Text

SUMMARY

OF NRC ACTIONS -RESPONSE TO GAO REPORTS Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices (GAO-15-98)................................................................................... 2 Nuclear Security: NRG Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain (GAO-16-330)...............................................................................4 Combating Nuclear Terrorism: NRG Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material (GAO-19-468)................................................................... 7 Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities (GAO-20-129)............................................................................................................. 9 Preventing a Dirty Bomb: Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials ( GAO-22-103441)........................................................................ 10 Nuclear Regulatory Commission: NRG Needs to Take Additional Actions to Prepare to License Advanced Reactors ( GAO23-105997)............................................................................ 12 High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use ( GAO-24-105998).................................................................................. 16 Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements (GAO-24-105658).................................................................................. 17 The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Improve Its Cost Estimate by Incorporating More Best Practices December 2014 (GAO-15-98)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Regulatory Commission:

NRC Needs to Improve Its Cost Estimates by Incorporating More Best Practices," recommended that the U.S. Nuclear Regulatory Commission (NRC) align its procedures with relevant cost estimating best practices identified in GAO-089-3SP, "GAO Cost Estimating and Assessment Guide: Best Practices for Developing and Managing Capital Program Costs" (March 2009). The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

To improve the reliability of its cost estimates, as the NRC revises its cost estimating procedures, the NRC Chairman should ensure that the agency aligns the procedures with relevant cost estimating best practices identified in the GAO Cost Estimating and Assessment Guide and ensure that future cost estimates are prepared in accordance with relevant cost estimating best practices.

Status:

The NRC is updating its cost-benefit guidance to incorporate cost estimating best practices and the treatment of uncertainty to support the development of more realistic estimates of the costs to implement proposed requirements. This guidance update addresses relevant best practices provided by GAO and feedback provided by licensees, the Nuclear Energy Institute, and other stakeholders. This update will also consolidate guidance documents, incorporate recommendations from the GAO report on the NRC's cost-estimating practices and cost estimating best practices from the GAO guide, and capture best practices for the consideration of qualitative factors in accordance with Commission direction in the Staff Requirements Memorandum (SRM) for SECY-14-0087, "Qualitative Consideration of Factors in the Development of Regulatory Analyses and Backfit Analyses."

The cost-benefit guidance update was released on April 14, 2017, for a 60-day public comment period. Comments received were reviewed and addressed, and in March 2018, the staff submitted a draft of the final guidance (NUREG/BR-0058) to the Commission for approval. In July 2019, the Commission directed the staff to update NUREG/BR-0058 to align with the update to Management Directive 8.4, "Management of Backfitting, Forward Fitting, Issue Finality, and Information Requests," that the Commission approved in May 2019. The staff made conforming changes to NUREG/BR-0058 and submitted a revised draft of NUREG/BR-0058 to the Commission on January 28, 2020 (SECY-20-0008, "Draft Final NUREG/BR-0058, Revision 5, 'Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission"').

2 The staff also developed additional draft guidance that will be in appendices to NUREG/BR-0058.

The staff developed Appendices F-I, which address emergent policy issues and provide references that update pertinent information contained in NUREG/BR-0184, "Regulatory Analysis Technical Evaluation Handbook," dated January 1997. The new appendices contain data sources, regulatory analysis methods, data for nuclear facilities other than power reactors, severe accident risk analysis, and guidance used when conducting cost-benefit analyses for the NRC's regulatory, backfit, forward fit, issue finality, and National Environmental Policy Act (NEPA) environmental review analyses across NRC program offices. The NRC issued the draft appendices for public comment on April 16, 2021, and held a public meeting on May 19, 2021, to answer stakeholder questions and facilitate public comment. The final draft appendices were provided to the Commission for its consideration on April 1, 2022 (SECY-22-0028, "Appendices to NUREG/BR-0058, Revision 5, 'Regulatory Analysis Guidelines of the U.S. Nuclear Regulatory Commission"').

