Text

Enclosure 1 Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities:

Results and Status Update

Annual Report for Calendar Year 2023

U.S. Nuclear Regulatory Commission Office of Nuclear Security and Incident Response Washington, DC 20555-0001

ABSTRACT

This report fulfills the requirements of Section 170D.e of the Atomic Energy Act of 1954 (42 U.S.C. §2210 d.(e)), as amended, which states, not less often than once each year, the Commission shall submit to the Committee on Environment and Public Works of the Senate and the Committee on Energy and Commerce of the House of Representatives a report, in classified form and unclassified form, that describes the results of each security response evaluation conducted and any relevant corrective action taken by a licensee during the previous year.

Additionally, Section 170D.a of the Atomic Energy Act of 1954 (42 U.S.C. §2210 d.(a)), as amended, grants the U.S. Nuclear Regulatory Commission (NRC) the authority to determine which licensed facilities must undergo these security evaluations. The NRC is reporting the security response evaluation results for the Nations fleet of operating commercial nuclear power plants (NPPs) and Category I (CAT I) fuel cycle facilities, given the significance of the nature, form, and quantity of nuclear material at these facilities. With respect to NPPs, the scope of this report includes those undergoing decommissioning but not yet transitioned to a dry storage independent spent fuel storage installation and those undergoing a restart due to the continued implementation of Title 10 of the Code of Federal Regulations Part 73, Physical Protection of Plants and Materials. This report includes a comprehensive overview of the combined results of the security programs for calendar year (CY) 2023. To aid in understanding the context of how the NRC conducts inspections, this report also provides descriptions and programmatic status updates for relevant NRC programs, including the Reactor Oversight Process (ROP), security inspection programs for NPPs and CAT I fuel cycle facilities, and NRCs force-on-force (FOF) inspection program.

Paperwork Reduction Act Statement

NUREG-1885, Revision 17, Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities: Results and Status Update, does not contain information collection requirements and, therefore, is not subject to the requirements of the Paperwork Reduction Act of 1995 (44 U.S.C. §3501 et seq.).

Public Protection Notification

The NRC may not conduct nor sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid Office of Management and Budget control number.

iii CONTENTS ABSTRACT............................................................................................................................... iii

1. EXECUTIVE

SUMMARY

....................................................................................................... 1

2. SECURITY OVERSIGHT FOR COMMERCIAL NUCLEAR POWER REACTORS AND CATEGORY I FUEL CYCLE FACILITIES................................................................................. 3 2.1 NRC Security Inspections of Licensed Facilities........................................................... 3 2.2 Reactor Oversight Process Framework......................................................................... 4 2.3 Category I Fuel Cycle Facilities Oversight Process Framework..................................... 6 2.4 NRC Enforcement Policy............................................................................................... 6

3. CALENDAR YEAR 2023 SECURITY INSPECTION RESULTS............................................ 8 3.1 Calendar Year 2023 Commercial Nuclear Power Reactor Inspection Results............... 8 3.2 Calendar Year 2023 Category I Fuel Cycle Facilities Inspection Results....................... 9 3.3 Calendar Year 2023 Overall Security Inspection Results............................................. 10

4. FORCE-ON-FORCE INSPECTIONS.................................................................................. 11 4.1 Force-on-Force Program Description.......................................................................... 11 4.2 Force-on-Force Inspections in Calendar Year 2023.................................................... 11 4.3 Force-on-Force Exercise Results................................................................................ 12

5. CONCLUSION.................................................................................................................... 14

APPENDIX: List of Acronyms.................................................................................................. 15

iv

1. EXECUTIVE

SUMMARY

Calendar Year 2023 Security Inspection Results

In calendar year (CY) 2023, the NRC performed 184 security inspections at operating nuclear power plants (NPPs) and category 1 (CAT I) fuel cycle facilities to assess the multifaceted security programs these licensees implement to protect and safeguard their sites. The number of total security inspections compared to the previous CY is within the expected range for an average year within the inspection cycle. As shown in Table 1, the CY 2023 inspections resulted in 168 findings, a 17-percent increase in the number of findings compared to CY 2022.

