ML22152A224

DG-5044 Response to Public Comments on Draft Regulatory Guide (DG)-5044 Insider Mitigation Program Proposed Revision 1 of Regulatory Guide (RG) 5.77, Table
Issue date: 09/08/2022
From: Mark Resner, NRC/NSIR/DPCP/RSB
To: Resner M
Shared Package: ML16342B012
References: DG-5044, RG-5.077, Rev 1



Response to Public Comments on Draft Regulatory Guide (DG)-5044 Insider Mitigation Program Proposed Revision 1 of Regulatory Guide (RG) 5.77

On January 4, 2016, the NRC released Draft Regulatory Guide, DG-5044 (Proposed Revision 1 of RG 5.77) for a 60-day comment period to external stakeholders with a need-to-know. Since DG-5044 was Official Use Only - Security Related Information, the NRC did not make the document publicly available or publish a Federal Register Notice to open a public comment period. To facilitate stakeholder comment, the NRC staff provided DG-5044 to the Nuclear Energy Institute (NEI) for distribution to authorized industry stakeholders. In addition, Dr. Edwin Lyman of the Union of Concerned Scientists (UCS) visited the NRC headquarters office to review a copy of DG-5044 and to provide comments. Dr. Lyman has a clearance and provides perspectives on the security issues set forth in DG-5044 as an informed member of the public. The comment period ended on February 29, 2016. The NRC received 81 comments from NEI and 4 comments from UCS. On October 7, 2016, the NRC received 11 more comments from NEI and 4 more comments from UCS. The NRC has combined all comments and the NRC staff responses in the following table.

Comments were received from the following:

David R. Kline
Nuclear Energy Institute (NEI)
1201 F Street, NW Suite 1100
Washington, DC 20004
(ADAMS Accession Nos. ML16281A605 and ML16062A349)

Edwin Lyman, Director, Security
Union of Concerned Scientists (UCS)
ELyman@ucsusa.org
(Comments were provided at meetings with NRC staff)

For each comment received, the Specific Comments column presents the DG-5044 language referenced by the commenter, if applicable, along with the commenter's verbatim comment statement and any suggested revisions proposed by the commenter.

Table columns: Comment | DG-5044 Section | Specific Comments | NRC Comment Resolution

1. NEI

DG-5044 Section: A. Introduction, Applicable Rules and Regulations (Page 2)

Specific Comments:

DG-5044 language: Furthermore, 10 CFR 73.55(b)(9)(i) states that the IMP must monitor the initial and continuing trustworthiness and reliability of individuals granted or retaining unescorted access authorization to a protected or vital area, and implement defense-in-depth methodologies to minimize the potential for an insider to adversely affect, either directly or indirectly, the licensee's capability to prevent significant core damage and spent fuel sabotage.

NEI comment: The term unescorted access authorization (UAA) should be unescorted access as UAA represent the clearance for UA. The word retaining should be maintaining. The change represents consistency with the industry understanding of the use of the terms.

The commenter proposed the following edits: Furthermore, 10 CFR 73.55(b)(9)(i) states that the IMP must monitor the initial and continuing trustworthiness and reliability of individuals granted or retaining maintaining unescorted access authorization to a protected.

NRC Comment Resolution: The NRC disagrees with the comment. It appears that there may be confusion about the requirements of unescorted access authorization (UAA) and unescorted access (UA). UAA is the act of certifying by the licensee's reviewing official that the applicant's background investigative elements within the authorization process have been satisfactorily completed and all the required elements for granting unescorted access is certified prior to granting access to the protected area. The UAA determination is evaluated by a licensee reviewing official who then makes a favorable determination relative to the individual's trustworthiness, reliability, and fitness-for-duty. UA is granted to an individual only after satisfactorily completing all the regulatory requirements for UAA and the individual has completed plant access training; is subjected to a behavioral observation program; is placed in a random drug and alcohol testing program; and is provided the physical means to gain UA to the protected area. Accordingly, the NRC has made no change to DG-5044 based on this comment.

2. NEI

DG-5044 Section: A. Introduction, Applicable Rules and Regulations (Page 2)

Specific Comments:

DG-5044 language: 10 CFR Part 26, Fitness for Duty Programs, (Ref. 4), in part states, that fitness for duty programs must provide reasonable assurance that individuals are trustworthy and reliable as demonstrated by the avoidance of substance abuse; individuals are not under the influence of any substance, legal or illegal, or mentally or physically impaired from any cause, which in any way adversely affects their ability to safely and competently perform their duties; and the workplaces subject to Part 26 are free from the presence and effects of illegal drugs and alcohol, and provide reasonable measures for the early detection of individuals who are not fit to perform the duties that require them to be subject to the Fitness for Duty (FFD) program.

NEI comment: In the text the term illegal drugs is only one objective component of Part 26. The paragraph should be expanded to include the use of illegal drugs, the abuse of prescribed or over the counter medications, or the excessive, habitual use of alcohol.

The commenter proposed the following edits: ...subject to Part 26 are free from the presence and effects of illegal drugs and alcohol, the use of illegal drugs, the abuse of prescribed or over the counter medications, or the excessive, habitual use of alcohol and provide reasonable measures for...

NRC Comment Resolution: The NRC disagrees with the comment. The language contained in this paragraph has been taken from the regulation found under 10 CFR 26.23 (a)-(e) performance objectives and is appropriately applied in this paragraph. Therefore, the language suggested by the commentator is not necessary. Accordingly, the NRC has made no change to DG-5044 based on this comment.

3. NEI

DG-5044 Section: A. Introduction, Applicable Rules and Regulations (Page 2)

Specific Comments:

DG-5044 language: 10 CFR 50.82, Termination of license, paragraph (a)(1)(i), requires that when a licensee has determined to permanently cease operations the licensee shall, within 30 days, submit a written certification to the NRC, consistent with the requirements of § 50.4(b)(8).

NEI comment: The industry believes that decommissioning should be discussed ins [sic] a separate decommissioning document. Delete

NRC Comment Resolution: The NRC agrees with the comment to delete the reference to 10 CFR 50.82, Termination of license. However, the NRC disagrees that DG-5044 should not include guidance on insider mitigation programs during decommissioning.

The NRC did publish in the Federal Register on March 3, 2022, a proposed rule titled, Regulatory Improvements for Production and Utilization Facilities Transitioning to Decommissioning (87 FR 12254). The proposed rule is seeking to amend NRC regulations principally related to the decommissioning of nuclear power reactors. As part of this proposed rule, the staff proposes changes to correct inconsistencies in the 10 CFR Part 26 Fitness for Duty (FFD) program requirements and to clarify FFD program provisions pertaining to a licensee's insider mitigation program under 10 CFR 73.55(b)(9).

The March 7, 2018, SECY-18-0055 described the relationship of this decommissioning rulemaking to several guidance documents, one of which was RG 5.77 (ADAMS Accession No. ML18012A021).

Enclosure 3 to SECY-18-0055 stated that "The NRC staff will ensure that RG 5.77 is revised if necessary to be consistent with the final rule." (ML18012A228)

4. NEI

DG-5044 Section: A. Introduction, Related Guidance, 2nd Bullet (Page 2)

Specific Comments:

DG-5044 language: Regulatory Guide (RG) 5.69, Guidance for the Application of the Radiological Sabotage Design-Basis Threat in the Design, Development, and Implementation of a Physical Security Program that meets 10 CFR 73.55 Requirements, (SGI) (Ref. 6), provides a description of and guidance for mitigating the active insider, and passive insider.

NEI comment: For consistency between documents ensure that active insider and passive insider are consistent with Regulatory Guide 5.62.

NRC Comment Resolution: The NRC agrees with this comment and has confirmed that the treatment of an active or passive insider in DG-5044 (RG 5.77) is consistent with the treatment of an active or passive insider in RG 5.69. The NRC believes that the commenter inadvertently referred to RG 5.62, Reporting of Physical Security Events, instead of RG 5.69, which addresses an active and passive insider. Accordingly, the NRC has made no change to DG-5044 based on this comment.

5. NEI

DG-5044 Section: B. Discussion, Reason for Revision, 2nd Paragraph (Page 5)

Specific Comments:

DG-5044 language: In addition, this revision provides licensees with guidance for continuing to meet requirements for an IMP following the licensee's determination to permanently cease operations and permanent removal of fuel from the reactor vessel in accordance with 10 CFR 50.82(a)(1)(i) and 10 CFR 50.82(a)(1)(ii), respectively.

NEI comment: The industry suggests removal of this section and to include the section within a separate decommissioning rule-making.

NRC Comment Resolution: The NRC disagrees with the comment to remove the reference to 10 CFR 50.82(a)(1)(i)-(ii). However, the NRC has revised DG-5044 to state:

In addition, this revision provides licensees with guidance for continuing to meet the requirements for an IMP following the licensee's determination to permanently cease operations and remove fuel from the reactor vessel in accordance with 10 CFR 50.82(a)(1).

The NRC response to Comment Number 3 also applies to this comment.

6. NEI

DG-5044 Section: C.1. General Requirements, 1st Paragraph, Last sentence (Page 7)

Specific Comments:

DG-5044 language: (OUO-SRI) Licensees should consider and be observant of subtle changes in an individual's behavior or actions over time and use appropriate IMP elements (e.g., the behavioral observation program) to assess and mitigate potential adverse acts by insiders.

NEI comment: In this section the licensee's BOP is required to also take action due to an individual's behavior that can change quickly so the last sentence should be improved upon to address both, not just behavior that can happen overtime. The last sentence is in need of a period at the end of the sentence.

The commenter proposed the following edits: Licensees should consider and be aware of typical conditions which trigger behavioral anomalies such as being observant of subtle changes in an individual's behavior or actions over time or recognition that changes in emotional state can happen quickly and use appropriate IMP elements (e.g., the behavioral observation program)

NRC Comment Resolution: The NRC agrees with the intent of the comment but has not accepted the specific revisions suggested by the commenter. Instead, the NRC has revised DG-5044 to state:

Licensees should consider and be observant of subtle changes in an individual's behavior or actions over time and use appropriate IMP elements (e.g., the behavioral observation program) to assess not only the individual's trustworthiness and reliability but to gain insights into his or her character and reputation (10 CFR 73.56(d)(6)) to aid in the licensee reviewing official's access authorization assessment and perhaps prevent the individual from executing subversive acts.

The revision provides alignment under the character and reputation requirements of 10 CFR 73.56(d)(6) to include the typical conditions that may trigger behavioral anomalies that are required to be reported under behavioral observation.

This section in DG-5044 provides a high-level discussion of the general requirements for an insider mitigation program. Specific attributes of behavior observation characteristics are provided in Section 4, Behavior Observation Training, of DG-5044.

The Official Use Only-Security Related Information (OUO-SRI) portion marking in this section, as well as the markings appearing throughout DG-5044, have been removed by the NRC staff in the Office of Nuclear Security and Incident Response consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SRM-SECY-17-0095, Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program, dated July 14, 2021 (Agencywide Documents Access and Management System (ADAMS) Accession No. ML21195A356). The staff critically examined the designation of all information in DG-5044 and determined that it should not be designated as OUO-SRI. DG-5044 will now be available for public release.

7. NEI

DG-5044 Section: C.1. General Requirements, 2nd Paragraph, 2nd Sentence (Page 7)

Specific Comments:

DG-5044 language: As set forth in 10 CFR 73.55(b)(9)(i), nuclear power reactor licensees are required to establish, maintain, and implement an IMP to monitor the initial and continuing trustworthiness and reliability of individuals granted unescorted access or unescorted access authorization, or retaining unescorted access or unescorted access authorization to a protected or vital area. The IMP must implement defense-in-depth methodologies to minimize the potential for an insider to adversely affect, either directly or indirectly, a licensee's capability to prevent significant core damage or spent fuel sabotage.

NEI comment: The text discusses individuals granted unescorted access or unescorted access authorization, or retaining unescorted access or unescorted access authorization to a protected or vital area. Consideration should be given to a more consistent use of the terms unescorted access authorization and unescorted access and maintaining (retaining) of each. The suggested change text if [sic] provided for consideration.

The commenter also proposed the following edits: an IMP to monitor the initial and continuing trustworthiness and reliability of individuals granted unescorted access or unescorted access authorization, or retaining unescorted access granted unescorted access or maintaining unescorted access authorization to a

NRC Comment Resolution: The NRC disagrees with the comment. 10 CFR 73.55(b)(9)(i) states in part, "The insider mitigation program must monitor the initial and continuing trustworthiness and reliability of individuals granted or retaining unescorted access authorization to a protected or vital area." Therefore, the language in DG-5044 more closely aligns with the regulation under 10 CFR 73.55(b)(9)(i) than does the comment's proposed revision. Furthermore, the requirements found under 10 CFR 73.55(b)(9)(i) take into consideration the requirements for the granting of unescorted access or maintaining unescorted access authorization as part of the performance requirement to monitor the continuing trustworthiness and reliability of individuals granted or retaining unescorted access authorization. Accordingly, the NRC has made no change to DG-5044 based on this comment.

8. NEI

DG-5044 Section: C.1 General Requirements, 3rd Paragraph (Page 7)

Specific Comments:

NEI comment: This paragraph describes that an important focus for an IMP program is the implementation of measures that control personnel access to digital computer, communication systems, and computer networks.

