ML25224A258

OMB 3150-0251, Final 2025, Supporting Statement for NRC Insider Threat Program for Licensees and Other Requiring Access to Classified Information
ML25224A258
Person / Time
Issue date: 11/21/2025
From: Ruppert R
NRC/NSIR/DSO/ISB
To:
References
OMB 3150-0251


Text

FINAL SUPPORTING STATEMENT FOR NUCLEAR REGULATORY COMMISSION INSIDER THREAT PROGRAM FOR LICENSEES AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION (3150-0251)

REVISION

Description of the Information Collection

On October 7, 2011, the President issued Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. In November 2012, following an extensive interagency coordination and vetting process, the President issued the National Insider Threat Policy and the Minimum Standards (NITPMS).

EO 12968, Access to Classified Information, contains the requirements for access to classified information. EO 13587 mandated that an insider threat program (ITP) be implemented for all executive branch departments and agencies that access classified information. The NITPMS states, Consistent with Executive Orders 13587 and 12968, this policy is applicable to all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the Federal Government); and all classified information on those networks.

On May 18, 2016, the Department of Defense (DoD), acting as the Executive Agent for the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M), issued NISPOM Change 2. This changed the NISPOM to require that Federal agencies that provide classified information to contractors, as defined in the NISPOM, develop and maintain an ITP.

On February 24, 2021, the NISPOM was codified as a Federal rule under Title 32 of the Code of Federal Regulations (32 CFR) Part 117, National Industrial Security Program Operating Manual (NISPOM) (NISPOM rule).

For the Nuclear Regulatory Commission (NRC), the rule affects 19 licensees with facility clearances and approximately 900 NRC-issued personnel security clearances. Licensees subject to the ITP requirements fall into two categories:

1) Those who possess, use or transmit classified matter at their site or a cleared contractor site, and
2) Those licensees or cleared contractors who only need access to classified matter at a government or appropriately cleared non-government site.

The NISPOM rule contains reporting and recordkeeping requirements. Some collection requirements are recurring, such as periodic training, and procedures for maintaining acceptable security education, facility, and classification/declassification programs. Some reports or applications are only required as occasioned by the occurrence of specific events, such as an update to key personnel positions identified in the NISPOM rule, or a report of loss of classified information. This clearance covers only those sections of 32 CFR Part 117 that pertain to the establishment of an insider threat program. Additional procedures for obtaining facility security clearance and for safeguarding Secret and Confidential National Security Information and Restricted Data are covered under Office of Management and Budget (OMB) clearance 3150-0047, Title 10 of the Code of Federal Regulations (10 CFR) Part 95, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data.

A. JUSTIFICATION

1. Need For and Practical Utility of the Collection of Information

The scope of EO 13587 applies to all entities (government and private sector) that access classified information as defined in the Atomic Energy Act of 1954 (AEA), as amended, or EO 13526, Classified National Security Information. The NRC has determined that licensees and their cleared contractors fall within the scope of the NISPOM rule, leaving the NRC no discretion with respect to imposing the NISPOM rule ITP requirements upon licensees and their cleared contractors who access classified information.

The annual report on the condition of the ITP is required to demonstrate that all requirements have been implemented and maintained by entities who access classified information for which the NRC is the Cognizant Security Agency (CSA) as defined in the NISPOM rule. While EO 13587 is an element of determining the suitability of an entity to access classified information, 10 CFR Part 95, Facility Security Clearance and Safeguarding of National Security Information and Restricted Data, defines the scope for who the NRC grants access to classified information.

In addition to the annual report, licensees are expected to report the detection of an insider threat.

The respondents of this collection fall into two groups:

1. The first group is comprised of licensees and their cleared contractors who require access to classified information as a condition of their license. This group is comprised of fuel cycle licensees using technology that is determined to be Restricted Data as defined in the AEA. The information collection is mandatory for this group.
2. The second group is made up of licensees who do not require access to classified information as a condition of their license, but for whom the Commission determined it was in the best interest of common defense and security to allow limited access to classified information under EO 13526. The Commission extended the invitation to apply for access to classified information under 10 CFR 95. Acceptance is voluntary. However, if accepted, the invitee is bound by all the requirements necessary to establish and maintain access, including the ITP. However, invitees are free to surrender their access to classified information at any time with no effect upon their license. For these respondents, the information collection is voluntary/necessary to receive a benefit.