Figure 1: Summary of Security Inspection Table 1 and Figure 1 also show that the Program Results for Calendar Year 2023 overwhelming majority of security inspection findings issued were of very low security significance (i.e., the combined Green and Severity Level (SL) IV violations); two findings were greater-than-Green, and there were no greater-than-SL IV findings. The Official Use Only - Security-Related Information version of this report (Enclosure 2) contains additional details on each finding.

Table 1: Combined Security Inspection Results for 2023 184 Total number of security inspections conducted 168 Total number of inspection findings 161 Total number of Green findings 2 Total number of greater-than-Green findings 5 Total number of SL IV violations 0 Total number of greater-than-SL IV violations

1

The number of inspections completed in CY 2023 represents a return to the average number of inspections prior to the start of the COVID-19 public health emergency; however, inspection findings are elevated when compared to that same time period (see Figure 2). The elevated number of security findings is, in part, accounted for by the incorporation of cybersecurity baseline inspections into the Reactor Oversight Process (ROP) in CY 2022.

Table 2 summarizes the results of the Figure 2: Number of Security Inspections and force-on-force (FOF) inspection program Findings (2015-2023) for commercial NPPs in CY 2023. As indicated in the table, there were 18 FOF inspections with 35 FOF exercises conducted during the year. There were no FOF exercises at CAT I fuel cycle facilities in CY 2023. Additional information regarding FOF inspection results is provided in Enclosure 2 (non-public).

Table 2: Force-on-Force Inspection Results for 2023 18 Total number of FOF inspections conducted 33 Total number of effective exercises 1 Total number of indeterminate exercises 0 Total number of marginal exercises 1 Total number of ineffective exercises

Calendar Year-2024 at a Glance

The NRC continues to look for opportunities to risk-inform its security oversight program to ensure that licensee security programs continue to provide reasonable assurance of adequate protection of public health and safety and the common defense and security. One example is the NRCs ongoing self-assessment of the Baseline Security Significance Determination Process to identify areas for improvement including consistency across the agency when screening security inspection findings, further risk-informing the process, and other potential enhancements as identified by staff. The NRC will continue to solicit feedback from external stakeholders, including the public as appropriate, and share progress and outcomes throughout the assessment.

In CY 2024, the NRC will continue to advance efforts to increase realism in the FOF program.

The agency will also continue to monitor the implementation of the cybersecurity inspection program through the second biennial ROP inspection cycle and implement lessons learned from the first biennial cycle. Finally, the NRC will continue its important work to monitor for potential threats to NPPs and CAT I fuel cycle facilities, communicating time-sensitive information to licensees, and assessing the need for any changes to the design-basis threats (DBTs) applicable to these facilities.

2

2. SECURITY OVERSIGHT FOR COMMERCIAL NUCLEAR POWER REACTORS AND CATEGORY I FUEL CYCLE FACILITIES

2.1 NRC Security Inspections of Licensed Facilities

The NRC licenses and regulates the Nation's civilian use of radioactive materials to provide reasonable assurance of adequate protection of public health and safety to promote the common defense and security and to protect the environment. Consistent with its security mission, the NRC requires that NPPs and CAT I fuel cycle facilities design, establish, and maintain security programs that provide reasonable assurance of adequate protection against the DBTs of radiological sabotage. CAT I fuel cycle facilities must protect against an additional DBT of theft or diversion of a formula quantity of strategic special nuclear material (SSNM). 1 These DBTs comprise a set of adversary characteristics, equipment, attack mechanisms, and tactics that NPPs and CAT I fuel cycle facilities must be able to defend against.

To verify that NPPs and CAT I fuel cycle facilities are capable of defending against the applicable DBTs, the NRC regularly performs security oversight activities to assess licensee performance and verify compliance with security requirements.

