NUREG-1885, Rev. 16, Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update (Annual Report for Calendar Year 2022)

From kanterella
(Redirected from NUREG-1885)
Jump to navigation Jump to search
NUREG-1885, Rev. 16, Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update (Annual Report for Calendar Year 2022)
ML23272A203
Person / Time
Issue date: 09/30/2023
From: Dante Johnson
Office of Nuclear Security and Incident Response
To:
References
NUREG-1885 R16
Download: ML23272A203 (1)
v  d  e


Text

NUREG-1885 Revision 16 Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update Annual Report for Calendar Year 2022

NUREG-1885 Revision 16 Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update Annual Report for Calendar Year 2022 Manuscript Completed: July 2023 Date Published: September 2023 Office of Nuclear Security and Incident Response

ABSTRACT This report fulfills the requirements of Section 170D.e of the Atomic Energy Act of 1954 (42 U.S.C. §2210 d.(e)), as amended, which states, not less often than once each year, the Commission shall submit to the Committee on Environment and Public Works of the Senate and the Committee on Energy and Commerce of the House of Representatives a report, in classified form and unclassified form, that describes the results of each security response evaluation conducted and any relevant corrective action taken by a licensee during the previous year. Additionally, Section 170D.a of the Atomic Energy Act of 1954 (42 U.S.C.

§2210 d.(a)), as amended, grants the U.S. Nuclear Regulatory Commission (NRC) the authority to determine which licensed facilities must undergo these security evaluations. The NRC is reporting the security response evaluation results for the Nations fleet of operating commercial nuclear power plants (NPPs) and Category I (CAT I) fuel cycle facilities, given the significance of the nature, form, and quantity of nuclear material at these facilities. With respect to NPPs, the scope of this report includes those undergoing decommissioning but not yet transitioned to a dry-storage independent spent fuel storage installation due to the continued implementation of Title 10 of the Code of Federal Regulations (10 CFR) Part 73, Physical Protection of Plants and Materials. This report includes a comprehensive overview of the combined results of the security programs for calendar year (CY) 2022. To aid in understanding the context of how the NRC conducts evaluations, this report also provides a description of relevant security programs, including the reactor oversight process (ROP);

physical and cyber security baseline inspection programs for NPPs; a force-on-force (FOF) evaluation description; and CAT I fuel cycle facility security oversight program.

Paperwork Reduction Act Statement NUREG-1885, Revision 16, Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update, does not contain information collection requirements and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. §3501 et seq.).

Public Protection Notification The NRC may not conduct nor sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid Office of Management and Budget control number.

iii

TABLE OF CONTENTS ABSTRACT ................................................................................................................... iii EXECUTIVE

SUMMARY

.............................................................................................. vii 1 SECURITY OVERSIGHT FOR COMMERCIAL POWER REACTORS .................... 1 1.1 Reactor Oversight Process Framework ........................................................................ 1 2 CALENDAR YEAR 2022 NUCLEAR POWER PLANT INSPECTION RESULTS ................................................................................................................. 3 3 CATEGORY I FUEL CYCLE FACILITY SAFEGUARD AND SECURITY OVERSIGHT PROGRAM ......................................................................................... 5 3.1 Category I Fuel Cycle Facility Oversight Process Framework ...................................... 5 3.2 Calendar Year 2022 Inspection Results ....................................................................... 6 4 FORCE-ON-FORCE EVALUATIONS ...................................................................... 7 4.1 Overview....................................................................................................................... 7 4.2 Background .................................................................................................................. 7 4.3 Program Activities for CY 2022 .................................................................................... 9 4.4 Force-on-Force Evaluation Results .............................................................................. 9 5 OVERALL SECURITY INSPECTION RESULTS FOR 2022 ................................. 13 5.1 Overview..................................................................................................................... 13 5.2 Inspection Results ...................................................................................................... 13 6 CONCLUSION ....................................................................................................... 17 APPENDIX LIST OF ACRONYMS ............................................................................ 19 v

EXECUTIVE

SUMMARY

Conducting FOF inspections and implementing the security inspection program contribute to the secure and safe use of radioactive and nuclear materials by the commercial nuclear power industry and at CAT I fuel cycle facilities. In CY 2022, the NRC conducted inspection activities similar to those that were conducted before the coronavirus disease 2019 (COVID-19) public health emergency (PHE). The NRC remained flexible, however, as the effects of the COVID-19 variants continued to linger throughout the year. Under these conditions, the NRC took appropriate Figure 1 NRC Region II Inspectors Oversee an measures to balance the needs of the Exercise with Federal, State, and Local Officials in program and the need to keep NRC and Florida during February 2023 licensee staff safe while also applying the NRCs Principles of Good Regulation (independence, openness, efficiency, clarity, and reliability) in performing its safety and security mission.

