Text

Enclosure 1 Report to Congress on the Security Inspection Program for Commercial Power Reactors and Category I Fuel Cycle Facilities:

Results and Status Update Annual Report for Calendar Year 2024 U.S. Nuclear Regulatory Commission Office of Nuclear Security and Incident Response Washington, DC 20555-0001

ii ABSTRACT This report fulfills the requirements of section 170D.e of the Atomic Energy Act of 1954, as amended (42 U.S.C. §2210 d.(e)), which states the following:

Not less often than once each year, the Commission shall submit to the Committee on Environment and Public Works of the Senate and the Committee on Energy and Commerce of the House of Representatives a report, in classified form and unclassified form, that describes the results of each security response evaluation conducted and any relevant corrective action taken by a licensee during the previous year.

Additionally, section 170D.a of the Atomic Energy Act of 1954, as amended (42 U.S.C.

§2210 d.(a)), grants the U.S. Nuclear Regulatory Commission (NRC) the authority to determine which licensed facilities must undergo these security evaluations. The NRC is reporting the security response evaluation results for the Nations fleet of commercial nuclear power plants (NPPs) and Category I (CAT I) fuel cycle facilities, given the significance of the nature, form, and quantity of nuclear material at these facilities. With respect to NPPs, the scope of this report includes those undergoing decommissioning but not yet transitioned to a dry storage independent spent fuel storage installation and those undergoing a restart due to the continued implementation of Title 10 of the Code of Federal Regulations Part 73, Physical Protection of Plants and Materials. This report includes a comprehensive overview of the combined results of the security programs for calendar year 2024. To aid in understanding how the NRC conducts inspections, this report also provides descriptions and programmatic status updates for relevant NRC programs, including the Reactor Oversight Process, security inspection programs for NPPs and CAT I fuel cycle facilities, and the force-on-force inspection program.

Paperwork Reduction Act Statement NUREG-1885, Revision 18, Report to Congress on the Security Inspection Program for Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update, does not contain information collection requirements and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. §3501 et seq.).

Public Protection Notification The NRC may not conduct nor sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid Office of Management and Budget control number.

iii CONTENTS ABSTRACT.................................................................................................................................. ii

1. EXECUTIVE

SUMMARY

........................................................................................................ 1

2. SECURITY OVERSIGHT FOR COMMERCIAL NUCLEAR POWER PLANTS AND CATEGORY I FUEL CYCLE FACILITIES.................................................................................. 4 2.1 NRC Security Inspections of Licensed Facilities............................................................. 4 2.2 Reactor Oversight Process Framework.......................................................................... 5 2.3 Oversight Process Framework for Category I Fuel Cycle Facilities................................ 7 2.4 NRC Enforcement Policy................................................................................................ 7 2.5 Nuclear Power Plant Reauthorization and Restart Support............................................ 8 2.6 ADVANCE Act: New Initiatives for Security.................................................................... 8

3. CALENDAR YEAR 2024 SECURITY INSPECTION RESULTS........................................... 10 3.1 Calendar Year 2024 Commercial Nuclear Power Plant Inspection Results.................. 10 3.2 Calendar Year 2024 Inspection Results for Category I Fuel Cycle Facilities................ 11 3.3 Calendar Year 2024 Overall Security Inspection Results............................................. 12

4. FORCE-ON-FORCE INSPECTIONS.................................................................................... 13 4.1 Force-on-Force Program Description............................................................................ 13 4.2 Force-on-Force Inspections in Calendar Year 2024..................................................... 13 4.3 Force-on-Force Exercise Results.................................................................................. 14

5. CONCLUSION...................................................................................................................... 16 APPENDIX: List of Acronyms................................................................................................... 17

1

1. EXECUTIVE

SUMMARY

Calendar Year 2024 Security Inspection Results In calendar year (CY) 2024, the U.S. Nuclear Regulatory Commission (NRC) performed 180 security inspections at nuclear power plants (NPPs) and Category I (CAT I) fuel cycle facilities to assess the security programs these licensees implement to protect and safeguard their sites. As shown in table 1, CY 2024 security inspections resulted in 123 combined findings, a 28-percent decrease in the number of findings compared to CY 2023. Table 1 and figure 1 also show that the majority of security inspection findings issued were of very low security significance (i.e., Green findings and Severity Level (SL) IV violations); two findings resulted in escalated enforcement action (one greater-than-Green finding and one greater-than-SL IV violation). The Official Use OnlySecurity-Related Information enclosure to this report (i.e., Enclosure 2) contains additional details on each finding.