In addition, the staff developed Appendices K-L, which provide guidance on the monetary valuation of nonfatal cancer risk used in cost-benefit analysis and replacement energy costs. The NRC issued the draft appendices for public comment on July 6, 2022, and held a public meeting on August 17, 2022, to answer stakeholder questions and facilitate public comment. The final draft appendices were provided to the Commission for its consideration on February 24, 2023.

After receiving Commission direction, the staff will issue the resulting final NUREG/BR-0058 and the associated appendices and reference it on the NRC public website.

On November 9, 2023, the Office of Management and Budget (0MB) issued a revised version of 0MB Circular No. A-4 on "Regulatory Analysis." The NRC staff is currently assessing the revised Circular to determine what actions, if any, the agency should take in response.

This GAO recommendation remains open.

3 The U.S. Government Accountability Office Report Nuclear Security:

NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain July 2016 (GAO-16-330)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Security: NRC Has Enhanced the Controls of Dangerous Radioactive Materials, but Vulnerabilities Remain," made three recommendations to the NRC to address vulnerabilities associated with licensing and accountability strategies for category 3 sources and quantities of radioactive material. The status of the actions taken by the NRC in response to the. GAO recommendations is provided below.

Recommendation 1:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should take the steps needed to include category 3 sources in the National Source Tracking System and add agreement state category 3 licenses to the Web-based Licensing (WBL) System as quickly as reasonably possible.

Status:

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY-17-0083 - Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations (10 CFR) Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;

2. clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records ; and,

3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the Licensee Verification System (LVS) or the regulatory authority. For this activity Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through L VS or perform manual license verification.

The Commission did not direct the staff to include category 3 sources in the National Source Tracking System.

4 On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration, addressing the Commission's SRM. The draft proposed rule and supporting content can be found in SECY-22-0112, "Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103)." The Commission is currently considering the draft proposed rule.

This GAO recommendation remains open.

Recommendation 2:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, at least until such time that category 3 licenses can be verified using the License Verification System, require that transferors of category 3 quantities of radioactive materials confirm the validity of a would-be purchaser's radioactive materials license with the appropriate regulatory authority before transferring any category 3 quantities of licensed materials.

Status:

In addition to the response provided to Recommendation 1, the NRC staff continues to engage licensees and Agreement States on the issues identified by this GAO investigation. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the issues identified by GAO and remind them of ways to identify fraudulent licenses. The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on their responses to NRC communications and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 3:

Because some quantities of radioactive materials are potentially dangerous to human health if not properly handled, the NRC should take action to better track and secure these materials and verify the legitimacy of the licenses for those who seek to possess them. Specifically, the NRC should, as part of the ongoing efforts of the NRC working groups meeting to develop enhancements to the pre-licensing requirements for category 3 licenses, consider requiring that an on-site security review be conducted for all unknown applicants of category 3 licenses to verify that each applicant is prepared to implement the required security measures before taking possession of licensed radioactive materials.

In addition to the Commission direction and NRC staff activities described in response to Recommendations 1 and 2, the NRC issued a revision to the pre-licensing guidance. The revised guidance emphasizes that licenses should not be hand-delivered during a pre-licensing site visit and outlines processes to conduct additional screening of applicants and evaluate any 5

potential security risks identified during the application review, as appropriate. The NRC has also updated its licensing and inspection courses and offered multiple targeted training sessions to ensure that license reviewers understand the revisions to the pre-licensing guidance and to reinforce expectations regarding adherence to licensing processes.

This GAO recommendation remains open.

6 The U.S. Government Accountability Office Report Combating Nuclear Terrorism: NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material April 2019 (GAO-19-468)

The U.S. Government Accountability Office (GAO), in its report, "Combating Nuclear Terrorism:

The NRC Needs to Take Additional Actions to Ensure the Security of High-Risk Radioactive Material," made three recommendations to the U.S. Nuclear Regulatory Commission (NRC) related to the security of radioactive material. Two of these recommendations have been previously reported as recommendations that would not be implemented. The status of the actions taken by the NRC in response to the remaining GAO recommendation is provided below.