In CY 2022, the NRC performed a total of 193 security inspections at operating commercial nuclear power plants and CAT I fuel cycle facilities to assess the multifaceted security programs licensees implement to protect and defend their sites. This is a higher number of inspections than conducted during CY 2020 and CY 2021, when COVID-19 impacts were greater. The number of security inspections conducted in CY 2022 is consistent with inspection numbers prior to the PHE.

For CY 2022, there were a total of 140 inspection findings in the security baseline inspection program. Approximately 95 percent of the findings were assessed as having very low security significance. The Official Use Only - Security-Related Information version of this report (Enclosure 2) contains specific details on the inspection findings. This represents an upward trend in findings over previous years, which the NRC will continue to monitor and evaluate.

More broadly, the NRC continues to assess opportunities to risk-inform and modernize its security oversight program to help ensure the health of licensee security programs to provide for reasonable assurance of adequate protection of public health and safety and the common defense and security.

vii

In CY 2023, the NRC will continue to advance efforts targeted at increasing realism in the FOF program. The agency will continue with the first ROP cycle of the cybersecurity inspection program and routine oversight of licensees cybersecurity and baseline physical security programs. Finally, the NRC will New Cybersecurity continue its important mission of monitoring the Inspection Procedure threat directed toward NPPs and CAT I fuel cycle facilities and will communicate time-sensitive information and assess the need for From 2018 to 2021, the NRC inspected NPPs any changes to the design-basis threat (DBT) to evaluate the full implementation of their applicable to these facilities. cybersecurity programs. These inspections resulted in the identification of over 100 findings and violations. Primary contributing causes can be one of 23 different cross-cutting aspects associated with human performance, problem identification and resolution, or safety conscious work environment.

The NRCs cybersecurity requirements for NPPs are found in 10 CFR 73.54, Protection of digital computer and communication systems and networks. Licensees are required to protect digital computer systems and networks associated with safety, security, and emergency preparedness functions, as well as support systems and equipment from cyberattacks.

A new cybersecurity Inspection Procedure (IP), IP 71130.10, was implemented on January 1, 2022. It is being used to complete the ROP baseline inspections that started in CY 2022. The first cybersecurity inspection using the new IP occurred in February 2022.

The cybersecurity baseline inspections are biennial inspections conducted over a 1 week period. An analysis of CY 2022 cybersecurity inspections is discussed in Enclosure 2.

viii

1 SECURITY OVERSIGHT FOR COMMERCIAL POWER REACTORS 1.1 Reactor Oversight Process Framework The NRC maintained regulatory oversight of safeguards and security programs for 93 power reactors located at 58 sites in 29 States across the country in CY2022. The ROP 1 is the NRC's process to inspect, measure, and assess the safety and security performance of an NPP licensee and to respond to any decline in their performance. The ROP is anchored in the NRC's mission to provide reasonable assurance of adequate protection of public health and safety and to promote the common defense and security and to protect the environment. The ROP encompasses three key strategic performance areas and measures NPP performance in seven specific cornerstones and in three cross-cutting areas as shown in Figure 2.

Figure 2 Reactor Oversight Framework The NRC evaluates NPP performance by analyzing two distinct inputs: inspection findings resulting from the NRC's inspection programs and performance indicators reported by the licensees. The staff uses the NRCs baseline security significance determination processes (SDP) to evaluate security inspection-related findings and determine the significance of security program deficiencies 2 as shown in Figure 3. The staff uses the process for an initial screening to identify inspection findings that would not significantly increase risk and, thus, do not need to be further analyzed. Remaining inspection findings are then subject to a more thorough risk assessment to determine whether further regulatory action is warranted. Similarly, each performance indicator is measured against the ROP criteria using a color-coded system for performance. 3 Figure 3 Assessing Significance within the Reactor Oversight Program 1 Additional details regarding the ROP can be found on the NRCs public website:

https://www.nrc.gov/reactors/operating/oversight/rop-description.html.

