Text

Enclosure 2 Additional Background on NRCs Force-on-Force Program As part of the baseline security inspection program, the NRC conducts FOF exercises at each operating nuclear power plant. Following the September 11, 2001, terrorist attacks, the NRC initiated a comprehensive review of its safeguards and security programs and temporarily suspended FOF evaluations at nuclear power plants while conducting the review. In November 2004, the NRC implemented a redesigned, full-scale, performance-based FOF evaluation program.

Currently, licensees are subject to two separate inspections that relate to performance testing the sites contingency response: IP 71130.03 and IP 71130.05. In IP 71130.03, the NRC designs and executes exercise scenarios based on the licensees protective strategy and site-specific conditions identified during the planning portion of the inspection. The primary objective of this inspection is to verify and assess the ability of the licensees physical security systems and security organization to meet the general performance objective of 10 CFR 73.55(b). In IP 71130.05, the NRC observes the licensees design and performance of an FOF exercise to verify that the licensee implements a performance evaluation program consistent with the requirements of 10CFR Part 73, Appendix B. This inspection activity was added in 2014 in response to the reduction of NRC-led FOF exercises from three to two. The primary objective of IP 71130.05 is to ensure that the licensees protective strategy and physical protection program are properly developed, effectively implemented, and compliant with NRC-approved security plans and 10 CFR 73.55(b). This includes evaluation of security personnel training, performance evaluation programs, and annual licensee force-on-force exercises to identify and correct deficiencies.

Over the last two decades, licensees security programs have matured and substantial improvements to nuclear plant security have been made. The NRC FOF program, including NRC-led exercises and NRC observation of licensee exercises, have verified the effectiveness of integrated defenses, confirming that the combination of well-trained security forces, robust physical barriers, intrusion detection and surveillance systems, and plant access controls provide a multi-layered defense against radiological sabotage. This program has provided the NRC with significant insights that would have been difficult to replicate elsewhere, as observations made during these activities have better informed the NRCs evaluation of how the physical protection program integrates and executes in response to simulated attack scenarios.

For example, NRC observations during FOF exercises have resulted in feedback to licensees to improve security force movement and target identification to better protect against friendly fire engagements.

While the identification of vulnerabilities and weaknesses in the licensees protective strategies have decreased over time, the exercises continue to reveal weaknesses in licensee protective strategies that are not readily observable through security plans or other programmatic documents without the performance-based demonstration of a FOF exercise. NRC inspection teams continue to identify deficiencies in licensee performance during FOF exercises (e.g., ineffective exercises) despite multiple previous inspections and FOF exercises.

Overview of the FOF Inspection and Protective Strategy Inspections The NRC FOF inspection program for operating reactors is implemented through Inspection Procedure (IP) 71130.03, Contingency Response - Force-on-Force Testing. Currently, the

NRC inspectors conduct in-office preparation and then perform 2 weeks of onsite inspection as follows:

During the first week onsite, referred to as planning week, NRC inspectors perform site tours, assess the licensees written protective strategy, and perform tabletop drills to inform development of realistic and credible exercise scenarios. At the end of planning week, the inspectors provide the scenarios to the mock adversary force (MAF) to develop detailed mission narratives. The completed mission narratives are approved by the inspection team and provided to the licensee for development of the event and controller matrices.

There are 2 weeks between the onsite weeks.1 During this period, the licensee develops the event and controller matrices and formulates any necessary simulations for the implementation of the exercise. The MAF also develops and rehearses the mission.

Additionally, the two-week interim period provides the licensees with an opportunity to challenge aspects of the developed scenarios that they feel are unrealistic, beyond the scope of the DBT, or lacking sufficient detail.

During the second week onsite, referred to as exercise week, the licensee security response force and MAF conduct the exercises that were developed by the NRC during the planning week. Inspectors evaluate the exercises and licensee post-exercise critiques to verify and assess the ability of the licensees physical protection systems and security organization to defend against the DBT of radiological sabotage. Additionally, the inspectors verify that any deficiencies in the implementation of the protective strategy are identified and entered into the licensees problem identification and resolution program. The inspection concludes with an assessment of the licensees implementation of its protective strategy and whether the performance is effective,2 ineffective,3 or indeterminate4. An ineffective exercise results in a performance deficiency that is assigned regulatory significance in accordance with Inspection Manual Chapter (IMC) 0609, Appendix E, Part II, Force-on-Force Significance Determination Process.