Recommendation 2:

The Chairman of the NRC should require additional security measures for high-risk quantities of certain category 3 radioactive material and assess whether other category 3 materials should also be safeguarded with additional security measures.

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY-17-0083 -Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in Title 10 of the Code of Federal Regulations Parts 30, "Rules of General Applicability to Domestic Licensing of Byproduct Material," 40, "Domestic Licensing of Source Material," and 70, "Domestic Licensing of Special Nuclear Material," to:

1.require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information; 2.clarify license verification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and, 3.require licensees transferring category 3 quantities of radioactive material to verify licenses through the License Verification System (LVS) or the regulatory authority. For this activity Agreement States that do not use the Web-based Licensing (WBL) System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through L VS or perform manual license verification.

The Commission did not direct the staff to include category 3 sources in the National Source Tracking System.

7 On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration, addressing the Commission's SRM. The draft proposed rule and supporting content can be found in SECY-22-0112, "Proposed Rule : Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103)." The Commission is currently considering the draft proposed rule.

This GAO recommendation remains open.

8 The U.S. Government Accountability Office Report Information Technology: Agencies Need to Fully Implement Key Workforce Planning Activities March 2020 (GAO-20-129)

The Federal Government spends over $90 billion on information technology (IT). Despite this large investment, projects too frequently fail or incur cost overruns and schedule slippages while contributing little to mission-related outcomes. Effectively implementing workforce planning activities can facilitate the success of major acquisitions. GAO was asked to conduct a government-wide review of IT workforce planning. The objective was to determine the extent to which Federal agencies effectively implemented IT workforce planning practices. GAO made one recommendation to the NRC in this report.

Recommendation 14:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements each of the seven key IT workforce planning activities it did not fully imp_lement.

Status:

The following summary describes the actions taken by the NRC to fully implement seven key IT workforce planning activities identified by GAO.

The NRC has enhanced the Strategic Workforce Planning (SWP) process. This process was informed by the GAO report titled "Strategic Human Capital Management: NRC Could Better Manage the Size and Composition of Its Workforce by Further Incorporating Leading Practices" (GAO-17-233). This enhanced SWP process has been fully implemented resulting in the identification of strategies and action plans to address potential IT skill gaps.

In a previous report, the NRC described its efforts to identify competencies at the agency and to further strengthen that activity by joining other Federal agencies that are part of the Chief Information Officers Council to build career paths/competency models for 64 IT security roles across the Federal Government. After further review, the NRC identified 34 core positions for IT security roles instead of the initial 64 roles identified within the Office of the Chief Information Officer (OCIO) in order to build competency models. OCIO has completed 11 competency models to date.

The NRC also provided comments on the current state of our IT workforce planning activities, including our efforts to identify competencies at the agency, and to further strengthen that activity by joining other Federal agencies that are part of the Office of the Chief Information Officer Council to build career paths/competency models for 64 IT Security roles across the Federal Government.

The NRC has identified certain competency gaps and has developed and implemented strategies, taken steps to address issues, monitored actions, and reported on progress in addressing these competency gaps. As a result of its actions, NRC has improved its capability to anticipate and respond to changing staffing needs and to control human capital risks when developing, implementing, and operating critical IT systems.

The NRC considers this GAO recommendation to be closed.

9 The U.S. Government Accountability Office Report Preventing a Dirty Bomb:

Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials July 2022 (GAO-22-103441)

The U.S. Government Accountability Office (GAO), in its report, "Preventing a Dirty Bomb:

Vulnerabilities Persist in NRC's Controls for Purchases of High-Risk Radioactive Materials,"

made two recommendations to the NRC related to the security of radioactive material. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Chairman of the NRC should immediately require that vendors verify category 3 licenses with the appropriate regulatory authority.