Concern: The scope of digital computer and communications systems and networks included within the scope of the cyber security rule exceeds the set of systems and equipment within a nuclear power plant that, if subject to action by an internal threat, would be inimical to the common defense and security, or the public health and safety. For example, there are CDAs (e.g., EP EOF, certain security telecommunications) that IT supports who do not have unescorted access and are not under the standard IMP for Nuclear Badged employees. Additionally, in 2010, the scope of the term important to safety as used in the cyber security rule was expanded to include SSCs in the balance-of-plant that were not within the scope of the cyber rule when it was promulgated. The protection measures of Cyber Security Plans are implemented to provide high assurance that CDAs outside the protected area will not pose a threat to the safety and security of the plant (Refer to 1.1 pg. 8)

Recommendation: The RG should provide, as discussed more fully elsewhere in these comments, a graded approach to the implementation of the IMP. The suggested wording provides flexibility to support a graded approach.

The commenter proposed the following edits: vital areas, and accessible target set locations in addition to digital computer, communication systems, and computer networks that, if compromised by a cyber attack, would be inimical to the common defense and security, or the public health and safety. associated with: safety related and important to safety functions; security functions; emergency preparedness functions, including off site communications; and, support systems and equipment that, if compromised, would adversely impact safety, security, or emergency preparedness functions.

NRC Comment Resolution: The NRC disagrees with the comment. The insider mitigation program (IMP) is required by 10 CFR 73.55(9). Consistent with 10 CFR 73.55(b)(9)(i), the IMP must monitor the initial and continuing trustworthiness and reliability of individuals granted unescorted access and unescorted access authorization. As stated, the foundation of the insider mitigation program is to ensure that licensees implement defense-in-depth methodologies to minimize the potential for an insider to adversely affect, either directly or indirectly, the licensee's capability to prevent significant core damage and spent fuel sabotage.

Consistent with 10 CFR 73.55(b)(9)(ii), the IMP must contain elements from the cyber security program described in 10 CFR 73.54. The NRC's cyber security rule specifically requires the protection of those digital computer and communication systems associated with safety-related and important to safety-functions, security functions, or emergency preparedness functions, and support systems that if compromised would adversely impact these functions. Therefore, the NRC has determined that it is appropriate to reference these functions in this guidance. Accordingly, the NRC has made no change to DG-5044 based on this comment.

9. NEI

DG-5044 Section: C.1 General Requirements, 3rd Paragraph, 1st Sentence (Page 8)

Specific Comments:

DG-5044 language: Licensees should perform an analysis of their programs and industry or other insider related events to ensure that their policies, actions, and measures provide a level of protection that meets the IMP requirements.

NEI comment: The industry needs a trigger point from which it can depend upon reliable information. It would seem that substantiated fact-based events self-contained within Information Notices (IN), Regulatory information summaries (RIS) or other official accounts of the events.

The commenter proposed the following edits: Licensees should perform an analysis of their programs and industry or other insider-related events as detailed within NRC Information Notices, Regulatory Information Summaries or other official accounts of the events into ensure that their policies, actions, and measures provide a level of protection that meets the IMP requirements.

NRC Comment Resolution: The NRC disagrees with the comment. A licensee's assessment and maintenance of its insider mitigation program cannot be limited to NRC Information Notices and Regulatory Information Summaries. Licensees, through access to the daily flow of public information related to terrorist activities, some of which has been perpetrated by an insider, or through information obtained by a licensee or information shared within the industry, may be presented with opportunities that could rise to the level of consideration for assessment and analysis resulting in programmatic improvement in the licensee's insider mitigation program. Accordingly, the NRC has made no change to DG-5044 based on this comment.

10. NEI

DG-5044 Section: C.1 General Requirements, 3rd Paragraph, 2nd Sentence (Page 8)

Specific Comments:

DG-5044 language: Licensee management, acting as or through a designated reviewing official, may grant, deny, suspend, withhold, revoke, or terminate unescorted access authorization or unescorted access; determine what level of access, if any, an individual will have; and, make all final decisions regarding unescorted access to its facilities in accordance with 10 CFR 73.56, integrated with the performance requirements of 10 CFR 73.57, Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to safeguards information, and the escorted access requirements mandated in 10 CFR 73.55(g)(7).

NEI comment: The sentence should be simplified to specify the licensee's reviewing official as required by regulation. The sentence seems to specify that the licensee management grants, denies, suspends, withholds, revokes, or terminates unescorted access authorization or unescorted access.

The commenter proposed the following edits: The licensee's reviewing official, may grant, deny, suspend, withhold, revoke, or terminate unescorted access authorization or unescorted

NRC Comment Resolution: The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has revised DG-5044 to state:

The licensee's, or applicant's, reviewing official may grant, deny, suspend, withhold, revoke, or terminate unescorted access or unescorted access authorization; determine what level of access, if any, an individual will have; and make all final decisions on unescorted access to its facilities in accordance with 10 CFR 73.56. These requirements are implemented with those of 10 CFR 73.57, Requirements for criminal history records checks of individuals granted unescorted access to a nuclear power facility, a non-power reactor, or access to safeguards information, and the escorted access requirements mandated in 10 CFR 73.55(g)(7).

11. NEI

DG-5044 Section: C.1 General Requirements, 3rd Paragraph, 3rd Sentence (Page 8)

Specific Comments:

DG-5044 language: Licensees should not allow an individual who demonstrates questionable behavior to retain unescorted access.

NEI comment: The term questionable behavior should be change [sic] to aberrant behavior a term already defined in the licensee's programs.

The commenter proposed the following edit: Licensees should not allow an individual who demonstrates aberrant behavior to retain unescorted access.

NRC Comment Resolution: The NRC does not agree with the commenter's suggested use of the term aberrant behavior. The Cambridge Dictionary definition of aberrant is: different from what is typical or usual, especially in an unacceptable way. The word aberrant does not take into consideration behaviors that can be associated with acts that rise to the level of unusual or uncommon (e.g., unusual interest in, or predisposition toward security activities, or behaviors that would arouse suspicions in a reasonable person).

The term questionable behavior has a different meaning. It more correctly describes the broader perspective conveyed in the guidance in DG-5044. This would include behavior that may be a potential threat in the nuclear power plant such as personnel under the influence of drugs or alcohol where the NRC has maintained a drug free work environment under 10 CFR Part 26. Such behavior would be questionable but may not meet the definition of aberrant behavior.

Accordingly, the NRC has made no change to DG-5044 based on this comment.

12. NEI

DG-5044 Section: C.1 General Requirements, 3rd Paragraph, 4th Sentence (Page 8)

Specific Comments:

DG-5044 language: This degrades the licensee's ability to prevent adverse acts.

NEI comment: The industry recommends a change in the sentence to more clearly define the impact.

The commenter proposed the following edits: This degrades the licensee programs preventative measures to provide high assurance that an individual's behavior does not constitute an unreasonable risk to public health and safety, including the potential to commit radiological sabotage.

NRC Comment Resolution: The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has revised DG-5044 to state:

Licensees should not allow an individual who demonstrates questionable behavior (as discussed in 10 CFR Part 26 and 10 CFR 73.56) to retain unescorted access because doing so degrades the licensee's ability to prevent adverse acts.

The high assurance [1] standard is addressed in DG-5044 in response to Comment Number 15.

[1] In Staff Requirements Memorandum (SRM) SRM-SECY-16-0073, Options and Recommendations for the Force-on-Force Inspection Program in Response to SRM-SECY-14-0088, the Commission stated that the concept of high assurance of adequate protection found in our security regulations is equivalent to reasonable assurance when it comes to determining what level of regulation is appropriate. (ADAMS Accession No. ML16279A345).

13. NEI

DG-5044 Section: C.1 General Requirements, 4th Paragraph (Pages 7-8)

Specific Comments:

DG-5044 language: As described in 10 CFR 73.56(a), a licensee is required to establish, implement, and maintain an AA program, as a part of its physical security plan, for granting unescorted access to protected and vital areas of a nuclear power plant. This program's objective is to provide high assurance that individuals granted unescorted access are trustworthy and reliable and do not constitute an unreasonable risk to public health and safety, including the potential to commit radiological sabotage.

NEI comment: This is a repeat statement and not required. Delete.

NRC Comment Resolution: The NRC disagrees with this comment. The location of the sentence ensures that licensees and applicants are provided with guidance on the source requirements for the insider mitigation program. Accordingly, the NRC has made no change to DG-5044 based on this comment.

14. NEI

DG-5044 Section: C.1 General Requirements, 2nd Paragraph (Page 8)

Specific Comments:

DG-5044 language: As described in 10 CFR 73.56(f), Behavioral observation, 10 CFR 73.56(g), Self-reporting legal actions, 10 CFR 73.56(i), Maintaining unescorted access or unescorted access authorization, and 10 CFR 73.56(j), Access to vital areas, in conjunction with IMP program requirements, licensees are required to ensure, following their initial determination of unescorted access or access authorization, continued trustworthiness and reliability of those with unescorted access to a facility, as well as to maximize opportunities to identify insider activity. Efforts undertaken to ensure the continued trustworthiness and reliability of individuals granted unescorted access also supports the IMP.

NEI comment: Delete or access authorization.

NRC Comment Resolution: The NRC agrees with the comment and has revised DG-5044 accordingly. In addition, the NRC has revised this paragraph to improve readability by removing the section titles associated with each regulatory requirement. The NRC also removed the sentence "Efforts undertaken to ensure the continued trustworthiness and reliability of individuals granted unescorted access also supports the IMP."

The paragraph states:

As described in 10 CFR 73.56(f), (g), (i), and (j), in conjunction with the IMP requirements, licensees must ensure, following their initial determination of unescorted access, continued trustworthiness and reliability of those individuals with unescorted access to a facility, as well as maximize opportunities to identify insider activity.

15. NEI

DG-5044 Section: C.1.1, 1st sentence (Page 8)

Specific Comments:

DG-5044 language: (OUO-SRI) Licensees are required to implement the requirements contained in 10 CFR 73.54, in conjunction with 10 CFR 73.55(b)(9) and 10 CFR Part 26, to provide high assurance that a person with access to digital computer and communications systems and networks from outside the protected area will not pose a significant threat to the safety and security of a nuclear power plant.

NEI comment: Reference to the licensee Cyber Security Plan as a key document is appropriate. 10 CFR 26 only requires reasonable assurance.

The commenter proposed the following edits: (OUO-SRI) Licensees are required to implement the requirements contained in 10 CFR 73.54 within a licensee cyber security plan, in conjunction with 10 CFR 73.55(b)(9) and 10 CFR Part 26, to provide high assurance along with 10 CFR 26 that a person with access to digital computer and communications systems and networks from outside the protected area will not pose a significant threat to the safety and security of a nuclear power plant.

NRC Comment Resolution: The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has revised DG-5044 to state:

Licensees must implement the required elements of their cyber security plans as they address the requirements in 10 CFR 73.54, 10 CFR 73.55(b)(9), and 10 CFR Part 26, to provide high assurance that a person with access to digital computer and communications systems and networks from outside the protected area will not pose a significant threat to the safety and security of a nuclear power plant.

Based on administrative renumbering, this revision now appears under Section C.1 as the last paragraph on page 8 of DG-5044.

Licensees are required to provide high assurance that a person with access to digital computer and communications systems and networks from outside the protected area will not pose a significant threat to the safety and security of a nuclear power plant. The high assurance requirement found in 10 CFR 73.54 is supported in part, by licensees implementing associated requirements in 10 CFR 73.55(b)(9) and 10 CFR Part 26. In SRM-SECY-16-0073, Options and Recommendations for the Force-on-Force Inspection Program in Response to SRM-SECY-14-0088, the Commission stated that the concept of high assurance of adequate protection found in our security regulations is equivalent to reasonable assurance when it comes to determining what level of regulation is appropriate (ADAMS Accession No. ML16279A345). Accordingly, the NRC has added a footnote to the term high assurance, as it appears in the Applicable Rules and Regulations section of DG-5044 for the discussion of 10 CFR 73.54, that reflects the SRM-SECY-14-0088 information.

The NRC staff also removed the (OUO-SRI) portion marking from this paragraph, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SRM-SECY-17-0095, Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program, dated July 14, 2021 (ML21195A356).

16. NEI

DG-5044 Section: C.1.1, 4th Paragraph, Last sentence (Page 8)

Specific Comments:

DG-5044 language: The potential for significant harm demonstrates the need for an IMP that ensures the trustworthiness and reliability of specific individuals working at, for, or supporting nuclear power plant operations.

NEI comment: The paragraph relies upon the trustworthiness and reliability of individuals to mitigate acts of wrongdoing or overt acts of tampering are particularly serious matters because of the potential adverse impact to the safety and security of the nuclear power plant that could adversely affect the protection of the public health and safety and the common defense and security. It would appear that the text acknowledges that the IMP mitigates some cyber activities. If this is true then the sentence is not needed. Delete sentence.

NRC Comment Resolution: The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. The potential for significant harm from malicious and willful tampering of sensitive safety- and security-related equipment demonstrates the need for an insider mitigation program that ensures the trustworthiness and reliability of specific individuals working at, for, or supporting nuclear power plant operations. The NRC has instead revised the sentence to state:

Mitigation of opportunities for insider tampering is particularly important because an insider may know how to manipulate various systems in ways that are difficult to detect. Any acts of wrongdoing or tampering are particularly serious matters because of the potential adverse impact on nuclear power plant safety and security that could adversely affect the protection of public health and safety and the common defense and security.

Based on administrative renumbering, the revised sentence now appears under Section C.1 as the first paragraph on page 9.

17. NEI; DG-5044 Section C.1.2, 1st paragraph (pages 8-9)

DG-5044 language:
"It is important to recognize that the IMP program alone does not address all cyber threats and attack vectors. As a result, the IMP alone does not take the place of other cyber security requirements and controls used to mitigate cyber attack vectors and pathways that pose a threat to equipment."

