ML21188A053
Person / Time | |
---|---|
Issue date: | 09/15/2021 |
From: | NRC/NSIR/DSO/ISB |
To: | |
DWH1 | |
References | |
DRAFT SUPPORTING STATEMENT FOR NRC INSIDER THREAT PROGRAM FOR LICENSEES AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION (3150-XXXX)
NEW
Description of the Information Collection
On October 7, 2011, the President issued Executive Order (EO) 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information. In November 2012, following an extensive interagency coordination and vetting process, the President issued the National Insider Threat Policy and the Minimum Standards (NITPMS). Executive Order 12968, Access to Classified Information, contains the requirements for access to classified information. EO 13587 mandated that an insider threat program (ITP) be implemented for all Executive branch departments and agencies that access classified information. The NITPMS states: "Consistent with Executive Orders 13587 and 12968, this policy is applicable to all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the federal government); and all classified information on those networks."
On May 18, 2016, the Department of Defense (DoD), acting as the Executive Agent for the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M), issued NISPOM Change 2. This changed the NISPOM to require that federal agencies that provide classified information to contractors, as defined in the NISPOM, develop and maintain an ITP. The scope of affected NRC licensees covers 28 entities with NRC facility clearances that hold approximately 1100 NRC-issued personnel security clearances.
Licensees under the new ITP requirements fall within two categories: those who possess, use, or transmit classified matter at their site or a cleared contractor site, and those licensees or cleared contractors who only need access to classified matter at a government or appropriately cleared non-government site. The NISPOM contains the requirements as to what information is reportable and what records are required to be kept and maintained. Some collection requirements are recurring.
Some reports or applications are required only when specific events occur; an update to key personnel positions identified in the NISPOM, or a report of loss of classified information, would be an event-triggered cost. Periodic training and other recordkeeping requirements that are necessary for checking the licensees' and contractors' procedures for maintaining acceptable security education, facility, and classification/declassification programs are examples of recurring costs.
A. JUSTIFICATION
- 1. Need For and Practical Utility of the Collection of Information
The scope of EO 13587 applies to all entities, government and private sector, that access classified information as defined in the Atomic Energy Act of 1954 (AEA), as amended, or Executive Order 13526, Classified National Security Information. The NRC has determined that licensees and their cleared contractors fall within the scope of the NISPOM, leaving the NRC no discretion with respect to imposing the NISPOM ITP requirements upon licensees and their cleared contractors who access classified information.
The information collected is required to demonstrate that ITP requirements have been implemented and maintained by entities who access classified information for which the NRC is the Cognizant Security Agency (CSA) as defined in the NISPOM.
While EO 13587 is an element of determining the suitability of an entity to access classified information, Title 10 of the Code of Federal Regulations Part 95 (10 CFR 95) defines the scope of those to whom the NRC grants access to classified information. The respondents of this collection fall into two groups. The first group consists of licensees and their cleared contractors who require access to classified information as a condition of their license. This group is comprised of fuel cycle licensees using technology that is determined to be Restricted Data as defined in the AEA. The second group is made up of licensees who do not require access to classified information as a condition of their license but for whom the Commission determined it was in the best interest of common defense and security to allow limited access to classified information under EO 13526. The Commission extended the invitation to apply for access to classified information under 10 CFR 95. Acceptance is voluntary.
However, if the invitation is accepted, the invitee is bound by all the requirements necessary to establish and maintain access, including the ITP. Invitees remain free to surrender their access to classified information at any time with no effect upon their license.
- 2. Agency Use of Information
As the CSA for its licensees and their cleared contractors, the NRC has assigned responsibilities. The NRC will use this information to monitor ITP performance by its licensees and cleared contractors and to demonstrate the agency is fulfilling its responsibilities under the NISPOM.
- 3. Reduction of Burden Through Information Technology
The NRC has issued Guidance for Electronic Submissions to the NRC, which provides direction for the electronic transmission and submittal of documents to the NRC. Electronic transmission and submittal of documents can be accomplished via the following avenues: the Electronic Information Exchange (EIE) process, which is available from the NRC's Electronic Submittals Web page; by Optical Storage Media (OSM) (e.g., CD-ROM, DVD); by facsimile; or by e-mail. It is estimated that once established, approximately 80% of the responses will be filed electronically.
- 4. Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of requirements.
- 5. Effort to Reduce Small Business Burden
Currently, no licensees subject to ITP requirements qualify as a small business.
The requirements to access classified information under the ITP are based on statutes or Executive Orders that must be complied with regardless of the size of the business.
- 6. Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently
Failure to collect the information, or collecting the information less frequently, would prevent the NRC from fulfilling its responsibility as a CSA under the NISPOM. The information collected is necessary to verify that ITP program requirements have been properly implemented and are being maintained.
- 7. Circumstances Which Justify Variation from OMB Guidelines
Information reporting requirements are set forth in the NISPOM and the NRC has no discretion in their implementation. The NRC will not collect information more frequently than the NISPOM requires.
- 8. Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this clearance package has been published in the Federal Register.
- 9. Payment or Gift to Respondents
Not applicable.
- 10. Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 95, Section 9.17(a) and 10 CFR 2.390(b).
However, no information normally considered confidential or proprietary is requested.
- 11. Justification for Sensitive Questions
There is no Privacy Act concern as the information collected is not retrieved using personally identifiable information.
- 12. Estimated Burden and Burden Hour Cost
The NRC estimates that there are 28 respondents and 71 responses to the information collection in the ITP. The annual reporting burden is 2,630 hours and the recordkeeping burden is 1,198 hours, for a total of 3,828 burden hours for the collection. It should be noted that 679 of the reporting hours capture the burden for program implementation. However, each time a new Insider Threat Program Senior Official (ITPSO) is assigned, the burden associated with assigning or training them will be incurred. In the future, that burden will decrease, but since the ITP is a new program, the NRC has no estimate of what the ITPSO turnover rate will be. The following table summarizes respondent burden, responses, and cost at $288/hr. Details of reporting and recordkeeping burden and cost estimates to the respondents, broken down by requirement, are reflected in Tables 1 and 2.