Status:

On December 21, 2021, in SRM-SECY-17-0083, "Staff Requirements Memorandum SECY-17-0083-Re-Evaluation of Category 3 Source Security and Accountability in Response to SRM-COMJMB-16-0001," the Commission directed the staff to pursue rulemaking to amend the regulations in 10 CFR Parts 30, 40, and 70 to:

1. require safety and security equipment to be in place before granting a license for an unknown entity in order to address the concern related to obtaining a valid license using a fictitious company or by providing false information;

2. clarify license ve rification methods for transfers involving quantities of radioactive material that are below category 2 thresholds in order to: (a) update the oral certification method to require that the certification be followed up with confirmation by the use of one of the other acceptable verification methods in those parts, and (b) remove the obsolete method of obtaining other sources of information compiled by a reporting service from official records; and,

3. require licensees transferring category 3 quantities of radioactive material to verify licenses through the LVS or the regulatory authority. For this activity Agreement States that do not use the WBL System as their license tracking system would need to either voluntarily provide their licenses authorizing category 3 quantities of radioactive material to the NRC to facilitate verification through LVS or perform manual license verification.

On December 19, 2022, the staff submitted the draft proposed rule to the Commission for its consideration, addressing the Commission 's SRM. The draft proposed rule and supporting content can be found in SECY-22-0112, "Proposed Rule: Radioactive Source Security and Accountability (3150-AK83; NRC-2022-0103)." The Commission is currently considering the draft proposed rule.

The NRC staff continue to engage licensees and Agreement States on the issues identified by this GAO investigation. In July 2022, the NRC staff issued a communication to its manufacturer and distributor licensees and Agreement State regulators to ensure that they are aware of the

10 issue s identified by GAO and remind them of ways to identify fraudulent licenses. The NRC staff also reminded licensees that under current requirements they can contact the regulator (either the NRC or Agreement State, as appropriate) to verify that a license holder can receive radioactive material under the terms of its license. In addition, the NRC staff contacted industry trade associations for source producers to discuss the GAO recommendations and encouraged the trade associations to proactively engage their member companies. The NRC staff will continue to engage with all relevant stakeholders on these issues, their responses to NRC communications, and the findings of this GAO audit.

This GAO recommendation remains open.

Recommendation 2:

The Chairman of the NRC should add security features to its licensing process to improve its integrity and make it less vulnerable to altering or forging licenses. These security features could include multifactor authentication or moving away from paper licenses to electronic-based licensing.

Status:

The draft proposed Radioactive Source Security and Accountability rule currently being considered by the Commission offers direct verification of licenses for category 3 quantities of radioactive materials through L VS or by contact with the regulator. The draft proposed rule also contemplates that the NRC would develop additional guidance for regulators and licensees to reduce the potential for use of altered or counterfeited licenses to purchase category 3 radioactive sources.

The NRC staff also explored the security features suggested by GAO as an interim step for licenses for category 3 quantities of material, as well as a potential enhancement for smaller quantitie s of materials. The NRC evaluated the advantages and disadvantages of features such as two factor authentication, non-fungible tokens, data tokens, and QR codes. Tokenization and QR codes demonstrated the most promise of security improvement within reasonable implementation cost. A path towards adoption of this security feature has been developed, and integration into WBL will begin in 2024.

This GAO recommendation remains open.

11 The U.S. Government Accountability Office Report Nuclear Regulatory Commission: NRC Needs to Take Additional Actions to Prepare to License Advanced Reactors July 2023 (GAO-23-105997)

The U.S. Government Accountability Office (GAO), in its report, "Nuclear Regulatory Commission: NRC Needs to Take Additional Actions to Prepare to License Advanced Reactors," made four recommendations to further enhance the NRC's ability to review advanced reactors. The status of the actions taken by the NRC in response to the GAO recommendations is provided below.