Figure 3: NRC Security Inspector Observing These oversight activities include Security System Testing at an NPP in August 2023 monitoring daily licensee activities and performing routine inspections that closely focus on a cross section of areas that the agency has determined have the greatest impact on security. These areas include personnel access authorization; access control; equipment performance, testing, and maintenance; protective strategy evaluation and performance evaluation program; protection of safeguards information; security training; fitness-for-duty; material control and accounting; transportation security; cybersecurity; and target set identification.

The NRC conducts performance-based security response FOF inspections at NPPs and CAT I fuel cycle facilities. The NRC uses FOF inspections to evaluate the effectiveness of a licensees

1 Strategic Special nuclear material (SSNM) is defined in Title 10 of the Code of Federal Regulations Section 73.2 as uranium-235 (contained in uranium enriched to 20 percent or more in the U-235 isotope), uranium-233, or plutonium. A formula quantity of SNM is defined in the same section as any combination in a quantity of 5,000 grams or more computed by the formula, grams = (grams contained U-235) + grams plutonium).

3

protective strategy through an integrated response exercise during which the licensees security force executes its protective strategy in response to a simulated attack by an opposing force with the characteristics and attributes of the DBT. These simulated attack scenarios are designed to probe and challenge potential weaknesses in the sites protective strategies.

Additional information regarding these FOF inspections is contained in Section 4 of this report.

The NRCs security baseline inspections, including FOF inspections, verify that security programs at NPPs and CAT I fuel cycle facilities have been adequately designed, implemented, and maintained in a manner consistent with regulatory requirements, and that these security programs effectively integrate to provide adequate protection against the DBTs.

While NPPs and CAT I fuel cycle facilities licensed by the NRC must provide reasonable assurance of protection against the applicable DBT and are subject to periodic baseline security inspections, including FOF inspections, the NRCs oversight and enforcement process framework differs slightly for these two types of facilities, as described in the sections below.

2.2 Reactor Oversight Process Framework

The ROP is the NRC's program to inspect, measure, and assess the safety and security performance of operating NPPs and to respond to any decline in their performance. The ROP encompasses three strategic performance areas and measures NPP performance in seven specific cornerstones of safety as shown in Figure 4. Performance is also measured across three cross-cutting areas, which can affect each of the cornerstones across all the strategic performance areas. Additional information regarding the ROP can be found on the NRCs public website at https://www.nrc.gov/reactors/operating/oversight/rop-description.html.

Figure 4: Reactor Oversight Framework

The NRC evaluates NPP performance under the ROP by analyzing two inputs: performance indicators (PIs) reported by the licensees and inspection findings identified through the NRC's inspection programs.

Performance Indicators

The NRC established PIs to quantitatively measure licensee performance in risk-significant areas of each cornerstone in the ROP. Each PI has objective criteria and thresholds for measuring acceptable performance using a color-coded system. Licensees submit PI data quarterly and the NRC regularly conducts inspections to verify the accuracy and completeness

4

of the submittals. Publicly available PI data is posted at https://www.nrc.gov/reactors/operating/oversight/pi-summary.html.

The NRC established one PI under the security cornerstone that measures the operability of intrusion detection systems at NPPs. This PI provides insight into the effectiveness of the licensees maintenance of these systems and provides a method of monitoring security equipment degradation that could adversely impact reliability.

All NPP licensees maintained a Green security PI for CY 2023. Specific details about the security PIs are withheld from public disclosure to ensure that security-related information is not made available to a potential adversary.

Inspection Findings

Findings identified during NRC security inspections are evaluated under a security significance determination process and assigned a significance level using a color-coded system similar to PIs. These findings can range from Green to Red in significance described below as shown in Figure 5.

Green indicates a finding of very low safety or security significance.

White indicates a finding of low-to-moderate safety or security significance.

Yellow indicates a finding of substantial safety or security significance.

Red indicates a finding of high safety or security significance.