2 The SDP for nuclear power reactors uses risk insights, where appropriate, to help the NRC to determine the significance of inspection findings. These findings include both programmatic and process deficiencies.

3 Publicly available performance indicator data is posted at https://www.nrc.gov/reactors/operating/oversight/pi-summary.html.

1

Based on the use of the SDP to assess licensee performance, the NRC determines the appropriate level of agency response, including supplemental inspection and pertinent regulatory actions. Information regarding security findings is included in the NRCs action matrix 4 and is identified in the publicly available action matrix summary as either very low significance (i.e., Green), or of greater significance (i.e., white, yellow, or red), which is presented in a different color (i.e., blue) to reflect greater-than-Green significance. 5 The NRC's enforcement jurisdiction is derived from the Atomic Energy Act of 1954, as amended, and the Energy Reorganization Act of 1974, as amended. The enforcement program has two goals: (1) compliance with regulatory requirements, and (2) prompt and comprehensive identification of violations as well as correction of violations. When violations are identified through inspections and investigations, the NRC uses three primary enforcement sanctions:

notices of violation, civil penalties, and orders. Notices of violation and civil penalties are issued based on violations. Orders may be issued for violations or because of a public health and safety or common defense and security issue.

Traditional Enforcement Process The traditional enforcement process applies to all NRC licensees and applicants, to various categories of non-licensees, and to individual employees of licensed and non-licensed entities involved in NRC-regulated activities. It is also used in conjunction with the ROP SDP for violations that resulted in actual security consequences, affected the ability of the NRC to perform its regulatory oversight function, or were deliberate in nature. Traditional enforcement includes four severity levels (SLs) that demonstrate the relative importance of the violation:

4 The action matrix identifies the range of NRC and licensee actions and the appropriate level of communication for different levels of licensee performance. Information on the action matrix is provided in Inspection Manual Chapter 0305, Section 10, ROP Action Matrix, dated November 4, 2020. The current action matrix is posted at https://www.nrc.gov/reactors/operating/oversight/actionmatrix-summary.html.

5 Staff Requirements Memorandum for SECY-04-0191, Withholding Sensitive Unclassified Information Concerning Nuclear Power Reactors from Public Disclosure, dated November 9, 2004 (Agencywide Documents Access and Management System Accession No. ML043140175) ordered the NRC staff to withhold specific information relating to findings and PIs to ensure that security-related information is not provided to a potential adversary, including not specifying the actual color of greater-than-green security findings.

2

2 CALENDAR YEAR 2022 NUCLEAR POWER PLANT INSPECTION RESULTS Table 1 summarizes the results of the security baseline inspection program for commercial NPPs in CY 2022. Table 1 indicates that 121 out of 126 security findings at NPPs issued in CY 2022 were of very low security significance (i.e., green or SL IV violations); five were greater-than-Green. Furthermore, at the end of CY 2022, all licensees reported their security PIs were Green and, therefore, did not warrant additional NRC inspection. Additional information regarding the inspection findings is provided in Enclosure 2.

Table 1 Calendar Year 2022 Security Baseline Inspection Program Summary for Commercial Nuclear Power Reactors Total number of security inspections conducted 181 Total number of inspection findings 126 Distribution of Inspection Findings:

Total number of green findings 115 Total number of greater-than-green findings 5 Total number of SL IV violations 6 Total number of greater-than-SL IV violations 0 Table 2 summarizes the associated findings related to security baseline inspections for commercial nuclear power reactors. The areas with the most inspection findings within the security baseline inspection program are cybersecurity, access control, and protective strategy evaluation. This is consistent with previous years security baseline inspection results.

