ML071710233: Difference between revisions

From kanterella
(Created page by program invented by StriderTol)
 
DG-5019, Page 24

(8) immediate actions taken in response to the event and compensatory measures in place
(9) local, State, or Federal law enforcement agencies contacted
(10) description of media interest and press releases
(11) indications or records of previous similar events
(12) procedural errors, human errors, or equipment failures, as applicable
(13) cause of event or licensee analysis of event (including a brief summary in the report and reference any ongoing or completed detailed investigations, assessments, analyses, or evaluations)
(14) corrective actions taken or planned, including dates
(15) name and phone number of knowledgeable contact

For reported uncompensated failures, degradations, or discovered vulnerabilities of security systems, licensees should also provide the following information in addition to items 1 through 15 above:

(a) description of failed, degraded, or vulnerable systems or equipment, e.g., manufacturer and model number, procedure number
(b) status of the equipment or system prior to the event (e.g., operating, being maintained secure, being implemented) and, as applicable, the compensatory measures in place
(c) description of the failure, degradation, or vulnerability identified (specify)
(d) any unusual conditions that may have contributed to the failures, degradations, or discovered vulnerabilities of security system, e.g., environmental conditions, plant outage
(e) apparent cause of each component or system failure, degradation or vulnerability
(f) secondary functions affected (for multiple-function components)
(g) effect on plant safety

For threat-related incidents, licensees should also provide the following information in addition to items 1 through 15 above:

(a) type of threat, e.g., bomb threat, extortion, tampering, interruption of normal operations, attempted diversion of SNM, theft, armed assault
(b) a detailed description of perpetrators or attackers, e.g., number, armament, method of threat, appearance, personal characteristics
(c) method or means of threat communication, e.g., letter, telephone, email
(d) text or verbatim transcript of threat
(e) clear photocopy of threat letter and accompanying envelope, if applicable

Licensees should be aware that any media used to communicate a threat may become evidence in an investigation and the integrity of that material should be maintained.
DG-5019, Page 25

4.3.3 Submittal of Written Reports

In accordance with proposed 10 CFR 73.71(f)(2)(a)(4), 73.71(g)(3), 73.71(g)(6), 73.71(g)(8), and (g)(11), licensees should perform the following when submitting a written report:

(1) Submit one copy of each written report to NRC Headquarters.

United States Nuclear Regulatory Commission
Attn: Director, Office of Nuclear Security and Incident Response
11555 Rockville Pike
Rockville, MD 20852-2738

(2) Send a second copy to the appropriate NRC Regional Office listed in Appendix A to 10 CFR Part 73.
(3) Submit revised reports (i.e., subsequent to the initial written report) to both NRC headquarters and the Regional Office.
(4) Ensure that event reports are legible and of a quality to permit reproduction and processing.
(5) Maintain copies of the report in accordance with 10 CFR 73.71(g)(11) for a period of 3 years from the date of the report.

Licensees are not required to submit followup written reports of suspicious activities made under the provisions of 10 CFR 73.71(d) and paragraph II of Appendix G.
4.4 Security Event Log

Events reportable under the provisions of 10 CFR 73.71(f) and Appendix G, paragraphs IV(a) and (b), should be logged or recorded rather than reported by telephone. These events should be entered in the log as soon as practical after the licensee becomes aware of them, but always within 24 hours, as required. The licensee should initially log the information as received and then summarize it when the event or condition terminates. Since licensees are required to investigate, correct, or respond to any event or condition that threatens nuclear activity or lessens the effectiveness of the security system, the licensee should have included the event details when the entry was made in the log. The events that should be logged are discussed in Section 3 of this guidance.

The NRC does not specify the format and method for maintaining the security event log in regulatory requirements. Events should be included in a security event log that may be hard-copy or preferably in a searchable electronic database. The NRC prefers the use of electronic log maintenance so that the events recorded may be more easily evaluated and analyzed. Licensees should take care in assuring that the protective requirements of 10 CFR 73.21 and 73.22 are maintained for the data records. Each log must be retained for 3 years after the last entry to that log. Licensees should maintain the following information in the log:

(1) date and time of the event or condition
(2) brief (one-line) description of the event
(3) brief (one-line) description of compensatory measures or corrective actions taken
(4) area or security element affected (e.g., vital area, OCA, perimeter alarm system, response capability, barriers, transport vehicle, communications)
(5) how the event was detected (e.g., alarm, patrol, test, informants, plant staff observations)
(6) reference to more detail when applicable (e.g., Incident Report 06-1234, Surveillance Test 04-2348, plant condition report number)

4.5 Training of Non-Security Staff

Discovery of reportable or recordable events is not limited to members of the security organization. All site employees with unescorted access should receive training to foster awareness and be briefed on their responsibility to immediately notify site security or management personnel of anomalies, failures, degradations, or vulnerabilities of security systems, or suspicious activities. Licensees may provide this training during general plant training and periodic refresher training. Several licensees have also found it beneficial to include training "tips" or elements of the training program in recurring plant publications, such as newsletters, electronic signs, or other organizational reminders.
 
DG-5019, Page 27

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants and licensees regarding the NRC's plans for using this regulatory guide. No backfit is intended or approved in connection with its issuance.

The NRC has issued this draft guide to encourage public participation in its development.
Except in those cases in which an applicant or licensee proposes or has previously established an acceptable alternative method for complying with specified portions of the NRC's regulations, the methods to be described in the final guide will reflect public comments and will be used in evaluating (1) submittals in connection with applications for construction permits, standard plant design certifications, operating licenses, early site permits, and combined licenses; and (2) submittals from licensees who voluntarily propose to initiate system modifications if there is a clear nexus between the proposed modifications and the subject for which guidance is provided herein.

REGULATORY ANALYSIS

The regulatory analysis prepared for the amendment of 10 CFR 73.71 and Appendix G of 10 CFR Part 73 provides the regulatory basis for this guide and examines the costs and benefits associated with implementing the rule as described in this guide. A copy of that regulatory analysis is available for inspection and copying (for a fee) at the NRC's Public Document Room (PDR), which is located at 11555 Rockville Pike, Rockville, Maryland. The PDR's mailing address is USNRC PDR, Washington, DC 20555-0001. The PDR can also be reached by telephone at (301) 415-4737 or (800) 397-4209, by fax at (301) 415-3548, and by email to PDR@nrc.gov.

Revision as of 22:42, 14 October 2018

DG-5019, Reporting of Safeguards Events
ML071710233
Person / Time
Issue date: 06/28/2007
From:
Office of Nuclear Regulatory Research
To:
Shared Package
ML071710230 List:
References
DG-5019
Download: ML071710233 (34)


Text

This regulatory guide is being issued in draft form to involve the public in the early stages of the development of a regulatory position in this area. It has not received final staff review or approval and does not represent an official NRC final staff position.

Public comments are being solicited on this draft guide (including any implementation schedule) and its associated regulatory analysis or value/impact statement. Comments should be accompanied by appropriate supporting data. Written comments may be submitted to the Rulemaking, Directives, and Editing Branch, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001; emailed to NRCREP@nrc.gov; submitted through the NRC's interactive rulemaking Web page at http://www.nrc.gov; faxed to (301) 415-5144; or hand-delivered to Rulemaking, Directives, and Editing Branch, Office of Administration, USNRC, 11555 Rockville Pike, Rockville, Maryland 20852, between 7:30 a.m. and 4:15 p.m. on Federal workdays. Copies of comments received may be examined at the NRC's Public Document Room, 11555 Rockville Pike, Rockville, MD. Comments will be most helpful if received by 60 days from issuance.

Requests for single copies of draft or active regulatory guides (which may be reproduced) should be made to the U.S. Nuclear Regulatory Commission, Washington, DC 20555, Attention: Reproduction and Distribution Services Section, or by fax to (301) 415-2289; or by email to Distribution@nrc.gov. Electronic copies of this draft regulatory guide are available through the NRC's interactive rulemaking Web page (see above); the NRC's public Web site under Draft Regulatory Guides in the Regulatory Guides document collection of the NRC's Electronic Reading Room at http://www.nrc.gov/reading-rm/doc-collections/; and the NRC's Agencywide Documents Access and Management System (ADAMS) at http://www.nrc.gov/reading-rm/adams.html, under Accession No. ML071710233.

U.S. NUCLEAR REGULATORY COMMISSION
June, 2007
OFFICE OF NUCLEAR REGULATORY RESEARCH
Division 5
DRAFT REGULATORY GUIDE
Contact: B. Schnetzler
(301) 415-7883

DRAFT REGULATORY GUIDE DG-5019
(Proposed Revision 2 of Regulatory Guide 5.62, dated December 2006)

REPORTING OF SAFEGUARDS EVENTS

A. INTRODUCTION

This draft regulatory guide provides an approach acceptable to the NRC staff for use by licensees for reporting of security events. In 10 CFR Part 73, "Physical Protection of Plants and Materials," Section 73.71 requires licensees to report to the Operations Center of the Nuclear Regulatory Commission (NRC) or to record in a log certain security events. Appendix G, "Reportable Safeguards Events," to 10 CFR Part 73 (Appendix G) describes reporting requirements in detail. Appendix E to 10 CFR Part 50 (Appendix E), "Emergency Planning and Preparedness for Production and Utilization Facilities," provides more detailed information for emergency planning and preparedness. The events to be reported or recorded are those that represent actual or potential threats, suspicious activities, external attacks, or internal tampering with equipment that threaten or affect safe plant operations or effective security operations. The events to be recorded are those that affect or lessen the effectiveness of the security systems, components, and procedures as established by security regulations and the licensee's approved security plans.

Licensees should consider obtaining access to NRC's Protected Webserver (PWS) in order to obtain routine threat bulletins and analyses from the Federal Bureau of Investigation (FBI) and U.S. Department of Homeland Security (DHS). Licensees should contact region and headquarters staff for further information on obtaining access to PWS.

This regulatory guide provides acceptable methods for use by licensees for determining when and how an event should be reported or recorded. The examples provided represent the types of events that should be reported but are not intended to be all inclusive. Should questions arise regarding the reporting or recording of an event or activities, the licensee may consider discussing the matter with appropriate region or headquarters NRC staff, if time permits. Otherwise, the report should be made and later discussed with the staff. The licensee is solely responsible for the decision and content of reports made to the NRC. Reporting or recording events under the provisions of this guidance should not be considered by licensee managers as indicative of performance failures. Rather, the NRC considers timely and comprehensive communications of matters relating to threat assessment and protecting public health and safety as a primary and positive means of ensuring both.

Fitness-for-duty events are not addressed in this guide; licensees must report fitness-for-duty events under the provisions of 10 CFR 26.73.

