Text

THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND DOES NOT PROVIDE OFFICIAL AGENCY POSITIONS. THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILL CONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS FOR VARIOUS CRITERIA.

STAFF DISCUSSION OF PART 73 ACCESS AUTHORIZATION - PRELIMINARY RULE LANGUAGE (November 2021) 2nd Iteration (Redline/Strikeout) of Preliminary Language Discussion

§ 73.120 - Access Authorization The existing regulatory framework for access authorization under §§ 73.55, 73.56, and 73.57, is sufficient to provide reasonable assurance that individuals subject to this program are trustworthy and reliable such that they do not constitute an unreasonable risk to the public health and safety or common defense and security, regardless of the reactor technology.

The proposed language under § 73.120 will provide flexibility through availability of the use of an alternate approach, commensurate with risk and consequence to public health and safety, for Part 53 applicants who demonstrate in an analysis that the offsite consequences meet the criterion defined in

§ 53.830(a)(2)(i). (Note, the criterion in

§ 53.830(a)(2)(i) is written as a reference to the values in § 53.210(b)(1) and (2). However, that reference does not reflect the latest numbering in the most recent iteration of § 53.210 (i.e., Subpart B) and will be updated in the next iteration of

§ 53.830).

As provided for in § 53.830(c), applicants satisfying the criterion in § 53.830(a)(2)(i) may establish, implement, and maintain their access authorization program in accordance with the requirements of

§ 73.120. Applicants not satisfying the criterion

must establish, implement, and maintain a full access authorization program, including an insider mitigation program in accordance with §§ 73.55, 73.56, and 73.57.

Moreover, for applicants satisfying the criterion, the proposed requirements model the existing access authorization programs for non-power reactors and/or materials licensees by applying the most important program elements associated with power reactors access authorization program under § 73.56.

Although research and test reactors currently do not have many specific access authorization requirements in NRC regulations other than those associated with fingerprinting of individuals for a FBI criminal history record check, there are alternate security measures and license conditions in place for these research and test reactor facilities that would be applied in the proposed § 73.120 for commercial nuclear reactors licensed under Part

53.

(a) Introduction and Scope. (1) Each applicant for an operating license for an advanced nuclear reactoror a holder of a combined operating license under 10 CFR part 53, who meets the criterion in 10 CFR 53.830(a)(2)(i), shall must establish, maintain, and implement an access authorization program in accordance with before initial fuel load into the reactor. For licensees who meet the criterion in 10 CFR 53.210(a)(2)(i), this access authorization program must be in accordance with the requirements of this section as part of its Commission-approved Physical Security Plan. Applicantsor 10 CFR 73.56. For licensees not meeting the criterion in 10 CFR 53.830210(a)(2)(i) shall establish, maintain, and implement an, this access authorization program must be in accordance with the requirements of 10 CFR 73.56.

(2) [Reserved]

Under this proposed approach, should an applicant for a commercial nuclear reactor license demonstrate, pursuant to § 53.830(a)(2)(i), that an offsite release would not exceed doses defined in the safety criteria of §§53.210(a) and (b), the applicant may implement the access authorization program requirements under the proposed § 73.120 instead of the existing regulatory framework for access authorization under §§ 73.55, 73.56, and 73.57. The staff notes that this eligibility criterion (as provided in § 53.830(a)(2)(i)) is consistent with one of the eligibility criteria being proposed as part of the limited-scope commercial nuclear reactor security rulemaking, i.e., the most bounding criteria.

As that rulemaking evolves, so will this criterion for consistency.

Language was added to the original text to provide a threshold for when the access authorization program must be fully established and implemented.

(b) Applicability. (1) The following individuals shall be subject to an access authorization program under this section:

General applicability statement for those individuals who will be subject to an access authorization program in accordance with this section. Individuals noted in this section are required to be trustworthy and reliable, such that they do not constitute an unreasonable risk to public health and safety or the common defense and security.

(i) Any individual to whom a licensee intends to grant unescorted access to a nuclear power plant protected area, vital area, material access area, or controlled access area where thelicensed material is used or stored; This applicability statement encompasses individuals specified in § 73.56(b)(i) for power reactors and the orders/additional security measures (ASM) and/or license conditions for nonpower reactors whom the licensee intends to grant unescorted access to the facilities most sensitive areas.