Security findings determined to be of very low security significance (i.e., Green) yield no need for further regulatory action after the performance deficiencies 2 have been corrected. For those findings that have a greater potential for adversely impacting security at an NPP (i.e., White, Yellow, Red), the NRC will apply additional regulatory action as determined by the NRCs action matrix.

Figure 5: Assessing Significance within the Reactor Oversight Program

Action Matrix

The NRC collects information from inspection findings and PIs to make objective conclusions about the licensee's safety and security performance. The NRC then determines the appropriate level of agency response using an action matrix. Depending on the number and significance of inspection findings and PIs at an NPP, the NRCs response can include supplemental

2 The NRC defines a performance deficiency as the licensees failure to satisfy one or more regulatory requirements or self-imposed standards where such failure was reasonably foreseeable and preventable.

5

inspections and a range of appropriate regulatory actions up to and including orders to shut down the NPP. Information on current NPP performance is provided on the NRCs public website at https://www.nrc.gov/reactors/operating/oversight/plant-by-plant-summaries.html.

Information regarding security findings is identified in the publicly available action matrix summary as either very low significance (i.e., Green) or greater-than-Green significance (i.e.,

White, Yellow, or Red). The NRC does not disclose the specific significance of greater-than-Green findings to ensure that potentially useful information regarding NPP security vulnerabilities is not provided to possible adversaries.

2.3 Category I Fuel Cycle Facilities Oversight Process Framework

The NRC maintains regulatory oversight of safeguards and security programs at two CAT I fuel cycle facilities: BWX Technologies, Inc., located in Lynchburg, Virginia, and Nuclear Fuel Services, Inc., located in Erwin, Tennessee. Each CAT I fuel cycle facility is licensed to use and process a formula quantity of SSNM. The SSNM must be protected against acts of radiological sabotage as well as theft and diversion. The NRC conducts periodic security inspections at these facilities to ensure these licensees are maintaining adequate protection of their sites.

The primary objectives of the NRCs CAT I fuel cycle facility safeguards and security oversight program are to determine if the fuel cycle facilities are operating securely and pursuant to the NRCs regulatory requirements and orders, detect indications of declining security performance, investigate specific security events and weaknesses, and identify generic security issues. The NRC inspects highly-enriched uranium-related physical security areas annually, biennially, or triennially using established inspection procedures (IPs). The results of these inspections contribute to an overall assessment of licensee performance.

Inspection reports for CAT I fuel cycle facilities can be found on the NRCs public website at https://www.nrc.gov/info-finder/fc/index.html#facility-list. Like NPPs, detailed information regarding security violations at CAT I fuel cycle facilities is withheld from public disclosure.

Since CAT I fuel cycle facilities are not subject to the ROP, performance issues identified at these sites are not assigned a color-coded finding. All violations identified at CAT I fuel cycle facilities are assessed and assigned severity levels (SLs) in accordance with the NRCs Enforcement Policy.

The NRC has not established PIs for CAT I fuel cycle facility licensees.

2.4 NRC Enforcement Policy

The NRC's enforcement authority is derived from the Atomic Energy Act of 1954, as amended, and the Energy Reorganization Act of 1974, as amended. The enforcement program has two goals: (1) deter noncompliance by emphasizing the importance of adherence to NRC requirements, and (2) encourage prompt identification and prompt comprehensive correction of violations of NRC requirements. The NRCs Enforcement Policy can be found on the NRCs public website at https://www.nrc.gov/about-nrc/regulatory/enforcement/enforce-pol.html.

When inspections and investigations identify violations of NRC requirements, the NRC uses three primary enforcement sanctions: notices of violation, civil penalties, and orders to modify, suspend, or revoke a license. Notices of violation and civil penalties are issued based on violations. The NRC may issue orders in response to violations or because of a public health

6

and safety or common defense and security issue. The NRCs enforcement program applies to NPP and CAT I fuel cycle facility licensees.