NEI comment:
Paragraph not portion marked. Mark paragraph as (OUO-SRI).

The IMP should be provided credit for mitigating insider cyber threats and attack vectors. It does not impact outside cyber security threats and attack vectors. Differentiate between the two threats.

The commenter proposed the following edits:
"(OUO-SRI) It is important to recognize that the IMP program alone does not address all cyber threats and attack vectors. As a result, the IMP alone does not take the place of other cyber security requirements and controls used to mitigate outside cyber attack vectors and pathways that pose a threat to equipment."

NRC comment resolution:
The NRC agrees with the commenter's request to revise the phrase "mitigate cyber attack vectors" to "mitigate outside cyber attack vectors." An insider mitigation program (IMP) alone does not address all cyber threats and attack vectors. As a result, the IMP cannot take the place of other cyber security requirements and controls used to mitigate outside cyber-attack vectors and pathways that pose a threat to equipment.

The NRC disagrees with the commenter's request to portion mark Section C.1.2 as OUO-SRI. Consistent with the Commission direction in the Staff Requirements Memorandum (SRM)-SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356), the NRC staff has critically examined the designation of the document and determined that it should not be designated as Official Use Only-Security Related Information.

Based on administrative renumbering, the revision now appears under Section C.1 as the second paragraph on page 9 of DG-5044.

18. NEI; DG-5044 Section C.1.2, 1st paragraph (pages 8-9)

DG-5044 language:
"It is important to recognize that the IMP program alone does not address all cyber threats and attack vectors. As a result, the IMP alone does not take the place of other cyber security requirements and controls used to mitigate cyber attack vectors and pathways that pose a threat to equipment."

NEI comment:
This paragraph states that the IMP does not address all cyber threats and attack vectors.

Concern:
This paragraph implies that IMPs do not effectively mitigate the internal cyber threat. The result could be an interpretation that the implementation of cyber security controls within a protected or vital area must be sufficiently robust as to withstand the determined effort of an insider as though no IMP were in place. However, the Purpose section of DG-5044 states, "This regulatory guide describes an approach that the staff of the U.S. Nuclear Regulatory Commission (NRC) considers acceptable for an insider mitigation program (IMP) for nuclear power reactors that contain protected or vital areas as required by Title 10 of the Code of Federal Regulations (10 CFR) 73.55(b)(9)(i)."

Recommendation:
The paragraph should be amended, as recommended in the suggested wording, to clarify that the IMP mitigates the internal cyber security threat.

The commenter proposed to add a new third sentence to the first paragraph of Section C.1.2 that states: "The IMP mitigates the internal threat, including the internal cyber threat."

NRC comment resolution:
The NRC disagrees with the comment. Section C.1.2 makes two statements: 1) that the insider mitigation program (IMP) alone does not address all cyber-attack vectors, and 2) the IMP does not take the place of cyber security requirements and controls. The proposed amendment incorrectly states that the IMP alone mitigates the internal cyber threat. The IMP assists in the mitigation of the cyber threat, just as it does in the physical protection program, consistent with the licensee's implementation of the IMP program. Licensees must implement cyber security policies, practices, and controls to ensure that critical digital assets (CDAs) are adequately protected, as required by 10 CFR 73.54. These policies, practices and controls may not specifically be a part of a licensee's IMP. Therefore, it is not accurate to say that the IMP itself mitigates the internal cyber threat. Accordingly, the NRC has made no change to DG-5044 based on this comment.

19. NEI; DG-5044 Section C.1.2, 1st paragraph, 4th sentence (page 9)

DG-5044 language:
"An example of this coordination is found in the need for security and human resources personnel to work closely with employee assistance program (EAP) personnel, an element of the FFD program described in 10 CFR Part 26, to ensure that individuals demonstrating any potential to harm themselves or others are reported to appropriate security personnel for evaluation as a potential insider threat, without creating the perception that seeking help via the EAP will result in adverse action."

NEI comment:
The terms "security and human resources" should be replaced with the term "access authorization," which is the organization tasked to work with EAP and others to ensure that individuals demonstrating any potential to harm themselves or others are reported to appropriate security personnel for evaluation as a potential insider threat, without creating the perception that seeking help via the EAP will result in adverse action.

The commenter proposed the following edits:
"An example of this coordination is found in the need for access authorization personnel to work closely with employee assistance program (EAP) personnel, an element of the FFD program described in 10 CFR Part 26"

NRC comment resolution:
The NRC agrees with this comment and has revised DG-5044 accordingly. In addition, the NRC has made minor clarifying revisions. The revised sentence states:

"For example, access authorization personnel should work closely with employee assistance program (EAP) personnel, an element of the FFD program described in 10 CFR Part 26, to ensure that individuals demonstrating any potential to harm themselves or others are reported to appropriate security personnel for evaluation as a potential insider threat, without creating the perception that seeking help through the EAP will result in adverse action."

Based on administrative renumbering, the revised text now appears in the fourth paragraph of Section C.1 on page 9.

20. NEI; DG-5044 Section C.1.2, 1st paragraph, 4th sentence (page 9)

DG-5044 language:
"An example of this coordination is found in the need for security and human resources personnel to work closely with employee assistance program (EAP) personnel, an element of the FFD program described in 10 CFR Part 26, to ensure that individuals demonstrating any potential to harm themselves or others are reported to appropriate security personnel for evaluation as a potential insider threat, without creating the perception that seeking help via the EAP will result in adverse action."

NEI comment:
The term "human resources" has specific meaning within licensee organizations. Within many licensee organizations the human resources personnel are not involved. A more generalized term. In addition the term "Security" should be changed to "Access Authorization."

The commenter proposed the following edits:
"An example of this coordination is found in the need for security access authorization and organizations providing support personnel to work closely with employee assistance program (e.g.,
employee assistance program (EAP) personnel, an element of to the FFD program described in 10 CFR Part 26, to ensure that individuals"

NRC comment resolution:
The NRC addressed the commenter's request to replace "security and human resources personnel" under Comment Number 19.

The NRC disagrees with the commenter's request to delete the phrase "personnel to work closely with employee assistance program." The EAP is required under 10 CFR 26.35(c) to report to the FFD program management if they determine that an individual poses a threat to others or themselves. A licensee's EAP may also wish to inform appropriate security personnel to help ensure adequate protection of other individuals, the facility, and the individual employee. Accordingly, the NRC has made no change to DG-5044 based on this comment.

21. NEI; DG-5044 Section C.1.2, 1st paragraph, last sentence (page 9)

DG-5044 language:
"In addition, licensee personnel should be able to recognize and report behaviors adverse to the safe operation and security of the facility, including unusual interest in security practices, security procedures, or involvement in security or operational activities outside an employee's normal work scope."

NEI comment:
Later in the document, Section 4, DG-5044 characterizes behaviors such as "recognize and report behaviors adverse to the safe operation and security of the facility, including unusual interest in security practices, security procedures, or involvement in security or operational activities outside an employee's normal work scope" as OUO-SRI. It is suggested that this paragraph be marked OUO-SRI, the sentence be removed, or the sentence be made a separate paragraph and marked OUO-SRI.

NRC comment resolution:
The NRC disagrees with the comment. The NRC has not deleted the sentence because it emphasizes the need for licensee personnel to recognize and report behaviors adverse to the safe operation and security of the facility. Having licensee personnel capable of recognizing and reporting such behavior is an essential component of an effective insider mitigation program.

The NRC does not agree that this sentence should be marked as OUO-SRI or made a separate paragraph and marked OUO-SRI. Consistent with the Commission direction in Staff Requirements Memorandum (SRM)-SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356), the NRC staff has removed all OUO-SRI portion markings from DG-5044. Accordingly, the NRC has made no change to DG-5044 based on this comment.

22. NEI; DG-5044 Section C.2, Applicability (page 9)

DG-5044 language:
"The IMP is applicable to individuals assigned to provide defense-in-depth against identified threats or individuals. At a minimum, to mitigate the potential for an insider to be successful, and as directed by the DBT Order, EA-03-086, an IMP must consist of the following elements for all personnel with unescorted access to the protected and vital areas of a facility, or those who have been certified for unescorted access authorization: (1) a security determination (certification or unescorted access); (2) initial and random substance abuse testing; (3) psychological assessments, which may include a medical evaluation; (4) review by the immediate supervisor at least annually; and, (5) a security determination conducted by the reviewing official at the conclusion of the periodic reinvestigation. For additional guidance, see RG 5.66, Access Authorization Program for Nuclear Power Plants."

NEI comment:
In a letter dated April 5, 2004, from Roy Zimmerman (NRC) to Steven Floyd (NEI), the NRC specified that the Insider Mitigation program components were as follows:

  • Trained to recognize tampering
  • Procedures to react
  • Capture events in CAP and

The difference with the previous IMP's elements should be explained. The industry desires clarification on the specifics of the Insider Mitigation Program elements as compared to the 2004 letter.

NRC comment resolution:
The NRC disagrees with the comment. The referenced letter provided implementation standards for the insider mitigation program (IMP) pending the initial issuance of RG 5.77. On April 29, 2003, the NRC issued NRC Order EA-03-086, "Requiring Compliance with Revised Design Basis Threat (DBT)." Order EA-03-086 set forth the minimum elements that a licensee's IMP must implement. A licensee may implement other elements, such as those described in the April 5, 2004, letter referenced by the commenter, to increase the effectiveness of its IMP. However, the objective of the April 5, 2004, letter was to help licensees develop standard Security Plans to achieve consistent, industry-wide implementation of the IMP requirements in the February 25, 2002, January 7, 2003, and April 29, 2003, Orders. The commenter's references to previous IMP elements found in the letter and the differences in IMP elements is an inaccurate statement. The requirements in the DBT Orders are the minimum requirements for a licensee IMP and still remain in place today.

Accordingly, the NRC has made no change to DG-5044 based on this comment.

23. NEI; DG-5044 Section C.2.1, General Applicability, 1st sentence (page 9)

DG-5044 language:
"The IMP applies to all persons who are granted and/or maintain unescorted access or unescorted access authorization to an NRC licensed power reactor facility."

NEI comment:
For consistency with other documents a change in the ordering of the first sentence is suggested.

The commenter proposed the following edits:
"...The IMP applies to all persons who are certified unescorted access authorization and/or granted and/or maintain unescorted access authorization/access at an NRC-licensed power reactor facility."

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. The NRC does not understand what the commenter means by stating, "For consistency with other documents a change in the ordering of the first sentence is suggested." However, the NRC did revise DG-5044 to state:

"The IMP applies to all persons who are granted or retain unescorted access authorization to a protected or vital area."

Based on administrative renumbering, the revised sentence now appears under the General Applicability subheading in Section C.2.

24. NEI; DG-5044 Section C.2.1, General Applicability, 2nd sentence (page 9)

DG-5044 language:
"Licensees should evaluate whether to include personnel assisting with unescorted access determinations, such as FFD program personnel and certain persons who have duties and responsibilities in the Emergency Operations Facility (EOF), as described in Section 2.3 below"

NEI comment:
It is suggested that the paragraph be broadened and shortened. Combine the FFD Program personnel and personnel that respond to the EOF, etc., into "other personnel at the licensee's discretion."

The commenter proposed the following edits:
"Licensees should evaluate whether to include personnel assisting with unescorted access determinations, such as FFD program personnel and certain persons who have duties and responsibilities in the Emergency Operations Facility (EOF), as described in Section 2.3 below other personnel, at the licensee's discretion."

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has revised DG-5044 to state:

"Licensees should evaluate whether to include personnel assisting with unescorted access determinations, such as FFD program personnel and certain persons who have duties and responsibilities in the Emergency Operations Facility, as described in Section C.2.2.3 of this RG. Insiders may occupy any position within a licensee's organization, and the IMP applies to all personnel that are in an unescorted access status or are certified for unescorted access authorization. Persons in the critical group are considered to present a greater risk as an insider threat because of their knowledge of the plant, access to vital plant equipment, access to drug and alcohol records, and authorization determinations, or because they are in possession of weapons inside the protected area of a licensed facility."

Based on administrative renumbering, this revised text now appears under the General Applicability subheading in Section C.2, Applicability.

25. NEI; DG-5044 Section C.2.2, The Critical Group, 1st paragraph, last sentence (page 10)

DG-5044 language:
"As described in 10 CFR 73.56(i)(1)(v)(B), the trustworthiness and reliability determination for any individual in the critical group must be re-established within 3 years of the date on which that determination was last made, or more frequently, based on factors determined by the licensee or applicant. At a minimum, as described in 10 CFR 73.56(i)(1)(v)(B), the current determination shall be based on a criminal history update, credit history reinvestigation, and a psychological reassessment within 3 years of the date on which these elements were last completed."

NEI comment:
The last sentence includes the psychological assess [sic] for a critical group member to be on a 3 year cycle. 10 CFR 73.56(i)(1)(v)(B), Maintaining unescorted access or unescorted access authorization, states:

"(B) For individuals who perform one or more of the job functions described in this paragraph, the trustworthiness and reliability determination must be based on a criminal history update and credit history reevaluation within three years of the date on which these elements were last completed, or more frequently, based on job assignment as determined by the licensee or applicant, and a psychological re-assessment within 5 years of the date on which this element was last completed."

Revise the last sentence to reflect a 5-year psychological re-assessment periodicity.

The commenter proposed the following edits:
"At a minimum, as described in 10 CFR 73.56(i)(1)(v)(B), the current determination shall be based on a criminal history update, credit history reinvestigation within 3 years of the date on which these elements were last completed, and a psychological reassessment within 5 years of the date the last psychological assessment was completed."