Any information collection activities mentioned in this regulatory guide are included as requirements in 10 CFR Part 73.8, which provides the regulatory basis for this guide. The NRC considers the guidance contained herein to be the most current on an acceptable approach for reporting.

The NRC issues regulatory guides to publicly describe the methods that the staff considers acceptable for use in implementing specific parts of the agency's regulations, to explain techniques that the staff uses in evaluating specific problems or postulated accidents, and to provide guidance to applicants. This draft regulatory guide relates to information collections that are covered by the requirements of 10 CFR Part 73 and that the Office of Management and Budget (OMB) has approved under OMB control number 3150-0002. The NRC may neither conduct nor sponsor, and a person is not required to respond to, an information collection request or requirement unless the requesting document displays a currently valid OMB control number.

DG-5019, Page 3

Table of Contents

A. INTRODUCTION ... 1
B. DISCUSSION ... 4
C. REGULATORY POSITION ... 5
  1. Licensees Subject to 10 CFR 73.71 ... 5
  2. Telephonic Reportable Events ... 5
    2.1 Security Events to be Reported Within 15 Minutes ... 6
    2.2 Examples of Security Events to be Reported Within 15 Minutes ... 7
    2.3 Security Events to be Reported Within 1 Hour ... 7
    2.4 Examples of Security Events to be Reported Within 1 Hour ... 10
    2.5 Security Events of Suspicious Activities to be Reported Within 4 Hours ... 12
    2.6 Examples of Security Events to be Reported Within 4 Hours ... 13
  3. Recordable Events (Do Not Require Telephonic Notification) ... 14
    3.1 Security Events to be Recorded in the Security Log ... 15
    3.2 Examples of Security Events to be Recorded in the Security Log ... 15
    3.3 Security Events Not Expected to be Recorded in the Security Log ... 17
    3.4 Examples of Security Events Not Expected to Be Recorded in the Security Event Log ... 17
  4. Procedures for Telephonic Reports and Dual Reporting ... 19
    4.1 Telephonic Reports ... 19
      4.1.1 15-minute Reports ... 19
      4.1.2 1-hour Reports ... 20
      4.1.3 4-hour Reports ... 20
      4.1.4 Telephonic Followup Requirements ... 20
      4.1.5 Telephonic Followup Guidelines ... 21
    4.2 Dual Reporting ... 22
    4.3 Written Reports ... 22
      4.3.1 NRC Form 366 ... 23
      4.3.2 Content of Written Reports ... 23
      4.3.3 Submittal of Written Reports ... 25
    4.4 Security Event Log ... 25
    4.5 Training of Non-Security Staff ... 26
D. IMPLEMENTATION ... 27
Glossary ... 28
References ... 31
Bibliography ... 32
Appendix A: Reporting Suspicious Aviation-related Activities and Coordination with the Federal Aviation Agency ... A-1

DG-5019, Page 4

B. DISCUSSION

Background

The information reportable under 10 CFR Section 73.71 is required to inform the NRC of security-related events that endanger, or have the potential to endanger, public health and safety or common defense and security, which provide threat-related information, or which could generate public inquiries.
The required information also permits analysis of security system reliability and effectiveness, and potential changes in the local, State, and Federal threat environments.

The regulations in 10 CFR 73.71 provide the structure for reporting security-related information to the NRC. These reports require licensees to notify the NRC by telephone within 15 minutes, within 1 hour, or within 4 hours, as applicable. These reports also include events that licensees do not routinely transmit to the NRC but are recorded and maintained onsite for NRC review and analysis. The types of information to be reported generally are focused on event description, threat-related information, and security system reliability and effectiveness. This guidance follows the format of the revised rule. Appendix G provides a more detailed description of the types of events and information to be reported or recorded.

Certain significant security events warrant immediate involvement by the NRC. Therefore, licensees must report some events by telephone to the NRC within 15 minutes and others within 1 hour of initial discovery. Licensees should note that the required 15-minute notifications are particularly important during a security-related event, and (1) support subsequent notifications to other licensees regarding a potential security threat and (2) inform other Federal organizations in accordance with the National Response Plan. Effective response by those affected could depend on the rapid and timely dissemination of information relating to imminent or actual security threats. Other significant security-related events continue to require prompt NRC notification within 1 hour. Additionally, licensees frequently become aware of activities at their facilities or in their communities that may be suspicious or indicative of potential pre-operational threat activities focused on their facilities. Suspicious activities are now required to be reported within 4 hours. Revisions to the rule and this guidance are intended to provide consistency in reporting among all applicable licensees.

Other security events not addressed above should be recorded by the licensee in a log within 24 hours of discovery, and copies of the log are maintained as records for 3 years from the date of the logged event. These log entries allow the NRC and licensees to analyze events at a particular site and similar events among licensees. In addition to providing valuable information regarding failures, degradations, or discovered vulnerabilities, an analysis of this information allows for the identification of generic issues that can be communicated to all.

The NRC intends that licensees report and record required information only. Consequently, in order to provide balanced guidance, this regulatory guide also provides information and examples of occurrences that are not reportable or recordable. As with other portions of this Guide, the information contained in Section 3.4, "Examples of Security Events Not Expected to be Recorded in the Security Event Log," is neither limiting nor constraining, and the responsibility for compliance with regulatory requirements is the licensees'.

For the purposes of this regulatory guide, and to assist in implementing the regulations, a glossary is provided at the end of this guide.

DG-5019, Page 5

C. REGULATORY POSITION

1. Licensees Subject to 10 CFR 73.71

In order to clarify the applicability of the revised 10 CFR 73.71 and Appendix G to 10 CFR Part 73 (Appendix G) to categories of licensees, the staff notes the applicability of the following regulations:

* The regulations in 10 CFR 73.71(a) and paragraph I of Appendix G currently apply to power reactors subject to the provisions of 10 CFR 73.55.
* The regulations in 10 CFR 73.71(b) and paragraph II of Appendix G currently apply to licensees subject to the provisions of 10 CFR 73.25, 73.26, 73.27(c), 73.37, 73.67(e), or 73.67(g).
* The regulations in 10 CFR 73.71(c) and paragraph II of Appendix G currently apply to licensees subject to the provisions of 10 CFR 73.20, 73.37, 73.50, 73.51, 73.55, or 73.60.
* The regulations in 10 CFR 73.71(d) and paragraph III of Appendix G currently apply to power reactors subject to the provisions of 10 CFR 73.55.
* The regulations in 10 CFR 73.71(e) currently apply to various licensees and describe how licensees should make telephonic notification to the NRC.
* The regulations in 10 CFR 73.71(f) currently apply to licensees subject to the provisions of 10 CFR 73.20, 73.37, 73.50, 73.51, 73.55, or 73.60, and licensees possessing strategic special nuclear material (SSNM) subject to the provisions of 10 CFR 73.67(d).
* The regulations in 10 CFR 73.71(g) currently apply to all licensees who are required to submit a written report.

2. Telephonic Reportable Events

The regulations in 10 CFR 73.71(a), (b), (c), (d), and (e) require licensees to make a telephonic report to the NRC. Guidance regarding the types of information to be provided by telephone is discussed below. The purpose of a telephonic report is to ensure timely, direct, and accurate communication of information to the NRC relating to security matters that may require action on the part of licensees, the NRC, or other Government agencies. These actions may involve a change in the NRC Headquarters Operations Center response mode or response to media inquiries. Other methods of communication such as email or text messaging should not be used unless extreme conditions prohibit telephonic reporting. Some examples of these reports are also provided to assist licensees and the NRC in evaluating the reportability of security events and information received by licensees. The examples provided are not intended to be either limiting or all inclusive, but only illustrative.

Depending on the type of licensee, and the type of information required to be reported, the timeliness of telephonic reports differs, as described below. Timeliness in telephonic reporting is important to ensure effective communication among potential responders and within the threat analysis community. The accuracy of information provided in telephonic reports is likewise important to ensure that decisions relating to potential response and threat analysis are appropriate. Licensees should provide the most complete and accurate information available to them at the time telephonic reports are required to be made. It is recognized that information changes as events develop and as additional related information is received. Additional calls describing substantive changes, additions or modifications to the initial information provided should be made in a timely manner, but after immediate actions to stabilize the plant have been taken in accordance with the licensee's emergency operations and imminent threat procedures.

It is recognized that some of the required telephonic security reports may result in an emergency classification in accordance with Appendix E to 10 CFR Part 50. Licensees should understand that while dual-reporting (making two phone calls to report the same information) is not normally required, a reportable security event is to be communicated under the most immediate reporting requirements.
This communication can be concurrent but should not delay reporting in accordance with 10 CFR 73.71. Telephonic reports should not interfere with actual response or summoning assistance; however, telephonic reports should be considered actions of the highest priority to ensure require action on the part the NRC, or other Government agencies. Specific guidance is provided in Section 4.2, "Dual Reporting."

The importance of telephonic reports is emphasized by the fact that 10 CFR 73.22(f)(3) exempts the information transmitted under the provisions of 10 CFR 73.71 from protection requirements. Security information must only be transmitted by secure telecommunications equipment except in emergencies or extraordinary conditions in accordance with 10 CFR 73.22(f)(3). The NRC considers telephonic reports that must be made pursuant to 10 CFR 73.71 to be the type of emergency or extraordinary condition contemplated by 10 CFR 73.22(f)(3), and therefore would be subject to the exceptions. However, licensees should endeavor to protect sensitive information whenever possible and as conditions permit.

It is recommended that the determination for reporting events should be made by on-site security managers, licensees' agent managers, or their equivalent when practical. It is also suggested that procedures be developed to assist managers and other site personnel in making decisions regarding reporting and to describe the specific method each facility uses to make required notification(s).

The method and content of telephonic and written follow-up reports are described in Section 4. The licensee is not expected to report information that has been already provided to them by the NRC, such as the threat warning system addressed in Appendix C, "Licensee Safeguards Contingency Plans," to 10 CFR Part 73.

2.1 Security Events to be Reported Within 15 Minutes

The regulations in 10 CFR 73.71(a) require that each licensee subject to the provisions of 10 CFR 73.55 notify the NRC Headquarters Operations Center as soon as possible but not later than 15 minutes after the discovery of an imminent threat or actual threat against the facility described in paragraph I of Appendix G. This requirement only applies to power reactors.