Recommendation 1:

The Chairman of the NRC should direct the staff to develop procedures for establishing and managing a review schedule for an incomplete application, including applications for first-of-a kind designs.

Status:

The Office of Nuclear Reactor Regulation (NRR) reviews license applications for completeness and acceptability for docketing, consistent with the requirements of Title 10 of the Code of Federal Regulations (10 CFR). NRR established procedures for conducting acceptance reviews in NRR Office Instruction LIC-117, "Acceptance Review Process for New Nuclear Facility Licensing Applications," dated January 28, 2021 (Agencywide Documents Access and Management System Accession No. ML20283A188). NRR considers a license application to be acceptable for docketing and review upon the U.S. Nuclear Regulatory Commission (NRC) staff's conclusion that the application reasonably appears to contain sufficient technical information, both in scope and depth, for the agency to complete the technical review in a predictable timeframe. In certain rare circumstances, the NRC may docket for review an incomplete application, for example, a first-of-a-kind design, that the staff would not normally find to be sufficiently complete for docketing. Under these circumstances, the application would not contain sufficient information to establish a predictable review schedule. In such a case, the NRC staff could establish interim schedule milestones for portions of the application that contain sufficient information for review but would not be able to provide a comprehensive review schedule until such time as the applicant has supplemented the application with sufficient information to enable the staff to review the entire application in a predictable timeframe.

Based on its experience with docketing for review incomplete applications for novel and first-of-a-kind designs were ultimately denied, the NRC expects that it would be very rare to invoke this exception in the future. If an application has technical sufficiency issues but contains sufficient information to begin the majority of the review, the NRC may begin portions of the review without making a determination that the staff will accept the application for docketing.

The NRC recently took this approach for the NuScale US460 standard design approval application, which was tendered but not docketed as indicated in a letter dated March 17, 2023 (ML23058A160). This is consistent with the guidance in LIC-117, Enclosure 1, "Guide to Performing Acceptance Reviews for New Reactor Licensing Applications," Section 4.0 B, "Application Not Initially Acceptable for Docketing-Acceptance Contingent on Receipt of Specific Supplemental Information."

12 Further, as the NRC workload increases with expected initial license application submissions, the NRC will prioritize its resources to review high-quality applications. Low-quality or incomplete applications typically consume significant resources and could divert attention and resources away from high-quality applications, resulting in potentially unnecessary schedule delays for them. The NRC has held public discussions with stakeholders including the industry, most recently on December 7, 2023, to emphasize the importance of applicants' submitting high-quality applications, as outlined in the published acceptance criteria, and the importance of the NRC's not accepting incomplete applications for docketing.

Based on the foregoing, the NRC staff is confident that its current procedures are adequate to manage incomplete applications and that it would be inconsistent with the NRC's Principles of Good Regulation, specifically efficiency, to expend resources to develop new procedures to govern what is now considered a highly unlikely scenario.

The NRC considers this GAO recommendation closed.

Recommendation 2:

The Chairman of the NRC should direct the staff to finalize draft preapplication guidance to clarify the extent to which advanced reactor developers should participate in preapplication activities.

Status:

Communicating expectations on preapplication engagement with prospective applicants continues to be a priority for the agency. The NRC published draft preapplication guidance in the Federal Register (FR) for comment on May 25, 2023 (88 FR 33924 ), as Appendix A to Draft Interim Staff Guidance (DANU) ISG 2022 01, "Review of Risk Informed, Technology Inclusive Advanced Reactor Applications-Roadmap," issued May 2023 (ML22048B546). This draft preapplication guidance covers the optimization of preapplication engagement and was discussed in several public meetings to seek stakeholder feedback before it was formally issued for public comment. The NRC staff will finalize this guidance in early 2024 after consideration of public comments.

This GAO recommendation remains open.