NRC comment resolution:
The NRC agrees with the comment and has amended DG-5044, with minor modification, to state:

"At a minimum, as described in 10 CFR 73.56(i)(1)(v)(B), the current determination shall be based on a criminal history update and credit history reinvestigation within 3 years of the date on which these elements were last completed and a psychological reassessment within 5 years of the date the last psychological assessment was completed."

Based on administrative renumbering, the amended text now appears in the second paragraph of Section C.2.1.

26. NEI; DG-5044 Section C.2.2, The Critical Group, paragraph (5) (page 10)

DG-5044 language:
"(5) (U) Individuals who have access to, extensive knowledge of, or administrative control over plant digital computer and communication systems and networks, as identified in 10 CFR 73.54, including:
a) (U) plant network systems administrators,
b) (U) IT personnel who are responsible for securing plant networks."

NEI comment:
Paragraph (5) describes those individuals that should be included within the critical group for cyber security.

Concern:
The application of the IMP requirements for the critical group to cyber security has been challenging for the industry. The wording in 10 CFR 73.56(i)(1)(v)(B)(4) has been interpreted as:

1) Applying to ALL individuals having EITHER access OR extensive knowledge OR administrative control; and,

2) Applying to every digital asset identified in 10 CFR 73.54.

The industry developed SFAQ 10-05 to address concern (1), however, concern (2) has not been addressed, and should be in this revision to RG 5.77. The impact of concern (2) has been exacerbated by the large number of digital assets (CDAs) - including many located outside of a PA or VA, or CDAs associated with SSCs in the balance of plant that were added to the scope of the cyber security rule after it was issued.

NEI understands that many licensees have included very large numbers of individuals within the critical group - and given the nature of many of the digital assets - without a commensurate increase in safety or security.

Recommendation:
The suggested wording provides a minor reorganization to the language in DG-5044 to address the intent of SFAQ 10-05, and adds clarity for the scope of individuals should be those who pose a real risk to the safe operation of the plant. These changes address both industry concerns.

The definition should appear in the glossary and with the proposed revision:

"(5) (U) Individuals who have the combination of access to, and administrative control over, or and contain extensive knowledge of, plant digital computer and communication systems and networks, as identified in 10 CFR 73.54, associated with the safety related systems of the plant."

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter.

First, the NRC has moved all critical group activity descriptions under paragraph (5) of Section 2.2 to the Glossary in DG-5044. Other NRC responses cover these changes in detail (Comment Numbers 27, 28, 29, and 30).

Second, the NRC has added the following statement to Section 2.2: "Note: To further clarify 10 CFR 73.56(i)(1)(v)(B)(4), the term 'information technology (IT) personnel' has been further defined in the glossary and is consistent with Security Frequently Asked Question (SFAQ) 10-05, IT Functions for the Critical Group, dated April 4, 2010 (Ref. 15)." This revised content now appears under an administratively renumbered Section 2.1, The Critical Group.

Third, the NRC has revised Section 3.3, Cyber Security Elements, to state:

"Pursuant to 10 CFR 73.55(b)(9)(ii)(C), a licensee's IMP must contain elements from the cybersecurity program described in 10 CFR 73.54. As required by 10 CFR 73.54(a), a licensee's cybersecurity program must provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks, up to and including the design-basis threat as described in 10 CFR 73.1. RG 5.71 provides guidance on the implementation of the NRC's cybersecurity requirements and provides a framework for the identification of those digital assets that must be protected from cyberattacks.

One means of complying with the requirement to include cybersecurity elements in the IMP is to ensure that the applicable cybersecurity controls identified in RG 5.71 are applied to the digital computer and communication systems and networks routinely used by members of the critical group, particularly IT personnel. The glossary of this RG defines 'critical group' and 'information technology (IT) personnel' as the terms are used in 10 CFR 73.56(i)(1)(v)(B). These definitions are consistent with those given in SFAQ 10-05. By establishing, maintaining, and successfully integrating these security controls into a site-specific cybersecurity program and referencing these controls in the IMP, the licensee can provide assurance of an effective IMP."

27. NEI; DG-5044 Section C.2.2, The Critical Group, Note, (iv) and (v) (page 11)

DG-5044 language:
"iv. (U) Individuals assigned any duty to search for contraband (e.g., weapons, explosives, or incendiary devices).
v. (U) Individuals qualified for and assigned duties as: armed security officers, armed responders, alarm station operators, response team leaders, and armorers."

NEI comment:
Paragraphs (5)(iv) and (5)(v) should be numbered section 2.2 paragraphs (6) and (7), respectively.

2.2 (6) and 2.2 (7), respectively.

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revisions suggested by the commenter. The NRC agrees that renumbering (iv) and (v) would clarify that these activities do not apply to IT personnel, but the NRC has chosen alternative approaches to resolve this comment.

First, the content of (iv) already appears in the Glossary under the definition for "critical group," paragraph c. Therefore, the NRC has eliminated paragraph (5)(iv) from the revised Critical Group section of DG-5044, which has been administratively renumbered as Section C.2.1.

Second, all the classes of individuals identified in paragraph (5)(v) (i.e., armed security officers, armed responders, alarm station operators, response team leaders, and armorer) are captured within the scope of paragraph a in the Critical Group definition in the Glossary of DG-5044.

The relevant section of the definition states:

"a. has extensive knowledge of facility defensive strategies or designs and/or implements the plant's defense strategies."
28. NEI; DG-5044 Section C.2.2, The Critical Group, 2nd paragraph, (5) (page 10)

DG-5044 language:
"(U) Individuals who have access to, extensive knowledge of, or administrative control over plant digital computer and communication systems and networks, as identified in 10 CFR 73.54, including:"

NEI comment:
Note I, first paragraph:
"(U) an individual who has the combination of electronic access AND the administrative control (e.g., system administrator rights) to alter one or more security controls associated with one or more critical digital assets."

The 2.2(5) paragraph and the Note I, first paragraph are describing the same set of individuals. It is suggested that the paragraphs be combined.

The commenter proposed the following edits:
"(U) Individuals who have a combination of extensive knowledge and administrative control over plant digital computer and communication systems and networks (e.g. system administrator rights) to alter one or more security controls associated with one or more critical digital assets, as identified in 10 CFR 73.54, including:"

NRC comment resolution:
The NRC agrees with the intent of the comment to combine the content of paragraph (5) and the first paragraph of i that appears under "Note." However, the NRC has not accepted the commenter's edits. Instead, the NRC has chosen to move, combine, and revise this information as part of a new definition for "information technology (IT) personnel" added to the Glossary in DG-5044.

The definition of "information technology (IT) personnel" states:

"1) Any individual who has the combination of electronic access AND the administrative control (e.g., system administrator rights) to alter one or more security controls associated with one or more CDAs should be in the critical group. A person with administrative control has the electronic access and rights to independently change either the configuration of a CDA or the cybersecurity controls in place for a CDA, in a manner that could result in an adverse impact to SSEP functions."

29. NEI; DG-5044 Section C.2.2, The Critical Group, Note, i, 2nd paragraph (pages 10-11)

DG-5044 language:
"(U) Administrative control: A person with administrative control has the electronic access and rights to independently change either the configuration of a critical digital asset (CDA) or the cyber security controls in place for a CDA in a manner that could result in an adverse impact to Safety, Important to Safety, Security or Emergency Preparedness (SSEP) functions."

NEI comment:
This appears to be a definition of "Administrative Control." Consider moving the definition to the document's Glossary.

The commenter proposed the following edits:
"Administrative control: the electronic access and rights to independently change either the configuration of a critical digital asset (CDA) or the cyber security controls in place for a CDA in a manner that could result in an adverse impact to Safety, Important to Safety, Security or Emergency Preparedness (SSEP) function..."

NRC comment resolution:
The NRC agrees with the comment and has revised, with minor modification, and moved the administrative control statement to the existing definition for "critical group" in the Glossary of DG-5044. The statement appears under paragraph e.

The NRC also included the administrative control statement, with minor modification, as part of a new definition of "information technology (IT) personnel" that appears in the Glossary in DG-5044. The second sentence in the first paragraph of the definition states:

"A person with administrative control has the electronic access and rights to independently change either the configuration of a CDA or the cybersecurity controls in place for a CDA, in a manner that could result in an adverse impact to SSEP functions."

30. NEI; DG-5044 Section C.2.2, The Critical Group, Note, ii (page 11)

DG-5044 language:
"(ii) (U) An individual with extensive knowledge of the site-specific cyber-defensive strategy.

(U) Extensive knowledge is defined as having:
a. (U) knowledge of the cyber security controls in place for a CDA;
b. (U) knowledge of how the configuration of a CDA or the cyber security controls can be modified or leveraged in a manner that could result in an adverse impact to SSEP functions;
c. (U) knowledge of vulnerabilities of the site-specific cyber security defensive strategy."

NEI comment:
This appears to be a definition of "Extensive knowledge." Consider moving the definition to the document's Glossary.

NRC comment resolution:
The NRC agrees with the comment and has revised DG-5044 accordingly. The NRC made minor clarifying revisions and moved the extensive knowledge information to a new definition for "information technology (IT) personnel" in the Glossary of DG-5044.

The second paragraph of the definition states:

"(2) Any individual with extensive knowledge of the site-specific cyber defensive strategy should also be in the critical group. Extensive knowledge is defined as having (a) knowledge of the cybersecurity controls in place for a CDA, or (b) knowledge of how the configuration of a CDA or the cybersecurity controls can be modified or leveraged in a manner that could result in an adverse impact to SSEP functions, or (c) knowledge of vulnerabilities of the site-specific cybersecurity defensive strategy."
31. NEI; DG-5044 Section C.2.3.2 d (page 12)

DG-5044 language:
"Persons, including the Medical Review Officer and site nurse or medical practitioner, if assigned, who:"

NEI comment:
SFAQ 12-09 limits the MRO to occasions when the Medical Review Officer is on site. The proposed text does not seem to recognize this understanding.

The commenter proposed the following edits:
"Persons, including the Medical Review Officer, when onsite, and site nurse or medical practitioner, if assigned"

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has revised the sentence to state:

"d. persons, including the Medical Review Officer, site nurse, or medical practitioner, when on site, who do the following"

Based on administrative renumbering, the revised text appears in Section C.2.2.2 d.

32. NEI, Section C.2.3.3 (Page 12)

DG-5044 language:

(U) The IMP should apply to persons designated to physically report to the EOF and those persons who may have unmonitored access to sensitive (e.g. security- or safety-related) information.

NEI comment:

Placing persons under IMP beyond those required by regulation such as persons who may have unmonitored access to sensitive information (e.g., security safety related information) is ambiguous without definition or regulatory basis.

The commenter proposed the following edits:

Provide a reference to other Regulatory Guidance or Policy Issue (e.g., RG-5.79 Protection of Safeguards Information, SECY 0191, Withholding Sensitive Unclassified Information Concerning Nuclear Power Reactors From Public Disclosure, etc.)

NRC comment resolution:

The NRC disagrees with the comment. There is no regulatory requirement to apply the insider mitigation program to individuals who report to the Emergency Operations Facility (EOF) or who have access to sensitive security or safety related information, unless those individuals are part of the Critical Group or they could remotely take actions by electronic means that could adversely impact the licensee's operational safety, security, or emergency preparedness. These individuals are already covered by existing regulatory requirements.

Licensees should be aware of the existing guidance applicable to these individuals and situations. This paragraph is suggesting that a licensee may wish to extend its IMP program to individuals who are not covered by existing regulatory requirements. There is no need to reference guidance or policy when a licensee elects to extend the scope of its IMP beyond what is regulatorily required. Accordingly, the NRC has made no change to DG-5044 based on this comment.

33. NEI, Section C.3.1.1.2, Last Sentence (Page 13)

DG-5044 language:

(OUO-SRI) Licensees shall, as required in 10 CFR 26.189, consider the potential insider threat when making FFD determinations.

NEI comment:

10 CFR 26.189 does not contain this requirement. Consider adding the suggested text.

The commenter proposed the following text addition:

Licensees should consider the potential insider threat when making FFD determinations as required in 10 CFR 26.189(c)(2), (e.g., Licensee or other entity management personnel shall implement the required actions to ensure any possible limiting condition does not represent a threat to workplace or public health and safety.)

NRC comment resolution:

The NRC agrees with the comment and has amended the sentence, with minor modification, to state:

Licensees should consider the potential insider threat when making FFD determinations under 10 CFR 26.189(c)(2). For example, licensee or other entity management personnel should implement the required actions to ensure any potential limiting condition does not represent a threat to workplace or public health and safety.

Based on administrative renumbering, the revised text now appears under Section C.3.1.1.5.

The NRC staff also removed the (OUO-SRI) portion marking from this paragraph, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY 0095, Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program, dated July 14, 2021 (ML21195A356).

34. NEI, Section C.3.1.2, Behavioral Observation, § 26.33, 2nd Sentence (Page 13)

DG-5044 language:

Behavioral observation is performed by individuals trained under § 26.29 to detect behaviors that may indicate possible use, sale, or possession of illegal drugs; use or possession of alcoholic beverages, or impairment from fatigue or any cause that, if left unattended, may constitute a risk to public health and safety or the common defense and security.

NEI comment:

The concept of Behavioral Observation is broader than the [sic] in Section 3.1.2 of the draft RG. The term encompasses other undesirable behaviors that an individual may display in the nuclear power plant environment. It is suggested that in this context that the paragraph 3.1.2 text be changed.