Under its traditional enforcement process, the NRC assesses significance by assigning an SL to all violations. The traditional enforcement process uses four SLs to demonstrate the relative importance of a violation:

SL I violations are those that resulted in, or could have resulted in, serious safety or security consequences.

SL II violations are those that resulted in, or could have resulted in, significant safety or security consequences.

SL III violations are those that resulted in, or could have resulted in, moderate safety or security consequences.

SL IV violations are those that are less serious but are of more-than-minor concern that resulted in no or relatively inappreciable potential safety or security consequence s.

Traditional enforcement is also used at NPPs to address certain aspects of violations (e.g.,

willfulness and individual actions) that cannot be addressed solely through the ROP. These violations include those that resulted in actual safety or security consequences, affected the ability of the NRC to perform its regulatory oversight function, or involve willfulness.

7

3. CALENDAR YEAR 2023 SECURITY INSPECTION RESULTS

3.1 Calendar Year 2023 Commercial Nuclear Power Reactor Inspection Results

Table 3 summarizes the results of the security baseline inspection program for NPPs in CY 2023. As indicated in this table, 163 out of 165 security findings at NPPs issued in CY 2023 were of very low security significance (i.e., Green or SL IV violations) and two were of greater-than-Green significance. Additional information regarding the inspection findings is provided in Enclosure 2 (non-public).

Table 3: Summary of Calendar Year 2023 Commercial Nuclear Power Reactors Inspection Results Total number of security inspections conducted 173 Total number of inspection findings 165 Distribution of Ins pection Findings:

Total number of Green findings 161 Total number of greater-than-Green findings 2 Total number of SL IV violations 2 Total number of greater-than-SL IV violations 0

Table 4 summarizes the number of findings related to each security IP for NPPs. The areas with the most inspection findings within the security baseline inspection program are cybersecurity (see Enclosure 2), access control, and fitness-for-duty. Cybersecurity inspections have consistently resulted in the highest number of security inspection findings since the baseline cybersecurity inspection program was implemented in CY 2022.

Table 4: Summary of Calendar Year 2023 Security Number of IP Baseline Inspections and Associated Findings for Completions in Number of Commercial Nuclear Power Reactors by CY23 Findings in Inspection Procedure 71130 CY23 01 - Access Authorization 23 8 02 - Access Control 54 16 03 - Contingency Response - Force -on-Force Inspection s 18 4 04 - Equipment Performance, Testing, and Maintenance 28 10 05 - Protective Strategy Evaluation and Performance 15 10 Evaluation Program 06 - Protection of Safeguards Information 5 2 07 - Security Training 31 3 08 - Fitness-for-Duty Program 35 15 09 - Security Plan Changes 54 0 10 - Cybersecurity 32 94 11 - Materials Control and Accounting 12 1 14 - Review of Power Reactor Target Sets 13 2 TOTAL: 3203 165

3 More than one baseline IP is often completed during a security inspection at an NPP. Therefore, the total number of IP completions is higher than the total number of inspections documented in Table 3.

8 3.2 Calendar Year 2023 Category I Fuel Cycle Facilities Inspection Results

Table 5 summarizes the overall results of the safeguards and security inspection program for CAT I fuel cycle facilities during CY 2023. All security violations issued in CY 2023 at CAT I fuel cycle facilities were of very low security significance (i.e., SL IV violations). There were no greater-than-SL IV violations. Additional information regarding these inspection findings is provided in Enclosure 2.

Table 5: Calendar Year 2023 Safeguards and Security Inspection Summary for CAT I Fuel Cycle Facilities Total number of security inspections conducted 11 Total number of inspection violation s 3 Distribution of Inspection Violations:

Total number of SL IV violation s* 3 Total number of greater-than-SL IV violations 0

Table 6 summarizes the associated findings related to each security IP for CAT I fuel cycle facilities. The areas with the most inspection findings within the security baseline inspection program are access control and materials control and accounting. This is consistent with previous years security baseline inspection results.

