ML22174A420

From kanterella
Jump to navigation Jump to search
Letter Response to - Allison Bawden, Director, Natural Resources and Environment, Et Al., Gao, E-mail Draft Report Entitled Preventing a Dirty Bomb: Vulnerabilities Persist in Nrc'S Controls for Purchases of High-Risk Radioactive Materials
ML22174A420
Person / Time
Issue date: 06/29/2022
From: Dan Dorman
NRC/EDO
To: Bawden A
US General Accounting Office (GAO)
Shared Package
ML22168A189 List:
References
GAO-22-103441
Download: ML22174A420 (9)
v  d  e


Text

June 29, 2022 Ms. Allison Bawden Director, Natural Resources and Environment U.S. Government Accountability Office 441 G Street NW Washington, DC 20548

SUBJECT:

U.S. NUCLEAR REGULATORY COMMISSION COMMENTS ON DRAFT GOVERNMENT ACCOUNTABILITY OFFICE REPORT GAO-22-103441, PREVENTING A DIRTY BOMB - VULNERABILITIES PERSIST IN NRCS CONTROLS FOR PURCHASES OF HIGH-RISK RADIOACTIVE MATERIALS

Dear Ms. Bawden:

Thank you for the opportunity to review and comment on the United States Government Accountability Office (GAO) draft report GAO-22-103441, Preventing a Dirty Bomb -

Vulnerabilities Persist in NRCs Controls for Purchases of High-Risk Radioactive Materials, which the U.S. Nuclear Regulatory Commission (NRC) received on June 17, 2022. We appreciate the efforts by GAO to identify opportunities to enhance NRC regulations, as well as the collegiality with which you have consistently shared information on issues of interest. We take your recommendations seriously and will continue our efforts to strengthen the safety and security of radioactive materials.

Together, the NRC and Agreement States have established a strong regulatory framework that ensures the safety, security, and control of radioactive sources. This framework includes regulations that ensure appropriate access to high-risk radioactive sources; secure storage of these sources; and effective detection, assessment, and response to any unauthorized access.

This framework also includes robust oversight and enforcement programs. Collectively, this regulatory approach considers reasonable threats and provides both prevention and mitigation of consequences, such that the NRC maintains reasonable assurance of adequate protection of public health and safety, as well as common defense and security.

The NRCs mission and regulatory framework are complemented by those of several other Federal agencies. Each of these agencies, including the Department of Homeland Security (DHS), the Department of Energy, and the Federal Bureau of Investigation, play an integral role in the domestic architecture for radioactive security. Through forums such as the 14-agency Radiation Source Protection and Security Task Force (Task Force), Federal agencies coordinate on a routine basis to ensure that the United States is appropriately positioned to protect the country from potential terrorist threats such as the use of radioactive material in a radiological dispersal device (RDD) or radiation exposure device. In October 2018, the Task Force submitted a report to the President and Congress (Agencywide Documents Access and Management System (ADAMS) Accession No. ML18276A155). The Task Force concluded that there are no significant gaps in the area of radioactive source protection and security that are not already being addressed by ongoing efforts of the appropriate agencies. The 2022 report is in the final stages of development, and the NRC does not anticipate any change in this conclusion.

A. Bawden 2 In the subject draft report, the GAO staff emphasizes that their recommendations should be implemented immediately. This urgency is based on the GAOs conclusions from their report GAO-19-258SU; however, the NRC disagreed with the conclusions from this report (ADAMS Accession No. ML19077A341). The conclusions in GAO-19-258SU lack important context in that they focus on the potential consequences of an RDD without accounting for certain aspects of risk (i.e., threat and vulnerability), which include consideration of the probability of an event, the credible capabilities of adversaries, the protection afforded by the existing regulatory framework, and the sophisticated national infrastructure that is maintained under the leadership of DHS. In order to make a risk-informed determination regarding the appropriate level of safety and security controls to protect radioactive materials, including the urgency with which the NRC issues requirements (that is, whether to issue requirements by immediately effective Order or by a publicly transparent rulemaking process), it is necessary to consider all aspects of risk, and to assess the impact of any additional security measures on the beneficial use of radioactive materials.

In its draft report, the GAO made two recommendations for action by the NRC. The NRCs comments with respect to the recommendations follow.

GAO Recommendation 1: The Chairman of the NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory agency.