The commenter proposed the following edits:

Although behavioral observation includes the early identification of many other behaviors that may pose a risk to a nuclear power plant, it is performed by individuals trained under § 26.29 to detect behaviors that may indicate possible use, sale, or possession of illegal drugs; use or possession of alcoholic beverages, or impairment from fatigue or any cause that, if left unattended, may constitute a risk to public health and safety or the common defense and security.

NRC comment resolution:

The NRC agrees with the comment and has amended DG-5044, with minor modification, to state:

Although behavioral observation includes the early identification of many other behaviors that may pose a risk to a nuclear power plant or spent fuel pool, it is performed by individuals trained under 10 CFR 26.29, Training, to detect behaviors that may indicate possible use, sale, or possession of illegal drugs; use or possession of alcohol; or impairment from fatigue or any cause that, if left unattended, may constitute a risk to public health and safety or the common defense and security.

35. NEI, Section C.3.1.2, Behavioral Observation, § 26.33, Last sentence (Page 13)

DG-5044 language:

Implementing these requirements helps provide high assurance of an effective behavioral observation program at operating and decommission power.

NEI comment:

The industry suggests removal of this section and to include the section within a separate decommissioning rulemaking.

The commenter proposed the following edits:

Implementing these requirements helps provide high assurance of an effective behavioral observation program at operating and decommission power.

NRC comment resolution:

The NRC disagrees that guidance on implementing insider mitigation programs at decommissioning reactors should be removed from DG-5044. However, the NRC has revised Section C.3.1.2 to include "or spent fuel pool," as well as other minor clarifying revisions.

The first three sentences of the first paragraph under Section 3.1.2 in the revised DG-5044 state:

Licensees and other affected entities must ensure that the individuals who are subject to 10 CFR Part 26, Subpart B, Program Elements, are also subject to a behavioral observation program that meets the requirements specified in 10 CFR 26.33, Behavioral observation, and 10 CFR 73.56(f). Although behavioral observation includes the early identification of many other behaviors that may pose a risk to a nuclear power plant or spent fuel pool, it is performed by individuals trained under 10 CFR 26.29, Training, to detect behaviors that may indicate possible use, sale, or possession of illegal drugs; use or possession of alcohol; or impairment from fatigue or any cause that, if left unattended, may constitute a risk to public health and safety or the common defense and security. Further, individuals should be trained in recognizing and reporting behaviors as required in 10 CFR 73.56(f), which may be considered adverse to the safe operation and security of the licensee facility.

The NRC has adopted a graded approach to security requirements at reactors that is commensurate with the reductions in radiological risk at four levels of decommissioning: (1) permanent cessation of operations and removal of all fuel from the reactor vessel, (2) sufficient decay of fuel in the spent fuel pool such that it would not reach ignition temperature within 10 hours under adiabatic heat up conditions, (3) transfer of all fuel to dry storage, and (4) removal of all fuel from the site. Until the licensee removes all irradiated fuel from the spent fuel pool, implementing an Insider Mitigation Program is required.

In addition, the NRC response to Comment Number 3 discusses the ongoing decommissioning rulemaking, which is proposing revisions to 10 CFR Part 26 and the insider mitigation program.

36. NEI, Section C.3.2.1, Initial Security Determination (Pages 13-14)

DG-5044 language:

Initial security measures for completing background investigations and other programmatic elements required by the NRC, through the implementation of the requirements of 10 CFR 73.56 and 10 CFR 73.57 and the latest NRC staff endorsed guidance of NEI 03-01, provide high assurance that persons initially selected for unescorted access or unescorted access authorization are trustworthy and reliable and do not present a risk to public health and safety or the common defense and security.

NEI comment:

For consistency with other documents a change in the ordering of the first sentence is suggested.

The commenter proposed the following edits:

...the latest NRC staff endorsed guidance of NEI 03-01, provide high assurance that persons initially certified for unescorted access authorization or granted unescorted access are trustworthy and reliable and do not present a risk to public health and safety or the common defense and security.

NRC comment resolution:

The NRC agrees with the comment and has revised DG-5044 accordingly.

In addition, the NRC has replaced the phrase "the latest NRC staff endorsed guidance of NEI 03-01" with "consistent with guidance contained in RG 5.66." NEI 03-01, while endorsed by the NRC staff, is not a document authored by the NRC.

The revised sentence states:

Initial security measures for completing background investigations and other programmatic elements required by the NRC, through the implementation of the requirements of 10 CFR 73.56 and 10 CFR 73.57 and consistent with guidance contained in RG 5.66, provide high assurance that persons initially certified for unescorted access authorization or granted unescorted access are trustworthy and reliable and do not present a risk to public health and safety or the common defense and security.

37. NEI, Section C.3.2.2.1, 1st Sentence (Page 14)

DG-5044 language:

Initial psychological assessments should ensure that any testing mechanism applied, in whole or in part, to a psychological determination of suitability for unescorted access includes the opportunity to detect the need for a medical evaluation as described in paragraph (c) below.

NEI comment:

The reference to paragraph c below seems to refer to the paragraph numbering system in RG 54.77. The same numbering did not flow through to the draft 5044 document. It is now the 3rd bullet.

The commenter proposed the following edit:

Initial psychological assessments should ensure that any testing mechanism applied, in whole or in part, to a psychological determination of suitability for unescorted access includes the opportunity to detect the need for a medical evaluation as described in 3.2.2.3 below.

NRC comment resolution:

The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC deleted the phrase "as described in paragraph (c) below" and moved the revised sentence to a renumbered Section C.3.2.2.1 b.

38. NEI, Section C.3.2.2.2 (Page 14)

DG-5044 language:

Before any psychological or medical assessment, the appropriate practitioner should review a current position description for the person being interviewed and the most recently completed supervisory review, if applicable, for information that could assist the physician practitioner in his or her assessment.

NEI comment:

The word physician should be replaced with the word appropriate.

NRC comment resolution:

The NRC agrees with this comment and has replaced the word "physician" with the word "appropriate."

Based on administrative renumbering, the revised paragraph now appears under Section C.3.2.2.1 a.

39. NEI, Section C.3.2.2.2, 3rd Bulleted Paragraph, 3rd Sentence (Page 14)

DG-5044 language:

Medical evaluations triggered by a psychological recommendation should include a review of the individual's prescribed medications to ensure that these medications do not impair the person's judgment to the extent that trustworthiness and reliability are jeopardized. Individuals identified as candidates for further medical review should be referred to a physician for further evaluation.

NEI comment:

The term physician should be qualified to include a physician who may be the MRO.

The commenter proposed the following edits:

Individuals identified as candidates for further medical review should be referred to a physician, who may be the MRO, for further evaluation.

NRC comment resolution:

The NRC agrees with the comment and has revised DG-5044 to include the commenter's suggested language, with minor modification. The NRC also included "(see 10 CFR 26.189, Determination of fitness)" at the end of the sentence to clarify the regulatory requirement applicable to the "further evaluation" phrase. The revised sentence states:

Individuals identified as candidates for further medical review should be referred to a physician who may be qualified as the Medical Review Officer, for further evaluation (see 10 CFR 26.189, Determination of fitness).

Due to an administrative change in numbering, this sentence appears under Section C.3.2.2.4.

40. NEI, Section C.3.2.3, Annual review by Immediate Supervisor, 2nd Paragraph (Page 15)

DG-5044 language:

A review conducted by the assigned supervisor has value as an integral part of the behavior observation program (BOP) required by 10 CFR 73.56(i)(1)(iv). This review creates a platform for interaction between the supervisor and the employee to the extent that the supervisor has the opportunity to become cognizant of any condition that may cause the employee to act or behave in an unconventional manner. In addition, the supervisory review provides an opportunity for the supervisor to consider whether any circumstances may indicate the need to refer the employee for additional medical or psychological review.

The annual supervisory review or interview must incorporate the consideration of any self-reporting as required in 10 CFR 73.56(g).

NEI comment:

The paragraph does not address the immediate reporting required of such individuals. Individuals are required to self-report legal actions in accordance with licensee procedures. An effective program does not wait for an annual supervisory review to report legal actions. The actions are report [sic] timely to the licensee reviewing official who evaluates the matter in terms of the licensee denial criteria. Re-submitting the legal action or other behavior on an Annual Supervisory Review is duplicate work and the review's information is already known to the licensee Reviewing Official.

Delete.

NRC comment resolution:

The NRC agrees with the portion of the comment stating that individuals, consistent with the requirement in 10 CFR 73.56(g), must promptly report any legal actions taken by law enforcement or a court of law. The NRC disagrees with the commenter's request to delete this statement in Section C.3.2.3 because it reminds licensees that the annual supervisory review conducted as required in 10 CFR 73.56(i)(1)(iv) should take into consideration any information obtained by the licensee as a result of an individual's compliance with the self-reporting requirement in 10 CFR 73.56(g). Consideration of such information is valuable to licensee supervisors that conduct the comprehensive annual reviews.

The NRC did make one change in Section C.2.3.2, replacing "must" with "should" in the phrase "review or interview must incorporate."

The revised sentence states:

The annual supervisory review or interview should incorporate the consideration of any self-reporting as required in 10 CFR 73.56(g).

41. NEI, Section C.3.2.3.1, Last sentence (Page 16)

DG-5044 language:

In some cases, the supervisor may not have frequent enough personal interaction with the individual throughout the review period needed to develop an informed and reasonable opinion regarding the individual's behavior, trustworthiness, and reliability. When this unusual condition occurs, the interview may consist of face to face contact, in addition to gathering of information from personnel who have had frequent interaction with the individual, combined with other documented methods of trustworthiness and reliability. In addition, the licensee must ensure that the annual supervisory review or interview is conducted consistent with the requirements of 10 CFR 26.27, Written Policy and Procedures, and 10 CFR 26.29, Training.

NEI comment:

The last sentence of the paragraph does not seem to modify the paragraph's main message that a supervisor who does not have frequent enough interactions to perform the Annual Supervisory Review has other options. It introduces another topic that the Annual Supervisory Review must be consistent with 10 CFR 26.17 and 10 CFR 26.29 which talk to self-reporting of legal actions and its attendant training respectively.

In addition, the suggestion is to remove the last sentence as 10 CFR 26.27 and 29 [sic] does not require the Annual Supervisory Review.

NRC comment resolution:

The NRC agrees with the comment and has deleted the sentence:

In addition, the licensee must ensure that the annual supervisory review or interview is conducted consistent with the requirements of 10 CFR 26.27, Written Policy and Procedures, and 10 CFR 26.29, Training.

42. NEI, Section C.3.2.3.2, Last Sentence (Page 16)

DG-5044 language:

This review serves two purposes. First, it can identify issues related to physical or mental impairment that fall under the general performance objectives of 10 CFR Part 26. Second, it can identify issues related to trustworthiness and reliability other than those related to physical or mental impairment.

NEI comment:

The last sentence contradicts the BOP program emphasis of immediate reporting. Recommend deleting the sentence from the document.

Licensee programs require immediate reporting of observations and changes in behavior. Delete.

NRC comment resolution:

The NRC disagrees with the comment. The sentence does not contradict the requirement for the immediate reporting of observations and changes in behavior under the behavioral observation program (BOP). It simply states that issues related to trustworthiness and reliability are not limited solely to issues of physical and mental impairment identified by the BOP. In context, it indicates that such other trustworthiness and reliability information can be incorporated into the annual supervisory review. Accordingly, the NRC has made no change to DG-5044 based on this comment.

43. NEI, Section C.3.2.4, Periodic Reinvestigation of Security Determination, 2nd Paragraph, 2nd Sentence (Page 16)

DG-5044 language:

(OUO-SRI) Members of the critical group must also get a psychological reassessment within 5 years of the date on which this assessment was last completed.

NEI comment:

This sentence should be deleted from this paragraph as it is already contained with Section 3.2.2.2, paragraph 5 on page 15.

The commenter proposed the following edits:

(OUO-SRI) Under 10 CFR 73.56(i)(1)(v)(B)(1) through (5), members of the critical group must be reinvestigated within 3 years of the date on which the criminal history update and credit history reevaluation were last completed, or more frequently, based on job assignment as determined by the licensee or applicant. Members of the critical group must also get a psychological reassessment within 5 years of the date on which this assessment was last completed. The requirements of this section apply to all individuals with unescorted access authorization or unescorted access that are members of the critical group.

NRC comment resolution:

The NRC agrees with the comment and has revised DG-5044 accordingly.

Based on administrative renumbering, the revised paragraph appears under Section 3.2.4.2 in DG-5044.

The NRC staff also removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY 0095, Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program, dated July 14, 2021 (ML21195A356).

44. NEI, Section C.3.2.4, Periodic Reinvestigation of Security Determination, 2nd Paragraph, 3rd Sentence (Page 16)

DG-5044 language:

(OUO-SRI) The requirements of this section apply to all individuals with unescorted access authorization or unescorted access who are members of the critical group. Individuals who have not satisfied the reinvestigation requirements shall have unescorted access authorization or unescorted access administratively withdrawn until the reinvestigation has been completed, or the worker should be reassigned to non critical group positions until the required critical group reassessment can be completed.

NEI comment:

It is suggested that the wording be changed for consistency. In addition consider added [sic] a second paragraph to this section to provide a recognition that all workers not deemed Critical Group are reinvestigated every five (5) years.

The commenter proposed the following edits:

The requirements of this section apply to all individuals certified with unescorted access authorization or granted unescorted access who are members of the critical group. Individuals who have not satisfied the reinvestigation requirements shall have unescorted access authorization or unescorted access administratively withdrawn until the reinvestigation has been completed, or the worker should be reassigned to non-critical group positions until the required critical group reassessment can be completed. In addition, any individual not assigned to the Critical Group is reinvestigated within 5 years of the date on which the criminal history update and re-evaluation elements were last completed.

