ML23013A054

Enclosure 1 - Summary of NRC Actions - Response to GAO Reports
ML23013A054
Person / Time
Issue date: 03/17/2023
From: Christopher Hanson
NRC/Chairman
To: Dodaro G
US Government Accountability Office (GAO)
Shared Package
ML23013A052 List:
References
Revised CORR-23-0014


Text

The U.S. Government Accountability Office Report Nuclear Regulatory Commission Summary of NRC Actions - Response to GAO Reports

SUMMARY OF NRC ACTIONS - RESPONSE TO GAO REPORTS

Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)

Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)

Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)

Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)

Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts (GAO-20-362)

Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials (GAO-22-103441)

Privacy: Dedicated Leadership Can Improve Programs and Address Challenges (GAO-22-105065)

Enclosure 1 The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices December 2014 (GAO-15-98)

The U.S. Government Accountability Office (GAO), in its report, Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices, recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost-estimating best practices identified in GAO-089-3SP, GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as the NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost-estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses.

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the update to Management Directive 8.4, Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests, that the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft of NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, Draft Final NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission).

The staff also developed additional draft guidance that will be in appendices to NUREG/BR-0058. The staff developed draft Appendices F-I, which address emergent policy issues and provide references that update pertinent information contained in NUREG/BR-0184, Regulatory Analysis Technical Evaluation Handbook, dated January 1997. The newly proposed appendices contain data sources, regulatory analysis methods, data for nuclear facilities other than power reactors, severe accident risk analysis, and guidance used when conducting cost-benefit analyses for the NRC's regulatory, backfit, forward fit, issue finality, and National Environmental Policy Act (NEPA) environmental review analyses across NRC program offices. The NRC issued the draft appendices for public comment on April 16, 2021, and held a public meeting on May 19, 2021, to answer stakeholder questions and facilitate public comment.

The final draft appendices were provided to the Commission for review and approval on April 1, 2022 (SECY-22-0028, Appendices to NUREG/BR-0058, Revision 5, Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission).

In addition, the staff developed draft Appendices K-L, which provide guidance on the monetary valuation of nonfatal cancer risk used in cost-benefit analysis and replacement energy costs.

The NRC issued the draft appendices for public comment on July 6, 2022, and held a public meeting on August 17, 2022, to answer stakeholder questions and facilitate public comment.

The final draft appendices will be provided to the Commission for review and approval by June 2023.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)

GAO, in its report, Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain, made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include category 3 sources in the National Source Tracking System and add agreement state category 3 licenses to the Web-based Licensing (WBL) System as quickly as reasonably possible.

Status:

On December 21, 2021, in SRM-SECY-17-0083, Staff Requirements Memorandum SECY-17-0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001, the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and,
3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the License Verification System (LVS) or the regulatory authority. For this activity, Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

The Commission did not direct the staff to include category 3 sources in the National Source Tracking System.

On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration. The draft proposed rule and supporting content can be found in SECY-22-0112, Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103). The Commission is currently considering the draft proposed rule, which the staff expedited.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, at least until such time that category 3 licenses can be verified using the License Verification System, require that transferors of category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any category 3 quantities of licensed materials.

Status:

In addition to the response provided to Recommendation 1, the NRC staff continues to engage licensees and Agreement States on the issues identified by this GAO investigation. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses. The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on their responses to NRC communications and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of the NRC working groups meeting to develop enhancements to the pre-licensing requirements for category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

Status:

In addition to the Commission direction and NRC staff activities described in response to Recommendations 1 and 2, the NRC issued a revision to the pre-licensing guidance. The revised guidance emphasizes that licenses should not be hand-delivered during a pre-licensing site visit and outlines processes to conduct additional screening of applicants and evaluate any potential security risks identified during the application review, as appropriate. The NRC has also updated its licensing and inspection courses and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material April 2019 (GAO-19-468)

The U.S. Government Accountability Office (GAO), in its report, Combating Nuclear Terrorism: The NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material, made three recommendations to the U.S. Nuclear Regulatory Commission (NRC) related to the security of radioactive material. Two of these recommendations have been previously reported as recommendations that would not be implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 2:

The Chairman of the NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

Status:

On December 21, 2021, in SRM-SECY-17-0083, Staff Requirements Memorandum SECY-17-0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001, the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations Parts 30, Rules of General Applicability to Domestic Licensing of Byproduct Material, 40, Domestic Licensing of Source Material, and 70, Domestic Licensing of Special Nuclear Material, to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and,
3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the License Verification System (LVS) or the regulatory authority. For this activity Agreement States that do not use the Web-based Licensing (WBL) System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

The Commission did not direct the staff to include category 3 sources in the National Source Tracking System.

On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration. The draft proposed rule and supporting content can be found in SECY-22-0112, Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103). The Commission is currently considering the draft proposed rule, which the staff expedited.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities March 2020 (GAO-20-129)

The Federal Government spends over $90 billion on information technology (IT). Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which Federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report.

Recommendation 14:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully implement.

