Enclosure - Response to Gao 2023 Priority Recommendations

ML23143A336
Person / Time
Issue date:	06/20/2023
From:	NRC/Chairman
To:	US Government Accountability Office (GAO)
Shared Package
ML23143A334	List: ML23143A335 ML23143A336
References
LTR-23-0124-1, CORR-23-0050
Download: ML23143A336 (1)
v • d • e

Text

U.S. Nuclear Regulatory Commission Actions to Address Priority Open U.S. Government Accountability Office Recommendations Addressing the Security of Radiological Sources The U.S. Government Accountability Office (GAO) identified six open priority recommendations for the U.S. Nuclear Regulatory Commission (NRC) from three reports that addressed the security of category 3 sources (GAO-16-330), security measures for radioactive materials that could be dispersed through a radiological dispersal device (GAO-19-468), and verification of licenses for category 3 materials (GAO-22-103441 ).

In the report GAO-16-330, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," GAO recommended that the NRC:

1) Take the steps needed to include category 3 sources in the National Source Tracking System [NSTS] and add Agreement State category 3 licenses to the Web-Based Licensing [WBL] System as quickly as reasonably possible.

2) At least until such time as category 3 licenses can be verified using the License Verification System [LVS], require that transferors of category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive material license with the appropriate regulatory authority before transferring any category 3 quantities of licensed material.

In the report GAO-22-103441 , "Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials," GAO recommended that:

1) The Chairman of the NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory authority.

2) The Chairman of the NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing.

In response to both GAO-16-330 and GAO-22-103441, on December 21, 2021, in Staff Requirements Memorandum (SRM) SECY-17-0083 (ML21355A290), the Commission directed the NRC staff to pursue rulemaking to:

1) Require safety and security equipment to be in place before granting a license for an unknown entity to address the concern related to obtaining a valid license using a fictitious company or by providing false information .

2) Clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds to: (a) update the oral certification method to require that the certification be followed up with confirmation using one of the other acceptable verification methods in Title 10 of the Code of Federal Regulations Parts 30, 40, and 70, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records.

Enclosure

3) Require licensees transferring category 3 quantities of radioactive material to verify licenses through the LVS or the regulatory authority. 1 In addition , the Commission directed the staff to evaluate and seek stakeholder comment on whether there is any subset of routine transactions involving established licensees to which the enhanced license verification requirement should not apply or should apply with reduced frequency.

The Commission approved the NRC staffs recommendation not to amend the regulations to:

(a) require inclusion of category 3 sources in the NSTS; or (b) impose security requirements to prevent aggregation of category 3 sources to a category 2 quantity of radioactive material. The NRC staff has begun its rulemaking process as directed by the Commission. The Commission is currently considering the draft proposed rule. The draft proposed rule and supporting content can be found in SECY-22-0112, "Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103) (ML22277A809 ).

In addition, the NRC staff continues to engage licensees and Agreement States on the issues identified by this GAO investigation. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses.

The NRC staff also reminded licensees that, under current requirements, they can contact their regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and to encourage the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on NRC communications and the GAO findings.

As part of the rulemaking process, the NRC will develop additional guidance for regulators and licensees on how to reduce the potential for use of altered or counterfeited licenses to purchase category 3 radioactive sources. The NRC is also exploring the specific methods suggested by GAO.

In the report GAO-19-468, "Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," GAO recommended that the NRC:

1) Consider socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in a radiological dispersal device (RDD).

2) Require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

The NRC disagrees with GAO's recommendation regarding considerations for socioeconomic consequences and fatalities from evacuations in the criteria for determining what security measures should be required for radioactive materials that could be used in an RDD. The 1 Agreement States that do not use WBL as their license tracking system would need to either voluntarily provide their licenses authorizing Category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification .

2

NRC's established policy on the consequences of concern that form the basis of the regulatory framework for safety and security of radioactive materials continues to be based on potential health effects, not on socioeconomic impacts. The NRC continues to actively participate in U.S.

efforts to educate the public on appropriate responses to emergency situations and to maintain capabilities to mitigate adverse consequences of the misuse of radioactive materials.

The NRC also disagrees with GAO's recommendation requiring additional security measures, similar to the existing physical protection measures in place for category 2 quantities of radioactive material for certain category 3 radioactive materials. The NRC maintains that the current regulatory requirements provide for the safe and secure use of radioactive materials, regardless of the category of material. Given the existing threat environments, the NRC is not planning any additional security measures for category 3 radioactive materials beyond the rulemaking described above. The NRC continues to encourage GAO to consider the conclusions of the Radiation Source Protection and Security Task Force (Task Force), which includes members from 14 Federal agencies and the Organization of Agreement States, that indicate the current radionuclides and activity thresholds are appropriate for enhanced security.