2. Agency Use of Information

As the CSA for its licensees and their cleared contractors, the NRC has assigned responsibilities. The NRC will use this information to monitor ITP performance by its licensees and cleared contractors and to demonstrate the agency is fulfilling its responsibilities under the NISPOM rule. If a licensee reports an ITP issue, the NRC will refer the report to the Federal Bureau of Investigation.

3. Reduction of Burden Through Information Technology

There are no legal obstacles to reducing the burden associated with this information collection. The NRC encourages respondents to use information technology when it would be beneficial to them. The NRC has issued Guidance for Electronic Submissions to the NRC which provides direction for the electronic transmission and submittal of documents to the NRC. Electronic transmission and submittal of documents can be accomplished via the following avenues: the Electronic Information Exchange (EIE) process, which is available from the NRC's Electronic Submittals Web page, by Optical Storage Media (OSM) (e.g., CD-ROM, DVD), or by email. It is estimated that 100 percent of the responses are filed electronically.

4. Effort to Identify Duplication and Use Similar Information

No sources of similar information are available. There is no duplication of requirements.

5. Effort to Reduce Small Business Burden

Currently, no licensees subject to ITP requirements qualify as a small business. The requirements to access classified information under the ITP are based on statutes or EO that must be complied with regardless of the size of the business.

6. Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently

Annual collections with a frequency of once per year (or as needed) show that the NRC is fulfilling the duty of the CSA and is in compliance with 32 CFR Part 117.7(d), Insider Threat Program. The information collected is necessary to verify ITP program requirements have been properly implemented and are being maintained.

7. Circumstances Which Justify Variation from OMB Guidelines

There are no variations from OMB Guidelines.

8. Consultations Outside the NRC

Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register on June 9, 2025 (90 FR 24303). As part of the process, three fuel cycle facility licensees were contacted via email. No comments were received in response to these consultations. One public comment was received from DTEX Federal. The comment was determined to be out of scope as it did not directly apply to NRC programs.


9. Payment or Gift to Respondents

Not applicable.

10. Confidentiality of Information

Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 95, Paragraph 9.17(a) and 10 CFR 2.390(b). However, no information normally considered confidential or proprietary is requested.

11. Justification for Sensitive Questions

There is no Privacy Act concern as the information collected is not retrieved using personally identifiable information.
12. Estimated Burden and Burden Hour Cost

The NRC estimates that there are 19 respondents and 53 responses to the information collection in the ITP. The annual reporting burden is 2,268 hours and recordkeeping burden is 919 hours, for a total of 3,187 burden hours for the collection. It should be noted that 461 of the reporting hours capture the burden for program implementation. However, each time a new Insider Threat Program Senior Official is assigned, the burden associated with assigning or training them will be incurred.

The following table summarizes respondent burden, responses, and cost at $317 per hour. Details of reporting and recordkeeping burden and cost estimates to the respondents, broken down by requirement, are reflected in Tables 1 and 2.

| | Responses | Hours | Cost at $317 per hour |
|---|---|---|---|
| Reporting | 53 | 2,268 | $718,956 |
| Recordkeeping | 19 | 919 | $291,323 |
| Total | 72 | 3,187 | $1,010,279 |

Records must be available for NRC review upon demand for such purposes as required inspections.

It should be noted that burden is not uniformly distributed across the 19 respondents. The bulk of the burden is driven by two factors: (1) the number of cleared personnel a respondent has, and (2) whether or not the respondent operates classified information systems. Three respondents account for 800 of 900 NRC-cleared personnel coming under the program. Only 3 of the 19 respondents operate classified information systems.

The $317 hourly rate used in the burden estimates is based on the NRC's fee for hourly rates as noted in 10 CFR 170.20, Average cost per professional staff-hour.

For more information on the basis of this rate, see the Revision of Fee Schedules; Fee Recovery for Fiscal Year 2024 (89 FR 51789; June 20, 2024).


13. Estimate of Other Additional Costs

None.