As noted in paragraph I of Appendix G, these reports involve threats that result in the initiation of a security response consistent with a licensee's physical security plan, safeguards contingency plan, or defensive strategy and which are based on an actual or imminent threat. Although many levels of security response are described in the plans and strategy, for the purposes of this reporting requirement, the security response means the substantive implementation of the armed response capabilities (security contingency event). Licensees need not report response information initiated as a result of information provided to them by the NRC (e.g., NRC Bulletin 2005-02, "Emergency Preparedness and Response Actions for Security-Based Events," (Ref. 1) and RIS 2006-12, "Endorsement of Nuclear Energy Institute Guidance 'Enhancements to Emergency Preparedness Program for Hostile Action'," (Ref. 2)).

Reports made under the provisions of this section are applicable only to security events, either actual or imminent which are also security contingency events. In the first situation, a licensee has been attacked - a hostile act toward a Nuclear Power Plant or its personnel has been committed or in progress that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. It includes attack by air, land, or water using guns, explosives, projectiles, vehicles, or other devices used to deliver destructive force.
For reporting under this section, an imminent security event is one that is believed to be real, believed to have characteristics as described above, and which will likely manifest itself within 1 hour. Because an actual or imminent security event is also a security contingency event, a very short reporting time is required. The information provided in these reports may ensure that threat-related information is made available to other entities, which have the potential to be affected, in a timely manner.

The purpose of this notification is to allow the NRC to warn other licensees and initiate Federal response through DHS in accordance with the National Response Plan, when applicable. In support of this notification process the NRC Operations Center will not request an "open communications line" for the initial (<15 minute) notification. See Section 4.1.1 of this regulatory guide for additional information regarding the suggested content of these calls. If the licensee has classified the event before this call and that information is provided to the NRC, then the initial notification to the NRC as required by 10 CFR 50.72(a)(1)(i) will be considered met. Following the prompt notification, licensees are expected to provide additional information in accordance with the requirements of 10 CFR 50.72(c) and the licensee may be requested to maintain "open communications" at that time. See Section 4 of this Regulatory Guide for additional information on the process for making telephonic reports.

2.2 Examples of Security Events to be Reported Within 15 Minutes

The following list provides, but is not limited to, some examples of security events to be reported within 15 minutes:

(1) an actual or imminent assault on a licensee's facility that has characteristics or components of the Design Basis Threat (DBT) or an assault that exceeds the DBT characteristics or components
(2) detonation of an explosive device (e.g., a land or water vehicle bomb) at or near the facility
(3) notification from law enforcement authorities or other reliable source that a vehicle bomb or assault force is imminent at the facility
(4) a vehicle that attempts to forcefully (a deliberate, malevolent act) gain access through site vehicle barriers
(5) shots being fired at the facility - a threat to the site is believed to exist, and a security contingency response is initiated
(6) site-specific imminent threats - an imminent threat has been reported to the site and security response has been initiated (including discovery of intent to commit such an act, when a person or organization claims responsibility, or there is a pattern of threats)
(7) observed malevolent actions taken by an insider or other individual(s) that interrupt normal operation of a nuclear power reactor (e.g., mis-positioned valves or hand switches, severed connections, adding foreign substances into lubricants)
(8) taking of hostage(s) (e.g., onsite or offsite hostage taking as related to site operations)

2.3 Security Events to be Reported Within 1 Hour

Licensees should note that 10 CFR 73.71(a) and (b) require prompt 1-hour reports. These requirements are detailed in paragraph II of Appendix G.

The regulations in 10 CFR 73.71(b) relate to the loss or recovery of any shipment of special nuclear material (SNM) or spent nuclear fuel. These events involve security events in which theft, loss, or diversion of a shipment of SNM or spent nuclear fuel has occurred or is believed by the licensee to have occurred.

In addition, 10 CFR 73.71(c) points to the reporting of events listed in paragraph II of Appendix G. These events generally relate to events not addressed in the 15-minute reports. These security events are reportable if the NRC or licensee staff believes that a person has committed, caused, attempted to cause, or made a threat to commit or cause the following:

(1) theft or diversion of SNM
(2) significant physical damage to a power reactor, SNM processing facility, or carrier equipment transporting SNM or spent nuclear fuel
(3) interruption of normal operation of any NRC-licensed power reactor through unauthorized use of or tampering with its components, controls, or security systems
(4) actual or attempted entry of an unauthorized person into an area that the licensee is required to control access
(5) any uncompensated for failure, degradation, or vulnerability in a security system that could allow undetected or unauthorized access to a controlled area
(6) actual or attempted introduction of contraband into an area which the licensee is required to control access
(7) for power reactor licensees, an actual or attempted introduction of contraband into the owner-controlled area (OCA) when the contraband has been determined to represent a threat capable of reducing the effectiveness of the physical security program¹

¹ This addition to paragraph II of Appendix G, Part 73, is being considered for final rule language of the proposed rule, "Power Reactor Security Requirements," published in the Federal Register on October 26, 2006, Pages 62664 - 62874. (Ref. 3)

These types of reports include security events or information not reported as the 15-minute immediate reports
(actual and substantial armed response) but which provide reason to believe that a person has caused or attempted to cause an event, or has made a threat to cause the types of events outlined in paragraph II(a) of Appendix G. In terms of this reporting requirement, "reason to believe" should be supported by reliable and substantive information that includes physical evidence supporting the threat, additional information independent of the threat, or the identification of a specific, known group, organization or individual which claims responsibility for the threat. "Attempts to cause" a threat means that reliable and substantive information exists that an effort to accomplish the threat, even though it has not occurred or has not been completed because it was interrupted or stopped before completion.

These reports include security events which are less imminent in nature and which may not necessarily result in a substantive armed response or deployment of the security force or a contingency response. They may result, for example, in a commitment of staff to search a facility or the request of assistance from law enforcement authorities, or cause a search for an overdue shipment.

The types of actions that should be reported include (1) the theft or unlawful diversions of SNM or (2) physical damage to power reactors, SNM processing facility, or transportation equipment. Licensees should evaluate these security-related events to determine whether these events involve a threat or are non-threat-related, such as mechanical failure or obvious accidents. Nevertheless, licensees should report theft or diversion of SNM, regardless of the cause.

The interruption of normal operations of a nuclear power reactor that is the result of intentional tampering or unauthorized use of equipment or components is also reportable. This could include intentional tampering with systems or equipment that is normally in standby but would need to operate if called upon.
Licensees should ensure that an appropriate preliminary evaluation of potential or actual interruptions of operations-related occurrences is initiated to determine whether the causes would likely be simple human error, mechanical failure, or intentional acts. This evaluation should include reasonable actions or information collected within 1 hour. At that time, licensees should make the decision whether the information indicates an actual or attempted threat and make a telephonic report as applicable. Should a licensee determine that the collected information does not represent an actual or attempted threat and later changes its determination, the licensee can make a report at that time, when the determination changes.

Paragraph II(b) of Appendix G refers to the actual or attempted entry of an unauthorized person into any area that the licensee is required to control. This would include, for example, protected areas, vital areas, material access areas, controlled access areas, or transportation equipment. The delineation and control measures for each of these areas are described in applicable portions of 10 CFR Part 73. An actual entry refers to the penetration or the actual circumvention of those control measures by a person who is not, at the time, authorized into the area in question. "Attempts of entry by unauthorized persons, vehicles, or material" means that reliable and substantive information indicates that (1) an effort to accomplish the entry, even though it has not yet occurred, is possible, or (2) the entry was not successful because it was interrupted or stopped before completion. An attempt at entry that was stopped by responders or other security system elements would be included. Licensees should ensure that an appropriate evaluation is conducted within the reporting time to determine whether the entry or attempted entry was unauthorized.
Power reactor licensees may have a situation that is an exception to the 1-hour reporting requirements of the regulation: personnel who attempt to enter or actually enter a controlled area (e.g., vital area) by tailgating into areas where they do not have current authorization but would have been authorized, if needed. For power reactor licensees, this event is not a threat to the plant. For power reactor licensees, unauthorized entry of personnel does not include the vehicle barrier system unless an actual or attempted entry was made that threatens security. See Sections 2.4 and 3.2 of this regulatory guide for more examples of security events.

The actual or attempted introduction of contraband material, such as weapons, explosives, incendiary devices, which represents a threat to the safe operation or security integrity of the facility, should be reported as noted in paragraph II(d) of Appendix G. Licensees should ensure that an appropriate evaluation is conducted within the reporting time to determine whether the actual or attempted introduction of contraband into a controlled area occurred. Power reactor licensees would not include the OCA in this evaluation unless an actual or attempted introduction of contraband is made that threatens security.

Uncompensated failures and degradations or discovered vulnerabilities of safeguard systems that could likely allow unauthorized or undetected access to an area required to be controlled should be reported within 1 hour, as described in paragraph II(c) of Appendix G. "Uncompensated" means compensatory measures included in security plans or procedures that have either not been implemented, were implemented incorrectly, or were ineffective. To clarify, for the uncompensated failures just discussed, licensees should report not only mechanical or electrical problems but also failures in procedures and personnel practices or performance.
Exercises, testing, maintenance, audits, inspections, and recurring observations are intended to or may identify failures, degradations, or vulnerabilities in security systems, and some may be required to be reported within 1 hour. However, it is not intended that all findings are reported. Only those types of security events that could actually allow undetected or unauthorized access should be reported within 1 hour. These types of events would usually affect multiple layers of physical security systems or an individual, critical, single-failure of a program element that would allow undetected or unauthorized access. Other failures, degradations, or discovered vulnerabilities of security systems not relating to unescorted or undetected access may need to be recorded as described in paragraph IV of Appendix G. To determine the appropriate reporting category for security events, licensees should review the lists for each category (e.g., Section 3.4, "Examples of Security Events Not Expected to Be Recorded in the Security Event Log").

See Section 4.1.2 of this regulatory guide for additional information regarding the suggested content of these calls.

2.4 Examples of Security Events to be Reported Within 1 Hour

The following list includes, but is not limited to, some examples of security events to be reported within 1 hour.