Separately, IP 71130.05 focuses on verifying that a licensees protective strategy is properly developed, effectively implemented, and meets the performance objectives of 10 CFR 73.55(b).

This includes assessing compliance with NRC-approved security plans and related requirements. A key element of this procedure is the Performance Evaluation Program (PEP),

which is separate and distinct from NRC conducted FOF and used to demonstrate how the 1 Beginning in calendar year 2027, the FOF inspection schedule will include 3 weeks between the onsite weeks. This change was made in response to external stakeholder feedback.

2 Effective - An exercise where the licensees protective strategy successfully protected the selected target set from simulated destruction and compromise by the MAF in order to prevent significant core damage and spent fuel sabotage in accordance with implementing procedures, regulatory requirements, or other Commission requirements.

3 Ineffective - An exercise where the licensees protective strategy failed to adequately protect the selected target set from simulated destruction and compromise by the MAF in accordance with implementing procedures, regulatory requirements, or other Commission requirements such that all components of the selected target set were simulated destroyed or compromised.

4 Indeterminate - Exercise where the results were significantly skewed by an anomaly or anomalies, resulting in the inability to determine the outcome of the exercise (e.g., site responders neutralize the adversaries using procedures or practices unanticipated by the design of the site protective strategy or training of security personnel to implement the site protective strategy or significant exercise control failures to include controller performance failures). The inability to reliably determine the outcome of the exercise can also create an indeterminate exercise.

licensee evaluates the effectiveness of its physical protection program through tactical response drills and annual, licensee-conducted FOF exercises.

In IP 71130.05, inspectors review the licensees Physical Security Plan, implementing procedures, and training documentation to confirm that the PEP is maintained and referenced in the sites training and qualification plan. The PEP must include processes for conducting drills and licensee-conducted FOF exercises that test the protective strategy and contingency response capabilities. Inspectors also verify that FOF scenarios realistically challenge the protective strategy against elements of the DBT, minimize artificialities, and incorporate credible adversary tactics, target sets, and pathways. Finally, IP 71130.05 directs inspectors to conduct an enhanced observation of a licensee-conducted FOF exercise. Through these reviews, IP 71130.05 ensures licensees maintain a robust protective strategy and evaluation process, providing reasonable assurance of adequate protection of nuclear facilities.

Mitigation of Potential Conflicts of Interest The NRCs FOF program currently has three main components that mitigate potential conflicts of interest in accordance with Section 170D of the AEA of 1954, as amended. First, the NRC utilizes an independent mock adversary force (MAF) for NRC-led exercises. Second, NRC-led exercises utilize standardized Multiple Integrated Laser Engagement System (MILES) equipment and blank-fire weapons that incorporate additional engineered safety features and are tested, maintained, and calibrated to a Department of Energy (DOE) developed standard.

Finally, the NRC independently develops the exercise scenarios with minimal licensee engagement. These components are not utilized during the NRC observation of the licensee exercises.

The first two components maximize licensee engagement to the greatest extent practicable through implementation of Commission direction and coordination with external stakeholders:

1. There are currently two MAF teams utilized during NRC-led triennial FOF exercises at power reactors: The Composite Adversary Force (CAF) administratively managed by the Nuclear Energy Institute (NEI) and the Joint Composite Adversary Force (JCAF) administratively managed by Entergy and NextEra. However, in Staff Requirements Memorandum (SRM)-SECY-19-0046, Options for a Long-Term Alternative to the Nuclear Energy Institute Composite Adversary Force, dated October 9, 2019 (ML19282B628), the Commission approved the implementation and utilization of additional industry-managed MAFs during NRC-led FOF exercises. Licensees have the option to implement their own independent MAF subject to NRC staff review and approval. The staff will inform the Commission of any newly approved MAFs, per commitments made in SECY-19-0046. The NRC inspectors and U.S. Special Operations Command (USSOCOM) Advisors provide oversight of the MAF to ensure MAF preparedness and to identify and mitigate any potential conflict of interest issues.