Table 1: Combined Security Inspection Results for 2024 180 Total number of security inspections conducted 123 Total number of inspection findings 115 Total number of Green findings 1

Total number of greater-than-Green findings 6

Total number of SL IV violations 1

Total number of greater-than-SL IV violations Figure 1: Summary of Security Inspection Program Results CY 2024

2 As shown in figure 2, the number of security inspections trended downward from 2017 to 2020 and began increasing gradually from 2021 to 2022.

The number of inspection findings began rising in 2021 and peaked in 2023. The rise in the number of security inspections and the number of security findings is due, in part, to incorporation of cybersecurity baseline inspections into the Reactor Oversight Process (ROP) beginning in CY 2022.

Table 2 summarizes the results of the force-on-force (FOF) inspection program for commercial NPPs, and CAT I fuel cycle facilities in CY 2024. The NRC conducted a total of 19 FOF inspections consisting of 38 FOF exercises conducted during CY 2024, including one FOF exercise at a CAT I fuel cycle facility. Enclosure 2 (nonpublic) presents additional details of FOF inspection results.

Table 2: FOF Inspection Results for 2024 19 Total number of FOF inspections conducted 34 Total number of effective exercises 4

Total number of indeterminate exercises 0

Total number of marginal exercises 0

Total number of ineffective exercises Calendar Year 2025: Key Focus Areas The NRC continues monitoring for potential threats to NPPs and CAT I fuel cycle facilities, communicating time-sensitive information to licensees, and assessing the need for any changes to the design-basis threats (DBTs) applicable to NRC-licensed facilities. In response to the Accelerating Deployment of Versatile Advanced Nuclear for Clean Energy (ADVANCE) Act, enacted in July 2024, the NRC has several new initiatives underway and will continue to implement the Acts requirements, including completing appropriate revisions to agency regulations or guidance and reporting progress to Congress. Consistent with the ADVANCE Act, the NRC will continue to seek opportunities to risk-inform and modernize its security oversight and inspection programs.

The NRC staff is currently revising FOF inspections consistent with Commission direction in SRM-COMSECY-19-0006, Staff RequirementsCOMSECY-19-0006Revised Security Inspection Program Framework (Option 3) in Response to SRM-17-0100, dated May 17, 2024 (Agencywide Documents Access and Management System, Accession No. ML24138A045). As part of the Commission-approved approach, the agency will revise the FOF inspection program from two NRC-conducted exercises to one, reducing the required direct inspection hours and level of inspection effort while maintaining an appropriate level of security oversight through an

3 enhanced inspection of licensee-conducted FOF exercises. Further, these revisions will eliminate redundancies with other baseline physical security inspections and will also include revised inspection objectives to align with Commission direction to place a greater focus on mission planning and exercise evaluation.

The NRC will continue to support the restart of power operations at formerly decommissioned NPPs to guarantee a safe return to operational status, evaluate the effectiveness of plant security programs under NRC regulations, and continue ongoing oversight to assess licensee performance. The NRC will also continue to evaluate the cybersecurity inspection program and recently implemented efficiencies through the completion of its third biennial ROP inspection cycle in CY 2026.

4

2. SECURITY OVERSIGHT FOR COMMERCIAL NUCLEAR POWER PLANTS AND CATEGORY I FUEL CYCLE FACILITIES 2.1 NRC Security Inspections of Licensed Facilities The NRC protects public health and safety and advances the Nations common defense and security by enabling the safe and secure use and deployment of civilian nuclear energy technologies and radioactive materials through efficient and reliable licensing, oversight, and regulation for the benefit of society and the environment. Consistent with its security mission, the NRC requires that NPPs and CAT I fuel cycle facilities design, establish, and maintain security programs that provide reasonable assurance of adequate protection against the radiological sabotage DBT. CAT I fuel cycle facilities must protect against an additional DBT of theft or diversion of a formula quantity of strategic special nuclear material (SSNM).1 These DBTs comprise a set of adversary characteristics, equipment, attack mechanisms, and tactics that NPPs and CAT I fuel cycle facilities must be able to defend against.