NRC comment resolution:

The NRC agrees with the comment and has amended DG-5044, with minor modification, to state:

The requirements of this section apply to all individuals certified for unescorted access authorization or granted unescorted access who are members of the critical group. As required by 10 CFR 73.56(i)(1)(vi), individuals who have not satisfied the reinvestigation requirements shall have unescorted access authorization or unescorted access administratively withdrawn until the reinvestigation has been completed, or the worker should be reassigned to non-critical group positions until the required critical group reassessment can be completed. In addition, any individual not assigned to the Critical Group is reinvestigated within 5 years of the date on which the criminal history update and re-evaluation elements were last completed.

Based on administrative renumbering, the revised text appears under Section C.3.2.4.2 in DG-5044.

The NRC staff also removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY 0095, Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program, dated July 14, 2021 (ML21195A356).

45. NEI, Section C.3.2.4, Periodic Reinvestigation of Security Determination, 3rd Paragraph, 1st Bullet, 2nd Sentence (Page 16)

DG-5044 language:

Licensees should prioritize fingerprint requests to ensure there are no unanticipated staffing issues.

NEI comment:

This sentence should be deleted as it no longer reflects service problems. The fingerprints are now received within a 24-hour window after submission.

The commenter proposed the following edits:

A review of criminal history records obtained under 10 CFR 73.56(d)(7) and 10 CFR 73.57, or as the Commission may require, or as Federal statutes may direct. Licensees should compare data returned from the criminal history records check with the access authorization records of the person named in the record to ensure that the person has complied with the self reporting requirements in 10 CFR 73.56(g). Licensees should prioritize fingerprint requests to ensure there are no unanticipated staffing issues.

NRC comment resolution:

The NRC disagrees with the comment. The guidance is appropriate because extenuating circumstances have sometimes prevented a timely response to requests for obtaining and processing of fingerprints that have resulted in delayed response times. This language is a reminder to licensees that processing of fingerprints should be a priority. Accordingly, the NRC has made no change to DG-5044 based on this comment.

46. NEI, Section C.3.2.4, Periodic Reinvestigation of Security Determination, 3rd Paragraph, 2nd Bullet, 2nd Sentence (Page 16)

DG-5044 language:

The individual should complete new consent to screen and Federal Credit Reporting Act disclosure and authorization statement forms before initiating this reinvestigation.

NEI comment:

The term Federal Credit Reporting Act should be Fair Credit Reporting Act.

NRC comment resolution:

The NRC agrees with the comment and has revised DG-5044 accordingly. This discussion has been administratively renumbered as Section C.3.2.4.2 b.


47. NEI, Section C.3.2.4, Periodic Reinvestigation of Security Determination, 3rd Paragraph, 3rd Bullet (Page 16)

DG-5044 language:

Licensees shall take appropriate action if disqualifying information is discovered during any reinvestigation review.

NEI comment:

The term utilized throughout of [sic] industry document is potentially disqualifying information with the acronym (PDI). In addition, the requirement is to review the PDI against denial criteria and to take appropriate action consistent with the licensee access authorization program policies and procedures. Suggest the following word change to the text of DG-5044.

The commenter proposed the following edits:

Licensees shall review any take appropriate action if potentially disqualifying information (PDI) developed during a reinvestigation against the licensee's program policies and procedures and take action as appropriate is discovered during any reinvestigation review.

NRC comment resolution:

The NRC agrees with the comment and has revised DG-5044, with minor modification, to state:

Licensees shall review any potentially disqualifying information during a reinvestigation against the licensee's program policies and procedures and act as appropriate.

This discussion has been administratively renumbered as Section C.3.2.4.2 c.

48. NEI, Section C.3.2.5, Access to Vital Areas, 1st Paragraph, 2nd Sentence (Page 17)

DG-5044 language:

The rule requires that access authorization lists will be updated and reapproved at least every 31 days to minimize insider threats by ensuring that personnel listed have a continued need to access vital areas to perform their official duties and not just a possibility of needing access sometime in the future.

NEI comment:

SFAQ 14-03, Vital Area Review, provided further agreed-upon clarification of the "no less frequently than every 31 days" rule text. The SFAQ concluded that:

The composite list would be completed each calendar month during the calendar year to meet the intent of 10 CFR 73.56 (j). This process would reduce the administrative burden on licensees when working with multiple supporting lists independently of each other. The composite list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56(j).

The suggestion is to place an asterisk (*) after 31 day and place a Note in the body of the text following the end of the paragraph.

The commenter proposed the following edits:

The rule requires that access authorization lists will be updated and reapproved at least every 31 days

  • to minimize insider threats by ensuring that personnel listed have a continued need to access vital areas to perform their official duties and not just a possibility of needing access sometime in the future.
  • The composite 31-day list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56 (j).

NRC comment resolution:

The NRC disagrees with the comment. SFAQ 14-03 clarified that licensee reviews need not be conducted at an exact 31-day interval, but that the licensee's cognizant manager or supervisor conduct a review no less frequently than every 31 days, and that there be no less than 12 reviews during each calendar year. As stated, in part, in SFAQ 14-03: The composite list concept meets the intent of 10 CFR 73.56(j) provided that the cognizant manager/supervisor responsible for compiling each supporting list reviews, re-approves, and identifies any required changes for individuals as needed when the cognizant manager/supervisor directs their work activities.

Accordingly, the NRC has made no change to DG-5044 based on this comment.


49. NEI, Section C.3.2.5, Access to Vital Areas, 2nd Paragraph, 1st Sentence (Page 17)

DG-5044 language:

The intent of this requirement is to minimize insider threats by reducing the number of individuals having unescorted vital area access, and by limiting vital area access to those personnel who specifically require access to vital areas in order to perform their duties.

NEI comment:

It is suggested that those required to respond to emergency conditions also be included. Often time this will increase the numbers of personnel because normal conditions may not require access but emergency conditions may.

The commenter proposed the following edits:

The intent of this requirement is to minimize insider threats by reducing the number of individuals having unescorted vital area access, and by limiting vital area access to those personnel who specifically require access to vital areas in order to perform their duties, including responding to emergency conditions.

NRC comment resolution:

The NRC disagrees with the comment. Individuals required to respond to emergency conditions fall within the scope of personnel who require access to vital areas in order to perform their duties. Therefore, the language suggested by the commenter is not necessary. The NRC further notes that the role of emergency responders is discussed in Section C.3.2.5. Accordingly, the NRC has made no change to DG-5044 based on this comment.

50. NEI, Section C.3.2.5, Access to Vital Areas, 1st Paragraph (Page 17)

NEI comment:

SFAQ 14-03, Vital Area Review, provided further agreed-upon clarification of the "no less frequently than every 31 days" rule text. The SFAQ concluded that:

The composite list would be completed each calendar month during the calendar year to meet the intent of 10 CFR 73.56 (j). This process would reduce the administrative burden on licensees when working with multiple supporting lists independently of each other. The composite list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56 (j).

The suggestion is to place an asterisk (*) after 31 day and place a Note in the body of the text following the end of the paragraph.

The commenter proposed the following edits:

The intent of this requirement is to minimize insider threats by reducing the number of individuals having unescorted access no less frequently than at a 31 day frequency *. The NRC recognizes that a single licensee manager or supervisor would not have oversight and control of every person with unescorted access to any or all of a licensee's vital areas.

  • The composite 31-day list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56 (j).

NRC comment resolution:

The NRC disagrees with the comment, which is essentially the same as Comment Number 48. Accordingly, the NRC reiterates its response to Comment Number 48 here and has made no change to DG-5044 based on this comment.
51. NEI, Section C.3.2.5.1, 3rd Sentence (Page 17)

DG-5044 language:
Personnel who fall into this emergency response category must be evaluated for continued need for access during the 31 day review by a cognizant licensee or applicant manager or supervisor who would be responsible for directing the work activities of the individual while that individual is present at the licensee or applicant site.

NEI comment:
SFAQ 14-03, Vital Area Review, provided further agreed-upon clarification of the "no less frequently than every 31 days" rule text. The SFAQ concluded that:

The composite list would be completed each calendar month during the calendar year to meet the intent of 10 CFR 73.56 (j). This process would reduce the administrative burden on licensees when working with multiple supporting lists independently of each other. The composite list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56 (j).

The suggestion is to place an asterisk (*) after 31 day and place a Note in the body of the text following the end of the paragraph.

The commenter proposed the following edits:
Personnel who fall into this emergency response category must be evaluated for continued need for access during the 31 day review
  • by a cognizant licensee or applicant manager or supervisor who would be responsible for directing the work activities of the individual while that individual is present at the licensee or applicant site.
  • The composite 31-day list would be completed as described, to encompass no less than 12 reviews each calendar year (without counting 31 days from completion of the process from month-to-month) to meet the intent of 10 CFR 73.56 (j).

NRC comment resolution:
The NRC disagrees with the comment, which is essentially the same as Comment Number 48. Accordingly, the NRC reiterates its response to Comment Number 48 here and has made no change to DG-5044 based on this comment.

52. NEI, Section C.3.3, Cyber Security Elements (Pages 17-18)

NEI comment:
Section 3.3 provides cyber security elements of an acceptable IMP.

Concern:
This section, in its entirety, is disjointed with the other subsections of Section 3. As written, the section appears to indicate that the controls listed be implemented in a manner sufficiently robust as to withstand the determined effort of an insider as though no IMP were in place.

Recommendation:
Section 3.3 should be removed in its entirety, or, if retained, be replaced in its entirety with the suggested wording.

The commenter proposed the following edits:

3.3 Cyber Security Elements (U)

(U) The following elements support mitigation of the cyber insider threat.

3.3.1 (U) Any individual whose duties and responsibilities permit the individual to take actions by electronic means, either on site or remotely, that could adversely impact the licensee's or applicant's operational safety, security, or emergency preparedness are subject to an access authorization program [10 CFR 73.56(b)(1)(ii)].

3.3.2 (U) Individuals performing the job functions described in 10 CFR 73.56(i)(1)(v)(B)(4) are added to the critical group.

3.3.3 (U) Appropriate facility personnel, including contractors, are aware of cyber security requirements and receive the training necessary to perform their assigned duties and responsibilities. [10 CFR 73.54(d)(1)]

3.3.4 (U) Policies and implementing procedures for incident response and recovery for cyber attacks are developed and maintained. [10 CFR 73.54(e)(2) and 10 CFR 73.54(f)]

NRC comment resolution:
The NRC disagrees with the commenter's request to delete Section C.3.3 of DG-5044 in its entirety. Section C.3.3 reminds licensees to be cognizant of the potential cyber threat that an insider may pose. The NRC has determined that it is more appropriate to maintain the reference to RG 5.71 but not to include the specific cyber security controls described in RG 5.71. To accomplish the intent of this section more effectively, the NRC has revised Section C.3.3 to read as follows:

Pursuant to 10 CFR 73.55(b)(9)(ii)(C), a licensee's IMP must contain elements from the cybersecurity program described in 10 CFR 73.54. As required by 10 CFR 73.54(a), a licensee's cybersecurity program must provide high assurance that digital computer and communication systems and networks are adequately protected against cyberattacks, up to and including the design-basis threat as described in 10 CFR 73.1. RG 5.71 provides guidance on the implementation of the NRC's cybersecurity requirements and provides a framework for the identification of those digital assets that must be protected from cyberattacks.

One means of complying with the requirement to include cybersecurity elements in the IMP is to ensure that the applicable cybersecurity controls identified in RG 5.71 are applied to the digital computer and communication systems and networks routinely used by members of the critical group, particularly IT personnel. The glossary of this RG defines critical group and information technology (IT) personnel as the terms are used in 10 CFR 73.56(i)(1)(v)(B). These definitions are consistent with those given in SFAQ 10-05. By establishing, maintaining, and successfully integrating these security controls into a site-specific cybersecurity program and referencing these controls in the IMP, the licensee can provide assurance of an effective IMP.

53. NEI, Section C.3.3, Cyber Security Elements (Page 18)

DG-5044 language:
(OUO-SRI) Licensees should conduct random patrols, by trained staff, of CDAs that affect SSEP functions to look for obvious signs of cyber related tampering.

NEI comment:
The final paragraph of Section 3.3 describes that licensees should conduct random patrols of CDAs.

Concern:
10 CFR 73.55(f)(2) requires licensees consider cyber attacks in the development and identification of target sets. 10 CFR 73.55(i)(5) provides a series of requirements for surveillance, observation, and monitoring, including requirements for the recognition of obvious indications of tampering. Notably, 10 CFR 73.55(i)(5)(vi) requires licensees provide random patrols of all accessible areas containing target set equipment. 10 CFR 73.55(i)(5)(vii) requires security personnel be trained to recognize obvious indications of tampering consistent with their assigned duties and responsibilities. Given the current requirements for patrols provided in 10 CFR 73.55, the net safety and security benefit from specific patrols of all CDAs is questionable.

Recommendation:
The final paragraph from section 3.3 should be deleted.

NRC comment resolution:
This is essentially the same comment as Comment Number 52. Accordingly, the NRC reiterates its response to Comment Number 52 here.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

54. NEI, Section C.3.3.1, Additional Guidance (Page 18)

DG-5044 language:
(OUO-SRI) Licensees should conduct random patrols, by trained staff, of CDAs that affect SSEP functions to look for obvious signs of cyber related tampering.

NEI comment:
Verify that random patrols are conducted by trained staff.

Who does the training? How often? If supervisor raining [sic] lapses, does this impact the ability of the patrol to continue patrols of CDAs?