2. The NRC provides the MILES equipment for NRC-led FOF exercises through an interagency agreement with DOE. The staff conducted a review to assess the feasibility of utilizing licensee-owned MILES equipment during FOF exercises as directed by the Commission in SRM-SECY-17-0100, Security Baseline Inspection Program Assessment Results and Recommendations for Program Efficiencies, dated October 9, 2018 (ML18283A072). The results of this assessment were communicated to the Commission in COMSECY-19-0006, Revised Security Inspection Program Framework (Option 3) in Response to SRM-17-0100 (ML19058A094). The staff determined that a lack of

standardization in safety and capability of licensee MILES equipment created significant limitations to its use in NRC-led FOF exercises. Additionally, in a letter to the NRC, Use of Licensee Multiple Integrated Laser Engagement System (MILES) Equipment in Force-on-Force Exercises, dated, January 18, 2018 (ML19018A229), NEI indicated that the industry preferred to continue to utilize NRC-provided MILES equipment during NRC-led FOF exercises rather than pursue voluntary MILES standards. The staff terminated efforts in this area based on industry input.

Regarding the third component, the NRC has historically developed scenarios to be used in FOF exercises with limited licensee engagement. However, in response to EO 14300, external stakeholder feedback, and the staffs recent benchmarking efforts with DOE, the staff is proposing an option that would change how the exercise scenarios are developed by maximizing licensee involvement.

Starting in 2024, the NRC staff participated in a Security Policy Verification Committee working group with members of the Defense Threat Reduction Agency (DTRA) and the DOE National Nuclear Security Administration. As part of this working group, the staff conducted a side-by-side comparison of scenario development to harmonize FOF scenarios across the agencies.

The working group determined that the respective agencies are largely harmonized. However, the use of threat-based scenarios to evaluate security programs differed across the respective agencies. As part of DOEs FOF assessments,5 the team selects a scenario for performance testing from a site-specific catalog of approved scenarios. The site-specific scenarios within the catalog are developed by a site Vulnerability Assessment Team, approved by the onsite Officially Designated Federal Security Authority, and maintained until no longer applicable.

Although the DOE scenario development process, in its entirety, is not a precise fit for the NRC FOF inspection program since they test security at government facilities, the staff used this benchmarking to inform this proposed modification - to increase the role of licensees in scenario development - for the current NRC process.

Relatedly, the NRC also received feedback from industry on recommendations that would increase licensee engagement for scenario development:

On March 31, 2025, NEI submitted a letter to the NRC, Proposal for Using Licensee-Developed Scenarios in Force-on-Force Exercises (ML25090A306), that described a proposed approach for NRC consideration. In this letter, NEI proposed a three-step FOF exercise scenario development process that could allow for additional licensee involvement in the design and development of NRC-led FOF exercises. The three steps included: 1) the NRC providing the licensee with the attributes that should be contained in the scenario; 2) the licensee developing a proposed exercise scenario that drives demonstration of the attributes; and 3) the NRC approving the licensees proposed exercise scenario.

On July 31, 2025, NEI submitted a letter to the NRC, Industry Recommendations on Accelerating NRC Reform (ML25213A112). In this letter, NEI recommended that the NRC: (1) eliminate NRC-led FOF exercises for operating nuclear power plants; (2) implement a licensee-led FOF process; and 3) focus the FOF exercise on credible threats and tactics.

5 Safeguards and security program assessments at the DOE are conducted by the Office of Enterprise Assessments to measure the effectiveness of management processes and mission operations associated with the National Nuclear Security Administration security programs.

On August 19, 2025, the staff conducted a public meeting (ML25239A014) to discuss the approaches being considered for FOF scenario development.

On September 2, 2025, NEI submitted a letter to the NRC, Industry Recommendations on Force-on-Force (FOF) Program Modernization in Response to August 19, 2025, Public Meeting (ML25245A250). That letter indicated that NEIs July 2025 letter superseded the March 2025 letter. The September 2025 letter reasserted the industrys support of its recommendation to eliminate NRC-led FOF exercises. However, if the NRC didnt accept that recommendation, NEI indicated that it would support an approach were the NRC defines key scenario parameters and retains final approval authority, while the licensee develops the detailed scenario. The letter further described a grading methodology to bound complexity, ensure realism, and promote consistency.

The model maintains NRC oversight while leveraging licensee expertise to create a structured and repeatable framework for scenario development.

On January 15, 2026, the staff conducted a public meeting (ML26012A021) to discuss the proposal for the security baseline inspection program including the FOF inspection.

Section 5(g) of EO 14300 includes direction for the NRC staff to revise the Reactor Oversight Process to reduce unnecessary burdens. The recommendations provided in this paper reflect the staffs actions to comply with EO 14300 and respond to stakeholder feedback related to the FOF program.