To verify that NPPs and CAT I fuel cycle facilities can defend against the applicable DBTs, the NRC regularly performs security oversight activities to assess licensee performance and verify compliance with security requirements. These oversight activities include monitoring daily licensee activities and performing routine inspections that closely focus on a cross section of areas that the agency has determined have the greatest impact on security. These areas include personnel access authorization; access control; equipment performance, testing, and maintenance; protective strategy evaluation and performance evaluation program; protection of safeguards information; security training; fitness-for-duty programs; material control and accounting; transportation security; cybersecurity; and target set identification.

The NRC conducts performance-based security response FOF inspections at NPPs and CAT I fuel cycle facilities. The NRC uses FOF inspections to evaluate the effectiveness of a licensees protective strategy through an integrated response exercise during which the licensees security force executes its protective strategy in response to a simulated attack by an opposing force with the characteristics and attributes of the DBT. These simulated attack scenarios are designed to probe and challenge potential weaknesses in the sites protective strategies.

Section 4 of this report contains additional information on these FOF inspections.

The NRCs security inspections, including FOF inspections, verify that security programs at NPPs and CAT I fuel cycle facilities have been adequately designed, implemented, and maintained in a manner consistent with regulatory requirements, and that these security programs are effectively integrated to adequately protect against the DBTs.

While NPPs and CAT I fuel cycle facilities licensed by the NRC must provide reasonable assurance of adequate protection against the applicable DBT and are subject to periodic baseline security inspections, including FOF inspections, the sections below detail the differences between the NRCs oversight and enforcement process framework for these two types of facilities.

1 SSNM is defined in Title 10 of the Code of Federal Regulations 73.2 as uranium-235 (contained in uranium enriched to 20 percent or more in the uranium-235 isotope), uranium-233, or plutonium.

5 2.2 Reactor Oversight Process Framework The ROP is the NRCs program for inspecting, measuring, and assessing the safety and security performance of NPPs. The ROP encompasses three strategic performance areas and measures NPP performance in seven specific cornerstones of safety, as shown in figure 3.

Performance is also measured across three cross-cutting areas, which can affect each of the cornerstones across all the strategic performance areas. Additional information on the ROP can be found on the NRCs public website at https://www.nrc.gov/reactors/operating/oversight/rop-description.html.

Figure 3: Reactor Oversight Framework The NRC evaluates NPP performance under the ROP by analyzing two inputs: performance indicators (PIs) reported by NRC licensees and inspection findings identified through the NRC's inspection programs.

Performance Indicators The NRC established PIs to quantitatively measure licensee performance in risk-significant areas of each cornerstone in the ROP. Each PI has objective criteria and thresholds for measuring acceptable performance using a color-coded system. Licensees submit PI data quarterly, and the NRC regularly conducts inspections to verify the accuracy and completeness of the submittals. Publicly available PI data are posted at https://www.nrc.gov/reactors/operating/oversight/pi-summary.html.

The NRC established one PI under the security cornerstone that measures the operability of intrusion detection systems at NPPs. This PI provides insight into the effectiveness of the licensees maintenance of these systems and describes a method of monitoring security equipment degradation that could adversely impact reliability.

All NPP licensees maintained a Green security PI for CY 2024. Specific details about the security PI are withheld from public disclosure to ensure that security-related information is not made available to a potential adversary.

Inspection Findings Findings identified during NRC security inspections are evaluated under a security significance determination process and assigned a significance level using a color-coded system similar to

6 PIs. These findings can range in significance from Green to Red, as described below and illustrated in figure 4:

Green indicates a finding of very low safety or security significance.

White indicates a finding of low-to-moderate safety or security significance.

Yellow indicates a finding of substantial safety or security significance.

Red indicates a finding of high safety or security significance.

Security findings determined to be of very low security significance (i.e., Green) yield no need for further regulatory action after the performance deficiencies have been corrected. For those findings that have a greater potential for adversely impacting security at an NPP (i.e., White, Yellow, Red), the NRC will apply additional regulatory action as determined by the NRC's action matrix.2 Figure 4: Assessing Significance within the Reactor Oversight Program Action Matrix The NRC uses information from inspection findings and PIs to make objective conclusions about the licensees safety and security performance. Information on security findings is identified in the publicly available action matrix summary as having either very low significance (i.e., Green) or greater-than-Green significance (i.e., White, Yellow, or Red). The NRC does not disclose the specific significance of greater-than-Green findings to ensure that information regarding NPP security vulnerabilities is not provided to possible adversaries. For those findings that have a greater potential for adversely impacting security at an NPP (i.e., White, Yellow, Red), the NRC will determine the appropriate level of agency response and apply additional regulatory action as determined by the NRCs action matrix. The action matrix is available on the NRCs public website at https://www.nrc.gov/reactors/operating/oversight/actionmatrix-summary.html#am_summary.