(ii) Any individual whose duties and responsibilities permit the individual to take actions by electronic means, either on site or remotely, that could adversely impact the licensee's or applicant's operational safety, security, or emergency preparedness; This applicability statement is to include in the access authorization program those individuals who may be on or offsite (e.g., remote operators or information technology staff) and have virtual access to important plant operational and communication systems based upon assigned duties and responsibilities to have such access. These individuals will be reinvestigated periodically in accordance with (c)(3) of this proposed section.

This requirement is consistent with the intent of current § 73.56, which is to ensure that anyone who has unescorted access to equipment that is important to the operational safety and security of plant operations must be trustworthy and reliable.

An individual who may have remote access to plant equipment and communication systems may have trusted privileges greater than the trusted and authorized personnel at the plant site.

(iii) Any individual who has responsibilities for implementing a licensee's or applicant's protective strategy, including armed security force officers, alarm station operators, and tactical response team leaders but not including Federal, State, or local law enforcement personnel; and This requirement is consistent with § 73.56(b)(1)(iii) and intended to ensure that security personnel responsible for protection of the nuclear power plant are trustworthy and reliable. This requirement includes a clarification that offsite law enforcement personnel on official duty are not subject to the licensee access authorization program.

Section 73.56(b)(1)(iii) specifies that these individuals shall be subject to the access authorization program because of their critical responsibilities with respect to plant security.

(iv) The licensee or applicant access authorization program reviewing official or contractor or vendor access authorization program reviewers.

This is consistent with § 73.56(b)(1)(iv) to ensure individuals responsible for access authorization decisions are trustworthy and reliable.

(2) The licensee or applicant may subject other individuals, including employees of a contractor or a vendor who are designated in access authorization program procedures, to an access authorization program that meets the requirements of this section.

This is consistent with § 73.56(b)(2).

(c) General Performance Objectives and Requirements. Each licensee's or applicants access authorization program under this section must provide reasonable assurance that the individuals who are specified in paragraph (b) of this section are trustworthy and reliable, such that they do not constitute an unreasonable risk to public health and safety or the common defense and security. The design and implementation of the licensees access authorization program shall establish and maintain the capabilities for meeting the following performance requirements:

The proposed language establishes general performance objectives and requirements providing reasonable assurance that the individuals who are specified in paragraph (b) of this section are trustworthy and reliable. This is consistent with the access authorization program requirements for nuclear power reactors under

§ 73.56.

The revised language provides licensees and applicants the flexibility in establishing their access authorization program to meet various specific performance objectives.

(1) Background investigation. Background investigations(i)(A)

Licensees and applicants shall be completed for ensure that any individual whom a licensee or applicant intends to grantseeking initial unescorted access. or to maintain unescorted access is subject to a background investigation.

(B) Background investigations shall include the program elements contained under § 73.56(d)37.25 of this part. chapter and must also include a credit history evaluation.

(ii) Background investigations must include fingerprinting and an FBI identification and criminal history records check in accordance with § 37.27 of this chapter.

(iii) Licensees may not initiate a background investigation without the informed and signed consent of the subject individual. This consent must include authorization to share personal information with other individuals or organizations as necessary to complete the background investigation. A signed consent must be obtained prior to any reinvestigation. The subject individual may withdraw his or her consent at any time. Licensees shall inform the individual that:

(A) If an individual withdraws his or her consent, the licensee may not initiate any elements of the background investigation that were not in progress at the time the individual withdrew his or her consent; and (B) The withdrawal of consent for the background investigation is sufficient cause for denial or termination of unescorted access authorization.

This section was revised to add paragraph (ii) to include the requirements to obtain an FBI criminal history records check under § 37.27 for individuals covered by the access authorization program.

This section is consistent with the background investigation elements under § 37.25, as well as alternate security measures and license conditions that are applied to non-power reactor licensees.

Background investigations include important elements to establish trustworthiness and reliability of an individual, such that they do not constitute an unreasonable risk to public health and safety or the common defense and security. These include:

Personal History Disclosure Verification of True Identity Employment History Evaluation Unemployment/Military Service/Education Credit History Evaluation Character and Reputation Evaluation FBI criminal history record check

(2) Behavioral observation. Behavioral observation shall be performed to detect behaviors or activities that may constitute an unreasonable risk to the safety and security of the licensees facility. The. (i)

Licensees, applicants, and contractors or vendors shall ensure the access authorization program shall ensure includes provisions that the individuals specified in paragraph (b) of this section are subject to behavioral observation.

(A) Each person subject to behavioral observation shall be responsible for communicating to the licensee or applicant observed behaviors or activities of individuals that may constitute an unreasonable risk to the health and safety of the public and common defense and security.