Recommendation 3:

The Chairman of the NRC should direct the staff to establish benchmarks and measures to assess the effectiveness of its recruitment, relocation, and retention strategies and incentives to assess their effectiveness to help NRC retain and hire the staff necessary to license advanced reactors.

Status:

The NRC has established several processes (including formal strategic workforce planning) and formulated fiscal year budget requests to ensure sufficient staff with the appropriate skill sets will be available to accomplish the anticipated workload. If the strategic workforce planning process highlights potential gaps in staffing, steps are taken to address them. The agency is currently engaged in an aggressive human capital campaign to recruit and retain the necessary staff to fulfill its mission. Building on work done in response to GAO-20-129, Recommendation 14 (discussed on page 9), the NRC continues to evaluate its Strategic Workforce Planning process.

This evaluation is expected to result in recommendations for enhancing the program's 13 effectiveness as well as refining the benchmarks and measures that will be used to continuously assess the effectiveness of the program going forward. These benchmarks and measures will consider indicators for measuring and monitoring organizational health and performance that were provided as examples in guidance from the Office of Management and Budget in memorandum M 23 15, "Measuring, Monitoring, and Improving Organizational Health and Organizational Performance in the Context of Evolving Agency Work Environments," dated April 13, 2023. Furthermore, the NRC staff is exploring additional options to address future potential peaks in advanced reactor licensing work, including repositioning other qualified, appropriately skilled NRC staff throughout the agency to further augment advanced reactor staffing and using contractors.

To date, staffing challenges have not impacted the NRC's schedule for reviewing advanced reactor licensing actions. However, NRR has experienced some challenges to fully encumber all budgeted positions that will support future reviews for advanced reactor applications. This has required NRR to employ creative near-term solutions to manage the current workload, including exercising telework flexibilities, employing rehired annuitants, engaging available contractor support, and leveraging staff in other offices for select short term assignments. The volume of advanced reactor licensing work is expected to increase based on industry plans, therefore the Agency's ability to achieve a commensurate increase in dedicated staffing resources with the requisite knowledge, critical skill sets, and experience to perform the essential work will be critical to continue to support timely reviews.

The NRC staff routinely monitors and refines benchmarks and measures to assess the effectiveness of its recruitment, relocation, and retention strategies to ensure alignment with agency hiring goals. Furthermore, NRR continues to work with the Office of the Chief Human Capital Officer to maximize opportunities to fill mission critical, priority vacancies in a strategic, efficient, and informed manner to best ensure there are no adverse impacts to the agency's ability to fulfill its regulatory mission.

This GAO recommendation remains open.

Recommendation 4:

The Chairman of the NRC should direct the staff to clarify in information provided to advanced reactor developers how and when they should engage with the ACRS during the licensing process.

Status:

The review schedules published by the NRC staff include interactions with the Advisory Committee on Reactor Safeguards (ACRS). The NRC licensing project managers are responsible for coordinating with the ACRS staff to schedule timely ACRS meetings to support the overall schedule for advanced reactor reviews. The NRC project managers also coordinate the ACRS meeting schedule with the applicant. The NRC staff and the Chair of the ACRS communicated this process to stakeholders during an advanced reactor stakeholder meeting held on July 20, 2023, to ensure that prospective applicants are aware of the process. The NRC staff also communicates this information to individual applicants and potential applicants through routine interactions, including public meetings and status calls.

As noted in GAO-23-105997, the NRC staff encourages design developers to seek early engagement with the ACRS. Decisions regarding how and when to engage the ACRS depend on multiple factors, including the number of unique and novel features affecting the safety of the proposed facility and the developer's desired schedule for gaining NRC approval. To assist

14 developers in making informed decisions about Committee engagement, the ACRS has increased communication and the transparency of its review processes. Best practices guidance for ACRS members is now posted on the ACRS public website (https ://www. nrc.gov/docs/ML2322/ML23227A042.pdf ), specifically in the section titled "Member Guidance -Ill Design-Centered Subcommittee Reviews," beginning on page 10.This guidance emphasizes several aspects of the ACRS review process, such as the following:

• topical report subjects that typically warrant ACRS review

• the importance of communicating with cognizant NRC staff

• practices that make reviews more efficient An applicant may use this information to optimize its schedule for ACRS review. ACRS members will continue to identify and make available new lessons learned as more reviews are conducted.