Further, depending on the number and significance of inspection findings and PIs at an NPP, the NRCs response may include supplemental inspections, as well as a range of other appropriate regulatory actions up to and including orders to shut down the NPP. Information on current NPP performance is provided on the NRCs public website at https://www.nrc.gov/reactors/operating/oversight/plant-by-plant-summaries.html.

2 The NRC defines a performance deficiency as the licensees failure to satisfy one or more regulatory requirements or self-imposed standards where such failure was reasonably foreseeable and preventable.

7 2.3 Oversight Process Framework for Category I Fuel Cycle Facilities The NRC maintains regulatory oversight of safeguards3 and security programs at two CAT I fuel cycle facilities: BWX Technologies, Inc., in Lynchburg, Virginia, and Nuclear Fuel Services, Inc., in Erwin, Tennessee. Each CAT I fuel cycle facility is licensed to use and process a formula quantity of SSNM. The SSNM must be protected against acts of radiological sabotage as well as theft and diversion. The NRC conducts periodic security inspections at these facilities to ensure that these licensees maintain adequate protection of their sites.

The primary objectives of the NRCs CAT I fuel cycle facility safeguards and security oversight program are to determine if the fuel cycle facilities are operating securely and pursuant to the NRCs regulatory requirements and orders, detect indications of declining security performance, investigate specific security events and vulnerabilities, and identify generic security issues. The NRC inspects physical security areas related to highly enriched uranium annually, biennially, or triennially using established inspection procedures (IPs). The results of these inspections contribute to an overall assessment of licensee performance.

Inspection reports for CAT I fuel cycle facilities can be found on the NRCs public website at https://www.nrc.gov/info-finder/fc/index.html#facility-list. As with security violation information for NPPs, detailed information on security violations at CAT I fuel cycle facilities is withheld from public disclosure.

Since CAT I fuel cycle facilities are not subject to the ROP, performance issues identified at these sites are not assigned a color-coded finding. All violations identified at CAT I fuel cycle facilities are assessed and assigned an SL in accordance with the NRC Enforcement Policy.

The NRC has not established PIs for CAT I fuel cycle facility licensees.

2.4 NRC Enforcement Policy The NRCs enforcement authority derives from the Atomic Energy Act of 1954, as amended, and the Energy Reorganization Act of 1974, as amended. The enforcement program has two goals: (1) deter noncompliance by emphasizing the importance of adherence to NRC requirements, and (2) encourage prompt identification and prompt comprehensive correction of violations of NRC requirements. The NRCs Enforcement Policy can be found on the NRCs public website at https://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.

When inspections and investigations identify violations of NRC requirements, the NRC uses three primary enforcement sanctions: notices of violation; civil penalties; and orders to modify, suspend, or revoke a license. Notices of violation and civil penalties are issued based on violations. The NRC may issue orders in response to violations or because of a public health 3

Safeguards refers to the use of material control and accounting programs to verify that all special nuclear material is properly controlled and accounted for. It also refers to the physical protection (or physical security) equipment and security forces.

8 and safety or common defense and security issue. The NRCs enforcement program applies to both NPP and CAT I fuel cycle facility licensees.

Under its traditional enforcement process, the NRC assesses significance by assigning an SL to all violations. The traditional enforcement process has established four SLs that demonstrate the relative importance of a violation:

SL I violations are those that resulted in, or could have resulted in, serious safety or security consequences.

SL II violations are those that resulted in, or could have resulted in, significant safety or security consequences.

SL III violations are those that resulted in, or could have resulted in, moderate safety or security consequences.

SL IV violations are those that are less serious but are of more-than-minor concern, that resulted in no or relatively inappreciable potential safety or security consequences.

Traditional enforcement is also used at NPPs to address certain aspects of violations (e.g., willfulness and individual actions) that cannot be addressed solely through the ROP.

These violations include those that resulted in actual safety or security consequences, affected the ability of the NRC to perform its regulatory oversight function, or involved willfulness.