Status:

The following summary describes the actions taken by the NRC to fully implement seven key IT workforce planning activities identified by GAO.

The NRC has enhanced the Strategic Workforce Planning (SWP) process. This process was informed by the GAO report titled Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices (GAO-17-233). This enhanced SWP process has been fully implemented, resulting in the identification of strategies and action plans to address potential IT skill gaps.

In the previous report, the NRC described its efforts to identify competencies at the agency and to further strengthen that activity by joining other Federal agencies that are part of the Chief Information Officers Council to build career paths/competency models for 64 IT security roles across the Federal Government. After further review, the NRC has identified 34 core positions for IT security roles instead of the initial 64 roles identified within the Office of the Chief Information Officer (OCIO) in order to build competency models. OCIO has completed 11 competency models to date.

The NRC currently has four additional competency models in the development process. OCIO continues to work closely with the NRC's Office of the Chief Human Capital Officer (OCHCO) in the development of IT competency requirements by utilizing the NICE Framework as an assessment tool. The NICE Framework is being used to address the identified gaps discovered as a result of the SWP process. OCIO is leveraging the NICE Framework and other supporting information to assess the knowledge, skills, and abilities of each role.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts February 2020 (GAO-20-362)

The NRC creates and posts public cost estimates for common oversight activities on its website to increase transparency and enhance stakeholder awareness of the costs associated with these activities. These estimates are designed to aid licensees in planning for future work and assisting with budgeting to pay future costs. GAO, in its report, Nuclear Regulatory Commission: Fee-Setting, Billing, and Budgeting Processes Have Improved, but Additional Actions Could Enhance Efforts, indicated that the NRC has not consistently updated those estimates since September 2017, or clearly defined what costs were included in the estimates.

GAO made two recommendations to the NRC in this report. One of these recommendations has been closed. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 1:

The Executive Director for Operations of the NRC should ensure relevant NRC program offices develop policy and guidance for when to communicate information on work progress to licensees, such as through communications to licensees at specified timeframes or thresholds.

Status:

All three of the relevant program offices have updated office procedures to establish policy and guidance for when to communicate information on work progress to licensees.

The NRC considers this recommendation to be closed.

The U.S. Government Accountability Office Report Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials July 2022 (GAO-22-103441)

GAO, in its report, Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials, made two recommendations to the NRC related to the security of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Chairman of the NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory authority.

Status:

On December 21, 2021, in SRM-SECY-17-0083, Staff Requirements Memorandum SECY-17-0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001, the Commission directed the staff to pursue rulemaking to amend the regulations in 10 CFR Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;
2. clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and,
3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the LVS or the regulatory authority. For this activity Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration. The draft proposed rule and supporting content can be found in SECY-22-0112, Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103). The Commission is currently considering the draft proposed rule, which the staff expedited.

The NRC staff also continues to engage licensees and Agreement States on the issues identified by this GAO investigation. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses.

The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on their responses to NRC communications and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 2:

The Chairman of the NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing.

Status:

As part of the ongoing rulemaking process, the NRC will develop additional guidance to regulators and licensees to reduce the potential for use of altered or counterfeited licenses to purchase category 3 radioactive sources. The NRC is also exploring the specific methods suggested by GAO.

This GAO recommendation remains open.

The U.S. Government Accountability Office Report Privacy: Dedicated Leadership Can Improve Programs and Address Challenges September 2022 (GAO-22-105065)

The protection of personal privacy has become a more significant issue in recent years with the advent of new technologies and the proliferation of personal information. Federal agencies collect and process large amounts of personally identifiable information (PII) for various government programs. Accordingly, they must ensure that any PII that they collect, store, or process is protected from unauthorized access, tampering, or loss.

Federal agencies are required to establish privacy programs for the protection of PII that they collect and process. Among other things, this includes designating a senior agency official for privacy with overall responsibility for the agency's privacy program. In addition, agencies are to conduct privacy impact assessments to analyze how personal information is collected, stored, shared, and managed in a federal system.

GAO was asked to review Federal agencies' privacy programs. This report examines (1) the extent to which agencies have established programs for ensuring privacy protections; (2) challenges agencies reported experiencing in implementing their privacy programs; (3) reported benefits and limitations in agencies' use of privacy impact assessments; and (4) the extent to which agencies have senior leadership dedicated to privacy issues. GAO made two recommendations to the NRC in this report. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 50:

The Chairman of the NRC should fully define and document a process for ensuring that the senior agency official for privacy or other designated privacy official is involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy.

Status:

The NRC agrees with this recommendation and has updated its Privacy Program Plan to better document the roles and responsibilities of the Senior Agency Official for Privacy (SAOP) regarding the hiring, training, and professional development needs of the agency with respect to privacy.

The NRC considers this recommendation to be closed.

Recommendation 51:

The Chairman of the NRC should fully define and document the role of the senior agency official for privacy or other designated privacy official in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages.

Status:

The NRC agrees with this recommendation and has updated its security processes to better document the SAOP's roles and responsibilities regarding reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages.

The NRC considers this recommendation to be closed.
