operator/manual actions (i.e., unmitigated) and no response from onsite security personnel. The term hypothetical should be removed. Also, please see previous NEI comments on the term hypothetical in ADAMS Accession #ML21175A036 and #ML21175A043.

Should the staff agree with this comment, the resolution would also apply to the resolution of Comment #9, below, and to the requirements in 10 CFR 73.55(a) (as proposed in the Alternative Physical Security Requirements rulemaking).

Page 1 of 6 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph

3. (b) § 53.830(b) requires compliance with Part 26, Fitness for Duty Programs. These regulations include requirements related to a Protected Area. The proposed 10 CFR 73.100 does not address establishment of a Protected Area. This apparent inconsistency should be addressed. A detailed review may be needed to identify other changes to ensure consistency across regulations.

4. (c) § 53.830(c) requires compliance with § 73.56, Personnel access authorization requirements for nuclear power plants. These regulations include requirements related to a Protected Area (PA) and Vital Areas (VAs). The proposed 10 CFR 73.100 does not address establishment of PAs or VAs. This apparent inconsistency should be addressed. A detailed review may be needed to identify other changes to ensure consistency across regulations.

5. (c) There appears to be a typo - the (1) should be (i).

Comments on Proposed 10 CFR 73.100, Technology neutral requirements for physical protection of licensed activities at advanced nuclear plants against radiological sabotage.

6. General comment New requirements should 1) clearly identify facility design criteria that would permit reliance on local law enforcement or an offsite response force to interdict and neutralize (as is contained in the proposed Alternative Physical Security Requirements rule); 2) be performance-based and minimize prescriptive requirements to the greatest extent possible; and 3) be commensurate with the potential consequences of an attack.

We believe the rule should be structured with general performance objectives and performance-based requirement up front, and then followed by requirements that are contingent upon a facilitys design features. For example:

• General performance objectives

• General performance-based requirements (e.g., detection, assessment, and communications)

• Eligibility criteria for a facility with a detect, assess, and notify security plan (i.e., no onsite armed response force)

• Performance-based requirements for sites that must perform interdiction and neutralization functions

• Eligibility criteria for a facility to not have SSCs for protection against a land or waterborne Page 2 of 6 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph vehicle bomb

• Performance-based requirements for sites that must have SSCs for protection against a land or waterborne vehicle bomb

7. (b)(1)(iii) Suggest changing to read: Security communications. The licensee must be capable of security communications needed to initiate and direct appropriate security responses. Communication systems must account for design basis threats that can interrupt or interfere with continuity or integrity of communications. The design must be sufficient to ensure the reliability and availability of systems and components.

8. (b)(1)(iv) Suggest changing to read: Security delay systems. Structures, systems, and components relied on to provide delay functions must be designed to provide sufficient delay to support timely security responses to adversary attacks with adequate defense-in-depth

9. (b)(1)(v) The proposed 10 CFR 73.100 (in the Part 53 rulemaking) appears to require an onsite armed response force to interdict and neutralize an adversary. The requirements in the proposed 10 CFR 73.55 (in the Alternative Physical Security Requirements rulemaking) permit a licensee to rely on local law enforcement to interdict and neutralize an adversary provided certain eligibility criteria are met. The proposed provisions in 10 CFR 73.55(a)(7) (i.e., eligibility criteria to qualify for alternative requirements) should be carried over to 10 CFR 73.100. NEI previously provided a marked-up version of the proposed 10 CFR 73.100 showing how this comment might be addressed; refer to ADAMS Accession # ML21166A119. Once addressed, provisions for alternative requirements, similar to those in the proposed 10 CFR 73.55(s), should be added to 10 CFR 73.100.

Page 3 of 6 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph

10. N/A As noted above, NEI previously submitted comments on the proposed language in 10 CFR 73.100 (see ADAMS Accession #ML21166A119). The following comment applies to the wording suggested in NEIs markup, at (b)(1)(iv):

Security response. A licensee of a small modular reactor, as defined in 10 CFR 171.5, or non-light water reactor that satisfies one or more of the eligibility criteria in § 73.100(b)(iv)(A),

(B), or (C) may rely on local law enforcement or other offsite response capability to perform security response neutralization functions. The licensee This addition would permit a licensee to use company or contracted responders positioned at an offsite location to perform neutralization functions.