(1) The following are examples for theft or diversions of SNM:
  • discovery of a suspicious vehicle following a licensed carrier transporting formula quantities of SSNM or spent fuel for which law enforcement authorities have been notified
  • actual breakdown of transport vehicle for SSNM

  • actual or believed theft, diversion, or loss of SNM or spent fuel
  • mass demonstration near plant which could cause a threat to the facility

(2) The following are examples of significant physical damage to a power reactor, SNM processing facility, or carrier equipment transporting SNM or spent nuclear fuel:
  • bomb or extortion threats that are considered reliable and substantive, when the event has not been reported under Section 2.2, "Examples of Security Events to be Reported Within 15 Minutes" (This includes the discovery of intent to commit such an act. In addition, the results of any bomb search should be made within 1 hour of completion. Unsubstantiated bomb or extortion threats which are part of a pattern of harassment should also be reported within 1 hour.)
  • fire or explosion of suspicious or unknown origin within an OCA, protected area, controlled area, material access area, vital area, or target set area that has not been reported under the 15-minute guidelines

(3) The following are examples for interruption of normal operation of any NRC-licensed power reactor through unauthorized use of or tampering with its components, controls, or security systems:
  • tampering with plant equipment or physical security equipment that is either confirmed to be suspicious or malevolent in origin or is determined not to be reasonable mechanical failure or human error (Events which are suspicious in nature and for which no general assessment can be made within 1 hour, should be reported)

  • confirmed cyber attacks on or failures of computer systems that may adversely impact safety, security, and emergency preparedness
  • an actual or imminent strike by the security force

(4) The following are examples of actual or attempted entry of an unauthorized person into an area that the licensee is required to control access:
  • actual entry of unauthorized person into a controlled access area (for power reactor licensees, this does not include the OCA unless an actual or attempted entry was made that threatens security)
  • discovery of a criminal act involving individuals granted unescorted access, which in the judgment of the licensee, could afford an opportunity to adversely affect plant safety or represents a threat
  • discovery of falsified identification badges or key-cards that could allow access to controlled areas
  • uncompensated for loss of all ac power to security systems that could allow unauthorized or undetected access to areas which are required to be controlled
  • improper control of access control area or media (e.g., key-cards, passwords, cipher codes) that results in the use of the media during the time it is not controlled (e.g., tailgating into an area to which the individual would not have been authorized)
  • incomplete or inaccurate preauthorization screening that would have resulted in the denial or suspension of unescorted access authorization had the screening been complete and accurate (this involves either the authorization or the granting of unescorted access)

(5) The following are examples of any uncompensated for failure, degradation, or vulnerability in a security system that could allow undetected or unauthorized access to a controlled area:
  • discovery of lost or stolen classified documents (e.g., National Security Information or Restricted Data) pertaining to a facility or transportation
  • discovery of lost or stolen unclassified safeguards information that would substantially assist in the circumvention of security systems or which has been lost in a manner that could allow a significant opportunity for compromise
  • the unavailability of the minimum number of security response personnel even after the appropriate recall procedure for the security force has been implemented
  • loss of intrusion detection capability that is not compensated within NRC-approved security plan requirements
  • failure to adequately compensate for an event or identified failure, degradation, or vulnerability that could allow undetected or unauthorized access (licensees need not report within 1 hour if the failure involves a very short period of time, i.e., 10 minutes or less; those events should be logged)
  • loss of either the alarm capability or locking mechanism on a material access portal
  • an uncompensated design flaw or vulnerability in a physical protection system that could have allowed unauthorized access or which could have substantively eliminated or significantly reduced response capabilities
  • loss of all offsite communications

(6) The following are examples of actual or attempted introduction of
contraband into an area which the licensee is required to control access:
  • discovery of unaccounted, lost, or stolen keys (but not key-cards or badges) that allow access to controlled areas
  • loss of a security weapon that is not retrieved within 1 hour

(7) An example for power reactor licensees is an actual or attempted introduction of contraband into the OCA when the contraband has been determined to represent a threat capable of reducing the effectiveness of the physical security program.¹

2.5 Security Events of Suspicious Activities to be Reported Within 4 Hours

This telephonic reporting requirement applies only to power reactor licensees. Licensees should report suspicious activities, as these may indicate pre-operational surveillance, reconnaissance, or intelligence gathering targeted against the facility. The NRC intends that this category address the reporting of suspicious activities only and not other security events. The reporting of suspicious activities assists the NRC in evaluating threats and potential threats that may be directed at licensed nuclear power reactors. In some cases, the intelligence community has benefitted from followup investigations based on reports of what originally appeared to be innocuous activity, made under the NRC's advisory guidance. Additionally, experience in threat evaluation in recent years has shown that the intelligence and homeland security communities are assisted by the inclusion of reports that provide information regarding suspicious activities in evaluating threats across the critical infrastructure. Although these requirements apply only to power reactors, the NRC strongly encourages other licensees to report suspicious activities, in accordance with guidance previously provided.

When reporting events under these requirements, licensees also should consider the additional guidance that the NRC provided since the September 11, 2001, terrorist attacks on the United States (e.g., Regulatory Information Summaries, Information Assessment Team Advisories). Often these events are time-sensitive and transitory in nature so that, as noted in Section 4.3, written reports are not necessary. The NRC believes that the reporting interval of 4 hours should be sufficient to meet the broader goals of threat assessment.
However, licensees should recognize that some suspicious activities, by their nature, may be more sensitive or significant than others and may need to be reported sooner.

The licensee's security and plant management may decide to submit a report sooner than required by NRC regulations.

A suspicious activity may quickly lead to a response or event. Licensees should report that response or event in accordance with 10 CFR 73.71 and Appendix G and include the suspicious activity as factual information.

Suspicious activities to be reported should be concrete events and not based solely on speculation. Concrete events include observations by staff, local law enforcement personnel, evidence of the presence of unknown personnel, telephone contacts, documents obtained, and testimonies of credible witnesses.

Licensees should also recognize that NRC is neither requesting licensees to actively gather intelligence nor designating licensees with the authority to conduct law enforcement activities. The NRC intends that licensees report information that comes to their attention. These reporting requirements provide for a consistent means of communicating this type of information to the NRC.

² Care should be taken to recognize accredited working journalists conducting normal and recognizable research. If their interest is routine or typical and understandable, their elicitation of information should not be reported.

Licensees can obtain additional information regarding possible indicators of terrorist activities that may be encountered during the course of normal activities in a jointly published DHS-FBI report entitled, "Terrorist Threats to the U.S. Homeland: Reporting Guide for Critical Infrastructure and Key Resources, Owners, and Operators," designated Unclassified and For Official Use Only. Licensees can obtain this 18-page document from the NRC, available as Event 2464 on the NRC's PWS.

2.6 Examples of Security Events to be Reported Within 4 Hours

The following list includes, but is not limited to, examples of security events to be reported within 4 hours:

(1) The following are examples for any security-related incident involving suspicious activity that may be indicative of potential pre-operational surveillance, reconnaissance, or intelligence-gathering activities directed against the facility:
  • persons showing uncommon interest or inquiries in security measures or personnel, entry points or access controls, or perimeter barriers such as barriers, fences, or walls
  • persons showing uncommon interest in facilities by photographing or videotaping
  • suspicious attempts to recruit employees or persons knowledgeable about key personnel, facilities, or systems
  • persons loitering for no apparent purpose who do not fit into the surrounding environment (e.g., such as persons wearing improper attire for the conditions)
  • suspicious behavior (e.g., fleeing, staring, moving quickly away from personnel, unexpected vehicle movement when approached)
  • secretive use of still cameras, video recorders, sketching, map making, or note-taking that is not usually associated with normal tourist interest or behavior
  • elicitation of information from security or other site personnel regarding security systems and/or vulnerabilities²
  • unauthorized attempts to probe or gain access to business secrets or other licensee-sensitive information or control systems, to include the use of social engineering techniques (e.g., impersonating users)
  • theft or suspicious loss of official company identification documents, uniforms, or vehicles necessary for accessing plant facilities
  • use of forged, stolen, or fabricated documents to support access control or authorization activities
  • use of forged, stolen, or fabricated documents to gain access to the OCA for any purposes
  • boating activities conducted in atypical locations or attempts to loiter near restricted areas
  • any unusual attempts to obtain information or documents relating to training in site security techniques, procedures, or practices
  • discoveries of Web site postings which make violent threats relating to NRC-licensed facilities
  • unusual threat- or terrorist-related activities that become known to plant security or management staff within the local community or other local critical infrastructure or key resources involving the following: (a) unusual surveillance, probing or reconnaissance, (b) attempts to gain unauthorized access, (c) attempts to gain access to or acquire hazardous or dangerous materials, (d) unusual use of materials, or (e) financing to support terrorist activities
  • a stated threat against the facility

(2) An example for any security-related incident involving suspicious aircraft overflight activity is suspicious aircraft activity. (Appendix A of this regulatory guide outlines the guidance for reporting suspicious aircraft activity and for interfacing with Federal partners. In accordance with Appendix A, licensees are requested to continue to use previously established communications protocols.)

(3) An example for incidents resulting in the notification of local, State or national law enforcement, or law enforcement response to the site not reported under other areas of this guidance is calls to law enforcement for support or response relative to events not already reported in 15 minutes or 1 hour. In particular, reports should be made of calls made to local law enforcement agencies requesting a security response.
This does not include when law enforcement personnel are on-site for non-response official duties, training exercises, other scheduled activities, or sharing of information related to the 4-hour report category.

3. Recordable Events (Do Not Require Telephonic Notification)

Recordable or "loggable" events do not require telephonic notification to the NRC. Rather, licensees should record these events in a security event log that may be hard-copy or, preferably, a searchable electronic database. The event must be recorded in the licensee's chosen system within 24 hours of discovery.

Generally, these events are less significant than those required to be reported within 15 minutes, 1 hour, or 4 hours. However, analysis or follow-up to these logged events may result in the identification of system or performance vulnerabilities or deficiencies that may require corrective action and which may be generic in nature. The NRC expects that all loggable events be recorded regardless of who identifies them (i.e., licensee staff, contractors, the NRC or State inspectors, or independent auditors).

These events include any failures, degradations, or discovered vulnerabilities that could have allowed either unauthorized or undetected access to any area or transport controlled by NRC regulation (e.g., OCAs, protected areas, vital areas, material access areas, or controlled access areas) if compensatory measures had not been in place at the time of discovery.

Compensatory measures are described in facility security plans. Such measures may include backup equipment, additional security personnel, or other measures taken to ensure that the effectiveness of the physical protection program and systems or subsystem is not reduced by the failure or other contingency affecting the operation of the security-related equipment or structure. In order to consider compensatory measures in place, in terms of logging, they need to be implemented prior to the event or in a timely fashion as described in approved security plans. Compensatory measures should also provide a level of protection equivalent to the system or systems that were degraded or that protect against the identified vulnerability.

