Text

InsiderThreatProgramandSecurityExecutiveAgentDirective3forNRC LicensedFacilitiesUSNRCPublicMeeting 21February2018OfficeofNuclearSecurityandIncidentResponse 9:00amIntroductions

• DarrylParsons,BranchChiefInformationSecurityBranch DivisionofSecurityOperationsOfficeofNuclearSecurityandIncidentResponseDarryl.Parsons@nrc.gov 9:10am-10:00amInformationonSEAD3andInsiderThreatPrograms InsiderThreatProgram*ExecutiveOrder13587wasadoptedbyNationalIndustrialSecurityProgramtocoverallcontractorsandlicenseeswhohaveexposuretoclassifiedinformation.https://www.gpo.gov/fdsys/granule/CFR 2012 title3vol1/CFR 2012 title3vol1 eo13587*TheNationalIndustrialSecurityProgramOperatingManual(NISPOM)Change2incorporatedMay2016coverstheimplementationofanInsiderThreatProgram(ITP)http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/522022M.pdf NonPossessingFacilitySecurityClearance*Anyfacilitywhichhasclearedindividuals(thosewithpersonnelsecurityclearances)anddoesnotpossessclassifiedmaterialonsiteisconsideredanon possessingfacility.*ThemajorityofNRC'scontractorsandlicenseesarenon possessingentities.

PossessingFacilitySecurityClearance*TheNRCissuespossessingfacilityclearancesandassociatedpersonnelsecurityclearancestolicenseesandlicenseecontractorsthatmeettherequirementsof10CFRPart95,FacilitySecurityClearanceandSafeguardingofNationalSecurityInformationandRestrictedData,"and10CFRPart25,"AccessAuthorization,"andpossessademonstrableneedtostoreclassifiedinformationattheirfacility.*OnlytwofacilitieshavepossessingfacilityclearancesissuedbytheNRCastheCognizantSecurityAgency.*Thesefacilitiesneedaccesstoclassifiedinformationinordertomaintaintheirlicense.

NISPOMITPforNonPossessingLicenseesFourMinimumRequirements

• AppointmentbythelicenseeofanITPSeniorOfficialwhoisaU.S.citizenandaseniorofficialofthecompany.-ThiscanbetheFacilitySecurityOfficer(FSO)asdefinedbytheNISPOM.*AnnualselfrevieworselfinspectionoftheITP.*InsiderThreattrainingforclearedprogrammanagementandclearedindividualawareness.*ReportingtotheNRCofanydetectionofaninsiderthreattothelicensee.(Thisprogramisdesignedforthreatstotheprotectionofclassifiedinformation,anddoesnothaveinitsscopeanyotherdetectionofinsiderthreatsatapowerplant).

• AppointmentbythelicenseeofanITPSeniorOfficialwhoisaU.S.citizenandaseniorofficialofthecompany.(sameasnonpossessors)

-ThiscanbetheFacilitySecurityOfficer(FSO)asdefinedbytheNISPOM.*AnnualselfrevieworselfinspectionoftheITP.(sameasnonpossessors)

• InsiderThreattrainingforclearedprogrammanagementandclearedindividualawareness.(sameasnonpossessors)

• ReportingtotheNRCofanydetectionofaninsiderthreattothelicensee.(Thisprogramisdesignedforthreatstotheprotectionofclassifiedinformation,anddoesnothaveinitsscopeanyotherdetectionofinsiderthreatsatapowerplant).(sameasnonpossessors)

• ProvideUserActivityMonitoringonanyclassifiedITsystem.NISPOMITPforPossessingLicensees FiveMinimumRequirements ImplementationofNISPOMITP*TheNRCstaffarerecommendingtotheCommissionthatwepursuealicensecommitmentbyincorporatingtherequirementsintotheStandardPracticeProceduresPlaninaccordancewith10CFRPart95.*ITPrequirementsplannedimplementationbyJune2018.Thestaffareseekinginputfromlicenseesthroughoutthisprocess.*BymodifyingtheSPPP,whichisalreadycommittedtoineachlicense,thelicenseemakestheITPrequirementsalicensecommitmentwithouthavingtodoanamendmenttothelicenseitself.

SecurityExecutiveAgentDirective(SEAD)3*InDecember2016,theOfficeoftheDirectorofNationalIntelligence(ODNI)issuedSEAD3,"ReportingRequirementsforPersonnelwithAccesstoClassifiedInformationorWhoHoldaSensitivePosition,"toexecutivebranchagenciesandcoveredindividuals;theseindividualsincludeNRCemployees,contractors,licensees,licensees'contractors,andotherindividualssuchasmembersoftheNuclearEnergyInstitutewhomNRChasgrantednationalsecurityclearances.

• SEAD3definescoveredindividualsas:-certainpersonswhoperformworkonbehalfoftheexecutivebranchandhavebeengrantedaccesstoclassifiedinformationorholdsensitivepositions;-certainpersonswhoperformworkonbehalfofaState,local,Tribe,orprivatesectorentityandhavebeengrantedaccesstoclassifiedinformationorholdsensitivepositions;and-certainpersonsworkinginorforthelegislativeorjudicialbranchesandhavebeengrantedaccesstoclassifiedinformationandtheinvestigationordeterminationhasbeenconductedbytheexecutivebranch.

