Text

THIS PRELIMINARY PROPOSED RULE LANGUAGE AND ACCOMPANYING DISCUSSION IS BEING RELEASED TO SUPPORT INTERACTIONS WITH STAKEHOLDERS AND THE ADVISORY COMMITTEE ON REACTOR SAFEGUARDS (ACRS). THIS LANGUAGE HAS NOT BEEN SUBJECT TO COMPLETE NRC MANAGEMENT OR LEGAL REVIEW, AND DOES NOT PROVIDE OFFICIAL AGENCY POSITIONS. THE NRC STAFF PLANS TO CONTINUE WORKING ON THE CONCEPTS AND DETAILS PROVIDED IN THIS DOCUMENT AND WILLCONTINUE TO PROVIDE OPPORTUNITIES FOR PUBLIC PARTICIPATION AS PART OF THE RULEMAKING ACTIVITIES.

THE STAFF IS PRIMARILY SEEKING INSIGHTS REGARDING THE CONCEPTS IN THIS PRELIMINARY LANGUAGE AND SECONDARILY SEEKING INSIGHTS RELATED TO DETAILS FOR VARIOUS CRITERIA.

STAFF DISCUSSION OF PART 73 ACCESS AUTHORIZATION - PRELIMINARY RULE LANGUAGE (November 2021) 2nd Iteration (Redline/Strikeout) of Discussion Preliminary Language

§ 73.120 - Access Authorization The existing regulatory framework for access authorization under §§ 73.55, 73.56, and 73.57, is sufficient to provide reasonable assurance that individuals subject to this program are trustworthy and reliable such that they do not constitute an unreasonable risk to the public health and safety or common defense and security, regardless of the reactor technology.

The proposed language under § 73.120 will provide flexibility through availability of the use of an alternate approach, commensurate with risk and consequence to public health and safety, for Part 53 applicants who demonstrate in an analysis that the offsite consequences meet the criterion defined in

§ 53.830(a)(2)(i). (Note, the criterion in

§ 53.830(a)(2)(i) is written as a reference to the values in § 53.210(b)(1) and (2). However, that reference does not reflect the latest numbering in the most recent iteration of § 53.210 (i.e., Subpart B) and will be updated in the next iteration of

§ 53.830).

As provided for in § 53.830(c), applicants satisfying the criterion in § 53.830(a)(2)(i) may establish, implement, and maintain their access authorization program in accordance with the requirements of

§ 73.120. Applicants not satisfying the criterion

must establish, implement, and maintain a full access authorization program, including an insider mitigation program in accordance with §§ 73.55, 73.56, and 73.57.

Moreover, for applicants satisfying the criterion, the proposed requirements model the existing access authorization programs for non-power reactors and/or materials licensees by applying the most important program elements associated with power reactors access authorization program under § 73.56.

Although research and test reactors currently do not have many specific access authorization requirements in NRC regulations other than those associated with fingerprinting of individuals for a FBI criminal history record check, there are alternate security measures and license conditions in place for these research and test reactor facilities that would be applied in the proposed § 73.120 for commercial nuclear reactors licensed under Part 53.

(a) Introduction and Scope. (1) Each applicant for an operating license Under this proposed approach, should an applicant for an advanced nuclear reactoror a holder of a combined operating for a commercial nuclear reactor license license under 10 CFR part 53, who meets the criterion in 10 CFR demonstrate, pursuant to § 53.830(a)(2)(i), that an 53.830(a)(2)(i), shall must establish, maintain, and implement an offsite release would not exceed doses defined in access authorization program in accordance with before initial fuel load the safety criteria of §§ 53.210(a) and (b), the into the reactor. For licensees who meet the criterion in 10 CFR applicant may implement the access authorization 53.210(a)(2)(i), this access authorization program must be in program requirements under the proposed § 73.120 accordance with the requirements of this section as part of its instead of the existing regulatory framework for Commission-approved Physical Security Plan. Applicantsor 10 CFR access authorization under §§ 73.55, 73.56, and 73.56. For licensees not meeting the criterion in 10 CFR 73.57. The staff notes that this eligibility criterion 53.830210(a)(2)(i) shall establish, maintain, and implement an, this (as provided in § 53.830(a)(2)(i)) is consistent with access authorization program must be in accordance with the one of the eligibility criteria being proposed as part requirements of 10 CFR 73.56. of the limited-scope commercial nuclear reactor security rulemaking, i.e., the most bounding criteria.

(2) [Reserved]

As that rulemaking evolves, so will this criterion for consistency.

Language was added to the original text to provide a threshold for when the access authorization program must be fully established and implemented.