NRC comment resolution:
The NRC's response to Comment Number 52 made this comment moot. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

55. NEI, Section C.3.4.1, 1st Sentence (Page 18)

DG-5044 language:
Licensees should have procedures available for operator response to events involving deliberate acts directed against plant equipment.

NEI comment:
Suggest a change in wording. Change "operator" to "operational" for clarity.

NRC comment resolution:
The NRC disagrees with the comment. The NRC specifically used the word "operator" in this sentence to address plant control room and external plant operators. Operators play a critical role in ensuring the safe and secure operation and, if necessary, shutdown of a plant. Given their roles, it is important for operators to have clear procedures for addressing deliberate acts that could compromise plant equipment necessary for the safe operation or shut down of a plant. Accordingly, the NRC has made no change to DG-5044 based on this comment.

56. NEI, Section C.3.4.2 f (Page 19)

DG-5044 language:
(OUO-SRI) Conduct random armed patrols of target set equipment or elements as required in 73.55(i)(5)(vi)

NEI comment:

Concern:
10 CFR 73.55(i)(5)(vi) does not require armed patrols of target sets. Additionally, the element (f) does not need to be marked OUO-SRI, as it restates a regulatory requirement.

Recommendation:
Item (f) should be revised to align with the requirement, as proposed in the suggested wording.

The commenter proposed the following edit:
Conduct random armed patrols of target set equipment or elements as required in 73.55(i)(5)(vi).

NRC comment resolution:
The NRC agrees with the comment and has revised DG-5044 accordingly.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

57. NEI, Section C.3.4.3 d (Page 20)

DG-5044 language:
(OUO-SRI) While the above physical protection measures relate to target set equipment or elements, licensees should remain aware that tampering with non-target set equipment or support systems, such as safety, security, important to safety or emergency preparedness equipment, can adversely affect the ability to respond to events and comply with established regulations.

NEI comment:
The text "should remain aware" is difficult to define and quantify. The industry requests for definition [sic] by the NRC staff on the intent. In addition, what limits is the licensee to place on this requirement, since there is a significant amount of such equipment outside of the PA?

NRC comment resolution:
The NRC disagrees with the comment. The phrase "should remain aware" is used to remind licensees that tampering with non-target set equipment can also have an adverse impact on plant safety and security functions. Such impacts may affect a licensee's ability to comply with existing regulations or to respond to unexpected events. The NRC has determined that the meaning of the phrase "should remain aware" does not need further explanation. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

This discussion has been relocated to Section C.3.4.3 a of DG-5044.

58. NEI, Section C.3.4.3 e, 3rd Sentence (Page 20)

DG-5044 language:
(OUO-SRI) Licensees should train operations personnel to be sensitive to abnormalities that could be the result of tampering and to respond to such indications in a timely manner. During routine tours, operations personnel should be sensitive to changes in configurations that might indicate possible tampering. Licensees should review, determine, and provide training to operations personnel for target sets and target set equipment that may be disabled locally without any recognition by control room personnel that the equipment had been disabled prior to operation.

NEI comment:
There is no regulatory basis to provide training to operations personnel for target sets and target set equipment.

Furthermore, "equipment that may be disabled locally without any recognition by the control room personnel that the equipment had been disabled prior to operation" is covered under previous subsections a) and b) of 3.4.3.

The commenter proposed the following edit:
During routine tours, operations personnel should be sensitive to changes in configurations that might indicate possible tampering. Licensees should review, determine, and provide training to operations personnel for target sets and target set equipment that may be disabled locally without any recognition by control room personnel that the equipment had been disabled prior to operation.

NRC comment resolution:
The NRC disagrees with the comment. Operators frequently engage in patrols to verify that plant equipment is operating properly. This guidance recommends that licensees provide operations personnel with training to be aware that abnormalities in equipment operations may be an indication of tampering. This guidance further recommends including training on target set and target set equipment. This training may be beneficial for the implementation of a licensee's insider mitigation program. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

This discussion has been relocated to Section C.3.4.3 b of DG-5044.

59. NEI, Section C.3.4.3 f, 1st Sentence (Page 20)

DG-5044 language:
(OUO-SRI) As described in 10 CFR 73.55(i)(5)(vii), licensees shall train security personnel to recognize and respond to obvious indications of tampering. In accordance with 10 CFR 73.55(i)(5)(vi), licensees are required to provide random patrols of all accessible areas containing target set equipment. These patrols should be conducted by an armed security officer and should include all target set equipment or elements, except where precluded by immediate personnel safety concerns, operational abnormalities, or restrictions, consistent with guidelines to keep radiation dose rates as low as reasonably achievable.

NEI comment:
The commenter proposed the following edit:
(OUO-SRI) As described in 10 CFR 73.55(i)(5)(vii), licensees shall train security personnel to recognize and respond to obvious indications of tampering. In accordance with 10 CFR 73.55(i)(5)(vi), licensees are required to provide random patrols of all accessible areas containing target set equipment

NRC comment resolution:
The NRC disagrees with the comment. The text is consistent with the 10 CFR 73.55(i)(5)(vii) requirement. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

Based on administrative renumbering, this discussion now appears under Section 3.4.3 c of DG-5044.

60. NEI, Section C.3.4.3 h, 3rd Sentence (Page 20)

DG-5044 language:
(OUO-SRI) Licensees should implement an armed patrol program applying special consideration to target set equipment. These patrols should also periodically assess the integrity of the barriers protecting and controlling access to target set equipment. NEI 03-12 describes the specifics of a patrol program that the NRC has found acceptable.

NEI comment:
The title of NEI 03-12 should be added for proper designation and clarification.

NRC comment resolution:
The NRC agrees with the intent of the comment but has not accepted the specific revision suggested by the commenter. Instead, the NRC has replaced the reference to NEI 03-12 with a reference to RG 5.76. The complete reference to RG 5.76 is included in the References section of DG-5044.

The NRC staff also removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

Based on administrative renumbering, this discussion now appears under Section 3.4.3 e.

61. NEI, Section C.3.4.3 i, 3rd Sentence (Page 20)

NEI comment:
The reference to NUREG/CR-7145 should be added to the References.

NRC comment resolution:
The NRC agrees with the comment and has added NUREG/CR-7145 to the References section of DG-5044.

62. NEI, Section C.3.4.3 i, 4th Sentence (Page 20)

DG-5044 language:
(OUO-SRI) Armed patrols and surveillance mechanisms should provide for notification to at least two members of the response force.

NEI comment:
It is suggested that this sentence be deleted or else a regulatory basis be provided. Delete or provide clarity and basis for statement.

NRC comment resolution:
The NRC disagrees with the comment. There is a requirement in 10 CFR 73.55(i)(2) that intrusion detection and video assessment equipment (surveillance mechanisms) must annunciate in two continuously staffed alarm stations. The sentence recommends, but does not require, that armed patrols also provide notifications to two members of the response force, which could include staff in one or both of the continuously staffed alarm stations. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

This discussion has been relocated to Section C.3.4.3 e.

63. NEI, Section C.4.1 (Page 21)

DG-5044 language:
(OUO-SRI) A comprehensive and effective BOP will include a training program for recognizing and reporting behaviors as required in § 73.56(f)(3), which may be considered adverse to the safe operation and security of the licensee facility.

NEI comment:
10 CFR 26.33, Behavior Observation, has requirements that are pertinent to the IMP and probably should be referenced accordingly.

The commenter proposed the following edit:
(OUO-SRI) A comprehensive and effective BOP will include a training program for recognizing and reporting behaviors as required in § 73.56(f)(3) and § 26.33, which may be considered adverse to the safe operation and security of the licensee facility.

NRC comment resolution:
The NRC agrees with the comment and has added the reference to 10 CFR 26.33 to Section C.4.1 of the revised DG-5044.

The NRC staff also removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

64. NEI, Section C.4.2 (Pages 21-22)

DG-5044 language:
(OUO-SRI) Licensees should ensure that the BOP training includes recognition of and response to the following conditions or behavioral characteristics:

NEI comment:
The paragraph includes 19 bullets representing specific training objectives. The bulleted items were added to NEI 03-04, "Guideline for Plant Access and other Standardized Shared Training Courses and Evaluations," in December 2012. The industry believes that these objectives, which were adapted from the Department of Homeland Security Suspicious Activity Reporting program, further bolster the awareness responsibilities of individuals subject to the industry's behavior observation program. Since the NEI 03-04 document is not endorsed by the NRC, the industry feels that its ability to immediately adapt to changing conditions observed in the community, or worldwide for that matter, is a significant strength in the program. The rigid structure defined in the draft 5044 document lessens that ability to immediately respond to changes. The industry would prefer IMP text to generically address conditions, thus permitting the licensee to be flexible in addressing changing conditions.

The commenter proposed adding a 20th bullet to the end of the list of bulleted items in Section 4.2:
(OUO-SRI) any other behavior inimical to facility safety and security.

NRC comment resolution:
The NRC disagrees with the comment. The addition of the proposed wording "any other behavior inimical to facility safety or security" is overly vague and therefore overly broad. The NRC has determined that the proposed language is not necessary because the examples provided in Section C.4.2 adequately encompass the range of inimical behaviors that could adversely impact facility safety or security. Accordingly, the NRC has made no change to DG-5044 based on this comment.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

65. NEI, Section C.5, FFD Program Elements During Decommissioning (Pages 23-25)

NEI comment:
The industry believes that decommissioning activities should be contained within a separate decommissioning document.

The commenter proposed to delete Section 5, FFD Program Elements During Decommissioning.

NRC comment resolution:
The NRC disagrees with the commenter and has maintained Section C.5, FFD Program Elements During Decommissioning, in DG-5044.

The NRC response to Comment Number 3 discusses the ongoing decommissioning rulemaking, which is proposing revisions to 10 CFR Part 26 and the insider mitigation program.

66. NEI, Glossary, Behavior Observation Program (BOP) (Page 28)

DG-5044 language:
An awareness program that meets requirements of both the access authorization and FFD programs. Personnel are trained to report legal actions; to possess certain knowledge and abilities related to abuse of drugs and alcohol and the recognition of behaviors adverse to the safe operation and security of the facility by observing the behavior of others in the workplace and detecting and reporting aberrant behavior or changes in behavior that might adversely impact an individual's trustworthiness or reliability; and undergo an annual supervisory review.

NEI comment:
The industry suggests the deletion of the word "awareness" to make the definition the same as in RG 5.66 Attachment, NEI 03-01, "Nuclear Power Plant Access Authorization Program." The definitions contained within NEI 03-01 are promulgated through industry documents (e.g., policies, procedures, forms, etc.). Changing wording, however minor, opens the inconsistency window during audits and inspections, or leads to significant costs to change documents for no real improvement value.

The commenter proposed the following edit:
An awareness program that meets requirements of both the access authorization and FFD programs.

NRC comment resolution:
The NRC disagrees with the comment. The behavioral observation program requires that licensee personnel should strive to be aware of and recognize behaviors adverse to the safe operation and security of the facility. Appropriate training is provided to licensee personnel to facilitate their awareness of such behaviors in the workplace, including detecting and reporting aberrant behavior or changes in behavior that might adversely impact an individual's trustworthiness or reliability. Accordingly, the NRC has made no change to DG-5044 based on this comment.

67. NEI, Glossary, Critical Group (Page 28)

DG-5044 language:
(OUO-SRI) Any individual who performs job functions critical to the safe and secure operation of the licensee's facility. This individual includes any individual who has been granted UA or certified UAA and performs one or more of the following job functions:

a. (OUO-SRI) any individuals who have extensive knowledge of facility defensive strategies or who design or implement the plant's defense strategies;

b. (OUO-SRI) any individuals in a position to grant an individual unescorted access or to certify an individual unescorted access authorization;

c. (OUO-SRI) any individuals assigned a duty to search for contraband (e.g., weapons, explosives, incendiary devices);

d. (OUO-SRI) any individuals who have access, extensive knowledge, or administrative control over plant digital computer and communication systems and networks as identified in 10 CFR 73.54.

NEI comment:
Revise definition to include the SFAQ 10-05 clarification and consistency with RG 5.66, Reference 4, NEI 03-01.

NRC comment resolution:
The NRC agrees with the comment and has amended DG-5044, with minor modification.

The additional text provided by the commenter is contained in the Critical Group description in Section C.2.1 of DG-5044. Moreover, the NRC has revised the Critical Group definition in the Glossary of DG-5044 to include the acceptable language in SFAQ 10-05, IT functions for Critical Group, for consistency purposes.

The NRC staff removed the (OUO-SRI) portion marking from this section, consistent with the Commission direction in the Staff Requirements Memorandum (SRM) SECY-17-0095, "Review and Approval of Proposed Revision to RG 5.77, Insider Mitigation Program," dated July 14, 2021 (ML21195A356).

68. NEI, Glossary, Fitness for Duty Authorization (FFDA) (Page 29)

DG-5044 language:
A term commensurate with authorization as defined in 10 CFR 26.5, Definitions. An element of UAA that identifies the status of an individual's required FFD elements, which are then evaluated by a reviewing official to determine whether the individual is trustworthy, reliable, and fit for duty.

NEI comment:
The industry suggests the inclusion [sic] the red text to complete the definition of FFD Authorization and to be consistent with the text of NEI 03-01. The definitions contained within NEI 03-01 are promulgated through industry documents (e.g., policies, procedures, forms, etc.). Changing wording, however minor, opens the inconsistency window during audits and inspections, or leads to significant costs to change documents for no real improvement value.