14. Estimated Annualized Cost to the Federal Government

The staff has developed estimates of annualized costs to the Federal Government related to the conduct of this collection of information. These estimates are based on staff experience and subject matter expertise and include the burden needed to review, analyze, and process the collected information and any relevant operational expenses.

Total annual cost - professional effort (100 hours x $317 per hour) = $31,700

15. Reasons for Change in Burden or Cost

The burden changed from 3,828 hours to 3,187 hours, a decrease of 641 hours. The number of respondents decreased from 28 to 19. The number of responses decreased from 99 to 72.

The reason for the changes in the estimate for the upcoming clearance period is based on termination of Facility Security Clearances for several respondents, thereby removing their requirement to respond to this information collection.

In addition, the fee rate increased from $288 to $317 per hour since the last submission of this information collection.

16. Publication for Statistical Use

There is no application of statistics in the information collected. There is no publication of this information.

17. Reason for Not Displaying the Expiration Date

The expiration date is displayed on the submission templates.

18. Exceptions to the Certification Statement

There are no exceptions.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Statistical methods are not used in this collection of information.


TABLE 1 - INSIDER THREAT PROGRAM ESTIMATE (REPORTING)

| Section | Requirement | No. of Respondents | Responses Per Respondent | No. of Responses | Burden Per Response (Hours) | Total Annual Burden Hours¹ | Total Burden Cost (at $317 per hour) |
|---|---|---|---|---|---|---|---|
| 32 CFR 117.7(b)(4) | Establish program including formal appointment and training by the licensee of an Insider Threat Program Senior Official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 19 | 1 | 19 | 24.25 | 461 | $146,137 |
| 32 CFR 117.7(h)(2) | Annual licensee self-review including self-inspection of the ITP and report to the NRC | 19 | 1 | 19 | 16 | 304 | $96,368 |
| 32 CFR 117.7(d) | Requirements to report to the NRC any detection of an insider threat to the licensee | 19 | .15 | 3 | 1 | 3 | $951 |
| 32 CFR 117.18(b)(4) | Monitor user activity on classified IS | 3 | 4 | 12 | 125 | 1,500 | $475,500 |
| Totals | | 19 | | 53 | | 2,268 | $718,956 |

¹ Total hours per requirement have been rounded to the nearest hour.

TABLE 2 - INSIDER THREAT PROGRAM ESTIMATE (RECORDKEEPING)

| Section | Requirement/Record Retention | No. of Recordkeepers | Annual Hours Per Recordkeeper | Total Annual Recordkeeping Hours |
|---|---|---|---|---|
| 32 CFR 117.7(b)(4) | Formal appointment by the licensee of an ITPSO who is a U.S. citizen employee and a senior official of the company. | 19 | 10 | 190 |
| 32 CFR 117.7(h)(2) | Annual licensee self-review including self-inspection of the ITP | 19 | 16 | 304 |
| 32 CFR 117.12(k) | Maintain ITP Training Records | 19 | 2 | 38 |
| 32 CFR 117.7(d) | Requirements to report to the NRC any detection of an insider threat to the licensee | 19 | 3 | 57 |
| 32 CFR 117.18(b)(4) | Maintain policies and procedures that address key components of the contractor's insider threat program | 3 | 110 | 330 |
| Totals | | 19 | | 919 |

DESCRIPTION OF INFORMATION COLLECTION REQUIREMENTS CONTAINED IN NRC INSIDER THREAT PROGRAM FOR LICENSEES AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION (3150-0251)

32 CFR 117.7(b)(4): This section requires an entity under an ITP to appoint an ITPSO and establish and execute an insider threat program.

32 CFR 117.7(d): This section requires an entity under an ITP to report relevant and available information indicative of a potential or actual insider threat to the NRC using the NRC-provided template.

32 CFR 117.7(h)(2): This section requires an entity under the ITP to perform an annual self-assessment/inspection and report it to the NRC.

32 CFR 117.12(g): This section requires initial and annual insider threat awareness training for all persons with access to classified information.

32 CFR 117.12(k): This section specifies the records retention requirements for the ITP.

32 CFR 117.18(b)(4): This section requires an entity with classified information systems to continuously monitor those systems to detect potential activity indicating an insider threat.