| | Responses | Hours | Cost at $288/hr. |
|---|---|---|---|
| Reporting | 71 | 2630 | $757,440 |
| Recordkeeping | 28 | 1198 | $345,024 |
| Total | 99 | 3828 | $1,102,464 |

Records must be available for NRC review upon demand for such purposes as required inspections.
It should be noted that burden is not uniformly distributed across the twenty-eight respondents. The bulk of the burden is driven by two factors: the number of cleared personnel a respondent has and whether or not the respondent operates classified information systems. Three respondents account for 865 of 1106 NRC-cleared personnel coming under the program. Only three of the twenty-eight respondents operate classified information systems.
The $288 hourly rate used in the burden estimates is based on the Nuclear Regulatory Commission's fee for hourly rates as noted in 10 CFR 170.20, "Average cost per professional staff-hour." For more information on the basis of this rate, see the Revision of Fee Schedules; Fee Recovery for Fiscal Year 2021 (86 FR 32146, June 16, 2021).
- 13. Estimate of Other Additional Costs
None.
- 14. Estimated Annualized Cost to the Federal Government
The staff has developed estimates of annualized costs to the Federal Government related to the conduct of this collection of information. These estimates are based on staff experience and subject matter expertise and include the burden needed to review, analyze, and process the collected information and any relevant operational expenses.
Total Annual cost - professional effort (100 hrs x $288/hr.) = $28,800
- 15. Reasons for Change in Burden or Cost
This is a new clearance.
- 16. Publication for Statistical Use
There is no application of statistics in the information collected. There is no publication of this information.
- 17. Reason for Not Displaying the Expiration Date
There are no forms currently required for the ITP.
- 18. Exceptions to the Certification Statement
There are no exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Statistical methods are not used in this collection of information.
TABLE 1 INSIDER THREAT PROGRAM ESTIMATE (REPORTING)

| Section | Requirement | No. of Respondents 2021 | Responses Per Respondent 2021 | No. of Responses 2021 | Burden Per Response 2021 (Hours) | Total Annual Burden Hrs 2021 |
|---|---|---|---|---|---|---|
| DoD 5220.22-M, (NISPOM), 1-202.b | Establish program including formal appointment and training by the licensee of an ITP senior official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 28 | 1 | 28 | 24.25 | 679 |
| DoD 5220.22-M, (NISPOM), 1-207.b | Annual licensee self-review including self-inspection of the ITP. | 28 | 1 | 28 | 16 | 448 |
| DoD 5220.22-M, (NISPOM), 1-300 | Requirements to report to the NRC any detection of an insider threat to the licensee | 28 | .1 | 3 | 1 | 3 |
| DoD 5220.22-M, (NISPOM), 8-100.d | Monitor user activity on classified IS | 3 | 4 | 12 | 125 | 1500 |
| Totals | | 28 | | 71 | | 2630 |

TABLE 2 INSIDER THREAT PROGRAM ESTIMATE (RECORDKEEPING)

| Section | Requirement/Record Retention | No. of Recordkeepers 2021 | Annual Hours Per Recordkeeper 2021 | Total Annual Recordkeeping Hours 2021 |
|---|---|---|---|---|
| DoD 5220.22-M, (NISPOM), 1-202.b | Formal appointment by the licensee of an ITP senior official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 28 | 10 | 280 |
| DoD 5220.22-M, (NISPOM), 1-207.b | Annual licensee self-review including self-inspection of the ITP. | 28 | 16 | 448 |
| DoD 5220.22-M, (NISPOM), 3-103.c | Maintain ITP Training Records | 28 | 2 | 280 |
| DoD 5220.22-M, (NISPOM), 1-300 | Requirements to report to the NRC any detection of an insider threat to the licensee | 28 | 3 | 84 |
| DoD 5220.22-M, (NISPOM), 8-100.d | Monitor user activity on classified information systems | 3 | 110 | 330 |
| Totals | | 28 | 141 | 1198 |

DESCRIPTION OF INFORMATION COLLECTION REQUIREMENTS CONTAINED IN NRC INSIDER THREAT PROGRAM FOR LICENSEES AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION 3150-XXXX
DoD 5220.22-M, (NISPOM), Section 1-202.b: This section requires an entity under an ITP to appoint, train, and report the assignment of an Insider Threat Senior Program Manager. This is a new requirement since the last OMB Information Collection.
DoD 5220.22-M, (NISPOM), Section 1-207.b: This section requires an entity under the ITP to perform an annual self-assessment/inspection and report it to the NRC.
DoD 5220.22-M, (NISPOM), 3-103.b: This section requires initial and annual insider threat awareness training for all persons with access to classified information.
DoD 5220.22-M, (NISPOM), 3-103.c: This section specifies the records retention requirements for the ITP.
DoD 5220.22-M, (NISPOM), 1-300: This section requires an entity under an ITP to report suspicious activity indicating a possible insider threat to the NRC.
DoD 5220.22-M, (NISPOM), 8-100.d: This section requires an entity with classified information systems to continuously monitor those systems to detect potential activity indicating an insider threat.