Text

NRC INSPECTION MANUAL NSIR/DSO INSPECTION MANUAL CHAPTER 2201 APPENDIX A SECURITY BASELINE INSPECTION PROGRAM Effective Date: 08/01/2020 2201A-01 PURPOSE This baseline inspection program is part of the U.S. Nuclear Regulatory Commissions (NRC) security inspection program to assess the security performance of operating nuclear power reactor licensees subject to the requirements of Title 10 of the Code of Federal Regulations (10 CFR) Part 73, 10 CFR Part 26, and NRC imposed requirements, such as orders.

2201A-02 OBJECTIVES The objectives of the security baseline inspection program are:

a. To gather sufficient, factual inspection information to determine whether a licensee is meeting the objective of the security cornerstone, which is to provide assurance that the licensees security programs and protective strategy can protect against the design basis threat of radiological sabotage consistent with the general performance objective of 10 CFR 73.55(b); and that the licensees material control and accounting (MC&A) program includes processes for the control and accountability of special nuclear material to include the identification and notification of theft or loss consistent with 10 CFR Part 74.

b. To determine the licensees ability to identify, assess the significance of, and effectively correct security issues commensurate with the significance of the issue.

c. To verify the accuracy and completeness of performance indicator (PI) data used in conjunction with inspection findings to assess the security performance of power reactor licensees.

d. To provide a mechanism for the NRC to remain cognizant of security status and conditions.

e. To identify those significant issues that may have generic applicability or cross-cutting applicability to the safe and secure operation of licensee facilities subject to the requirements of 10 CFR Part 73.

Issue Date: 07/23/20 1 2201 Appendix A

2201A-03 APPLICABILITY This inspection manual chapter (IMC) appendix is applicable to all operating commercial power reactor licensees that possess a license under 10 CFR Part 50 or 10 CFR Part 52. The program requirements identified within this document apply to all NRC offices and personnel who are tasked with the inspection and oversight of security performance through the NRCs Reactor Oversight Process (ROP) at nuclear power reactors licensed by the NRC.

2201A-04 SCOPE Security baseline inspections provide a sufficient examination of licensee activities in order to monitor licensee performance and to meet the objectives identified above and to assure that licensees security programs are meeting the objectives of the security cornerstone of the ROP.

2201A-05 RESOURCES The baseline inspection procedures (IPs) and their attachments define the effort and requirements necessary to obtain an adequate assessment of an inspectable area. For resource planning purposes, each baseline IP attachment includes an estimate of the average inspection hours necessary to complete the procedure. These estimates are not goals, standards, or limitations; rather, they are included to assist in planning resource allocations, and will be revised periodically, based on insights gained through the implementation of inspection activity. It is expected that the actual hours required to complete an individual IP at a particular plant will vary from the estimate. See IMC 2515, Light-Water Reactor Inspection Program-Operations Phase, and IMC 2201, Security Inspection Program for Commercial Nuclear Power Reactors, Section 08.02 for additional discussion.

The Office of Nuclear Security and Incident Response provide the regional offices with a band of expected effort (approximately +/- 10 percent) for each baseline IP per site as a process control. Regional management is expected to review those situations when inspection effort falls outside of the control bands for possible programmatic insights and recommended changes to the program.

2201A-06 PHILOSOPHY OF THE SECURITY BASELINE INSPECTION PROGRAM The security baseline inspection program provides indication of licensee performance with respect to the implementation of security programs and MC&A processes. The program was developed utilizing risk insights, lessons learned, and a risk-informed approach, where applicable, to determine a comprehensive list of areas to inspect within the security cornerstone of the ROP (see IMCs 2515, 2201, and 0305, Operating Reactor Assessment Program, for additional discussion). The assessment of plant performance relies on information provided by PIs and inspections.

Issue Date: 07/23/20 2 2201 Appendix A

2201A-07 DESCRIPTION OF SECURITY BASELINE INSPECTION PROGRAM The security baseline inspection program is currently comprised of three parts: inspection of inspectable areas, verification of PI data, and problem identification and resolution.