NRC Response: The NRC agrees with requiring vendors to verify Category 3 licenses with the appropriate regulatory agency and has already begun rulemaking that would require such verification, based on Commission direction in December 2021. The proposed rule is expected to be transmitted to the Commission in October 2023 for their consideration. The NRC is taking internal process steps to appropriately expedite this rulemaking. The existing regulatory framework considers all aspects of both safety and security riskthreat, vulnerability, and consequenceand is applied in a graded approach to mitigate the risk from resulting radiation effects. Given this framework, the NRC maintains reasonable assurance of adequate protection of public health and safety, as well as common defense and security. Therefore, while this rulemaking will provide an improvement in overall security, the NRC does not have a sufficient basis to issue immediately effective requirements. Furthermore, following the rulemaking process under the Administrative Procedure Act enables the NRC to incorporate public feedback, providing for fully informed and effective requirements that can be implemented without unintended impacts.

GAO Recommendation 2: The Chairman of the NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multi-factor authentication or moving away from paper licenses to electronic-based licensing.

NRC Response: The NRC agrees with considering enhanced security features in the licensing process. As part of the rulemaking process already underway to require license verification, the NRC will consider providing guidance to regulators and licensees that will reduce the potential for altered or forged licenses to be used in acquiring Category 3 radioactive sources, which could include the specific methods suggested by GAO. The rulemaking will be conducted in coordination with the Agreement States, which will jointly implement the new requirements.

A. Bawden 3 The enclosure provides detailed comments and suggestions from the NRC on the draft GAO report. Should you have any questions concerning these comments, please contact John Jolicoeur at John.Jolicoeur@nrc.gov or 301-415-1642.

Sincerely, Signed by Dorman, Dan on 06/29/22 Daniel H. Dorman Executive Director for Operations

Enclosure:

U.S. Nuclear Regulatory Commission Detailed Comments on U.S. Government Accountability Office (GAO) Draft Report GAO-22-103441 Preventing a Dirty Bomb - Vulnerabilities Persist in NRCs Controls for Purchases of High-Risk Radioactive Materials

A. Bawden 4

SUBJECT:

U.S. NUCLEAR REGULATORY COMMISSION COMMENTS ON DRAFT GOVERNMENT ACCOUNTABILITY OFFICE REPORT GAO-22-103441, PREVENTING A DIRTY BOMB - VULNERABILITIES PERSIST IN NRCS CONTROLS FOR PURCHASES OF HIGH-RISK RADIOACTIVE MATERIALS DATED: June 29, 2022 DISTRIBUTION: LTR-22-0175 Public JJolicoeur, OEDO RidsNmssOd RidsNsirOd KWilliams, NMSS TClark, NMSS JODriscoll, NMSS AGiantelli, NMSS MBarrett, NMSS ADWhite, NMSS ARivera, NSIR GPurdy, NSIR ADAMS Accession Number: ML22168A189 *via email OFFICE NMSS/MSST NMSS/MSST NMSS OGC OEDO/EDO OCM OEDO/EDO MZobler DDorman ALewis DDorman NAME AGiantelli TClark RLewis CHaney for DATE 06/22/2022 06/22/2022 06/23/2022 06/23/2022 06/24/2022 06/29/2022 06/29/2022 OFFICIAL RECORD COPY

U.S. Nuclear Regulatory Commission Detailed Comments on U.S. Government Accountability Office (GAO) Draft Report GAO-22-103441, Preventing a Dirty Bomb - Vulnerabilities Persist in NRCs Controls for Purchases of High-Risk Radioactive Materials

1. Page 1, footnote 2, states: In 2016, NRC interpreted high-risk to mean the largest quantities of radioactive material (categories 1 and 2). In our 2019 report, we used the views of security experts to define high-risk, and these experts generally agreed that high-risk includes both larger quantities and some smaller quantities of radioactive materials, including some category 3 quantities. See Nuclear Regulatory Commission, Report to Congress under Public Law 113-235: Effectiveness of Part 37 of Title 10 of the Code of Federal Regulations (Washington, D.C.: Dec. 14, 2016); and GAO, Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, GAO-19-468 (Washington, D.C.: Apr. 4, 2019).

NRC Comment: Recommend adding to footnote after the first sentence, The NRCs interpretation of high-risk to mean category 1 and 2 quantities is consistent with the Radiation Source Protection and Security Task Force (Task Force) Reports that are submitted to the President and Congress every 4 years. The Task Force is composed of 14 Federal agencies, with the Organization of Agreement States as an observer. The Energy Policy Act of 2005 established this interagency Task Force to evaluate and periodically provide recommendations to the President and Congress relating to the security of radiation sources in the United States from potential terrorist threats, including acts of sabotage, theft, or use of a radiation source in a radiological dispersal device or radiological exposure device.