SEAD3*SEAD3wastobeeffectiveonJune12,2017.TheNRCrequestedanextensiontotherequirementsuntilJune12,2018.*SEAD3requiresreportingof19newdataelementsconsistentwiththeStandardForm 86,"QuestionnaireforNationalSecurityPositions,"whichapplicantsandclearanceholderscompleteduringtheinitialandperiodicreinvestigationprocesses,respectively.However,SEAD3nowrequirestheseelementstobereportedpriortoparticipationinsuchactivitiesorotherwiseassoonaspossiblefollowingthestartoftheirinvolvement.

SEAD3*Mostnotably,SEAD3requirescoveredindividualstoobtainprioragencyapprovalbeforeconductingunofficialforeigntravel.*Thestaffbenchmarked10otherFederalagenciestounderstandthedifferentimplementationapproachesacrosstheGovernment.-Thestaff'sbenchmarkingeffortsconcludedthatotherFederalagenciesapplySEAD3toallclearedstaffandcontractors,andinsomecasestoothersdeemedtobeinsensitivepositions.

-Generally,otherFederalagenciesrequirepretravelapprovalfortraveltocountriesthatdonotresideonanagencydevelopedapproveddestinationcountrylist.-Additionally,someotherFederalagenciesdisapprovetraveltodestinationcountriesonanagencydevelopedthreatcountrylist.-NoagenciesareallowingcoveredindividualstotravelwithoutpretravelapprovalexceptasnotedinSEAD3,suchastraveltoU.S.territoriesorshortnoticeemergenttravel.

SEAD3,Element1-UnofficialForeignTravelReporting*Completeitinerary*Datesoftravel*Modeoftransportationandidentificationofcarriers*Passportdata*Namesandassociation(business,friend,relative,etc.)offoreignnationaltravelingcompanions

• Plannedcontactswithforeigngovernments,companies,orcitizensduringforeigntravelandreasonforcontact(business,friend,relative,etc.)*Unplannedcontactswithforeigngovernments,companies,orcitizensduringforeigntravelandreasonforcontact(posttravelreporting)

• Name,address,telephonenumber,andrelationshipofemergencypointofcontact*Unusualorsuspiciousoccurrencesduringtravel,includingthoseofpossiblesecurityorcounterintelligencesignificance(posttravelreporting)

• Anyforeignlegalorcustomsincidentsencountered(posttravelreporting)

SEAD3,Other18ReportingElements*Unofficialcontactwithaknownorsuspectedforeignintelligenceentity*Continuingassociationwithaknownforeignnational(s)orforeignnationalroommate(s)

• InvolvementinForeignBusiness*Foreignbankaccounts(new)*OwnershipofForeignProperty(new)*ForeignCitizenship(new)*Applicationforaforeignpassportoridentitycardfortravel(new)*Possessionofaforeignpassportoridentitycardfortravel(new)*Useofaforeignpassportoridentitycardfortravel*Votinginaforeignelection(new)*AdoptionofnonU.S.citizenchildren(new)*Attemptedelicitation,exploitation,blackmail,coercion,orenticementtoobtainclassifiedinformationorotherinformationspecificallyprohibitedbylawfromdisclosure(new)*MediaContacts*Arrests*Financialissuesandanomalies*Cohabitant(s)

• Marriage*Alcohol anddrugrelatedtreatment*NewtoPart25requirementsbutsimilartorequirementsalreadyinStandardForm86-timeframeforreportinghaschanged CurrentReportingRequirements under10CFRPart25*Arrests/charges/detentions

• Involvementincivilcourtactions*Changeinmaritalstatus(includinglegalseparation)

• Changeofname*Changeincohabitation

• Outsideemploymentthatcreatesaconflictofinterest*Foreignnationalcontactsincludingbusinessorpersonalcontacts*AnytraveltoforeigncountriesforwhichtheU.S.DepartmentofStatehasissuedatravelwarning*Enrollmentinadrugoralcoholtreatmentprogram*Changesinfinancialstatus(debtcollection,bankruptcy,foreclosure,federallyguaranteedloans,taxliens,orfailuretofileorpayFederalorStatetaxes)*Treatmentforemotional,mental,orpersonalitydisorders(exceptmarriage,grief,orfamilycounselingnotrelatedtoviolencebyyouorstrictlyrelatedtoadjustmentsfromserviceinamilitarycombatenvironment)

• TraveltoaforeigncountrywhereapassportotherthanaU.S.passportisusedtoenterorleavethecountry*Whileontravel,anyarrests,anddetentions,issueswithcustomsorlawenforcement,orconcernsthatyouwerebeingfollowedormonitoredwhileonofficialorunofficialforeigntravel ImplementationofSEAD3StaffproposedimplementationofSEAD3isconsistentwiththestaff'sproposedimplementationoftheNISPOMITPaspreviouslydiscussed:*TheNRCstaffarerecommendingtotheCommissionthatwepursuealicensecommitmentbyincorporatingtherequirementsintotheStandardPracticeProceduresPlaninaccordancewith10CFRPart95.*SEAD3requirementsplannedimplementationbyJune2018.Thestaffareseekinginputfromlicenseesthroughoutthisprocess.*BymodifyingtheSPPP,whichisalreadycommittedtoineachlicense,thelicenseemakestherequirementsalicensecommitmentwithouthavingtodoanamendmenttothelicenseitself.