11. (b)(1)(v) The NRC has added a requirement that is not currently included in 10 CFR Part 73. This requirement is for Engineered physical security structures, systems, and components performing neutralization functions and engineered fighting positions relied on to protect security personnel performing neutralization functions must be designed to provide overlapping fields of fire. The design configuration must provide layers of security response, with each layer assuring that a single failure does not result in the loss of capability to neutralize the design basis threat adversary. The NRC should provide a basis for why this requirement is either necessary for the protection of public health and safety or results in reduced burden from a previously applied regulation. If found necessary, we suggest the topic be addressed in NRC guidance as opposed to regulation. In addition, the single failure criterion is overly prescriptive and should be removed.

12. (b)(1)(vii) Suggest changing to read: Access control portals. Access control portals must be designed to detect and deny unauthorized access to persons and the passing-through of contraband materials (e.g.,

weapons, incendiaries, explosives). The design must provide diverse and redundant methods for achieving the intended intrusion access control functions.

13. (b)(1)(vii) The area or boundary to which the access control portal requirement applies should be specified.

Page 4 of 6 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph

14. (b)(5) This paragraph requires compliance with § 73.56, Personnel access authorization requirements for nuclear power plants. These regulations include requirements related to a Protected Area (PA) and Vital Areas (VAs). The proposed 10 CFR 73.100 does not address establishment of PAs or VAs. This apparent inconsistency should be addressed. A detailed review may be needed to identify other changes to ensure consistency across regulations.

15. (b)(7) Proposed 10 CFR 73.100(b)(7) states that the licensee must establish, maintain, and implement an insider mitigation program and must describe the program in the Physical Security Plan. This requirement places an operational and economic burden on some advanced reactors where there may not be reasonable risk from an insider threat. Recommend the NRC consider this requirement, along with other prescriptive requirements related to access authorization and Fitness-for-Duty, and determine if alternative performance-based approaches can be used.

16. (b)(7)(ii) This paragraph requires compliance with § 73.56, Personnel access authorization requirements for nuclear power plants, and Part 26, Fitness for Duty Programs. These regulations include requirements related to a Protected Area (PA) and Vital Areas (VAs). The proposed 10 CFR 73.100 does not address establishment of PAs or VAs. This apparent inconsistency should be addressed. A detailed review may be needed to identify other changes to ensure consistency across regulations.

17. (b)(8) The proposed wording requires the use of a corrective action program. To provide flexibility for future licensees, we suggest making this a performance-based requirement. For example:

The licensee must have the capability to track, trend, correct, and prevent recurrence of failures and deficiencies in the implementation of the requirements of this section.

18. (c) Proposed 10 CFR 73.100(c) requires a security organization that is staffed, trained, qualified, and equipped to implement the physical protection program in accordance with the requirements of this section. Some advanced reactor designs will rely on few or no onsite personnel. Recommend this language be revised to clearly allow for staff who perform other functions to fulfill security functions, including both onsite and offsite personnel.

19. (c)(5) What is the relationship, if any, of this proposed requirement to 10 CFR 73.55, Appendix B?

Page 5 of 6 8/31/21

NEI Comments on Proposed Physical Security Requirements in 10 CFR 53.830 and 10 CFR 73.100 Cmt. Section/

Comment

1. Paragraph

20. (d) The area or boundary to which the search requirement applies should be specified.

21. (e) Proposed 10 CFR 73.100(e) requires Security reviews by individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program. Does the NRC have information concerning the potential value of this requirement (i.e., what is the Operating Experience from the current fleet after doing these reviews for decades)? Can it be time limited? For example, it could be terminated after a certain number of reviews are completed.

22. (e) The proposed wording is confusing - the opening paragraph states, Security reviews must be performed by individuals independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program.

Paragraph (e)(2) then requires, The licensee must establish, maintain, and perform a self-assessment to ensure the effective implementation of the physical protection program functions of detection, assessment, communication, delay, and interdiction and neutralization to protect against the design basis threat of radiological sabotage. The licensee must perform design verification and assessments of the capabilities of active and passive engineering systems relied on to protect against the design basis threat. It is unclear who performs the reviews required by (e)(2) - is it licensee security personnel or an individual(s) independent of those personnel responsible for program management and any individual who has direct responsibility for implementing the onsite physical protection program. We note that the term self-assessment typically means an assessment performed by individuals that do the assessed job functions/tasks.

23. (h) This paragraph references 10 CFR 50.54(x) and (y). Implementation of 10 CFR 50.54(y) requires that a departure from a license condition or a technical specification be approved by a licensed senior operator. Some advanced reactor facilities may not have a licensed operator (or at least not in a form envisaged by 10 CFR 50.54(y)). The proposed language should be revised to add alternative mechanisms for suspending security measures.