The significance and duration of a system defect or vulnerability are key factors in determining whether an event is reportable or simply recorded in the security event log. Even compensatory measures implemented promptly after discovery of the defect or vulnerability cannot provide protection for the period of time that the defect or vulnerability existed. Therefore, any failure, degradation, or discovered vulnerability that is known to have existed for a significant period of time and that should or could have been discovered in the course of patrols, surveillance, operational tests, or other means should be considered for reporting within 1 hour. "Uncompensated" means compensatory measures included in security plans or procedures have either not been implemented, were determined to be ineffective, or were implemented incorrectly. The aforementioned reports on failure and degradation should include not only mechanical or electrical problems but also failures in procedures or personnel practices or performance.
Exercises, testing, maintenance, audits, inspections, and recurring observations are intended to identify failures, degradations or vulnerabilities in security systems, and may be required to be logged. Only those types of events that could actually allow undetected or unauthorized access should be reported by telephone. Loggable types of events would usually affect single elements of physical security systems or any individual, a critical single-failure program element that would not allow undetected or unauthorized access. Additionally, administrative errors could represent such failures. Other failures, degradations or discovered vulnerabilities of security systems not relating to likely unescorted or undetected access should be recorded as described in paragraph IV(a) of Appendix G.

3.1 Security Events to be Recorded in the Security Log

Other less significant threatened, attempted, or committed acts or identified weaknesses/vulnerabilities not defined in previous sections of this guidance may have the potential to reduce the effectiveness of the physical protection below that described in physical security or contingency plans. Licensees should log these identified acts or vulnerabilities within 24 hours of identification or occurrence. For example, such an act is the failure to properly control security information that could not significantly assist in gaining access to a facility.
Another example is a bomb threat in which the caller is easily identified as a child, with no specificity nor other corroborating information.

3.2 Examples of Security Events to be Recorded in the Security Log

The following list includes, but is not limited to, some examples of security events to be recorded in the Security Log:

(1) The following are examples of any failure, degradation, or discovered vulnerability in a safeguards system that could have allowed unauthorized or undetected access to any area or transport in which the licensee is required by Commission regulation to control access had compensatory measures not been established:

  • properly compensated computer failures
  • properly compensated card reader failures

  • properly compensated loss of the ability to detect intrusion (a) at the protected area perimeter when the loss involves several zones or (b) within a single intrusion detection zone
  • failure of search equipment for a short period which could have allowed unsearched personnel and packages to enter controlled areas
  • an individual requiring escort becomes separated from his or her escort for a short period of time (e.g., less than about 10 minutes), and it is determined that no unauthorized areas were entered
  • an individual is incorrectly issued a badge granting access to areas not authorized, but who does not or cannot enter those areas and, when corrected, may be granted access
  • an individual who is incorrectly (i.e., through an error not amounting to falsification) authorized unescorted access, but who has not been granted access through the issuance of control media (e.g., badge)
  • incomplete or inaccurate pre-access screening information, testing, and other procedures that would not have been required to support access authorization or result in denial of access
  • failure to adequately compensate for an event or identified failure, degradation, or vulnerability that would not have allowed undetected or unauthorized access or that has existed for only a very short period of time (e.g., posting a compensatory officer in 12 minutes instead of 10 minutes)
  • tailgating into an area to which an individual is authorized or could have been authorized

(2) The following are examples of any other threatened, attempted, or committed act not previously defined in Appendix G to Part 73, "Reportable Safeguards Events," with the potential for reducing the effectiveness of the physical protection program below that described in a licensee physical security or safeguards contingency plan, or the actual condition of such reduction in effectiveness:

  • the failure or degradation of lighting below security plan requirements as long as the entire perimeter Intrusion Detection System (IDS) remains operational
  • for power reactors, loss of the partial capability of one alarm station to remotely monitor, assess, or initiate response to alarms if the same capability remains operable in the other alarm station
  • for shipments of formula quantities of SSNM, loss of intra-convoy communications when communications capability with the movement control center remains
  • loss of control or protection of unclassified safeguards information when there does not appear to be evidence of theft or compromise, and is recovered within 1 hour
  • loss of control or protection of unclassified safeguards information which would not have allowed unauthorized or undetected access or significantly affected contingency response
  • loss of control of a security weapon that is retrieved within 1 hour of the discovery
  • discovery of prohibited items inside a controlled area that is not a significant threat to the facility (see glossary for definition of prohibited items)
  • access control feature failures that unlock a door, but with a continuing operable alarm, or a failed alarm with a secure door
  • unsubstantiated bomb or extortion threats (footnote 3)
  • frequent nuisance alarms caused by mechanical or environmental conditions and false alarms that meet or exceed the rates committed to in the licensee's approved physical security plans or procedures which may degrade system or staff performance but do not degrade the implementation of the site protective strategy
  • unplanned missed security patrols
  • the unfavorable termination of personnel whose job duties and responsibilities actively support insider threat mitigation
  • discovery of contraband material outside the protected area or inside a designated vehicle barrier or control point that does not constitute a threat or potential threat to the facility

Footnote 3: An unsubstantiated bomb or extortion threat is a threat in which no specific organization or individual claims responsibility, is patently fake, and is not supported by evidence other than the threat message.

3.3 Security Events Not Expected to be Recorded in the Security Log

In general, reporting and recording security events should provide relevant, timely, and factual information regarding events, system failures, or vulnerabilities and information that may be of value to assessing the significance of the threat. The NRC recognizes that there may be other failures that would not reduce system effectiveness and/or have little or no security significance. The NRC has evaluated previous security reports and determined that some reports were unnecessary, causing unnecessary burden on both licensees and the NRC.

Licensees should use the guidance in this section to determine whether some events are required by the regulations to be reported or recorded. Nothing in this section should suggest that an event required by the regulations to be reported should not be reported. The NRC intends that this section clarifies reporting requirements. This section does not obviate, circumvent, or change reporting requirements. Licensees should use sound and reasonable technical judgement and experience when determining whether or not to record or report an event. The examples provided below represent the types of events that need not be reported and are not intended to be all-inclusive or limiting.
Should questions arise regarding not reporting or recording of an event, the licensees may consider discussing the matter with the appropriate region or headquarters NRC, if time permits.

Certain failures of the security system that do not and could not reduce the effectiveness of the system have little or no security significance, and should not be reported or logged.

3.4 Examples of Security Events Not Expected to Be Recorded in the Security Event Log

The following list includes, but is not limited to, some examples of security events not expected to be reported or recorded in the Security Event Log:

Footnote 4: Examples of prohibited items include but are not limited to illegal drugs, alcohol, large knives, ammunition for a firearm, and prescription medication not prescribed for the person in possession.

Footnote 5: Some similar events may be required to be logged or reported.

Footnote 6: Escort of visitors does not require intrusion into personal activities, but monitoring to ensure physical whereabouts of visitors is supervised.

(1) failure, degradation, or compromise of security systems that are preplanned and for which adequate compensatory measures are in place before the event
(2) a child attempting but failing to climb a protected area fence
(3) a fire or explosion if the origin can be determined within 1 hour that is not suspicious and is consistent with normal mechanical or human error, and the facility sustains no significant damage (e.g., a fire in a trash bin, a lightning strike)
(4) infrequent nuisance alarms caused by mechanical or environmental problems and false alarms that do not exceed the rates committed to in the licensee's approved security plans, or their implementing procedures, or do not degrade system effectiveness
(5) suspected tampering with safety equipment that is determined, within 1 hour, not to be tampering
(6) discovery of prohibited material (footnote 4) outside the protected area, or inside a designated vehicle barrier or control point that does not constitute a threat or potential threat to the facility
(7) cuts or holes made through required barriers made by authorized persons for legitimate reasons (e.g., to install a pipe) with prior approval, coordination, and proper implementation of compensatory measures
(8) infrequent and nonrecurring failure of search equipment if the licensee discovers the failure before anyone enters unsearched
(9) lost, stolen, unaccounted, or improperly controlled (to include unauthorized, offsite removal) access control devices, including picture badges, keys, key cards, or access control computer codes that the licensee determines could not be used to allow unauthorized or undetected access (footnote 5)
(10) an individual requiring an escort becomes separated from the escort, who recognizes and reestablishes the escort in 5 minutes or less and the licensee determines that the individual did not enter any unauthorized areas
(11) an individual requiring escort enters a nonsensitive area with limited ingress/egress (such as a rest room) while the escort maintains observation of the ingress/egress point (footnote 6)
(12) infrequent and nonrecurring access control feature failures that unlock a door, but with a continuing operable alarm, or a failed alarm with a secure door, provided the licensee implements compensatory measures before anyone enters
(13) discovery of a suspicious vehicle following a licensed carrier transporting formula quantities of SSNM or spent fuel, for which the licensee notified law enforcement authorities, when the vehicle is determined, within 1 hour, not to be a threat
(14) individuals photographing facilities from tourist overlooks or stations, provided no other suspicious activity is involved
(15) normal and routine inquiries from students or members of the public regarding facilities or activities (footnote 7)
(16) routine, prearranged, or non-suspicious aircraft activity
(17) response information initiated due to information provided to licensees by the NRC

Footnote 7: Care should be taken to recognize accredited working journalists conducting normal and recognizable research. If their interest is common and understandable, their elicitation of sensitive information should not be reported.

4. Procedures for Telephonic Reports and Dual Reporting

4.1 Telephonic Reports

All telephonic reports (15-minute reports, 1-hour reports, or 4-hour "suspicious activities" reports) are made to the NRC Headquarters Operations Center at (301) 816-5100.
Telephonic notifications should be made via the NRC's Emergency Notification System (ENS), or other telephonic system that may be designated by the NRC, if the licensee is party to that system. If the ENS (or other designated system) is inoperable or unavailable, a commercial telephone or other effective means should be used to ensure that the required notification is received by the NRC Operations Center in the time required. Should the use of other emergency notification systems replace or supplement the ENS, licensees should use those systems as directed by the NRC.

If pertinent new information or errors are uncovered after the initial telephone report, but prior to submittal of a written report (as required), the licensee should notify the NRC Headquarters Operations Center of the information or error by telephone, using the same timeliness guideline as the initial report.

Safeguards information must be transmitted only by secure telecommunications equipment except in emergencies or extraordinary conditions. The telephonic reports discussed herein are considered to be extraordinary conditions and regulations in 10 CFR 73.21(f)(3) exempt the information transmitted under the provisions of 10 CFR 73.71 from protection requirements, so telephone reports made pursuant to 10 CFR 73.71 may be transmitted over unprotected lines when necessary. However, licensees should endeavor to protect sensitive information whenever possible and as conditions permit.