ACRS members and staff participate in outreach efforts regarding Committee review processes.

During the last several years, members presented in public forums, such as advanced reactor stakeholder meetings, American Nuclear Society meetings, Nuclear Energy Institute conferences, and Commission briefings. During these meetings, members discuss ACRS processes related to reviewing applications for first-of-a-kind reactors with little operating experience and recent changes to improve ACRS effectiveness. In addition, the ACRS staff has issued publications regarding ACRS review processes and contributions.

The NRC considers this GAO recommendation closed.

15 The U.S. Government Accountability Office Report High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use November 2023 (GAO-24-105998)

The U.S. Government Accountability Office (GAO), in its report, "High-Risk Radioactive Material: Opportunities Exist to Improve the Security of Sources No Longer in Use," made two recommendations to the NRC related to the storage of foreign-origin americium-241 and minimizing the time that disused sources are in licensees' possession. GAO also made a separate recommendation to the U.S. Department of Energy regarding foreign-origin americium-241. The status of the NRC actions is provided below.

Recommendation 2:

The Chairman of the NRC, in coordination with DOE and in consultation with other relevant stakeholders, should conduct an analysis to evaluate options and take action to facilitate long term storage, within agency authorities, to better secure foreign-origin americium-241 until a permanent disposal or viable recycling option is available.

Status:

The GAO report was issued on November 30, 2023. The NRC is evaluating the report, assessing necessary actions, and will respond to GAO and Congress within 180 days of the report date.

This GAO recommendation remains open.

Recommendation 3:

The Chairman of the NRC should comprehensively assess leading practices that, if implemented, would minimize the time that disused sources are in a licensee's possession.

These practices include financial assurances for all category 1, 2, and 3 sources; tracking of category 3 sources; possession time limits or fees for disused sources; and orphan source funds.

The GAO report was issued on November 30, 2023. The NRC is evaluating the report, assessing necessary actions, and will respond to GAO and Congress within 180 days of the report date.

This GAO recommendation remains open.

16 The U.S. Government Accountability Office Report Cybersecurity: Federal Agencies Made Progress, But Need to Fully Implement Incident Response Requirements December 2023 (GAO-24-105658)

The U.S. Government Accountability Office (GAO), in its report, "Cybersecurity: Federal Agencies Made Progress, but Need to Fully Implement Incident Response Requirements,"

recommended that the Nuclear Regulatory Commission should ensure that the agency fully implements all event logging requirements as directed by 0MB guidance. The Federal Information Security Modernization Act of 2014 (FISMA) requires agencies to develop, document, and implement agency-wide programs to provide security for the information and information systems that support their operations and assets. FISMA requires that agency information security programs include procedures for detecting, reporting, and responding to security incidents and that agencies report annually on the total number of information security incidents to 0MB and Congress. The status of the actions taken by the NRC in response to the GAO recommendation is provided below.

Recommendation:

The Chairman of the Nuclear Regulatory Commission should ensure that the agency fully implements all event logging requirements as directed by 0MB guidance.

Status:

The NRC has increased the Security Information and Event Management (SIEM) tool licensing level and acquired funding to adequately support procurement and onboarding. The NRC plans to implement all requirements across event logging (EL) maturity tiers EL 1, EL2 and EL3 to ensure events are logged and tracked in accordance with Office of Management and Budget (0MB) M-21-31, "Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents," dated August 27, 2021, by the fourth quarter of fiscal year 2025.

This GAO recommendation remains open.

17