Table 6: Calendar Year 2023 Security Baseline Inspections and Associated Findings for CAT I Fuel Cycle Facilities by Inspection Procedure Number of IP Number of Completions CAT I Fuel Inspection Procedures at CAT I Fuel Cycle Cycle Violations Facilities in in CY 23 CY 23 81700.01 - SSNM Security Controls 0 0 81700.02 - Access Control Measures 4 2 85305-Item Control 4 1 81700.04 - Equipment Performance, Testing and 1 0 Maintenance 81700.05 - Protective Strategy Evaluation 2 0 81700.06 - Licensee Conducted Force-On-Force 0 0 81700.07 - Security Training 0 0 81700.08 - Fitness-for-Duty Program 0 0 81700.09 - Security Measures 0 0 81700.10 - Protection of Safeguards Information 0 0 81700.11 - Annual Observation of Licensee Conducted 0 0 Force-On-Force TOTAL: 11 3

9 3.3 Calendar Year 2023 Overall Security Inspection Results

Table 7 summarizes the combined number of security inspections and findings in CY 2023.

Table 7: Combined Security Inspection Results for 2023 173 Total number of security inspections conducted at commercial nuclear power reactor s 11 Total number of security inspections conducted at Category I fuel cycle facilities 184 Total number of security inspections 16 1 Total number of Green findings at NPPs 2 Total number of greater-than-Green findings at NPPs 2 Total number of SL IV violations at NPPs 0 Total number of greater-than-SL IV violations at NPPs 3 Total number of SL IV violations at CAT I Fuel Cycle Facilities 0 Total number of greater-than-SL IV violations at CAT I Fuel Cycle Facilities 168 Total number of inspection findings

10

4. FORCE-ON-FORCE INSPECTIONS

4.1 Force-on-Force Program Description

A FOF inspection is a two-phased, performance-based inspection that is designed to verify and assess a licensees ability to defend against the applicable DBTs of radiological sabotage and/or theft or diversion of SSNM through implementation of its protective strategy. These FOF inspections are conducted at each NPP and CAT I fuel cycle facility on a triennial cycle.

During the first phase of the inspection, NRC security inspectors conduct briefings and site walkdowns to assess the number of defenders, their protective positions, and the licensees overall protective strategy. The inspectors also conduct table-top drills on a mock-up of the facility to evaluate the effectiveness of the licensees security strategy against a series of attack scenarios. The role of local, State, and Federal law enforcement and emergency planning officials is also discussed in the table-top drills. Using information obtained from the table-top drills, briefings, site walkdowns, security procedures, and previous inspection reports, the NRC inspection team, with technical support from active-duty members of the U.S. Special Operations Command, develops attack scenarios designed to probe and challenge potential weaknesses in the sites protective strategy.

During the second phase of the inspection, a mock adversary force carries out the attack scenarios developed by the NRC inspection team during a performance-based exercise. At NPPs, the mock adversary force attempts to reach and simulate destroying enough safety equipment to set in motion an event that would damage the reactor's core or spent fuel pool, and potentially cause a release of radiation to the environment. At CAT I fuel cycle facilities, a similar process is used to assess the effectiveness of a licensees protective strategy capabilities relative to the DBTs of radiological sabotage and theft or diversion of SSNM. The security force at each facility attempts to interdict the mock adversary force and prevent them from achieving radiological sabotage or the theft or diversion of SSNM. During these exercises, the licensee maintains both its normal security force, which is not involved in the exercise, and a second security force that actively participates in the exercise. The use of weapons and explosives is simulated using electronic equipment and other means.

The purpose of these exercises is to identify any significant deficiencies in the protective strategy. Any such deficiencies are promptly reviewed and compensatory measures are established when appropriate while the licensee implements long-term corrective actions. These exercises provide the most realistic evaluation of the licensee's protective strategy, short of an actual attack. Additional information on the NRCs FOF program can be found on the NRCs public website at https://www.nrc.gov/security/faq-force-on-force.html.