2201A-08 ASSESSING INSPECTION FINDINGS The baseline security significance determination process described in IMC 0609, Appendix E, Security Significance Determination Process, is used for determining the security significance of inspection findings and security-related events. The enforcement process, as defined in the NRC Enforcement Manual, is also applicable to security-related findings.

The significance of security inspection findings will be described in inspection reports and their cover letters, as specified in IMC 0611, Power Reactor Inspection Reports, and Exhibit 4. The findings (a redacted description) will also be entered into the Replacement Reactor Program System for tracking, and entered into the Plant Issues Matrix (PIM). This redacted description will not become available to the public through the ROP public website, but will be available to internal NRC users. The existence of a security finding will be displayed on the public website, but will only be characterized as either green or greater-than-green. Inspectors should still provide the specific significance of a finding when making a PIM entry, but the public Website will generically display all greater-than-green findings in blue, to withhold the specific significance. In accordance with current agency policy, no other information or details related to security findings will be displayed on the public website. Safeguards information (SGI) will not be entered into the PIM. For findings where a full description would require disclosure of SGI, the issue should be described broadly in the PIM at the sensitive, unclassified, non-safeguards information (SUNSI) security-related information level and not include SGI.

2201A-09 DOCUMENTING INSPECTIONS The purpose of reporting the results of inspections is to document the scope of inspections and any substantive findings in support of the assessment process. Inspections will be documented in accordance with the guidance and requirements in IMC 0611. Security designation requirements will be adhered to for all inspection reports, temporary instructions, orders, etc.,

that contain or have the potential to contain, SGI. These documents shall be marked and controlled in accordance with NRCs Management Directive, Volume 12, Security. If the document does not contain SGI, but does contain security-related information about a specific site or event, then the document will be designated as Official Use Only - Security-Related Information in accordance with the agencys SUNSI policy. The NRCs SUNSI policy can be found at the following website address. http://www.internal.nrc.gov/ois/divisions/irsd/sunsi/

Issue Date: 07/23/20 3 2201 Appendix A

2201A-10 INSPECTION PLANNING

a. Annual Inspection Planning.

See Attachment 2 to this appendix and IMCs 2201 and 2515 for additional guidance.

b. Resident Inspector Utilization.

See IMCs 2201 and 2515 for additional information.

c. Region-Based Inspection Planning.

See IMCs 2201and 2515 for additional information.

d. Level of effort.

See IMCs 2201 and 2515 for additional information.

e. Adjustments.

See IMCs 2201 and 2515 for additional information.

f. Completion status.

See IMCs 2201and 2515 for additional information.

END Attachments:

1. Inspectable Area Table

2. Resource Estimate Table

3. Revision History for IMC 2201, Appendix A Issue Date: 07/23/20 4 2201 Appendix A

ATTACHMENT 1 INSPECTABLE AREAS WITHIN THE SECURITY CORNERSTONE The baseline inspection program requires the inspectable areas below be reviewed at each NRC-licensed operating power reactor site. The inspectable areas verify aspects of key attributes of the security cornerstone in the safeguards strategic performance area.

Inspectable Area (note 1)

Access Authorization Program Access Control Program Contingency Response - Force-on-Force Testing Equipment Performance, Testing, and Maintenance Protective Strategy Evaluation Protection of Safeguards Information Security Training Security Plan Changes Fitness-For-Duty Program Cyber Security **

Material Control and Accounting Target Set Review Note 1: Temporary instructions will be utilized, as required, to supplant and/or augment the baseline inspection program.

• • This inspectable area attachment has not been developed.