4.1.1 15-minute Reports

Licensees should ensure that the 15-minute telephonic reports clearly but concisely communicate the nature, magnitude, imminency, or effect of the actual or imminent threat against the plant, known at the time of the report, to the on-duty NRC Headquarters Operations Officer.
At a minimum, licensees should include the following information in the call:

(1) name and location of facility
(2) threat description including brief description of initiated response (see Section 2.1)
(3) current event status, e.g., ongoing, completed, imminent, unknown
(4) caller's name and call-back number
(5) emergency classification (only if already determined)

4.1.2 1-hour Reports

Licensees should ensure that the 1-hour telephonic reports clearly but concisely communicate all known, relevant information at the time of the report to the on-duty NRC Operations Officer. At a minimum, licensees should include the following information in the call:

(1) name and location of facility
(2) caller's name and call-back number
(3) event description including the following information:
    (a) who was involved
    (b) what comprised the event or what happened
    (c) when the event initiated and when completed, if known
    (d) where the event occurred (this may include plant or security systems or geographic locations affected)
    (e) why the event occurred, if known
    (f) how the event occurred
(4) current event status, e.g., ongoing, completed, anticipated, unknown
(5) response or corrective actions taken
(6) offsite assistance or media interest

4.1.3 4-hour Reports (Suspicious Activity)

Licensees should ensure that the 4-hour telephonic reports clearly but concisely communicate all known, relevant information at the time of the telephonic report to the on-duty NRC Operations Officer. At a minimum, licensees should include the following information in the call:

(1) name and location of the facility reporting the activity
(2) facility type
(3) caller's name and call-back number
(4) event date and time
(5) description of information
(6) source of information (if law enforcement agency, provide telephone number)

4.1.4 Telephonic Followup Requirements

The guidance in this section is intended to provide a "bridge" between the initial report of an event and the communications protocols already established by emergency response plans and procedures. This establishes the possible use of an open, continuous communication channel with the NRC Operations Center. Many of the events required to be reported under 10 CFR 73.71 may have already resulted in the declaration of an emergency class by the licensee, and the communications protocols for those declarations should be used.
Other events and information may not result in the activation of emergency or contingency response communications protocols. The NRC Operations Center will not request an open communications line for the initial (<15 minute) notification. Questions from NRC during this call should be limited to those questions which would give the NRC an understanding of which facility is involved and the nature of the event. Subsequent to the initial report, licensees are expected to provide additional information in accordance with the requirements of 10 CFR 50.72(c) and at that time a licensee may be requested to maintain "open communications." The NRC does not require licensees to maintain an open, continuous means of communication for reporting suspicious activities.

The NRC emphasizes the importance of initially providing critical information in a timely manner. The NRC also recognizes that events can develop rapidly and information can significantly change over time. Consequently, providing telephonic followup is important to ensure that the NRC and licensees continue to make decisions based on a common set of facts.

4.1.5 Telephonic Followup Guidelines

The licensees should use the following guidelines when following up on telephonic reports:

(1) If pertinent information or errors are uncovered after the initial telephone report (for <15 minute reports and 1-hour reports) but prior to the submittal of the written report, the licensee should notify the NRC Operations Center of the information or error in a timely manner.
(2) It is anticipated that the suspicious activities reported within 4 hours of discovery will be transitory, and will usually not require followup telephonic notifications.
However, if pertinent information or errors are uncovered after the initial telephone report, licensees may choose to contact the NRC Operations Center to ensure accuracy of the information already provided. For suspicious activity reports, a licensee should not be requested to provide a continuous communications channel. However, should the licensee later obtain additional information, or should any followup be necessary, communications should be handled through the NRC's threat assessment process and may be communicated directly with region or headquarters Information Assessment Team (IAT) members. Contact with IAT members may be established with assistance from the NRC Operations Center. Should suspicious activity lead to an event that requires response, established emergency response communications procedures should be used to determine reportability.
(3) An open, continuous communication channel with the NRC Operations Center may be requested for 15-minute reports of actual or imminent security threats, made in accordance with 10 CFR 73.71(a). Subsequent to the 15-minute report, this communications link may be requested at the time when the licensee is expected to provide additional information in accordance with the requirements of 10 CFR 50.72(c). The establishment of a continuous communications channel would not supersede current emergency preparedness or security requirements to notify State and local officials or local law enforcement authorities, nor would it supersede requirements to take immediate action to stabilize the reactor plant. When established, the continuous communications channel should be staffed by a knowledgeable individual in the licensee's security or operations organizations such as a security supervisor, alarm station operator, or operations personnel. The location of this communicator should be designated in licensee procedures and should be appropriate to obtain and communicate information regarding the status of the event or response.
The continuous communications channel may be established using the ENS (or other telephonic system that may be designated by the NRC) if the licensee has access, or by commercial telephone line with phone(s) identified for this purpose.

(4) An open, continuous communication channel with the NRC Operations Center may be requested for telephonic reports made within 1 hour of discovery in accordance with 10 CFR 73.27(b) and (c). These events relate to loss of any shipment of SSNM or spent nuclear fuel and events described in paragraph II of Appendix G. This communications link may be requested following the licensee's completion of other required notifications made in accordance with 10 CFR 50.72 or Part 50 Appendix E, and after any immediate actions needed to stabilize the plant. When established, the continuous communications channel should be staffed by a knowledgeable individual in the licensee's security or operations organizations such as a security supervisor, alarm station operator, or operations personnel. The location of this communicator should be determined by the licensee and should be appropriate to obtain and communicate information regarding the status of the event or response. The continuous communications channel may be established using the ENS if the licensee has access, or by commercial telephone line with phone(s) identified for this purpose.

4.2 Dual Reporting

Events of a dual nature (i.e., having both safety and security implications and being subject to the requirements of 10 CFR 50.72, 50.73, and 73.71) do not require duplicate reports under the requirements of 10 CFR 73.71. If a power reactor licensee reports an event that is reportable in accordance with both 10 CFR 50.73 and 73.71, the licensee should follow the procedures described in 10 CFR 50.73 (i.e., NRC Form 366, "Licensee Event Report" (LER)). However, if an emergency classification declared per the station's emergency plan is not provided as part of the 15-minute notification per 10 CFR 73.71(a), then a separate notification shall be made in accordance with 10 CFR 50.72(a)(3).

The procedures contained in NUREG-1022, "Event Reporting Guidelines 10 CFR 50.72 and 50.73," (Ref. 4) describe how to indicate that an LER meets multiple reporting requirements. Similarly, SNM licensees need not report more than once for events covered under both 10 CFR 70.52 and 73.71, or under both 10 CFR 74.11 and 73.71. Licensees should ensure that sensitive unclassified non-safeguards information (SUNSI) is not included in documents unless the SUNSI is properly controlled both in electronic or hard-copy formats.

4.3 Written Reports

Licensees who are required to make a 15-minute or 1-hour report must, by regulation, follow up the initial telephonic notification with a written report within 60 days of the initial telephonic notification. The purpose of these written reports is to ensure that all the facts of a reported event are captured and available for NRC review and analysis and evaluation. Because these followup written reports will be used by NRC for analysis and evaluation and may represent the final description of an event, the reports should thoroughly detail the facts of the event, its causes (if known), and the actions taken.
This section outlines the information licensees should include in the followup written report.

Power reactor licensees should continue to use an LER format as in the past; other licensees should use a letter format. Unlike the initial telephonic notification, followup written reports are not exempt from the provisions of 10 CFR 73.21, and any unclassified safeguards information or other sensitive information contained in written reports must be protected as required. Electronic media using approved encryption software may be acceptable.

Some events, and the followup reports describing them, may be extensive, complicated, and multi-faceted and must be submitted within 60 days of the initial telephonic notifications. Subsequent to the submittal of the initial written report, the licensees may discover unintentional errors in the report or supplemental information may become available. As noted below, the licensee should submit a revised report as soon as possible which contains the previous information and adds the new information. To ensure clarity, the supplemental report should be a complete revised report, with revisions or changes highlighted.

Licensees are not required to submit followup written reports of suspicious activities made under the provisions of 10 CFR 73.71(d) and paragraph II of Appendix G. However, should additional investigation or fact gathering be necessary, licensees should be prepared to provide evidence (e.g., photographs, documents, routine voice recordings, voice mail, witness statements) in their possession if requested by investigating or regulatory authorities.

4.3.1 NRC Form 366

When submitting reports that are reportable solely under the provisions of 10 CFR 73.71, power reactor licensees should use the LER, NRC Form 366. Not all items included on NRC Form 366 may apply when security events are reported. Licensees should include all the information needed by the NRC as described in Section 4 and related subsections.

The provisions of 10 CFR 73.21(f) must be met when transmitting written safeguards information. Power reactor licensees should modify their LER procedures accordingly.
All other licensees should provide the report in a letter that contains the information indicated in the following section.

4.3.2 Content of Written Reports

All followup written reports that must be submitted within 60 days of a telephonic notification should contain, at a minimum, the following information:

(1) date and time of the event, including chronological time line if applicable; date and time of NRC notifications
(2) locations of actual or threatened event in a protected area, material access area, controlled access area, vital area, OCA, or other area (specify area)
(3) for power reactors, the operating mode, e.g., shut down, operating
(4) safety or security systems directly or indirectly affected, damaged, or threatened
(5) type of security force onsite, i.e., proprietary or contract
(6) number and type of personnel involved such as contractors; security; visitors; plant staff; perpetrators or attackers; NRC personnel; local, state, or Federal responders; and other personnel (please specify)
(7) method of discovery of incident, event, or information such as routine patrol or inspection, test, maintenance, alarm annunciation, chance, communicated threat, unusual circumstances (include details)

(8) immediate actions taken in response to the event and compensatory measures in place
(9) local, State, or Federal law enforcement agencies contacted
(10) description of media interest and press releases
(11) indications or records of previous similar events
(12) procedural errors, human errors, or equipment failures, as applicable
(13) cause of event or licensee analysis of event (including a brief summary in the report and reference any ongoing or completed detailed investigations, assessments, analyses, or evaluations)
(14) corrective actions taken or planned, including dates
(15) name and phone number of knowledgeable contact

For reported uncompensated failures, degradations, or discovered vulnerabilities of security systems, licensees should also provide the following information in addition to items 1 through 15 above:

(a) description of failed, degraded, or vulnerable systems or equipment, e.g., manufacturer and model number, procedure number
(b) status of the equipment or system prior to the event (e.g., operating, being maintained secure, being implemented) and, as applicable, the compensatory measures in place
(c) description of the failure, degradation, or vulnerability identified (specify)
(d) any unusual conditions that may have contributed to the failures, degradations, or discovered vulnerabilities of security systems, e.g., environmental conditions, plant outage
(e) apparent cause of each component or system failure, degradation or vulnerability
(f) secondary functions affected (for multiple-function components)
(g) effect on plant safety

For threat-related incidents, licensees should also provide the following information in addition to items 1 through 15 above:

(a) type of threat, e.g., bomb threat, extortion, tampering, interruption of normal operations, attempted diversion of SNM, theft, armed assault
(b) a detailed description of perpetrators or attackers, e.g., number, armament, method of threat, appearance, personal characteristics
(c) method or means of threat communication, e.g., letter, telephone, email
(d) text or verbatim transcript of threat
(e) clear photocopy of threat letter and accompanying envelope, if applicable

Licensees should be aware that any media used to communicate a threat may become evidence in an investigation and the integrity of that material should be maintained.