(B) Behavioral observation shall include visual observation, in person or remotely by video, to detect and promptly report to plant supervision any concerns arising from behavioral observation, including, but not limited to, concerns related to any questionable behavior patterns or activities of others.

(ii)(A) Licensees or applicants shall.

(B) Behavioral observation shall include self-reporting to plant supervision of legal actions in accordance with § 73.56(g) of this part.

taken by a law enforcement authority or court of law against the individual that could result in incarceration or a court order or that requires a court appearance, including but not limited to an arrest, an indictment, the filing of charges, or a conviction, but excluding minor civil actions or misdemeanors such as parking violations or speeding tickets, for any individual who has applied for unescorted access or who maintains unescorted access.

Behavioral observation was revised to clearly establish the licensees and applicants roles and responsibilities to conduct behavioral observation for anyone granted or who maintains unescorted access as well as the responsibilities of personnel to observe the behavior of their peers.

In (2)(i)(A), the staff added the language health and safety of the public and, which is consistent with the language used in § 73.56 for the power reactor behavioral observation program.

This section ((2)(ii)(B)) was revised to clarify how behavioral observation may be performed in-person or remotely and to clarify that identified behavior of concern is reported to plant supervision.

Remote access alternative to face-to-face interactions was added to the proposed language in (2)(i)(B) to allow for the greatest flexibility to licensees and applicants. This provides reasonable assurance that persons who maintain unescorted access remain trustworthy and reliable. Any video conferencing or other acceptable electronic means promoting face-to-face interaction for those individuals working remotely would meet the intent of this regulation.

This proposed requirement in § 73.120(c)(2) is a scaled version of the full behavioral observation program as required under § 73.56(f). Moreover, the staff conducted an administrative change and struck the reference to § 73.56(g) for self-reporting of legal actions. However, the staff maintained the self-reporting requirement under behavioral observation as an essential element to strengthen the licensees behavioral observation elements assuring personnel who are granted and maintain unescorted access are trustworthy and reliable. Guidance will provide a glossary definition of legal actions.

Commensurate with the potential lower risk and consequence of a commercial nuclear reactor meeting

certain eligibility requirements, this provision does not require the establishment of a full training program for behavioral observation (i.e., initial and refresher training including knowledge checks) as required for power reactors under § 73.56. However, this requirement would provide licensees greater flexibility to consider behavioral observation options for individuals granted unescorted access to the commercial nuclear reactor protected area. Such options on reporting questionable behavior may include a program similar to the Department of Homeland Securitys program, If you see something, say something or a commensurate corporate behavioral awareness program.

The proposed requirement would allow applicants to consider behavioral observation alternatives to implementing and maintaining a full behavioral observation program. The staffs approach to forgo a training requirement would set the minimal requirement to only report behavior as questionable to the appropriate levels of management that may have adverse actions to the site or to the workforce.

(3) Unescorted access. UnescortedLicensees or applicants shall grant unescorted access shall be granted only after the licensee has verified an individual is trustworthy and reliable. A list of persons currently approved for unescorted access to a protected area, vital area, material access area, or controlled access area must be maintained at all times. Unescorted access determinations shall be reviewed annually in accordance with § 73.56(i)(1)(iv). Criminalby the reviewing official. Licensees and applicants shall conduct an FBI criminal history updatesrecord check update, and they shall be completed within 10 years of the last review.

This section was revised to clarify the reviewing official roles and responsibilities to verify the trustworthiness and reliability of personnel prior to granting unescorted access and for those who maintain unescorted access.

This revision also clarified that the continued need to maintain unescorted access is evaluated on an annual basis by the reviewing official. Guidance will address that this evaluation should be based on a compilation of personnel interactions as described in the licensees or applicants policy and procedures for behavioral observation and the maintenance of an approved access authorization list. Moreover, the FBI criminal history record check update shall be completed within 10 years of the last review. In comparison, the reinvestigation periodicity for personnel at an operating nuclear power plant is 3 years or 5 years based upon job function.

(4) Termination of unescorted access. Unescorted access Licensees and applicants shall be promptly terminated terminate unescorted access when a licensee determines this access is no longer required or a reviewing official determines an individual is no longer trustworthy and reliable in accordance with this section.

This proposed performance requirement would require licensees and applicants to determine when a person no longer requires the need for unescorted access or no longer meets the access authorization requirement found within this section. Guidance will further explain that licensees have the flexibility to terminate unescorted access to specific areas of the site based upon an individual lacking the continued need for that access to perform their duties and responsibilities.