Table 2 Calendar Year 2022 Security Baseline Inspections and Associated Findings for Commercial Nuclear Power Reactors by Inspection Procedure Number of Number Variance Inspection Procedure Inspection of from Areas Findings CY-2021 01 - Access Authorization 18 8 +6 02 - Access Control 60 21 +8 03 - Contingency Response (FOF)/Inspection Procedure 18 6 +4 92707 04 - Equipment Performance, Testing and Maintenance 39 10 +2 05 - Protective Strategy Evaluation 24 16 +13 06 - Protection of Safeguards Information 4 6 +6 07 - Security Training 27 2 +2 08 - Fitness-for-Duty Program 10 1 -6 09 - Security Plan Changes 52 0 0 10 - Cybersecurity 26 53 +33 11 - Materials Control and Accounting 25 0 -1 14 - Target Set Inspection 26 3 -1 TOTAL: 329* ^126 +66

  • Note: Security baseline inspections may involve inspection areas, thus a higher total number.

^Note: Security baseline inspections and findings at Category I fuel cycle facilities not included.

3

3 CATEGORY I FUEL CYCLE FACILITY SAFEGUARD AND SECURITY OVERSIGHT PROGRAM 3.1 Category I Fuel Cycle Facility Oversight Process Framework The NRC maintains regulatory oversight of safeguards and security programs at two CAT I fuel cycle facilities: BWX Technologies, Inc., located in Lynchburg, Virginia, and Nuclear Fuel Services, Inc., located in Erwin, Tennessee. These facilities manufacture fuel for government reactors and down-blend highly enriched uranium into low-enriched uranium for use in commercial nuclear power reactors. Each CAT I fuel cycle facility is licensed to use and process a formula quantity of strategic special nuclear material. 6 The strategic special nuclear material must be protected against acts of radiological sabotage as well as theft and diversion.

The primary objectives of the CAT I Fuel Cycle Facility Security Oversight Program are to:

  • determine if the fuel cycle facilities are operating safely, securely, and pursuant to the NRCs regulatory requirements and orders issued to fuel cycle facilities to implement compensatory security measures;
  • detect indications of declining safeguards performance;
  • investigate specific safeguards events and weaknesses; and
  • identify generic security issues.

Like the ROP for NPPs, the CAT I fuel cycle facility oversight program includes an inspection program to identify findings, determine their significance, document the results, and assess licensees corrective actions. The CAT I fuel cycle facility safeguards and security inspection program uses traditional enforcement to assign the appropriate SL based on the significance of the violations as discussed in Section 2 of this report. The core inspection program requires highly enriched uranium-related physical security areas to be inspected annually, biennially, or triennially using established inspection procedures. The results of these inspections contribute to an overall assessment of licensee performance.

The highly enriched uranium inspectable security areas include:

  • access authorization
  • protection of sensitive and
  • access control classified information
  • contingency response
  • target area review
  • equipment performance
  • security training
  • fitness-for-duty
  • transportation security
  • material control and accounting The core inspection program also includes FOF evaluations. In addition, like NPPs, NRC resident inspectors assigned to each CAT I fuel cycle facility provide an onsite NRC presence for direct observation and verification of a licensees ongoing activities. Through the results 6 Special nuclear material is defined by Title I of the Atomic Energy Act of 1954, as amended, as plutonium, uranium-233, or uranium enriched in the isotopes uranium-233 or uranium-235, but does not include source material.

5

obtained from all oversight efforts, the NRC determines whether licensees comply with regulatory requirements and can provide adequate protection against the DBT of radiological sabotage and theft or diversion.

3.2 Calendar Year 2022 Inspection Results Table 3 summarizes the overall results of the safeguards and security inspection program for CAT I fuel cycle facilities during CY 2022. The majority of core inspection safeguards and security violations issued in CY 2022 at CAT I fuel cycle facilities were of very low security significance (i.e., SL IV findings). There were two violations issued as greater than SL IV violations. The SL IV violations at CAT I fuel cycle facilities were attributed to inadequate vehicle searches, security equipment maintenance and testing, providing necessary compensatory measures, assessing security alarms and access to the alarm station, not following procedures, and providing complete and accurate information. Additional information regarding the inspection findings is provided in Enclosure 2.

Table 3 Calendar Year 2022 Security Inspection Summary for Category I Fuel Cycle Facilities Total number of security inspections conducted 12 Total number of inspection findings 14 Total number of SL IV findings* 12 Total number of greater-than-SL IV findings 2

  • Note: In CY 2022, SL IV findings were identified during access control; equipment performance, testing, and maintenance; and protective strategy areas of inspections.