2.5 Nuclear Power Plants Reauthorization and Restart Support The NRC is coordinating timely, efficient reviews and responses to support licensing actions, exemptions, technical issues, and inspections required for licensed facilities seeking to resume commercial operation. On September 28, 2023, Holtec Palisades, LLC, the licensee for Palisades Nuclear Plant, submitted a letter (ML23271A140) to the NRC requesting reauthorization of power operations. Similarly, on September 20, 2024, Constellation Energy Corporation, the licensee for the Three Mile Island Nuclear Station, expressed interest in returning to an operational status and changing the licensed name to the Crane Clean Energy Center (ML24310A104). In January 2025, NextEra Energy Duane Arnold, LLC, the licensee for the Duane Arnold Energy Center, expressed interest in returning the plant to an operational status and resuming commercial operation. In preparation for required physical security inspections, the NRC revised and issued inspection procedures with an effective date of January 1, 2025, to evaluate and assess the licensees operational readiness.

2.6 ADVANCE Act: New Initiatives for Security The ADVANCE Act, signed into law in July 2024, requires the NRC to take a number of actions, particularly in the areas of licensing new reactors and fuels, while maintaining the agencys core safety and security mission. The ADVANCE Act outlines requirements for a wide range of NRC activities, including supporting the recruitment and retention of the agency workforce; adding flexibility in the agencys budgeting process; enhancing the regulatory framework for advanced reactors and fusion technology; and requiring initiatives to support the agencys efficient, timely, and predictable reviews of license applications.

9 Consistent with section 507, Improving Oversight and Inspection Programs, of the ADVANCE Act, the NRC has identified several initiatives specific to physical and cybersecurity oversight and inspections needed to improve oversight and inspections, eliminate redundancies, and risk-inform inspection and oversight processes. The NRC will provide its review of existing processes and reports to Congress in CY 2025, in accordance with the timelines provided in the ADVANCE Act.

10

3. CALENDAR YEAR 2024 SECURITY INSPECTION RESULTS 3.1 Calendar Year 2024 Commercial Nuclear Power Plant Inspection Results Figure 5 summarizes the results of the security baseline inspection program for NPPs in CY 2024. As indicated in this figure, 119 out of 121 security findings at NPPs issued in CY 2024 were of very low security significance (i.e., Green or SL IV violations) and two findings resulted in escalated enforcement action (one greater-than-Green finding and one greater-than-SL IV finding). These findings were issued across 170 total inspections. Enclosure 2 (nonpublic) presents additional details of the inspection findings.

Table 3 summarizes the number of findings related to each security IP for NPPs. The areas with the most inspection findings within the security baseline inspection program are cybersecurity (see Enclosure 2), access control, FOF, and equipment, performance and maintenance.

Cybersecurity inspections have consistently resulted in the highest number of security inspection findings since the baseline cybersecurity inspection program began in CY 2022.

Figure 5: Summary of Calendar Year 2024 Commercial Nuclear Power Plants Inspection Results 115 1

4 1

0 20 40 60 80 100 120 140 Total Number of Green Findings Total Number of Greater-than-Green findings Total Number of SL IV Violations Total Number of Greater-than-SL IV Violations Total Number of Green Findings Total Number of Greater-than-Green findings Total Number of SL IV Violations Total Number of Greater-than-SL IV Violations Inspection Findings by Significance 115 1

4 1

Total Number of Inspection Findings:

121

11 Table 3: Summary of Calendar Year 2024 Security Baseline Inspections and Associated Findings for Commercial Nuclear Power Plants by Inspection Procedure 71130, Security IP Section Number of IP Completions in CY 2024 Number of Findings in CY 2024 01Access Authorization 22 7

02Access Control 57 13 03Contingency ResponseForce-on-Force Inspections 19 10 04Equipment Performance, Testing, and Maintenance 34 10 05Protective Strategy Evaluation and Performance Evaluation Program 23 6

06Protection of Safeguards Information 1

1 07Security Training 23 0

08Fitness-for-Duty Program 7

6 09Security Plan Changes 38 5

10Cybersecurity 27 56 11Materials Control and Accounting 19 3

14Review of Power Reactor Target Sets 15 4

TOTAL:

2854 121 3.2 Calendar Year 2024 Inspection Results for Category I Fuel Cycle Facilities Two violations were issued in CY 2024 at CAT I fuel cycle facilities across a total of 10 inspections conducted. Both violations were of very low security significance (i.e., SL IV violations). There were no violations greater than SL IV. Enclosure 2 presents additional information on these inspection violations.