(5) Determination basis for access. Any unescorted access determination shall be made by a(i) The licensees or applicants reviewing official who willshall determine whether to permit, deny, unfavorably terminate, maintain, or administratively withdraw an individual's unescorted access based on an evaluation of all of the information collected to meet the requirements of this section.

(ii) Licensees and applicants shall provide individuals subject to this subpart, prior to any final adverse determination, the right to complete, correct, and explain information obtained as a result of the licensee's background investigation pursuant to § 37.23(g) of this chapter.

(iii) The licensees or applicants reviewing officials are the only individuals authorized to make unescorted access determination decisions. Each licensee or applicant shall name one or more individuals to be reviewing officials pursuant to the requirements of

§ 37.23(b)(2) of this chapter.

This requirement is consistent with the intent of

§ 37.23(e) and was revised to include the individuals rights to correct and complete information as required under § 37.23(g).

Revised language to include a new performance requirement for designating a reviewing official. The added language provides clarity regarding the roles and responsibility of a reviewing official, who will be the only individual authorized to make unescorted access determinations. The process found in § 37.23(b)(2) requires licensees or applicants to certify to the NRC that the reviewing official is trustworthy and reliable based on a background check.

(6) Review Procedures. Review procedures shall be established in accordance with § 73.56(l) 37.23(f) of this partchapter, to include provisions for the notification in writing of individuals who are denied unescorted access or who are unfavorably terminated.

Language was revised to align with the appropriate requirements under § 37.23(f). This language addresses the licensees requirement to establish, implement, and maintain review procedures for personnel who were denied unescorted access or unfavorably terminated.

(7) Protection of Information. ALicensees, applicants, contractors, or vendors shall establish and maintain a system of files and procedures shall be established and maintained in accordance with

§ 73.56(m) 37.31 of this partchapter, to ensure personal information is not disclosed to unauthorized persons.

Language was revised to align with the appropriate requirements under § 37.31. Revised language encompassed the roles and responsibility for licensee, applicant, and if applicable, the contractor/vendors to establish, implement, and maintain a system of files and records to ensure personal information is not disclosed to unauthorized persons.

(8) AuditsAccess Authorization Reviews and corrective action.

ProceduresLicensees and applicants shall develop, implement, and maintain procedures for useconduct of auditsaccess authorization reviews and corrective actions shall be established in accordance with § 73.56(n) 37.33 of this partchapter to ensure the continuing effectiveness of the access authorization program and to ensure that the access authorization program and program elements are in compliance with the requirements of this section. Each licensee and applicant shall be responsible for the continuing effectiveness of the access authorization program, including access authorization program elements that are provided by the contractors or vendors, and the access authorization programs of any of the contractors or vendors that are accepted by the licensee or applicant.

Language was revised to align with the requirements of

§ 37.33. Each licensee shall ensure that access authorization programs are reviewed to confirm compliance with the requirements of this section and that comprehensive actions are taken to correct any noncompliance that is identified. The review program shall evaluate all program performance objectives and requirements. Each licensee shall periodically (at least annually) review the access program content and implementation.

(9) Records. Records Licensees, applicants, and contractors or vendors shall document the processes and procedures for maintaining records used or created to establish an individuals trustworthiness and reliability or to document access determination must be maintained in accordance with § 73.56(o) of this part.

determinations. Licensees, applicants, and contractor or vendors shall:

(1) retain documentation regarding the trustworthiness and reliability of individual employees for 3 years from the date the individual no longer requires unescorted access.

(2) retain a copy of the current access authorization program procedures as a record for 3 years after the procedure is no longer needed. If any portion of the procedure is superseded, retain the superseded material for 3 years after the record is superseded.

(3) retain the list of persons approved for unescorted access for 3 years after the list is superseded or replaced. Records maintained in any database(s) must be available for NRC review.

Revised language to provide clarity and the expectation for record retention. Licensees, applicants, and contractors or vendors shall maintain the records that are required by the regulations in this section for the period specified by the appropriate regulation. If a retention period is not otherwise specified, these records must be retained until the Commission terminates the facility's license, certificate, or other regulatory approval.

The revised text is consistent with § 37.23(h) for the record retention period of 3 years. This change reduces the 5-year retention period under § 73.56(o).

Moreover, a new requirement was added such that records maintained in any database(s) must be available for NRC review. This is consistent with the requirements found under § 73.56(o)(6)(ii). This provides the NRC access to review records at the Commissions request. The NRC currently uses this process to obtain information from licensees to vet against federal databases.