NRC Explanation: It is important to clarify that the NRCs definition of risk-significant including only category 1 and 2 quantities is endorsed by all 14 Federal agencies of the Task Force. This Federal definition for risk-significant quantities of radioactive materials does not match the GAO definition of both larger quantities and some smaller quantities of radioactive materials, including some category 3 quantities.

2. Page 2, first paragraph, states From 2011 through 2020, Nuclear Regulatory Commission (NRC) reported 4,512 nuclear materials events NRC Comment: The NRC requests that GAO provide context for the types of events that are considered in this total of 4,512 events over 9 years.

Explanation: The events tracked in the National Materials Event Database date back to January 1990. The NRC has analyzed the data to look specifically at theft, acts of sabotage, and vandalism and found that since 1990 there has been a significantly smaller number of events, as shown in that table below.

Category Number of reported thefts, acts of sabotage, and vandalism (January 1990 - May 2022) 1 0 2 30 3 4 Enclosure

A closer look at this data indicates that for category 2 material, in 26 of 30 incidents, the material was recovered. The last time a category 2 source went unrecovered following a theft was 2012. For category 3 material, in three of the four incidents, the material was recovered. The last time a category 3 source went unrecovered following a theft was 1991.

3. Page 2, last paragraph, second sentence states: known as agreement states, which have entered into an agreement with NRC to manage licenses in those states.

NRC Comment: Revised this statement to known as Agreement States, which have entered into agreements with NRC under the Atomic Energy Act to regulate certain radioactive materials in those states.

NRC Explanation: As authorized by the Atomic Energy Act, the NRC can discontinue its regulatory authority and allow Agreement States to regulate certain radioactive material in their state. This scope of responsibility covers all aspects of regulation, not just managing licenses.

4. Page 2, footnote 4, states: The material in the devices is regulated under NRCs 10 CFR Part 37 security regulations, which govern the physical protection of certain quantities of byproduct material. NRCs 10 CFR Part 37 regulations (commonly known as Part 37), address topics such as physical security, access control, monitoring and detection, and employee trustworthiness and reliability.

NRC Comment: Revise this statement to The material in the devices is regulated under NRCs applicable safety and security regulations found in Title 10 of the Code of Federal Regulations (CFR) Parts 1-199. The requirements of 10 CFR Part 37 (commonly known as Part 37), address additional security topics such as physical security, access controls, monitoring and detection, and employee trustworthiness and reliability.

NRC Explanation: The NRC proposes this wording for clarity. As written, this footnote implies that only 10 CFR Part 37 regulations apply to the radiography devices in the Arizona event. The NRC has a regulatory framework that addresses safety, security, and control of radioactive material. In addition to Part 37, Parts 19, 20, 30, and 34 apply to licensees conducting radiography activities.

5. Page 3, last paragraph, first sentence states: In December 2021, the NRC began a process that could result in implementation of one of the recommendations from our 2016 investigation.

NRC Comment: Revise this statement to In December 2021, the NRC began rulemaking that could result in implementation of one of the recommendations from our 2016 investigation.

NRC Explanation: The NRC proposes this wording for clarity.

6. Page 6, first paragraph, second sentence: The National Source Tracking System (NSTS), deployed in January 2009, tracks category 1 and 2 sources of the 16 radionuclides that NRC and the Department of Energy have determined are attractive for use in a dirty bomb or for other malicious purposes, and that warrant national tracking.

2

NRC Comment: Revise this sentence to The National Source Tracking System (NSTS), deployed in January 2009, tracks 20 radionuclides, including category 1 and 2 sources, that NRC and the Department of Energy have determined are attractive for use in a dirty bomb or for other malicious purposes, and that warrant national tracking.

NRC Explanation: The NRC proposes this wording for clarity. The NSTS tracks 20 radionuclides, not 16.

7. Page 9, last paragraph, first sentence: NRC officials told us in January 2022 that in response to previous GAO recommendations they have begun a process, ...

NRC Comment: Revise this statement to NRC officials told us in January 2022 that they have begun a Commission-directed rulemaking that will address several previous GAO recommendations NRC Explanation: The NRC proposes this wording for clarity, as internal NRC assessments and stakeholder feedback also support the need for this rulemaking.

8. Page 10, second sentence, states: Specifically, NRC officials told us that they would propose a new regulatory rule under which agreement states would either (1) voluntarily enter licenses into WBL to permit online verification of licenses, or (2) require that vendors in their state contact regulatory officials to verify licenses.