Table 4 summarizes the associated findings related to each security IP for CAT I fuel cycle facilities. The area with the most inspection findings within the security core inspection program is equipment performance, testing, and maintenance. This is consistent with security inspection results in CY 2022 and CY 2023.

4 More than one baseline IP is often completed during a security inspection at an NPP. Therefore, the total number of IP completions is higher than the total number of inspections documented in table 3.

12 Table 4: CY 2024 Security Baseline Inspections and Associated Findings for CAT I Fuel Cycle Facilities by IP IPs Number of IP Completions at CAT I Fuel Cycle Facilities in CY 2024 Number of CAT I Fuel Cycle Violations in CY 2024 81700.01SSNM Security Controls 2

0 81700.02Access Control Measures 1

0 85303.02Material Control & Accounting 3

0 81700.04Equipment Performance, Testing and Maintenance 2

2 81700.05Protective Strategy Evaluation 0

0 81700.06Licensee-Conducted FOF 1

0 81700.07Security Training 0

0 81700.08Fitness-for-Duty Program 0

0 81700.09Security Measures 0

0 81700.10Protection of Safeguards Information 0

0 81700.11Annual Observation of Licensee-Conducted FOF 1

0 TOTAL:

10 2

3.3 Calendar Year 2024 Overall Security Inspection Results Table 5 summarizes the combined number of security inspections and findings for NPPs and CAT I fuel cycle facilities in CY 2024.

Table 5: Combined Security Inspection Results for 2024 170 Total number of security inspections conducted at commercial NPPs 10 Total number of security inspections conducted at CAT I fuel cycle facilities 180 Total number of security inspections 115 Total number of Green findings at NPPs 1

Total number of greater-than-Green findings at NPPs 4

Total number of SL IV violations at NPPs 1

Total number of greater-than-SL IV violations at NPPs 2

Total number of SL IV violations at CAT I fuel cycle facilities 0

Total number of greater-than-SL IV violations at CAT I fuel cycle facilities 123 Total number of inspection findings

13

4. FORCE-ON-FORCE INSPECTIONS 4.1 Force-on-Force Program Description An FOF inspection is a two-phased, performance-based inspection that is designed to verify and assess a licensees ability to defend against the applicable DBTs of radiological sabotage, theft or diversion of SSNM, or both, through implementation of its protective strategy. The NRC conducts these FOF inspections at each NPP and CAT I fuel cycle facility on a triennial cycle.

During the first phase of the inspection, NRC security inspectors conduct briefings and site walkdowns to assess the number of defenders, their protective positions, and the licensees overall protective strategy. The inspectors also conduct tabletop drills on a mock-up of the facility to evaluate the effectiveness of the licensees security strategy against a series of attack scenarios. The role of local, State, and Federal law enforcement and emergency planning officials is also discussed in the tabletop drills. Using information obtained from the tabletop drills, briefings, site walkdowns, security procedures, and previous inspection reports, the NRC inspection team, with technical support from active-duty members of the U.S. Special Operations Command, develops attack scenarios designed to probe and challenge potential weaknesses in the sites protective strategy.

During the second phase of the inspection, a mock adversary force carries out the attack scenarios developed by the NRC inspection team during a performance-based exercise. At NPPs, the mock adversary force attempts to reach and simulate destroying enough safety equipment to set in motion an event that would damage the reactors core or spent fuel pool and potentially cause a release of radiation to the environment. At CAT I fuel cycle facilities, a similar process is used to assess the effectiveness of a licensees protective strategy capabilities relative to the DBTs of radiological sabotage and theft or diversion of SSNM. The security force at each facility attempts to interdict the mock adversary force and prevent it from achieving radiological sabotage or the theft or diversion of SSNM. During these exercises, the licensee maintains both its normal security force, which is not involved in the exercise, and a second security force that actively participates in the exercise. The use of weapons and explosives is simulated using electronic equipment and other means.

The purpose of these exercises is to identify any significant deficiencies in the protective strategy. Any such deficiencies are promptly reviewed, and compensatory measures are established when appropriate while the licensee evaluates and implements necessary long-term corrective actions. These exercises provide the most realistic evaluation of the licensees protective strategy, short of an actual attack.