The commenter proposed the following edits:
Fitness-for-Duty (FFD) Authorization (FFDA): A term commensurate with Authorization as defined in 10 CFR 26.5. An element of UAA that identifies the status of an individual's required fitness-for-duty elements, which are then evaluated by a reviewing official to determine whether the individual is trustworthy, reliable and fit for duty. The required elements for FFDA are: consent, suitable inquiry (including education in lieu of employment and military service as employment); self-disclosure; pre-access drug and alcohol testing; training in the required FFD K&As (FFD and BOP); being subject to both licensee-approved BOP and drug and alcohol testing program.

NRC comment resolution:
The NRC agrees with the comment and has revised the definition, with minor modification. In addition, the NRC deleted the first sentence of the definition: "A term commensurate with authorization as defined in 10 CFR 26.5, Definitions."

The revised definition of fitness for duty (FFD) authorization states:

An element of unescorted access that identifies the status of an individual's required FFD elements, which are then evaluated by a reviewing official to determine the individual's trustworthiness, reliability, and FFD. These required elements for FFD authorization are consent, suitable inquiry (including education in lieu of employment and military service as employment), self-disclosure, pre-access drug and alcohol testing, and being subject to both a licensee approved behavioral observation and random drug and alcohol testing program.

69. NEI, Glossary, Insider (Page 29)

DG-5044 language:
A person who has been granted unescorted access or unescorted access authorization under the requirements of 10 CFR 73.56, "Personnel Access Authorization Requirements for Nuclear Power Plants," or has the ability to access information systems that: (1) connect to systems that connect to plant operating systems, or (2) contain sensitive information that may assist in an attempted act of sabotage.

NEI comment:
The industry suggests the inclusion of the red text in the next column to complete the definition of Insider and to be consistent with the text of NEI 03-01. The definitions contained within NEI 03-01 are promulgated through industry documents (e.g., policies, procedures, forms, etc.). Changing wording, however minor, opens the inconsistency window during audits and inspections, or leads to significant costs to change documents for no real improvement value.

The commenter proposed the following edits:
or (2) contain sensitive information that could benefit an insider.

NRC comment resolution:
The NRC disagrees with the comment. Definitions should remain as consistent as possible within regulatory guidance documents authored by the NRC. The NRC defines "insider" within the "Glossary of Security Terms for Nuclear Power Reactors," NUREG-2203, dated February 2017, and RG 5.69, "Guidance for the Application of the Radiological Sabotage Design-Basis Threat in the Design, Development, and Implementation of a Physical Security Program that Meets 10 CFR 73.55 Requirements" (SGI), providing consistency within the DG-5044 glossary section. NEI 03-01, while endorsed by the NRC staff, is not a document authored by the NRC. Accordingly, the NRC has made no change to DG-5044 based on this comment.

70. NEI, Glossary, Reviewing Official (Page 29)

DG-5044 language:
The licensee or, if applicable, the contractor or vendor, persons designated by their company to be responsible for reviewing and evaluating all data collected about an individual, including potentially disqualifying information, in order to determine whether the individual may be authorized UAA or granted UA.

NEI comment:
The definition is not consistent with RG 5.66, Reference 4. The certification of UAA and/or the granting of UA is a licensee responsibility.

The commenter proposed the following edit:
...including potentially disqualifying information, in order to determine whether the individual may be certified UAA by a licensee or C/V, or granted UA by a licensee.

NRC comment resolution:
The NRC agrees with the comment and has revised the definition, with minor modification.

The revised definition of "reviewing official" states:

Persons designated by the licensee or, if applicable, the contractor or vendor, to be responsible for reviewing and evaluating data collected about an individual, including potentially disqualifying information, to determine whether the individual may be certified for unescorted access authorization or granted unescorted access by a licensee.

71. NEI
DG-5044 Section: C.1 (about Page 4)
Specific Comment:
DG-5044 language: "implementation of measures that control personnel access to the licensee's"
NEI comment: Safety-related systems are not listed (they may not necessarily be part of the target set elements), yet the computer networks associated with safety-related and important to safety are listed. Change vi to read, "computer networks associated with target sets, security functions and emergency preparedness functions".
NRC Comment Resolution: The NRC disagrees with the comment. As stated, in part, in 10 CFR 73.54(a)(1), the licensee is required to protect digital computer and communication systems and networks associated with safety-related and important-to-safety functions. However, the wording of this discussion has been revised to be consistent with the language of the regulation. Accordingly, the NRC has made no change to DG-5044 based on this comment.

72. NEI
DG-5044 Section: B. Discussion, Harmonization with International Standards (Page 6)
Specific Comment:
NEI comment: This regulatory guide revision doesn't include visitor information contained in IAEA Nuclear Security Series No. 8. The regulatory guide lacks any mention of concern with visitors.
"Escort and surveillance of infrequent workers and visitors. Temporary workers, such as maintenance, service or construction workers, often come from contracting or subcontracting companies. The trustworthiness of temporary workers and visitors may not have been determined prior to their being permitted access. Escorting such people is a way of making sure that they are in the right place and that they are performing their duties properly. To be effective, the escort should know about their approved activities, including access to specific places and actions they should not perform. In addition, guard patrols may deter or detect any attempt by individuals to carry out malicious acts."
NRC Comment Resolution: The NRC disagrees with the comment. The requirements for visitors are captured in 10 CFR 73.55(g)(7). The International Atomic Energy Agency (IAEA) Nuclear Security Series No. 8 contains similar guidelines and is cited as reference No. 13 within DG-5044.
The NRC has revised the section title "Harmonization with International Standards" to read "Consideration of International Standards." This section also has been revised to state:
"The International Atomic Energy Agency (IAEA) works with member states and other partners to promote the safe, secure, and peaceful use of nuclear technologies. The IAEA develops safety requirements and safety guides for protecting people and the environment from harmful effects of ionizing radiation. This system of safety fundamentals, safety requirements, safety guides, and other relevant reports, reflects an international perspective on what constitutes a high level of safety. To inform its development of this RG, the NRC considered IAEA safety requirements and safety guides pursuant to the Commission's International Policy Statement (Ref. 11) and Management Directive and Handbook 6.6, Regulatory Guides, dated May 2, 2016 (Ref. 12).
The staff considered the following IAEA safety requirements and guide in the development and update of the RG:
IAEA Nuclear Security Series No. 8-G, Preventive and Protective Measures against Insider Threats, Revision 1, issued 2020 (Ref. 13)."

73. NEI
DG-5044 Section: C.1. General Requirements (Page 8)
Specific Comment:
NEI comment: "Licensee or applicant's RO...determine what access level for the individual"
NRC Comment Resolution: It is not clear what change this comment is recommending. The NRC has determined that the current language addressing the responsibilities of the licensee's or applicant's Reviewing Official is appropriate. Accordingly, the NRC has made no change to DG-5044 based on this comment.
74. NEI
DG-5044 Section: C.2. Applicability, 1st paragraph
Specific Comment:
NEI comment: "Requires an initial and periodic medical assessment, to include a psychological evaluations"
Should be, "Requires a psychological evaluation, which may include a medical assessment"
NRC Comment Resolution: The NRC disagrees with the comment. The language is consistent with the language contained in DBT Order, EA-03-086, Attachment 2, page 5. Accordingly, the NRC has made no change to DG-5044 based on this comment.

75. NEI
DG-5044 Section: C.1.2, 1st Paragraph (Page 9)
Specific Comment:
NEI comment: No mention of escorted workers, e.g., visitors. Add escorted workers or visitors.
NRC Comment Resolution: The NRC disagrees with the comment. The language in the section referenced by the comment is a high-level discussion of the motivations and unpredictable nature of an insider and the insider threat. The reference to a disgruntled employee is only an example of one type of insider threat. This discussion is not meant to address all types of insider threats that a licensee might face. The NRC further notes that the requirements for visitors are captured in 10 CFR 73.55(g)(7). Accordingly, the NRC has made no change to DG-5044 based on this comment.

76. NEI
DG-5044 Section: C.2. Applicability
Specific Comment:
NEI comment: DBT Order, EA-03-086 -- It's listed several times. What portions of this order are still valid?
NRC Comment Resolution: The NRC notes that NRC Order EA-03-086 was issued on February 25, 2002, and was revised on April 29, 2003. All elements in the revised order remain in effect and have not been rescinded or modified.
77. NEI
DG-5044 Section: Glossary
Specific Comment:
NEI comment: Add FFD staff and reword to reflect current critical group definition as in SFAQ 10-05.
NRC Comment Resolution: The NRC disagrees with the comment. SFAQ 10-05 does not make any reference to FFD staff as part of the critical group. Personnel addressing FFD issues are governed by the requirements of 10 CFR Part 26. While the NRC acknowledges that FFD elements play a role in the IMP, to the extent that a definition of FFD staff is needed it should properly be in 10 CFR Part 26 or the 10 CFR Part 26 associated guidance. Accordingly, the NRC has made no change to DG-5044 based on this comment.
78. NEI
DG-5044 Section: Glossary
Specific Comment:
NEI comment: Add escorted worker definition.
NRC Comment Resolution: The NRC disagrees with the comment. Escorted workers fall under the category of visitors. The requirements for visitors are captured in 10 CFR 73.55(g)(7). Accordingly, the NRC has made no change to DG-5044 based on this comment.
79. NEI
DG-5044 Section: References
Specific Comment:
NEI comment: References section doesn't include all references in the document (e.g., IAEA Nuclear Security Series 8, SAND2007-5591, NUREG/CR-7145).
NRC Comment Resolution: The NRC agrees with the comment. The identified references have been added to the References section of the revised DG-5044.
80. NEI
DG-5044 Section: References
Specific Comment:
NEI comment: NUREG-1959 hasn't been listed before and reads like we're now required to use it.
Change to "provides a detailed discussion of proximity sensors, which may be used as part of an IMP."
NRC Comment Resolution: The NRC agrees with the comment. The discussion of NUREG-1959 in the Related Guidance section of the revised DG-5044 makes clear that proximity sensors may be used.

81. NEI
DG-5044 Section: C.3.5.3
Specific Comment:
NEI comment: Deleted the reference to NEI 03-12 and statement that the guidance in NEI 03-12 provides the specifics of a patrol program that the NRC has found acceptable. Why was this reference deleted? Doesn't this leave licensees open to subjective judgments regarding what a satisfactory patrol program consists of that is outside the guidance of NEI 03-12 regarding frequency, locations, depth of patrols, etc.?
NRC Comment Resolution: The NRC agrees with the comment. However, the NRC believes that the commenter may have inadvertently referred incorrectly to Section 3.5.3 of DG-5044. DG-5044 contains no Section 3.5.3 within the document. The correct reference is Section 3.4.3.
Guidance on an acceptable security patrol program can be found under Regulatory Guide 5.76, Physical Protection Programs at Nuclear Power Reactors (SGI). The reference to NEI 03-12 has been removed from DG-5044 because it is redundant to the guidance found in RG 5.76.

82. UCS
DG-5044 Section: 1 (vi)
Specific Comment:
UCS comment: The IMP should not overlook insider access to systems that may not have a direct nexus to SSEP but may provide information useful to an adversary, e.g., personal information on staff that could be used for blackmail.
NRC Comment Resolution: The NRC agrees with this comment. Consistent with 10 CFR 73.55(b)(9)(iii), the foundation of the insider mitigation program is to ensure that licensees implement defense-in-depth methodologies to minimize the potential for an insider to adversely affect a licensee's capability to prevent significant core damage and spent fuel sabotage. The comment does not make any specific recommendation for a revision to DG-5044. Accordingly, the NRC has made no change to DG-5044 based on this comment.
83. UCS
DG-5044 Section: C.4 Behavior Observation Program (BOP) Training
Specific Comment:
UCS comment: NRC should not limit the scope of this section as proposed by NEI.
NRC Comment Resolution: The NRC agrees with the comment. Section 4 of DG-5044 discusses the Behavioral Observation Program (BOP). This section provides a high-level discussion consistent with the applicable requirements in 10 CFR 73.56(f). The NRC has not accepted recommendations to limit the scope of the BOP that are inconsistent with these requirements. The comment does not make any specific recommendation for a revision to DG-5044. Accordingly, the NRC has made no change to DG-5044 based on this comment.

84. UCS
DG-5044 Section: Not applicable
Specific Comment:
UCS comment: General Comment. It should be evident today that the insider threat is posing an ever-growing risk to sensitive information and facilities. The NRC must be vigilant in ensuring that licensees maintain robust and broad programs to protect against insiders. A growing danger today is the insider who has received sophisticated training on how to evade being detected by conventional insider mitigation programs. Therefore, such programs themselves must evolve in order to detect such training.
NRC Comment Resolution: The NRC agrees with the comment. The NRC continuously monitors the current threat environment for any changes that may impact NRC licensed facilities, materials, and/or other activities. The NRC currently has no indication of any impact or change to the threat environment for our licensed facilities, materials, and activities.
The NRC continues to coordinate with our Federal partners to ensure we are providing prompt assessment of any security threats to our licensed facilities, materials, and activities. Should any change to the threat landscape emerge, NRC will take prompt and appropriate action to address any security threats to our licensed facilities, materials, and activities.
The comment does not make any specific recommendation for a revision to DG-5044. Accordingly, the NRC has made no change to DG-5044 based on this comment.

85. UCS
DG-5044 Section: C.2.2, The Critical Group, 2nd Paragraph, Items (1) to (5)
Specific Comment:
UCS comment: Why was this deleted? Where did it go?
NRC Comment Resolution: The NRC notes that the elements of the critical group were not deleted from DG-5044. The NRC relocated this information to the Glossary of revised DG-5044 in the definition of information technology (IT) personnel.