4.2 Force-on-Force Inspections in Calendar Year 2023

Calendar Year 2023 marked the first year of the seventh triennial FOF inspection cycle. The NRC staff conducted a total of 18 NRC-evaluated FOF inspections at NPPs during CY 2023.

The NRC completed these inspections utilizing IP 71130.03, Contingency Response - Force-on-Force Testing.

There were no NRC-evaluated FOF inspections scheduled at CAT I fuel cycle facilities in CY 2023.

11 4.3 Force-on-Force Exercise Results

The NRC categorizes FOF exercise results as: 1) effective;

2) indeterminate; 3) marginal; or

4) ineffective. An effective exercise is one in which the licensee demonstrates effective implementation of its protective strategy in accordance with security plans approved by the NRC and related implementation procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters. An indeterminate exercise is one in which the results were significantly skewed by an anomaly or anomalies, resulting in the inability to determine the outcome of the exercise (e.g., site responders neutralize the adversaries using procedures or practices unanticipated by the design of the site protective strategy or in conflict with the training of security personnel to implement the site protective strategy, or significant exercise control Figure 6: Mock Adversary Team Members Making Entry failures were experienced). A During FOF Exercise in CY 2023 marginal exercise is one in which the licensees performance prevented the loss of a complete target set; however, the sites response force did not neutralize the adversary before the adversary simulated the loss of a subset of target set elements. An ineffective exercise is one in which the licensee did not demonstrate effective implementation of its protective strategy in accordance with plans approved by the NRC and related implementation procedures, regulatory requirements, or other Commission requirements, such as orders or confirmatory action letters.

Table 8 summarizes the 18 FOF inspections conducted in CY 2023.

Table 8: Calendar Year 2023 Force-on-Force Inspections Summary Total number of FOF inspections conducted (two exercises per inspection) using 18 IP 71130.03 Total number of FOF inspections conducted at a CAT I fuel cycle facility (two 0 exercises per inspection) using IP 96001

12 Table 9 lists the outcomes for exercises conducted in CY 2023. The results of the re-inspection are included in the effective exercise outcomes (see Enclosure 2).

Table 9: Force-On-Force Exercise Outcomes Total number of effective exercises 33 Total number of indeterminate exercises 1 Total number of marginal exercises 0 Total number of ineffective exercises 1 Total number of canceled (fully integrated) exercises 0

Figure 7: Total Force-on-Force Ineffective Exercises by Year

13

5. CONCLUSION

As evidenced in this report, sustained performance has been demonstrated in NPP and CAT I fuel cycle facility security during CY 2023. Sites employ defense-in-depth strategies to protect against the theft and diversion of radiological materials as well as radiological sabotage, including well-trained security forces, robust physical barriers, intrusion detection systems, surveillance systems, and reactor controls.

The agency recognizes the need for continued vigilance and high levels of security at NRC-licensed facilities. As a result, the NRCs security oversight programs continue to probe for any vulnerabilities or deficiencies in site protective strategies and security programs and takes prompt action where identified. In addition, baseline inspections, including FOF and cybersecurity inspections (discussed in further detail in Enclosure 2), continue to provide performance-based insights regarding licensee readiness to protect their sites. In these ways, the NRC security inspection program ensures that NRC licensees remain aware of and prepared to protect against a wide range of threats.

Additional information regarding the NRCs security oversight programs can be found on the NRCs public website at https://www.nrc.gov/security.html.

14 Report to Congress on the Security Inspection Program for Operating Commercial Power Reactors and Category I Fuel Cycle Facilities:

Results and Status Update

List of Acronyms - Enclosure 1

CAT I Category I CY calendar year DBT design-basis threat FOF force-on-force IP inspection procedure NPP nuclear power plant NRC U.S. Nuclear Regulatory Commission PI performance indicator ROP reactor oversight process SL severity level SSNM strategic special nuclear material

15