6

4 FORCE-ON-FORCE EVALUATIONS 4.1 Overview FOF inspections include both tabletop drills and performance-based FOF inspection exercises.

These FOF inspection exercises simulate combat between a mock adversary force and a licensees security force. At an NPP, the mock adversary force attempts to reach and simulate damage to significant components of safety-related systems (referred to as target sets) that protect the reactors core or the spent fuel. Compromise of target sets could potentially cause a radioactive release to the environment. The licensees security force, in turn, attempts to interdict the mock adversary force to prevent the adversary from reaching target sets, thus preventing such a release. At a CAT I fuel cycle facility, a similar process is used to assess the effectiveness of a licensees protective strategy capabilities relative to the DBT of radiological sabotage and theft or diversion of strategic special nuclear material.

4.2 Background

Shortly after the PHE declaration in March 2020, FOF inspections were temporarily suspended due to the complex nature of the inspections that could create a heightened risk of virus transmission. Specifically, FOF exercises use IP 71130.03, Contingency Response -

Force-on-Force Testing, which requires extensive in-person planning, a large number of interdisciplinary participants, and a broad range of activities that require gatherings of both small and large groups (e.g., site walkdowns, meetings, interviews, and tabletop exercises). In addition, some FOF elements involve close interactions between individuals (e.g., controllers, players, and on-duty staff in a bullet-resistant enclosure) using the Multiple Integrated Laser Engagement System (MILES). These factors required thorough consideration Figure 4 Responder in Action during and mitigation. FOF Inspection in CY 2022 In August 2020, the NRC resumed inspections using a new special use IP 92707, Security Inspection of Facilities Impacted by a Local, State, or Federal Emergency Where the NRCs Ability to Conduct Triennial Force-on-Force Exercises is Limited, for limited-scope tactical response drills that allowed key elements of the sites physical protection strategy to be tested in 7

a manner that mitigated the risk of COVID-19 transmission. This IP was used in accordance with Inspection Manual Chapter 2201, Appendix C, Generic, Special, and Infrequent Inspections, to perform prudent inspection activities during the special circumstances associated with the PHE. The IP enabled a limited resumption of onsite, performance-based inspections in August 2020, by using select elements of the routine triennial inspection procedure (e.g., walkdowns, tabletop exercises) and adapting elements to limit the risk of COVID-19 transmission. For example, entrance and exit meetings and safety briefings were held remotely where possible, and an increased acceptance of simulations was applied to reduce close contact conditions. To reduce the number of individuals onsite and further reduce the potential for COVID-19 transmission, limited-scope tactical response drills were used instead of full-scope FOF exercises to assess key elements of the licensee protective strategy, including responder performance. In addition, licensees were able to choose to use site- or fleet-provided MILES equipment and mock adversary forces, rather than the typical NRC-provided MILES equipment and an NRC-approved industry mock adversary force to further reduce the potential for COVID-19 transmission through contact. While these factors presented a shift from the well-established FOF approach used for NPPs, the NRC sought to balance the need for routine licensee demonstrations with the adjustments made due to the COVID-19 PHE.

The use of IP 92707 through the remainder of CY 2020 allowed the NRC to verify some key aspects of licensee protective strategies and security responder performance and ensure confidence in licensees security posture.

In CY 2021, the NRC issued revisions to IP 71130.03 and IP 92707. The revision to IP 71130.03 added Addendum 5, Interim Guidance Related to the Implementation of Inspection Procedure 71130.03, Contingency Response - Force-on-Force Testing, During the COVID-19 PHE. This addendums objective is to balance protecting the health and safety of NRC inspectors and site personnel from the risk of exposure to COVID-19 with the need to conduct effective oversight that supports NRCs critical safety mission. This addendum is in effect only when conditions during the COVID-19 PHE permit the use of IP 71130.03. Some of the key attributes of this addendum are that the inspection team should take every effort to reduce time onsite by conducting debriefs, entrance, and exit briefings remotely. For all aspects of the inspection, the inspection team should advise the licensee that only the minimum number of site personnel will be used during the conduct of the exercise (i.e., limited to the number of responders that would have the opportunity to engage adversaries in the exercise scenario).