(b) Applicability. (1) The following individuals shall be subject to an General applicability statement for those access authorization program under this section: individuals who will be subject to an access authorization program in accordance with this section. Individuals noted in this section are required to be trustworthy and reliable, such that they do not constitute an unreasonable risk to public health and safety or the common defense and security.

(i) Any individual to whom a licensee intends to grant unescorted This applicability statement encompasses individuals access to a nuclear power plant protected area, vital area, material specified in § 73.56(b)(i) for power reactors and the access area, or controlled access area where thelicensed material is orders/additional security measures (ASM) and/or used or stored; license conditions for nonpower reactors whom the licensee intends to grant unescorted access to the facilities most sensitive areas.

(ii) Any individual whose duties and responsibilities permit the This applicability statement is to include in the individual to take actions by electronic means, either on site or access authorization program those individuals who remotely, that could adversely impact the licensee's or applicant's may be on or offsite (e.g., remote operators or operational safety, security, or emergency preparedness; information technology staff) and have virtual access to important plant operational and communication systems based upon assigned duties and responsibilities to have such access. These individuals will be reinvestigated periodically in accordance with (c)(3) of this proposed section.

This requirement is consistent with the intent of current § 73.56, which is to ensure that anyone who has unescorted access to equipment that is important to the operational safety and security of plant operations must be trustworthy and reliable.

An individual who may have remote access to plant equipment and communication systems may have trusted privileges greater than the trusted and authorized personnel at the plant site.

(iii) Any individual who has responsibilities for implementing a This requirement is consistent with § 73.56(b)(1)(iii) licensee's or applicant's protective strategy, including armed security and intended to ensure that security personnel force officers, alarm station operators, and tactical response team responsible for protection of the nuclear power plant leaders but not including Federal, State, or local law enforcement are trustworthy and reliable. This requirement personnel; and includes a clarification that offsite law enforcement personnel on official duty are not subject to the licensee access authorization program.

Section 73.56(b)(1)(iii) specifies that these individuals shall be subject to the access authorization program because of their critical responsibilities with respect to plant security.

(iv) The licensee or applicant access authorization program This is consistent with § 73.56(b)(1)(iv) to ensure reviewing official or contractor or vendor access authorization individuals responsible for access authorization program reviewers. decisions are trustworthy and reliable.

(2) The licensee or applicant may subject other individuals, including This is consistent with § 73.56(b)(2).

employees of a contractor or a vendor who are designated in access authorization program procedures, to an access authorization program that meets the requirements of this section.

(c) General Performance Objectives and Requirements. Each The proposed language establishes general licensee's or applicants access authorization program under this performance objectives and requirements section must provide reasonable assurance that the individuals who providing reasonable assurance that the are specified in paragraph (b) of this section are trustworthy and individuals who are specified in paragraph (b) of reliable, such that they do not constitute an unreasonable risk to this section are trustworthy and reliable. This is public health and safety or the common defense and security. The consistent with the access authorization program design and implementation of the licensees access authorization requirements for nuclear power reactors under program shall establish and maintain the capabilities for meeting the § 73.56.

following performance requirements:

The revised language provides licensees and applicants the flexibility in establishing their access authorization program to meet various specific performance objectives.

(1) Background investigation. Background investigations(i)(A) This section was revised to add paragraph (ii) to Licensees and applicants shall be completed for ensure that any include the requirements to obtain an FBI criminal individual whom a licensee or applicant intends to grantseeking initial history records check under § 37.27 for individuals unescorted access. or to maintain unescorted access is subject to a covered by the access authorization program.

background investigation.

This section is consistent with the background (B) Background investigations shall include the program elements investigation elements under § 37.25, as well as contained under § 73.56(d)37.25 of this part. chapter and must also alternate security measures and license conditions include a credit history evaluation. that are applied to non-power reactor licensees.

(ii) Background investigations must include fingerprinting and an FBI Background investigations include important identification and criminal history records check in accordance with § elements to establish trustworthiness and reliability of 37.27 of this chapter. an individual, such that they do not constitute an (iii) Licensees may not initiate a background investigation without the unreasonable risk to public health and safety or the informed and signed consent of the subject individual. This consent common defense and security. These include:

must include authorization to share personal information with other

• Personal History Disclosure individuals or organizations as necessary to complete the background

• Verification of True Identity investigation. A signed consent must be obtained prior to any

• Employment History Evaluation reinvestigation. The subject individual may withdraw his or her consent

• Unemployment/Military Service/Education at any time. Licensees shall inform the individual that:

• Credit History Evaluation

• Character and Reputation Evaluation (A) If an individual withdraws his or her consent, the licensee may not

• FBI criminal history record check initiate any elements of the background investigation that were not in progress at the time the individual withdrew his or her consent; and (B) The withdrawal of consent for the background investigation is sufficient cause for denial or termination of unescorted access authorization.