4.3.3 Submittal of Written Reports

In accordance with proposed 10 CFR 73.71(f)(2)(a)(4), 73.71(g)(3), 73.71(g)(6), 73.71(g)(8), and (g)(11), licensees should perform the following when submitting a written report:

(1) Submit one copy of each written report to NRC Headquarters.
    United States Nuclear Regulatory Commission
    Attn: Director, Office of Nuclear Security and Incident Response
    11555 Rockville Pike
    Rockville, MD 20852-2738
(2) Send a second copy to the appropriate NRC Regional Office listed in Appendix A to 10 CFR Part 73.
(3) Submit revised reports (i.e., subsequent to the initial written report) to both NRC headquarters and the Regional Office.
(4) Ensure that event reports are legible and of a quality to permit reproduction and processing.
(5) Maintain copies of the report in accordance with 10 CFR 73.71(g)(11) for a period of 3 years from the date of the report.

Licensees are not required to submit followup written reports of suspicious activities made under the provisions of 10 CFR 73.71(d) and paragraph II of Appendix G.

4.4 Security Event Log

Events reportable under the provisions of 10 CFR 73.71(f) and Appendix G, paragraphs IV(a) and (b), should be logged or recorded rather than reported by telephone. These events should be entered in the log as soon as practical after the licensee becomes aware of them, but always within 24 hours, as required. The licensee should initially log the information as received and then summarize it when the event or condition terminates. Since licensees are required to investigate, correct, or respond to any event or condition that threatens nuclear activity or lessens the effectiveness of the security system, the licensee should have included the event details when the entry was made in the log. The events that should be logged are discussed in Section 3 of this guidance.

The NRC does not specify the format and method for maintaining the security event log in regulatory requirements. Events should be included in a security event log that may be hard-copy or preferably in a searchable electronic database. The NRC prefers the use of electronic log maintenance so that the events recorded may be more easily evaluated and analyzed. Licensees should take care in assuring that the protective requirements of 10 CFR 73.21 and 73.22 are maintained for the data records.

Each log must be retained for 3 years after the last entry to that log.
Licensees should maintain the following information in the log:

(1) date and time of the event or condition
(2) brief (one-line) description of the event
(3) brief (one-line) description of compensatory measures or corrective actions taken
(4) area or security element affected (e.g., vital area, OCA, perimeter alarm system, response capability, barriers, transport vehicle, communications)
(5) how the event was detected (e.g., alarm, patrol, test, informants, plant staff observations)
(6) reference to more detail when applicable (e.g., Incident Report 06-1234, Surveillance Test 04-2348, plant condition report number)

4.5 Training of Non-Security Staff

Discovery of reportable or recordable events is not limited to members of the security organization. All site employees with unescorted access should receive training to foster awareness and be briefed on their responsibility to immediately notify site security or management personnel of anomalies, failures, degradations, or vulnerabilities of security systems, or suspicious activities. Licensees may provide this training during general plant training and periodic refresher training. Several licensees have also found it beneficial to include training "tips" or elements of the training program in recurring plant publications, such as newsletters, electronic signs, or other organizational reminders.

D. IMPLEMENTATION

The purpose of this section is to provide information to applicants and licensees regarding the NRC's plans for using this regulatory guide. No backfit is intended or approved in connection with its issuance.

The NRC has issued this draft guide to encourage public participation in its development.

Except in those cases in which an applicant or licensee proposes or has previously established an acceptable alternative method for complying with specified portions of the NRC's regulations, the methods to be described in the final guide will reflect public comments and will be used in evaluating (1) submittals in connection with applications for construction permits, standard plant design certifications, operating licenses, early site permits, and combined licenses; and (2) submittals from licensees who voluntarily propose to initiate system modifications if there is a clear nexus between the proposed modifications and the subject for which guidance is provided herein.

REGULATORY ANALYSIS

The regulatory analysis prepared for the amendment of 10 CFR 73.71 and Appendix G of 10 CFR Part 73 provides the regulatory basis for this guide and examines the costs and benefits associated with implementing the rule as described in this guide. A copy of that regulatory analysis is available for inspection and copying (for a fee) at the NRC's Public Document Room (PDR), which is located at 11555 Rockville Pike, Rockville, Maryland. The PDR's mailing address is USNRC PDR, Washington, DC 20555-0001. The PDR can also be reached by telephone at (301) 415-4737 or (800) 397-4209, by fax at (301) 415-3548, and by email to PDR@nrc.gov.

BACKFIT STATEMENT

This draft regulatory guide provides licensees and applicants with new guidance that the NRC staff considers acceptable for reporting of safeguards events as set forth in proposed amendments to 10 CFR 73.71 and Appendix G to Part 73. The application of this guide is voluntary. Because certain portions of this regulatory guide do not impose a new or different regulatory position for meeting NRC regulations, the NRC has determined, pursuant to 10 CFR 50.109(a)(3), that the backfit rule does not apply, and that a backfit analysis is therefore not required. For the portions of this regulatory guide that provide an acceptable method for implementation of new or different regulatory requirements that would be imposed by proposed 10 CFR 73.71 and Appendix G to Part 73, the NRC has determined and concluded that the proposed rule and guidance would provide safety and security-related benefits of a substantial increase in the overall protection of the public health and safety, the environment, and the common defense and security. Therefore, the benefits derived from the backfit and the direct and indirect cost of implementation are justified in view of this increased protection.

GLOSSARY

NOTE: This glossary only applies to the requirements of 10 CFR 73.71.

Any failure, degradation, or discovered vulnerability - The performance of a security safeguards measure has been reduced to the degree that it is rendered ineffective for the intended purpose. This includes cessation of proper functioning or performance of equipment, personnel, or procedures that are part of the physical protection program necessary to meet 10 CFR Part 73 requirements, or a discovered defect in such equipment, personnel, or procedures that degrades function or performance which could be exploited for the purpose of committing acts described in Appendix G to 10 CFR Part 73.

Attempts to cause - This means that reliable and substantive information exists that an effort to accomplish the threat, even though it has not occurred or has not been completed because it was interrupted, stopped before completion, or which may occur in more than 2 hours.

Contraband - Materials banned from the protected area by security regulations. Contraband consists of unauthorized firearms, explosives, and incendiary devices that may be carried or concealed by personnel, packages, materials or vehicles.

Credible threat - Credible means information received from a source determined to be reliable (e.g., law enforcement, government agency, etc.) or has been verified to be true. A threat can be verified to be true or considered credible when - (1) physical evidence supporting the threat exists, (2) information independent from the actual threat message exists that supports the threat, or (3) a specific known group or organization claims responsibility for the threat.

Dedicated observer - A person, not necessarily a member of the security force, posted as a temporary compensatory measure for a degraded assessment or detection capability or both. While performing this function, duties must be limited to detection and assessment. As a minimum, the person must be able to view the entire area affected by the degradation and must be able to communicate with the alarm stations. Use of optical and/or electronic surveillance devices is recommended.

Discovery (time of) - A specific time at which a supervisor or manager makes a determination that a verified degradation of a security safeguards measure or contingency situation exists.

Diversion of SNM (at any level) - Unauthorized removal or control of SNM.

False alarm - An alarm generated without an apparent cause. Investigation discloses no evidence of a valid alarm condition, including tampering, nuisance alarm conditions and no equipment malfunction.

Hostile Action - An act directed against an NRC-licensed facility or its personnel that includes the use of violent force to destroy equipment, take hostages, and/or intimidate the licensee to achieve an end. This includes attack by air, land, or water using weapons, explosives, projectiles, vehicles, or other devices used to deliver destructive force. Other acts that satisfy the overall intent may be included.

Interruption of normal operation - A departure from normal operation or condition that, if accomplished, would result in a challenge to the plant safety systems. This may also include an event that causes a significant redistribution of security or safety resources. This could include intentional tampering with systems or equipment that is normally in standby but would need to operate if called upon.

Loss of SNM - A failure to measure or account for material by the material control and accounting (MC&A) system approved for the facility, when the material is authorized to be possessed and is not confirmed to be stolen or diverted; an accidental (i.e., unplanned) offsite release or dispersal of SNM known or suspected to be 10 times greater than normal losses; discovery of empty or missing SNM containers or fuel elements.

Lost SNM - This means that SNM is no longer in the possession or control of the party authorized to possess it during a specific time.

Memorandum of Understanding (MOU) - A document detailing the agreement between the licensee and outside Law Enforcement Agencies (at all levels) or Emergency Service agencies (e.g., firefighting, decontamination, medical) for augmentation of site security/safety emergency response or compensatory actions taken to appropriate onsite events (e.g., personnel, equipment, professional assistance).

Nuisance alarm - An alarm generated by an identified input to a sensor or monitoring device that does not represent a safeguards threat and is not a result of normal authorized activity. Nuisance alarms may be caused by environmental conditions (e.g., rain, sleet, snow, lightning) or mechanical conditions (e.g., natural objects such as animals or tall grass).

Prohibited Items - Are items that are not relative to the conduct of work or that do not serve a purposeful function within the environment and are considered contrary to safety and security, which could be used to adversely affect personnel, systems or equipment required to protect SNM. Examples of prohibited items include but are not limited to illegal drugs, alcohol, large knives, ammunition for a firearm, and prescription medication not prescribed for the person in possession (i.e., non-related, prescription drugs).

Properly compensated - Measures, including backup equipment, additional security personnel, or specific procedures, taken to ensure that the effectiveness of the security system is not reduced by failure or other contingencies affecting the operation of the security-related equipment, structures or processes. Preplanned compensatory measures are normally described in NRC approved security plans and their associated implementing procedures.

Reason to believe - As mentioned in "credible threat," a licensee may have reason to believe received information should be considered reliable when substantive information includes physical evidence supporting the threat, additional information independent of the threat, or the identification of a specific, known group, organization or individual which claims responsibility for the threat.

Reliable Source - The source of information is considered trustworthy, authentic or consistent in performance or results.

Security Response - As used in this guide this means the substantive implementation of the armed response capabilities.

Safeguards - This term has historically referred to the two major components of NRC and international required protective components: material control, accounting, and security. The term security usually refers to physical or procedural means of preventing harm to the assets of a facility. Common usage frequently interchanges the words security and safeguards. The term may also have specific contextual meaning such as "safeguards information" or "Safeguards Event Log."