4.2 Force-on-Force Inspections in Calendar Year 2024 CY 2024 marked the second year of the seventh triennial FOF inspection cycle. The NRC staff conducted a total of 18 NRC-evaluated FOF inspections at NPPs during CY 2024. The NRC completed these inspections in accordance with IP 71130.03, Contingency Response Force-on-Force Testing (non-public).

One NRC-evaluated FOF inspection was conducted at a CAT I fuel cycle facility in CY 2024.

This inspection was completed in accordance with IP 96001, NRC Force-on-Force Inspections at Category 1 Fuel Cycle Facilities (non-public).

14 4.3 Force-on-Force Exercise Results The NRC categorizes FOF exercise results as (1) effective, (2) indeterminate, (3) marginal, or (4) ineffective. An effective exercise is one in which the licensee demonstrates effective implementation of its protective strategy in accordance with security plans approved by the NRC and related implementing procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters. An indeterminate exercise is one in which the results were significantly skewed by an anomaly or anomalies, resulting in the inability to determine the outcome of the exercise (e.g., site responders neutralize the adversaries by using procedures or practices unanticipated by the design of the site protective strategy or in conflict with the training of security personnel to implement the site protective strategy, or significant exercise control failures were experienced). A marginal exercise is one in which the licensees performance prevented the loss of a complete target set; however, the sites response force did not neutralize the adversary before the adversary simulated the loss of a subset of target set elements. An ineffective exercise is one in which the licensee did not demonstrate effective implementation of its protective strategy in accordance with plans approved by the NRC and related implementation procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters.

Table 6 summarizes the 19 FOF inspections conducted in CY 2024.

Table 6: CY 2024 FOF Inspections Summary Total number of FOF inspections conducted at NPPs (two exercises per inspection) using IP 71130.03 18 Total number of FOF inspections conducted at a CAT I fuel cycle facility (two exercises per inspection) using IP 96001 1

15 Table 7 lists the outcomes for FOF exercises conducted in CY 2024.

Table 7: FOF Exercise Outcomes Total number of effective exercises 34 Total number of indeterminate exercises 4

Total number of marginal exercises 0

Total number of ineffective exercises 0

Total number of canceled exercises 0

Figure 6 shows the number of ineffective FOF exercises per year from 2018 to 2024. The number of ineffective FOF exercises has remained stable at between zero and two per year.

Figure 6: Total FOF Ineffective Exercises by Year

16

5. CONCLUSION The NRC remains focused on its mission and will continue to leverage available data and risk insights to inform the conduct of inspection and oversight activities. The NRC requires licensed facilities to employ and demonstrate effective defense-in-depth strategies to protect against the theft and diversion of radiological materials as well as radiological sabotage, including well-trained security forces, physical barriers, intrusion detection systems, surveillance systems, and reactor controls.

Consistent with ROP objectives, the NRC will continue to assess for sustained physical security and cybersecurity performance at NRC-licensed facilities and facilities undergoing restart. The NRCs security oversight programs continue to identify vulnerabilities or deficiencies in site protective strategies and security programs and act promptly when these are identified. In addition, baseline inspections, including FOF and cybersecurity inspections (discussed in further detail in Enclosure 2), continue to provide performance-based insights regarding licensee readiness to protect their sites. In these ways, the NRC security inspection program ensures that NRC licensees remain aware of and prepared to protect against a wide range of threats.

Lastly, in accordance with the ADVANCE Act, the NRC staff will also continue to review and assess existing processes within the security inspection program to ensure that the agencys regulatory activities are conducted efficiently and provide an objective means of evaluating security-related findings to promote the common defense and security.

Additional information on the NRCs security oversight programs can be found on the agencys public website at https://www.nrc.gov/security.html.

17 Report to Congress on the Security Inspection Program for Commercial Power Reactors and Category I Fuel Cycle Facilities:

Results and Status Update Appendix: List of Acronyms and Abbreviations Used in Enclosure 1 ADVANCE Act Accelerating Deployment of Versatile Advanced Nuclear for Clean Energy Act CAT I Category I CY calendar year DBT design-basis threat FOF force-on-force IP inspection procedure NPP nuclear power plant NRC U.S. Nuclear Regulatory Commission PI performance indicator ROP Reactor Oversight Process SL severity level SSNM strategic special nuclear material