(2) Behavioral observation. Behavioral observation shall be performed Behavioral observation was revised to clearly to detect behaviors or activities that may constitute an unreasonable establish the licensees and applicants roles and risk to the safety and security of the licensees facility. The . (i) responsibilities to conduct behavioral observation for Licensees, applicants, and contractors or vendors shall ensure the anyone granted or who maintains unescorted access access authorization program shall ensure includes provisions that the as well as the responsibilities of personnel to observe individuals specified in paragraph (b) of this section are subject to the behavior of their peers.

behavioral observation.

(A) Each person subject to behavioral observation shall be responsible In (2)(i)(A), the staff added the language health and for communicating to the licensee or applicant observed behaviors or safety of the public and, which is consistent with the activities of individuals that may constitute an unreasonable risk to the language used in § 73.56 for the power reactor health and safety of the public and common defense and security. behavioral observation program.

(B) Behavioral observation shall include visual observation, in person This section ((2)(ii)(B)) was revised to clarify how or remotely by video, to detect and promptly report to plant supervision behavioral observation may be performed in-person or any concerns arising from behavioral observation, including, but not remotely and to clarify that identified behavior of limited to, concerns related to any questionable behavior patterns or concern is reported to plant supervision.

activities of others.

Remote access alternative to face-to-face interactions (ii)(A) Licensees or applicants shall. was added to the proposed language in (2)(i)(B) to allow for the greatest flexibility to licensees and (B) Behavioral observation shall include self-reporting to plant applicants. This provides reasonable assurance that supervision of legal actions in accordance with § 73.56(g) of this part. persons who maintain unescorted access remain taken by a law enforcement authority or court of law against the trustworthy and reliable. Any video conferencing or individual that could result in incarceration or a court order or that other acceptable electronic means promoting face-to-requires a court appearance, including but not limited to an arrest, an face interaction for those individuals working remotely indictment, the filing of charges, or a conviction, but excluding minor would meet the intent of this regulation.

civil actions or misdemeanors such as parking violations or speeding tickets, for any individual who has applied for unescorted access or This proposed requirement in § 73.120(c)(2) is a who maintains unescorted access. scaled version of the full behavioral observation program as required under § 73.56(f). Moreover, the staff conducted an administrative change and struck the reference to § 73.56(g) for self-reporting of legal actions. However, the staff maintained the self-reporting requirement under behavioral observation as an essential element to strengthen the licensees behavioral observation elements assuring personnel who are granted and maintain unescorted access are trustworthy and reliable. Guidance will provide a glossary definition of legal actions.

Commensurate with the potential lower risk and consequence of a commercial nuclear reactor meeting

certain eligibility requirements, this provision does not require the establishment of a full training program for behavioral observation (i.e., initial and refresher training including knowledge checks) as required for power reactors under § 73.56. However, this requirement would provide licensees greater flexibility to consider behavioral observation options for individuals granted unescorted access to the commercial nuclear reactor protected area. Such options on reporting questionable behavior may include a program similar to the Department of Homeland Securitys program, If you see something, say something or a commensurate corporate behavioral awareness program.

The proposed requirement would allow applicants to consider behavioral observation alternatives to implementing and maintaining a full behavioral observation program. The staffs approach to forgo a training requirement would set the minimal requirement to only report behavior as questionable to the appropriate levels of management that may have adverse actions to the site or to the workforce.

(3) Unescorted access. UnescortedLicensees or applicants shall This section was revised to clarify the reviewing grant unescorted access shall be granted only after the licensee official roles and responsibilities to verify the has verified an individual is trustworthy and reliable. A list of trustworthiness and reliability of personnel prior to persons currently approved for unescorted access to a protected granting unescorted access and for those who area, vital area, material access area, or controlled access area maintain unescorted access.

must be maintained at all times. Unescorted access This revision also clarified that the continued need to determinations shall be reviewed annually in accordance with § maintain unescorted access is evaluated on an annual 73.56(i)(1)(iv). Criminalby the reviewing official. Licensees and basis by the reviewing official. Guidance will address applicants shall conduct an FBI criminal history updatesrecord that this evaluation should be based on a compilation check update, and they shall be completed within 10 years of the of personnel interactions as described in the last review.

licensees or applicants policy and procedures for behavioral observation and the maintenance of an approved access authorization list. Moreover, the FBI criminal history record check update shall be completed within 10 years of the last review. In comparison, the reinvestigation periodicity for personnel at an operating nuclear power plant is 3 years or 5 years based upon job function.