The revision to IP 92707 was issued based on lessons learned from its implementation in CY 2020, specifically to provide direction when performance issues are identified during the limited-scope tactical response drills. Due to the limited security force participation, an issue identified in a limited-scope drill may not provide enough information to determine whether a performance deficiency exists. To accurately identify if a performance deficiency exists, the inspection team may expand the number of drill samples to gain additional information and insights into those key elements of the protective strategy (e.g., by rotating the existing participants to different positions). The expanded sample will be used to determine if a performance deficiency exists that will be screened in accordance with Inspection Manual Chapter 0612, Appendix B. In cases where a more-than-minor performance deficiency exists, NRC inspectors will utilize the baseline security SDP outlined in Inspection Manual Chapter 0609, Appendix E, Part I to evaluate the significance of the performance deficiency.

In CY 2022, the NRC used a tiered approach in conducting FOF inspections to mitigate the lingering COVID-19 conditions. The primary approach was to conduct the IP 71130.03, Contingency Response - Force-on-Force Testing, without modification. The next tier would utilize the IP 71130.03, Contingency Response - Force-on-Force Testing, with Addendum 5 8

for licensees that could not conduct two full exercises safely due to the limitations imposed by the COVID-19 mitigation processes. The last tier would utilize the IP 92707, Security Inspection of Facilities Impacted by a Local, State, or Federal Emergency Where the NRCs Ability to Conduct Triennial Force-on-Force Exercises is Limited, to conduct limited scope tactical response drills at licensees that were granted an approved COVID-19-related hardship.

4.3 Program Activities for CY 2022 Program activities in CY 2022 marked the third year of the current 3-year FOF inspection cycle, the sixth cycle in the history of the program. A total of 19 NRC-evaluated FOF inspections were scheduled at NPPs for CY 2022. During CY 2022 the NRC completed FOF inspections utilizing IP 71130.03 at 17 NPP sites: Palo Verde, River Bend, Beaver Valley, Calvert Cliffs, Dresden, Browns Ferry, Perry, Byron, Vogtle, D.C. Cook, Braidwood, Fermi, Watts Bar, Ginna, Comanche Peak, Hatch, and McGuire. The remaining scheduled FOF inspections were conducted with IP 92707 using limited-scope tactical response drill exercises at two NPP sites:

Diablo Canyon and Catawba. There was one scheduled NRC-evaluated FOF inspection at the Nuclear Fuel Services, Inc. CAT I fuel cycle facility in CY 2022.

4.4 Force-on-Force Evaluation Results Pursuant to the FOF SDP, an effective exercise is one in which the licensee demonstrates effective implementation of its protective strategy in accordance with security plans approved by the NRC and related implementation procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters. An indeterminate exercise is one in which the results were significantly skewed by an anomaly or anomalies, resulting in the inability to determine the outcome of the exercise (e.g., site responders neutralize the adversaries using procedures or practices unanticipated by the design of the site protective strategy or in conflict with the training of security personnel to implement the site protective strategy, or significant exercise control failures were experienced, including controller performance failures). A marginal exercise is one in which the licensees performance prevented the loss of a complete target set; however, the sites response force did not neutralize the adversary before the adversary simulated the loss of target set elements. An ineffective exercise is one in which the licensee did not demonstrate effective implementation of its protective strategy in accordance with plans approved by the NRC and related implementation procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters.

Table 4 summarizes the 20 inspections conducted in CY 2022.

Table 4 Calendar Year 2022 Force-on-Force Evaluations Summary Total number of inspections of limited-scope tactical response drill exercises using 2

IP 92707 7 Total number of fully integrated FOF inspections conducted (two exercises per 17 inspection) using IP 71130.03 Total number of fully integrated FOF inspections conducted at a CAT I fuel cycle 1

facility (two exercises per inspection) using IP 96001 7 Inspections conducted using IP 92707 were not assigned an exercise outcome.

9

The fully integrated triennial FOF exercise conducted at a CAT I fuel cycle facility in CY 2022 resulted in one effective and one indeterminate exercise. For the FOF inspections conducted at commercial power reactors with IP 71130.03, Table 5 shows two ineffective and two indeterminate exercise outcomes. For the two limited-scope tactical response drills conducted under IP 92707, a complete assessment of the FOF exercise was not possible because the drills were limited in scope and a determination of a licensees overall protective strategy effectiveness could not be made, consistent with the intended use of IP 92707. However, use of IP 92707 provided NRC inspectors the ability to conduct prudent inspection activities while minimizing the risk of COVID-19 transmission.