Page 6 of 6 8/31/21

NEI Comments on Proposed Cyber Security Requirements in 10 CFR 53 and 10 CFR 73.110 Cmt. Section/

Comment

1. Paragraph The preliminary rule language in 10 CFR 53.610(a)(10) requires that construction activities conform to a

1. 10 CFR cyber security program in accordance with 10 CFR 73.54. Additional guidance is needed regarding 53.610(a)(10) whether a cyber security program is required prior to construction. Also, two recommendations are provided for NRC consideration.

• The NRC should clarify if it is the intent that a licensee must comply with both 10 CFR 73.54 and 10 CFR 73.110 or if intent is that all applicants comply with 10 CFR 73.110.

• It is unclear why construction activities must conform to a cyber security program. This appears to be an expansion of in the scope of requirements from those in 10 CFR Part 50 and 10 CFR Part 52, and should therefore be justified prior to being included.

The NRC should consider adding an option for a licensee to follow the requirements in 10 CFR 73.54.

2. 10 CFR 53.830(d)

For example: (d) Cyber Security. Each licensee under this part must establish, maintain, and implement a cyber security program that meets the requirements in 10 CFR 73.110 or 10 CFR 73.54.

The preliminary rule language in 10 CFR 73.110(a)(1) appears to combine both a physical and cyber-

3. 10 CFR attack. The NRC should consider establishing a different criterion regarding the impacts of a cyber-73.110(a)(1) & 10 attack. This criterion would consider the consequence criteria in 10 CFR 53.210(b)(1) & (2) and whether CFR 53.210(b) the attack would lead to an exceedance of the specified dose values, rather than exceeding the dose values in 10 CFR 53.830(a)(2)(i). This would clearly differentiate the threshold of a cyber-attack scenario from a combined physical and cyber security attack scenario. Additionally, 10 CFR 53.210(b)(1)

& (2) references the need to comply with frequency criteria; it is recommended that the language be clarified as it is unclear whether an applicant must now quantify the frequency of cyber attacks.

It is unclear if this language is referring to all physical security features or just those used for Material

4. 10 CFR Control and Accounting (MC&A). If it is the former, then it should be explained why 10 CFR 73.110(a)(1)&(2) 73.110(a)(1) is not already sufficient as it encompasses the dose criteria. If it is the latter, 10 CFR 73.110(a)(2) should be clarified to better state how it is only focused on MC&A security features.

The proposed requirements do not appear to be aligned:

5. 10 CFR 73.110(a) &

• Each licensee under 10 CFR part 53 shall establish, implement, and maintain a cyber security (b) program that is commensurate with the potential consequences resulting from cyber attacks.

• The licensee shall protect digital computer and communication systems and networks associated with the functions listed in [§ 73.54(a)(1)] in a manner that is commensurate with the potential consequences resulting from cyber attacks.

Page 1 of 2 8/31/21

NEI Comments on Proposed Cyber Security Requirements in 10 CFR 53 and 10 CFR 73.110 Cmt. Section/

Comment

1. Paragraph The first requirement addresses a program commensurate with potential consequences while the second requires protection of systems and networks, performing specific functions, commensurate with potential consequences. Consider using wording as in 10 CFR 73.110(e)(3) to describe the consequences as adverse effects.

The current preliminary rule language in 10 CFR 73.110(a) and (b) attempts to establish a performance-

6. 10 CFR 73.110(b) based approach to cybersecurity while at the same time maintaining prescriptive portions of 10 CFR 73.54. Using language like commensurate with the potential consequences is good language, but ultimately still requires assessing against both dose impacts and the pre-defined systems in 10 CFR 73.54. The NRC should re-evaluate whether 73.110(b) is needed at all, considering 73.110(a)(1) subsumes the required equipment necessary to ensure an applicant does not exceed dose criteria.

Additional industry engagement may be needed to define what needs to be protected, due to the broadness of the SSEP functions within 10 CFR 73.54.

The current preliminary rule language in 10 CFR 73.110(f)(2) requires a licensee to establish,

7. 10 CFR implement, and maintain a cyber security plan that implements the cyber security program in 73.110(f)(2) & 10 accordance with 73.54(e). The graded approach based on dose consequences, discussed in 73.110, will CFR 73.110(f)(3) result in fewer critical digital assets. The NRC should consider eliminating the separate cyber security plan, and have the implementing guidance reside in the physical security plan, similar to that proposed in 73.120(a)(1) for access authorization. The reference to 73.54(e) would be removed in this instance.

Similarly, 10 CFR 73.110(f)(3) requires the licensee to develop and maintain written policies and procedures to implement the cyber security plan. Consolidating cyber security program implementing guidance within the physical security plan would justify removing the reference to 73.54(f).

Page 2 of 2 8/31/21