(4) Termination of unescorted access. Unescorted access Licensees This proposed performance requirement would require and applicants shall be promptly terminated terminate unescorted licensees and applicants to determine when a person access when a licensee determines this access is no longer required no longer requires the need for unescorted access or or a reviewing official determines an individual is no longer no longer meets the access authorization requirement trustworthy and reliable in accordance with this section. found within this section. Guidance will further explain that licensees have the flexibility to terminate unescorted access to specific areas of the site based upon an individual lacking the continued need for that access to perform their duties and responsibilities.

(5) Determination basis for access. Any unescorted access This requirement is consistent with the intent of determination shall be made by a(i) The licensees or applicants § 37.23(e) and was revised to include the individuals reviewing official who willshall determine whether to permit, deny, rights to correct and complete information as required unfavorably terminate, maintain, or administratively withdraw an under § 37.23(g).

individual's unescorted access based on an evaluation of all of the Revised language to include a new performance information collected to meet the requirements of this section.

requirement for designating a reviewing official. The (ii) Licensees and applicants shall provide individuals subject to this added language provides clarity regarding the roles subpart, prior to any final adverse determination, the right to and responsibility of a reviewing official, who will be complete, correct, and explain information obtained as a result of the only individual authorized to make unescorted the licensee's background investigation pursuant to § 37.23(g) of access determinations. The process found in § this chapter. 37.23(b)(2) requires licensees or applicants to certify to the NRC that the reviewing official is trustworthy (iii) The licensees or applicants reviewing officials are the only and reliable based on a background check.

individuals authorized to make unescorted access determination decisions. Each licensee or applicant shall name one or more individuals to be reviewing officials pursuant to the requirements of

§ 37.23(b)(2) of this chapter.

(6) Review Procedures. Review procedures shall be established in Language was revised to align with the appropriate accordance with § 73.56(l) 37.23(f) of this partchapter, to include requirements under § 37.23(f). This language provisions for the notification in writing of individuals who are denied addresses the licensees requirement to establish, unescorted access or who are unfavorably terminated. implement, and maintain review procedures for personnel who were denied unescorted access or unfavorably terminated.

(7) Protection of Information. ALicensees, applicants, contractors, Language was revised to align with the appropriate or vendors shall establish and maintain a system of files and requirements under § 37.31. Revised language procedures shall be established and maintained in accordance with encompassed the roles and responsibility for licensee,

§ 73.56(m) 37.31 of this partchapter, to ensure personal information applicant, and if applicable, the contractor/vendors to is not disclosed to unauthorized persons. establish, implement, and maintain a system of files and records to ensure personal information is not disclosed to unauthorized persons.

(8) AuditsAccess Authorization Reviews and corrective action. Language was revised to align with the requirements of ProceduresLicensees and applicants shall develop, implement, and § 37.33. Each licensee shall ensure that access maintain procedures for useconduct of auditsaccess authorization authorization programs are reviewed to confirm reviews and corrective actions shall be established in accordance compliance with the requirements of this section and with § 73.56(n) 37.33 of this partchapter to ensure the continuing that comprehensive actions are taken to correct any effectiveness of the access authorization program and to ensure noncompliance that is identified. The review program that the access authorization program and program elements are in shall evaluate all program performance objectives and compliance with the requirements of this section. Each licensee requirements. Each licensee shall periodically (at least and applicant shall be responsible for the continuing effectiveness annually) review the access program content and of the access authorization program, including access authorization implementation.

program elements that are provided by the contractors or vendors, and the access authorization programs of any of the contractors or vendors that are accepted by the licensee or applicant.

(9) Records. Records Licensees, applicants, and contractors or Revised language to provide clarity and the expectation vendors shall document the processes and procedures for for record retention. Licensees, applicants, and maintaining records used or created to establish an individuals contractors or vendors shall maintain the records that trustworthiness and reliability or to document access determination are required by the regulations in this section for the must be maintained in accordance with § 73.56(o) of this part. period specified by the appropriate regulation. If a determinations. Licensees, applicants, and contractor or vendors retention period is not otherwise specified, these shall: records must be retained until the Commission terminates the facility's license, certificate, or other (1) retain documentation regarding the trustworthiness and regulatory approval.

reliability of individual employees for 3 years from the date the individual no longer requires unescorted access. The revised text is consistent with § 37.23(h) for the record retention period of 3 years. This change (2) retain a copy of the current access authorization program reduces the 5-year retention period under § 73.56(o).

procedures as a record for 3 years after the procedure is no longer needed. If any portion of the procedure is superseded, retain the Moreover, a new requirement was added such that superseded material for 3 years after the record is superseded. records maintained in any database(s) must be available for NRC review. This is consistent with the (3) retain the list of persons approved for unescorted access for 3 requirements found under § 73.56(o)(6)(ii). This years after the list is superseded or replaced. Records maintained provides the NRC access to review records at the in any database(s) must be available for NRC review. Commissions request. The NRC currently uses this process to obtain information from licensees to vet against federal databases.