Task Force reports have included statements that "current measures for the security and control of radioactive sources are appropriately protective of risk-significant ( category 1 and 2) quantities of radioactive material2" and that "there are no significant gaps in the area of radioactive source protection and security that are not already being addressed through interagency cooperation and actions.3"

• Improving the Reliability of Cost Estimates In the report GAO-15-98, "Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," GAO stated that the NRC should align its cost estimating procedures with relevant best practices identified in the GAO Cost Estimating and Assessment Guide (GAO Cost Guide).

The NRC is updating its cost-benefit guidance, NUREG/BR-0058, "Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission," to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees and other stakeholders. This update also consolidates guidance documents, incorporates recommendations from the GAO report on the NRC's cost estimating practices and cost estimating best practices from the GAO Cost Guide, and captures best practices for the consideration of qualitative factors in accordance with Commission direction in the SRM for SECY-14-0087, "Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses" {ML15063A568).

The NRC released a draft of the updated cost-benefit guidance (NUREG/BR-0058) in April 2017 for a 60-day public comment period . The NRC staff reviewed and addressed comments , and in March 2018 provided a draft of the final guidance to the Commission for consideration

{ML17221A000). In July 2019, the Commission directed the NRC staff to align the updated guidance with the policy recently approved by the Commission in Management Directive 8.4, "Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests" 2 U.S . Nuclear Regulatory Commission. "The 2022 Radiation Source Protection and Security Task Force Report,"

August 5, 2022 , ML22213A157, page 1.

3 Id., Executive Summary Page I 3

(ML18093B087). The NRC staff re-submitted NUREG/BR-0058 to the Commission for consideration in January 2020 (ML19261A280).

The NRC staff is also developing new guidance located in Appendices F-I to NUREG/BR-0058.

These appendices address emergent policy issues and guidance enhancements as well as provide references that update pertinent information contained in NUREG/BR-0184, "Regulatory Analysis Technical Handbook," dated January 1997 (ML111290858). The new appendices provide guidance on data sources, regulatory analysis methods and data for nuclear facilities other than power reactors, severe accident risk analysis, and methods when conducting cost benefit analyses to satisfy the requirements of the National Environmental Policy Act. These appendices will guide the NRC staff to cost-benefit analysis source data and other reference material and serve as a knowledge management repository. The NRC issued the draft appendices for public comment in April 2021 and held a public meeting in May 2021 to answer stakeholder questions and facilitate public comment. The final guidance contained in these appendices was provided to the Commission for consideration in April 2022 (ML21228A118).

In addition, the staff developed Appendices K-L, which provide guidance on the monetary valuation of nonfatal cancer risk used in cost-benefit analysis and replacement energy costs.

The NRC issued the draft appendices for public comment in July 2022 and held a public meeting in August 2022 to answer stakeholder questions and facilitate public comment. The final draft appendices were provided to the Commission for review and approval in February 2023.

Following Commission review and approval, the staff will issue the final NUREG/BR-0058 and the associated appendices and reference it on the NRC public website.

Ensuring the Cybersecurity of the Nation In the report, GAO-22-105065, "Privacy: Dedicated Leadership Can Improve Programs and Address Challenges," GAO recommended that NRC fully define and document the role of the Senior Agency Official for Privacy or other designated privacy officials in reviewing and approving systems categorizations, overseeing privacy control assessments, and reviewing authorization packages.

The NRC has fully defined and documented the role of the Senior Agency Official for Privacy (SAOP) as it relates to risk and continuous monitoring activities. For example, the organizational responsibilities and delegations of authority for the SAOP are documented in the NRC's Management Directive 3.2, "Privacy Act." The NRC also updated five cyber security processes and one reference guide to document the SAOP's role in reviewing and approving system categorizations, overseeing privacy control assessments, and reviewing authorization packages. Those documents are:

1) CSO-PROS-1323, "Continuous Monitoring Process,"

2) CSO-PROS-1341, "Short-Term Authorization Process,"

3) CSO-PROS-1325, "External IT Service Authorization Process,"

4) CSO-PROS-2030, "Risk Management Framework Process"

5) CSO-PROS-2001 , "System Security Categorization Process"

6) "Senior Agency Official for Privacy, SAOP Responsibilities" 4