Security event - Any incident representing an attempted, threatened, or actual breach of the security system or reduction of the operational effectiveness of that system.

Security Event Log - A compilation of log entries for the events described in Paragraph II of Appendix G to 10 CFR Part 73.

Security system - The compilation of all elements that make up the physical protection program necessary to meet 10 CFR Part 73 requirements, such as equipment, personnel, procedures, and personnel practices, to include the way in which each element interacts with and affects other elements.

Significant physical damage - Physical damage to the extent that the facility, equipment, transport, or fuel cannot perform its normal function (applies to a power reactor, a facility possessing SSNM or its equipment, carrier equipment transporting nuclear fuel or spent nuclear fuel, or to the nuclear fuel or spent nuclear fuel a facility or carrier possesses).

Tampering - Altering for improper purposes or in an improper manner, or intentional unauthorized manipulation of equipment.

Theft of SNM - The unauthorized taking, or controlling of SNM for unauthorized use.

Unaccounted for SNM - This means that material has not been received at its delivery point 4 hours or more after its estimated arrival at the delivery point.

Unauthorized person - Any person who gains unescorted access to any area to which the person has not been properly authorized or granted unescorted access. This includes otherwise authorized persons who gain access in an unauthorized manner such as circumventing established access control procedures by tailgating another authorized person.

Uncompensated - This means compensatory measures included in security plans or procedures have either not been implemented, were ineffective, or were implemented incorrectly. To clarify, the aforementioned reports on failure and degradation should include not only mechanical or electrical problems but also failures in procedures or personnel practices or performance.

REFERENCES

1. Bulletin 2005-02, "Emergency Preparedness and Response Actions for Security-Based Events," U.S. Nuclear Regulatory Commission, July 18, 2005. [Footnote 8]

2. RIS 2006-12, "Endorsement of Nuclear Energy Institute Guidance 'Enhancements to Emergency Preparedness Program for Hostile Action'," U.S. Nuclear Regulatory Commission, July 19, 2006. [Footnote 9]

3. 71 FR 62644, "Power Reactor Security Requirements," Federal Register, Volume 71, Number 207, pp. 62664-62874, Washington, DC, October 26, 2006. [Footnote 10]

4. NUREG-1022, "Event Reporting Guidelines 10 CFR 50.72 and 50.73," U.S. Nuclear Regulatory Commission, Washington, DC, October 2000. [Footnote 11]

Footnote 8: All bulletins listed herein were published by the U.S. Nuclear Regulatory Commission and are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/gen-comm/bulletins/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; and email PDR@nrc.gov.

Footnote 9: All regulatory issue summaries (RISs) listed herein were published by the U.S. Nuclear Regulatory Commission and are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/gen-comm/reg-issues/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; and email PDR@nrc.gov.

Footnote 10: All Federal Register notices listed herein were issued by the U.S. Nuclear Regulatory Commission, and are available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; email PDR@nrc.gov. Many are also available electronically through the Federal Register Main Page of the public GPOAccess Web site, which the U.S. Government Printing Office maintains at http://www.gpoaccess.gov/fr/index.html.

Footnote 11: All NUREG-series reports listed herein were published by the U.S. Nuclear Regulatory Commission. Most are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/nuregs/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; email PDR@nrc.gov. In addition, copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328, telephone (202) 512-1800; or from the National Technical Information Service (NTIS), at 5285 Port Royal Road, Springfield, Virginia 22161, online at http://www.ntis.gov, by telephone at (800) 553-NTIS (6847) or (703) 605-6000, or by fax to (703) 605-6900.

BIBLIOGRAPHY

10 CFR Part 73, Appendix G, "Reportable Safeguard Events," U.S. Nuclear Regulatory Commission, Washington, DC. [Footnote 12]

Generic Letter (GL) 91-03, "Reporting of Safeguards Events," U.S. Nuclear Regulatory Commission, Washington, DC, March 6, 1991. [Footnote 13]

NUREG-1304, "Reporting of Safeguards Events," U.S. Nuclear Regulatory Commission, Washington, DC, February 1988. [Footnote 14]

Regulatory Guide 5.62, "Reporting of Safeguards Events," U.S. Nuclear Regulatory Commission, Washington, DC, November 1987. [Footnote 15]

Footnote 12: All NRC regulations listed herein are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/cfr/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; email PDR@nrc.gov.

Footnote 13: The generic letter listed herein was published by the U.S. Nuclear Regulatory Commission, and is available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/nuregs/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; email PDR@nrc.gov. In addition, copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328, telephone (202) 512-1800; or from the National Technical Information Service (NTIS), 5285 Port Royal Road, Springfield, VA 22161, online at http://www.ntis.gov, by telephone at (800) 553-NTIS (6847) or (703) 605-6000, or by fax to (703) 605-6900.

Footnote 14: All NUREG-series reports listed herein were published by the U.S. Nuclear Regulatory Commission. Most are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov/reading-rm/doc-collections/nuregs/. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room at 11555 Rockville Pike, Rockville, MD; the PDR's mailing address is USNRC PDR, Washington, DC 20555; telephone (301) 415-4737 or (800) 397-4209; fax (301) 415-3548; email PDR@nrc.gov. In addition, copies are available at current rates from the U.S. Government Printing Office, P.O. Box 37082, Washington, DC 20402-9328, telephone (202) 512-1800; or from the National Technical Information Service (NTIS), at 5285 Port Royal Road, Springfield, Virginia 22161, online at http://www.ntis.gov, by telephone at (800) 553-NTIS (6847) or (703) 605-6000, or by fax to (703) 605-6900.

Footnote 15: The regulatory guide listed herein was published by the U.S. Nuclear Regulatory Commission. All other regulatory guides are available electronically through the Public Electronic Reading Room on the NRC's public Web site, at http://www.nrc.gov. Active guides may also be purchased from the National Technical Information Service (NTIS) on a standing order basis. Details on this service may be obtained by contacting NTIS at 5285 Port Royal Road, Springfield, VA 22161, online at http://www.ntis.gov, by telephone at (800) 553-NTIS (6847) or (703) 605-6000, or by fax to (703) 605-6900. Copies are also available for inspection or copying for a fee from the NRC's Public Document Room (PDR), which is located at 11555 Rockville Pike, Rockville, Maryland; the PDR's mailing address is USNRC PDR, Washington, DC 20555-0001. The PDR can also be reached by telephone at (301) 415-4737 or (800) 397-4205, by fax at (301) 415-3548, and by email to PDR@nrc.gov.

Appendix A

REPORTING SUSPICIOUS AVIATION-RELATED ACTIVITIES AND COORDINATION WITH THE FEDERAL AVIATION AGENCY

The purpose of this appendix is to provide further guidance on reporting of suspicious aviation-related activities (required to be reported in 4 hours) that occur within the airspace in proximity of licensee facilities. Suspicious activity is defined as behavior that may be indicative of intelligence gathering or pre-operational planning (surveillance) related to terrorism, criminal, espionage, or other illicit intentions. This appendix also provides guidance on activities that need not be reported.

In 2004, the Federal Aviation Administration (FAA) issued the following Notice to Airmen (NOTAM). This NOTAM advises pilots to avoid not only the airspace above or in proximity to U.S. nuclear power plants, but also includes other key infrastructure facilities. The following is the published language contained in the most current NOTAM:

FDC 4/0811 FDC - Special Notice - This is a restatement of a previously issued advisory notice. In the interest of national security and to the extent practicable, pilots are strongly advised to avoid the airspace above, or in proximity to such sites as power plants (nuclear, hydro-electric, or coal), dams, refineries, industrial complexes, military facilities and other similar facilities. Pilots should not circle as to loiter in the vicinity over these types of facilities.

It is recommended that licensees contact their nearest FAA Air Traffic Control (ATC) facility in order to discuss this NOTAM and its relevance to the facility, and to maintain a rapport. [FAA Air Traffic Organization - Air Traffic Control Towers, Terminal Radar Approach Control facilities (TRACON), Air Route Traffic Control Centers (ARTCC) - and Flight Standards District Offices are available on the FAA Web site at http://www.faa.gov.]

Licensees are urged to immediately report suspicious flight activity above, or in close proximity to, nuclear power plants and other NRC-licensed facilities to their local FAA ATC facility in an attempt to identify suspicious aircraft. Licensee security managers should exercise judgment/discretion in the determination of whether flight activity is suspicious with respect to normal air traffic patterns, proximity of the facility to local airports and US military bases, the use of rivers and coastal waterways for navigational purposes, local weather conditions, and other unforeseen local circumstances. However, multiple sightings of the same commercial or general aviation aircraft, circling or loitering above or in close proximity to facilities, and/or photographing the facility or surrounding area, should be reported.

It is important that incident reporting be timely and include key information (i.e., aircraft registration number (N-number), physical description of aircraft, observed flight activity, date/time of incident, altitude and direction of flight). The use of special photographic or visual sighting equipment may enhance the capability to more accurately capture pertinent information. (Several websites are available to identify N-numbers: http://registry.faa.gov/aircraftinquiry/NNum_inquiry.asp, http://registry.faa.gov/aircraftinquiry, and http://www.landings.com.)

If contact with the local FAA facility results in a determination that the aircraft is associated with a municipal, State, or Federal Government entity - or if it can provide a valid explanation for the flight deviation that satisfies the facility security manager - then the flight activity need not be reported further. However, if the FAA cannot identify the aircraft or a valid flight plan/explanation of activity, then the suspicious flight activity should be immediately reported to local law enforcement and the Federal Bureau of Investigation. There is no need for licensees to notify the NRC Operations Center in the event of aviation-related activity involving Government aircraft unless deemed suspicious in nature and it cannot be resolved at the local level. Otherwise, it is requested that suspicious aviation-related activity and incidents be reported to the NRC Operations Center. The NRC continues to work closely with FAA, the Transportation Security Administration and U.S. Northern Command (NORTHCOM)/North American Aerospace Defense Command (NORAD) with respect to these types of suspicious aviation incidents and will conduct additional coordination, if necessary.

Consistent with previous NRC advisories, protocols, and the above guidance, licensees are requested to continue to contact and coordinate with the following organizations with respect to suspicious aviation-related activities or incidents:

(1) local FAA ATC facility/office
(2) local law enforcement agency
(3) local FBI Field Office/Resident Agent
(4) NRC Headquarters Operations Center at 301-816-5100

The NRC will continue to forward pre-coordinated overflight operations to licensees (i.e., waterfowl surveillance operations, power line surveys). Licensees are encouraged to contact organizations in their local area (military, Government, and private sector) that might have activities which impact the airspace in proximity to their facility in order to coordinate and establish a link for advance notification of upcoming activity.