Table 5 Force-On-Force Exercise Outcomes Total number of effective exercises 30 Total number of indeterminate exercises 2 Total number of marginal exercises 0 Total number of ineffective exercises 2 Total number of canceled (fully integrated) exercises 1 Figure 5 provides a summary of FOF inspection findings from 2015 through 2022. While the figure shows a declining number of inspection findings in the FOF program overall in previous years, the number of ineffective exercises has remained at a frequency of about once or twice per year (or once or twice per 20 inspections). The trend of decreasing FOF-related findings can be attributed to the licensees security programs becoming more mature and the NRC inspection teams increasingly taking a risk-informed approach to conducting inspections.

10

Figure 5 Total Force-on-Force Findings Issued by Level of Significance 11

5 OVERALL SECURITY INSPECTION RESULTS FOR 2022 5.1 Overview In CY 2022, the NRC performed 193 security inspections at operating commercial NPPs and CAT I fuel cycle facilities (including FOF inspections). This was an 9-percent increase in the number of total security inspections compared to the previous CY. The increase is attributed to NRC inspectors resuming normal inspections. The CY 2022 inspections resulted in a total of 140 findings, a significantly higher outcome of the number of findings in CY 2021. The NRC issued revised ROP guidance in response to the COVID-19 PHE and implemented both onsite and remote inspection activities.

5.2 Inspection Results Table 6 summarizes the overall results of the NRCs security inspection program at operating NPPs and CAT I fuel cycle facilities during CY 2022, including FOF inspections (see Figure 6).

Table 6 indicates that 133 out of 140 security inspection findings issued in CY 2022 were of very low security significance (i.e., the combined Green and SL IV violations); five findings were greater-than-Green, and two were greater-than-SL IV. This information gives an overview of licensee performance within the ROP security cornerstone. The Official Use Only -

Security-Related Information version of this report (Enclosure 2) contains additional details on each finding.

Table 6 Security Inspection Results for 2022 193 Total number of security inspections conducted 140 Total number of inspection findings 115 Total number of green findings 5 Total number of greater-than-green findings 18 Total number of SL IV violations 2 Total number of greater-than-SL IV violations 13

Figure 6 Summary of Security Inspection Program Results for Calendar Year 2022 14

Figure 7 shows the overall trend in security inspection findings from CY 2015 through CY 2022.

Figure 7 Number of Security Inspections (2015-2022) 15

6 CONCLUSION The NRC remains focused on the mission of protecting public health and safety and has applied risk insights and the use of technology to perform oversight activities. As 2023 progresses, the staff will continue to implement its normal inspection activities.

The NRC has a long history of evaluating the ROP and its effectiveness to enact continuous improvement, and the security oversight program is no exception. In addition to tailoring inspection procedures to focus on licensee processes and programs to maintain a healthy security posture, the NRC actively monitors the threat environment to assess the need to communicate advisory information to licensees or to consider changes to the DBT. The NRC also maintains frequent engagement with Federal counterparts, the intelligence community, and law enforcement to maintain the agencys understanding of the evolving security landscape and to facilitate prompt screening and follow-up for suspicious activity reports and events. This enables the NRC to provide security oversight to help ensure that licensee programs are focused on protecting their sites in a dynamic environment.

As evidenced in this report, sustained performance has been demonstrated in NPP and CAT I fuel cycle security during CY 2022. Sites employ defense-in-depth strategies to protect against terrorism and radiological sabotage, including well-trained security forces, robust physical barriers, intrusion detection systems, surveillance systems, and plant access controls. The NRC oversight continues to probe for any vulnerabilities or deficiencies in site protective strategies and programs and takes prompt action where identified. In addition, kinetic assessment methods, such as FOF inspections, continue to provide performance-based insights regarding licensee readiness to defend their sites.