FOCIQuestions*CommentfromIndustry:-FOCIprocessistooburdensome.

• NRC'sComment:-Weagree,pleasesendanemailtomeandletmeresearcheachparticularcase.Wemayhavesomemethodstonowaddresstheissue.-Darryl.Parsons@nrc.gov 10:00am-10:30amQuestionsandAnswers 10:30am-11:00amProposedSPPPLanguageandDiscussion NISPOMITPsuggestedlanguageforSPPPforpossessingfacilities Procedureshavebeendevelopedwhichestablishandmaintainaninsiderthreatprogramthatwillgather,integrate,andreportrelevantandavailableinformationindicativeofapotentialoractualinsiderthreatinaccordancewithDepartmentofDefense(DoD)5220.22 M,NationalIndustrialSecurityProgramOperatingManual(NISPOM)insiderthreatprogramrequirements.Theseproceduresincludeataminimum:(1)appointmentofaninsiderthreatprogramseniorofficial(ITPSO);(2)trainingforemployeescoveredundertheprogram;(3)annualself inspectionsoftheinsiderthreatprogram;(4)timelyreportingforanypotentialoractualinsiderthreat;and(5)useractivitymonitoringonanyclassifiedinformationsystem.

NISPOMITPsuggestedlanguageforSPPPfornon possessingfacilities Procedureshavebeendevelopedwhichestablishandmaintainaninsiderthreatprogramthatwillgather,integrate,andreportrelevantandavailableinformationindicativeofapotentialoractualinsiderthreatinaccordancewithDepartmentofDefense(DoD)5220.22 M,NationalIndustrialSecurityProgramOperatingManual(NISPOM)insiderthreatprogramrequirements.Theseproceduresincludeataminimum:(1)appointmentofaninsiderthreatprogramseniorofficial(ITPSO);(2)trainingforemployeescoveredundertheprogram;(3)annualself inspectionsoftheinsiderthreatprogram;and(4)timelyreportingforanypotentialoractualinsiderthreat.

SEAD3suggestedlanguageforSPPPforbothpossessingandnon possessingfacilitiesProcedureshavebeendevelopedforindividualswhohaveaccesstoclassifiedinformationorholdasensitivepositionwhichestablishandmaintainstandardizedreportingrequirementsinaccordancewiththe19elementsasrequiredbytheOfficeoftheDirectorofNationalIntelligence(ODNI)SecurityExecutiveAgentDirective3,"ReportingRequirementsforPersonnelwithAccesstoClassifiedInformationorWhoHoldaSensitivePosition,"datedDecember14,2016.

ExampleofwhattheStaffwillbelookingforduringSPPPReviewsReviewer'sChecklistforNonPossessorsSPPPDoesthelicenseecommittohavingproceduresthatestablishandmaintainaninsiderthreatprogramthatwillgather,integrate,andreportrelevantandavailableinformationindicativeofapotentialoractualinsiderthreatinaccordancewithDepartmentofDefense(DoD)5220.22 M,NationalIndustrialSecurityProgramOperatingManual(NISPOM)insiderthreatprogramrequirements?Dothelicensee'sinsiderthreatprogramprocedurescommittoaddressingtheappointmentofaninsiderthreatprogramseniorofficial(ITPSO)?Dothelicensee'sinsiderthreatprogramprocedurescommittotrainingforemployeescoveredundertheprogram?Dothelicensee'sinsiderthreatprogramprocedurescommittoannualself inspectionsoftheinsiderthreatprogram?Dothelicensee'sinsiderthreatprogramprocedurescommittotimelyreportingforanypotentialoractualinsiderthreat?DoesthelicenseecommittohavingproceduresforindividualswhohaveaccesstoclassifiedinformationorholdasensitivepositionwhichestablishandmaintainstandardizedreportingrequirementsinaccordancewiththeOfficeoftheDirectorofNationalIntelligence(ODNI)SecurityExecutiveAgentDirective3(SEAD3),"ReportingRequirementsforPersonnelwithAccesstoClassifiedInformationorWhoHoldaSensitivePosition,"datedDecember14,2016?Doesthelicenseeaddressthefactthatthereare19requireddataelementsforreportingunderSEAD3andthattheinformationundereachelementmusteitherbeselfreportedorreportedforothers?Seethetablebelowtoensurethe19dataelementsareacknowledgedandaddressedinlicenseeprocedures.

MeetingAdjournedTherewillbeasecondpublicmeetingonMarch12 th withafocusonansweringquestionsthathavebeenidentifiedtoday.Thankyouforyourparticipation!