Issue Date: 07/23/20 Att1-1 2201 Appendix A

ATTACHMENT 2 BASELINE INSPECTION PROCEDURES AND ESTIMATED RESOURCES Inspection Annualized Procedure Security for Power Reactors - Specific11 Estimated No. (Title) Freq.2 Resources3 71130.01 Access Authorization T 8 71130.02 Access Control A 28 71130.03 Contingency Response - Force-on-Force Testing T 131 71130.04 Equipment Performance, Testing, and Maintenance B 18 71130.05 Protective Strategy Evaluation T 30 71130.06 Protection of Safeguards Information AN 0 71130.07 Security Training B 14 71130.08 Fitness-For-Duty Program T 8 71130.09 Security Plan Changes A 8 71130.10 Cyber Security TBD TBD 71130.11 Material Control and Accounting T 4 71130.14 Review of Power Reactor Target Sets T 3 Security/Safeguards (Specific) Baseline Sub-Total4 252 Inspection Annualized Procedure Security - Coordinated Estimated No. (Title) Freq. Resources3 71151 Performance Indicator Verification A 4 71152 Problem Identification and Resolution A/B 23 Follow-up of Events and Notices of Enforcement 71153 Discretion AN 7 Security/Safeguards (Coordinated) Baseline Sub-Total 34 Security Cornerstone Baseline Inspection-Annualized Grand Total4 286 hours0.00331 days <br />0.0794 hours <br />4.728836e-4 weeks <br />1.08823e-4 months <br /> 1 Inspection budget funded by NSIR.

2 A = Annual, B = Biennial, T = Triennial, Q = Quadrennial, AN = As Needed. See IMC 2201 for definitions.

3 Direct inspection effort (hours), based on conducting the nominal range of inspection requirements within the inspectable area.

4 Total does not include resident inspector plant status activities that are not considered direct inspection effort.

Inspection budget allocation for these inspections will be funded by the Office of Nuclear Reactor Regulation .

Issue Date: 07/23/20 Att2-1 2201 Appendix A

ATTACHMENT 3 - Revision History for IMC 2201, Appendix A Commitment Accession Description of Change Description of Training Comment Tracking Number Required and Resolution and Number Issue Date Completion Date Closed Feedback Change Notice Accession Number (Pre-Decisional, Non-Public Information)

N/A 02/19/04 Initial issuance. None N/A CN 04-007 N/A ML073470672 This document is revised to reflect the removal of None ML073530003 01/10/08 IP 71130.06 from the Security Baseline Inspection CN 08-001 Program.

N/A ML081440350 This document was revised to remove references None ML091380054 09/08/09 to programs other than operating power reactors CN 09-021 and to update program resource estimates.

N/A ML093421276 This document has been revised to address the None ML093421291 01/12/10 changes to 10 CFR Part 73 that resulted from a CN 10-002 rulemaking; and in accordance with the ROP realignment process.

N/A ML100340615 Effective date changed to 04/01/10. None N/A 02/24/10 CN 10-007 N/A ML120930211 This document was revised to reflect reintegration None ML12132A340 06/13/12 of the security cornerstone into the ROP Action CN 12-009 Matrix, and suspension of IMC 0320.

N/A ML13234A525 This document has been revised to incorporate None Ml15209A579 09/22/15 minor administrative changes along with revisions CN 15-017 to resource allocations that reflect current program resource implementation.

Issue Date: 07/23/20 Att3-1 2201 Appendix A

Commitment Accession Description of Change Description of Training Comment Tracking Number Required and Resolution and Number Issue Date Completion Date Closed Feedback Change Notice Accession Number (Pre-Decisional, Non-Public Information)

N/A ML16294A078 This document has been revised to reflect the None ML16294A081 11/09/16 resource estimate associated with the conduct of CN 16-029 the nominal range of inspection requirements in each inspectable area.

N/A ML17306A093 This document was reviewed and updated in N/A ML17306A094 09/11/18 response to Staff Requirements - SECY 16-0073 CN 18-031 (Options and Recommendations for the Force-On-Force Inspection Program) and the March 2017 Assessment Team (Regions and HQ) review for redundancies and efficiencies of the 71130 series IPs for power reactors. Specifically, this document has been revised to incorporate minor administrative changes along with revisions to resource allocations that reflect current program resource implementation. Additionally, during this revision, a complete SUNSI review was conducted in which the staff concluded that this document should be de-controlled. Consistent with the staffs SUNSI determination, the SUNSI markings of this document have been removed.

N/A ML20128J859 This document was changed to add None N/A 07/23/20 Inspection Procedure 71130.09 Security CN 20-034 Plan Changes.

Issue Date: 07/23/20 Att3-2 2201 Appendix A