NRC Comment: Revise this statement to Specifically, NRC officials told us that the rulemaking they envision would require licensees transferring category 3 material to verify licenses in a manner similar to what is required in 10 CFR Part 37 for transfers of category 1 and 2 material. The two acceptable methods for transfer of category 1 and 2 quantities are verifying by direct contact with the regulator or through using the NRCs license verification system (LVS). The final rule content would be informed by public comment and Agreement State participation.

NRC Explanation: The NRC proposes this wording for clarity. As written, this sentence implies that the rulemaking will apply to Agreement State regulators. The rule will apply to NRC and Agreement State licensees that transfer category 3 quantities of materials.

The NRC expects that many more Agreement States will voluntarily include their licenses in WBL to reduce the administrative effort of verifying licenses, as well as to use the powerful functions of this licensing system. Currently, nine states use WBL and 10 more are in the onboarding process.

9. Page 10, second paragraph, last sentence, states: However, NRC officials told us that they have the authority to quickly issue additional binding security requirements to licensees via an NRC order if warranted. For example, NRC could issue an order immediately requiring vendors to verify licenses via phone call to NRC or agreement state officials if the agency believed that doing so was necessary to promote the common defense and security. NRC officials told us that there was insufficient justification or urgency from an imminent threat to take such a step.

NRC Comment: Revise this statement to However, NRC officials told us that they have the authority to quickly issue additional binding security requirements to licensees via an NRC order if warranted. For example, the NRC could issue an Order immediately requiring vendors to verify licenses via phone call to NRC or Agreement State officials if 3

the agency believed that doing so was necessary to promote the common defense and security. NRC officials told us that given the existing regulatory framework, they do not have a sufficient basis to issue immediately effective requirements to address the findings raised by GAO, and they will follow their public rulemaking process.

NRC Explanation: This statement more accurately reflects NRCs position as discussed at the exit meeting.

10. Page 10, last paragraph, first sentence states: Similarly, NRC officials stated that the consequences stemming from the detonation of a dirty bomb using category 3 radioactive materials would be insufficient to require immediate action.

NRC Comment: Recommend revising to, Similarly, NRC officials stated that the consequences stemming from the detonation of a dirty bomb using category 3 radioactive materials would be insufficient to require issuing immediately effective orders.

NRC Explanation: The NRC does not have a sufficient basis to issue immediately effective requirements to address the GAO findings. The existing regulatory framework considers all aspects of both safety and security riskthreat, vulnerability, and consequenceand is applied in a graded approach to mitigate the risk from radiation effects.

11. Page 10, last paragraph, second sentence, states: ... could be expected to cause hundreds of deaths from evacuations and billions of dollars of socioeconomic effects.

NRC Comment: NRC requests this report mention the agencys previously documented concerns about the recommendations within GAO 19-468. Specifically, the NRC concluded that the GAOs report supporting its recommendations lacked important context. Specifically, GAO focused on the potential consequences of an RDD without accounting for certain aspects of risk (i.e., threat and vulnerability), which include consideration of the probability of an event, the credible capabilities of adversaries, the protection afforded by the existing regulatory framework, and the sophisticated national infrastructure that is maintained under the leadership of DHS.

NRC Explanation: Together, the NRC and Agreement States have established a strong regulatory framework that ensures the safety, security, and control of radioactive sources. This framework includes regulations that ensure appropriate access to high-risk radioactive sources; secure storage of these sources; and effective detection, assessment, and response to any unauthorized access. This framework also includes robust oversight and enforcement programs. Collectively, this regulatory approach considers reasonable threats and provides both prevention and mitigation of consequences, such that the NRC maintains reasonable assurance of adequate protection of public health and safety, as well as common defense and security.

The regulatory framework was developed, and later revised, by considering all aspects of both safety and security riskthreat (i.e., likelihood), vulnerability, and consequenceand is applied in a graded approach to mitigate the risk from resulting radiation effects. This graded approach ensures that requirements are adequate and appropriate for all the radioactive materials in use in the United States. The NRC staff will continue to work with the agency's partners in the Federal government to evaluate 4

the current domestic threat environment to ensure the NRC's security framework is effective.

12. Page 11, second paragraph, second sentence, states: NRCs proposed process to address this, NRC comment: Revise to NRCs proposed rulemaking to address this NRC Explanation: The NRC proposes this wording for clarity.

5

Retrieved from "https://kanterella.com/w/index.php?title=ML22174A420&oldid=3451200"