17

APPENDIX - LIST OF ACRONYMS 10 CFR Title 10 of the Code of Federal Regulations CAT I Category I COVID-19 coronavirus disease 2019 CY calendar year DBT design-basis threat FOF force-on-force IP inspection procedure MILES Multiple Integrated Laser Engagement System NPP nuclear power plant NRC U.S. Nuclear Regulatory Commission PHE public health emergency ROP reactor oversight process SDP significance determination process SL severity level 19

NRC FORM 335 U.S. NUCLEAR REGULATORY COMMISSION 1. REPORT NUMBER (12-2010) (Assigned by NRG, Add Vol., Supp., Rev.,

NRCMD 3.7 and Addendum Numbers, if any.)

BIBLIOGRAPHIC DATA SHEET (See instructions on the reverse)

NUREG-1885 Revision 16

2. TITLE AND SUBTITLE 3. DATE REPORT PUBLISHED Report to Congress on the Security Inspection Program for Operating MONTH YEAR Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and September 2023 Status Update
4. FIN OR GRANT NUMBER Annual Report for Calendar Year 2022
5. AUTHOR(S) 6. TYPE OF REPORT Daryl Johnson, NSIR Technical
7. PERIOD COVERED (Inclusive Dates)

CY-2022

8. PERFORMING ORGANIZATION - NAME AND ADDRESS (If NRC, provide Division, Office or Region, U. S. Nuclear Regulatory Commission, and mailing address; if contractor, provide name and mailing address.)

Division of Security Operations Office of Nuclear Security & Incident Response U.S. Nuclear Regulatory Commission Washington, D.C. 20555-0001

9. SPONSORING ORGANIZATION - NAME AND ADDRESS (lfNRC, type "Same as above", if contractor, provide NRC Division, Office or Region, U.S. Nuclear Regulatory Commission, and mailing address.)

Same as above

10. SUPPLEMENTARY NOTES
11. ABSTRACT (200 words or less)

This report fulfills the requirements of Section 170D.e of the Atomic Energy Act of 1954 (42 U.S.C. §2210 d(e)), as amended, which states, not less often than once each year, the Commission shall submit to the Committee on Environment and Public Works of the Senate and the Committee on Energy and Commerce of the House of Representatives a report, in classified form and unclassified form, that describes the results of each security response evaluation conducted and any relevant corrective action taken by a licensee during the previous year. Additionally, Section 170D.a of the Atomic Energy Act of 1954 (42 U.S.C. §2210 d(a)), as amended, grants the U.S. Nuclear Regulatory Commission (NRC) the authority to determine which licensed facilities must undergo these security evaluations. The NRC is reporting the security response evaluation results for the Nations fleet of operating commercial nuclear power plants (NPPs) and Category I (CAT I) fuel cycle facilities, given the significance of the nature, form, and quantity of nuclear material at these facilities. With respect to NPPs, the scope of this report includes those undergoing decommissioning but not yet transitioned to a dry-storage independent spent fuel storage installation due to the continued implementation of Title 10 of the Code of Federal Regulations Part 73, Physical Protection of Plants and Materials. This report includes a comprehensive overview of the combined results of the security programs for calendar year (CY) 2022. To aid in understanding the context of how the NRC conducts evaluations, this report also provides a description of relevant security programs, including: Reactor Oversight Process (ROP), Security Baseline Inspection Program for NPPs, a force-on-force (FOF) evaluation description, and CAT I Fuel Cycle Facility Security Oversight Program.

12. KEY WORDS/DESCRIPTORS (List words or phrases that will assist researchers in locating the report.) 13. AVAILABILITY STATEMENT unlimited Category I Fuel Cycle Facilities 14. SECURITY CLASSIFICATION Commercial Power Reactors (This Page)

Congressional Report unclassified Force-on-Force Inspections (This Report)

Report to Congress unclassified Security Inspection Program 15. NUMBER OF PAGES Security Response Evaluation Program

16. PRICE NRC FORM 335 (12-2010)

NUREG-1885 Report to Congress on the Security Inspection Program for Operating Commercial Power September 2023 Revision 16 Reactors and Category I Fuel Cycle Facilities: Results and Status Update Annual Report for Calendar Year 2022

Retrieved from "https://kanterella.com/w/index.php?title=NUREG-1885,_Rev._16,_Report_to_Congress_on_the_Security_Inspection_Program_for_Operating_Commercial_Power_Reactors_and_Category_I_Fuel_Cycle_Facilities:_Results_and_Status_Update_(Annual_Report_for_Calendar_Year_2022)&oldid=3620196"