ML23030A576
Issue date: 10/30/2024
From: Office of Nuclear Material Safety and Safeguards
References: 10 CFR Part 73, 10 CFR Part 53, NRC-2019-0062, RIN 3150-AK31
DRAFT SUPPORTING STATEMENT FOR INFORMATION COLLECTIONS CONTAINED IN THE RISK-INFORMED, TECHNOLOGY-INCLUSIVE REGULATORY FRAMEWORK FOR ADVANCED REACTORS PROPOSED RULE
10 CFR PART 73 PHYSICAL PROTECTION OF PLANTS AND MATERIALS
3150-0002
REVISION
DESCRIPTION OF INFORMATION COLLECTION
The U.S. Nuclear Regulatory Commission (NRC) is proposing to establish an optional technology-inclusive regulatory framework for use by applicants for new commercial nuclear plant designs. The regulatory requirements developed in this rulemaking would use methods of evaluation, including risk-informed and performance-based methods, that are flexible and practicable for application to a variety of new reactor technologies. The NRC's goals in amending these regulations are to continue to provide reasonable assurance of adequate protection of public health and safety and the common defense and security at reactor sites at which new nuclear reactor designs are deployed to at least the same degree of protection as required for current-generation light-water reactors; protect health and minimize danger to life or property to at least the same degree of protection as required for current-generation light-water reactors; provide greater operational flexibilities where supported by enhanced margins of safety that may be provided in new nuclear designs; and promote regulatory stability, predictability, and clarity.
The proposed rule covers a wide range of topics, including the following that would result in recordkeeping and reporting requirements:
- Physical security,
- Cybersecurity,
- Access authorization,
- Plant design and analysis,
- Siting,
- Construction and manufacturing,
- Facility operations,
- Programs,
- Staffing,
- Decommissioning,
- Content of applications,
- Licensing basis information, and
- Quality assurance.
This supporting statement describes how the proposed rule would impact the information collections in 10 CFR Part 73 (3150-0002). In assuring the physical protection of licensed activities against radiological sabotage, Part 53 applicants and licensees may elect to implement a physical protection program under proposed 10 CFR 73.100, which offers a performance-based approach to physical security, as an alternative to the prescriptive requirements and performance criteria to which Part 50 and 52 licensees are subject under the current 10 CFR 73.55. If a Part 53 licensee chooses to comply with the requirements of 10 CFR 73.100 rather than 10 CFR 73.55, proposed 10 CFR 73.100 would require licensees to develop a physical security plan, training and qualification plan, safeguards contingency plan, and cybersecurity plan (the security plans), conduct performance reviews and audits, implement corrective actions as necessary, and maintain records related to program implementation for inspection.
Proposed 10 CFR 73.110 outlines additional requirements for the development of a cybersecurity program using a consequence-based approach. Under this proposed requirement, licensees would develop and maintain written policies, implementing procedures, and supporting technical information, which would be subject to NRC inspection. In amended 10 CFR 73.77, the NRC would add new notification requirements to ensure that potentially adverse cyber events are escalated to senior management of the Part 53 facility, and to the NRC as necessary. These amendments would be applicable to Part 53 licensees, and not to licensees under Parts 50 or 52.
Finally, 10 CFR 73.120 would establish information collection requirements related to access authorization programs, including background checks of individuals who require unescorted access to the facility and reporting requirements for the behavioral observation program.
Accordingly, these proposed sections introduce information collection requirements for applicants and licensees that elect to implement these sections as an alternative to the physical security requirements under 10 CFR 73.55, the cybersecurity requirements under 10 CFR 73.54, and the access authorization requirements under 10 CFR 73.55, 73.56, and 73.57.
The supporting statements describing recordkeeping and reporting requirements in 10 CFR Part 53 (3150-XXXX), NRC Forms 893 and 894 (3150-XXXX), NRC Forms 366, 366A, and 366B (3150-0104), and NRC Form 361 (3150-0238) have been submitted under the respective clearances. Burden associated with 10 CFR Part 26 (3150-0146) and 10 CFR Part 50 (3150-0011) has been submitted under new clearances due to the recent submission of the Part 26 and Part 50 renewals.
Affected Entities
For the purposes of this supporting statement, the NRC staff estimates that there would be 0 respondents during the three-year period covered by this clearance (2025-2027).
The information collection requirements under proposed 10 CFR 73.100 would be triggered for all Part 53 licensees that intend to operate a commercial nuclear power plant prior to initial fuel load or the physical removal of any one of the independent mechanisms to prevent criticality required under 10 CFR 53.620(d)(1) for a fueled manufactured reactor. All Part 53 licensees would also be required to fulfill the information collection requirements associated with implementing a cybersecurity program under proposed 10 CFR 73.110. The holders of combined licenses and applicants for operating licenses under Part 53 would be subject to additional information collection requirements in connection with the access authorization program detailed in proposed 10 CFR 73.120. Under the proposed rule, 10 CFR 73.77 would also be amended to introduce information collection requirements for all Part 53 licensees upon the discovery of a cybersecurity event. Because the information collection requirements under proposed 10 CFR 73.100, 73.110, 73.120, and 73.77 would apply to licensed facilities, and no facilities are expected to be licensed during the clearance period, no entities would incur burden during the clearance period (2025-2027).
Information Collections
The Part 73 information collections that would be imposed by the proposed rule are identified below by rulemaking topic. A more detailed description of the proposed rule changes is provided at the end of this supporting statement in Description of Information Collection Requirements.
- Information about cyber events. Reports of events having adverse consequences, or potentially adverse consequences, on the digital assets used to prevent fission product release and perform physical security functions.
- Information about the physical security program. Documents including a physical security plan, training and qualification plan, safeguards contingency plan, and cybersecurity plan, and processes and procedures for implementing and evaluating these programs.
- Information about the cybersecurity program. Documents including written policies, implementing procedures, and supporting technical information, as well as program reviews.
- Information related to the access authorization program. Background investigations, signed consent forms, information connected to the behavioral observation program, self-reports of legal actions, access authorization lists, written notifications of unfavorable termination and denial of unescorted access, access authorization program reviews, and processes and procedures for determining trustworthiness for access determinations.
A. JUSTIFICATION
- 1. Need for the Collection of Information
The reporting and recordkeeping requirements in Part 73 are necessary for one or more of the following reasons:
- Information describing the content and planned operation of the licensee's physical protection system (e.g., cyber security plan, physical security plan, safeguards contingency plan, or training and qualification plan) is essential to enable the NRC to make a determination about the adequacy of the licensee's planned system in meeting regulatory requirements.
- Information describing the normal operation of the physical protection system (e.g., access authorizations) is needed to permit the NRC to make a determination as to reasonable assurance that the physical protection system operates in accordance with the regulatory requirements.
- 2. Agency Use and Practical Utility of Information
Applicants or licensees requesting approval to construct or operate commercial nuclear plants are required by the Atomic Energy Act of 1954, as amended (the Act), to provide information and data that the NRC may determine necessary to ensure the health and safety of the public.
The proposed rule would require licensees to maintain records related to the cybersecurity, physical security, and access authorization programs. Records related to the cybersecurity and physical security programs must be maintained until the Commission terminates the license for which the records were developed, and superseded portions of these records must be maintained for at least three years after the record is superseded, unless otherwise specified by the Commission. Additionally, review and audit reports for the physical security program and, if any contracts exist to implement the program, the written agreement with the contractor, must be maintained for the duration specified in Section 73.100(j), as discussed in Description of Information Collection Requirements. Records related to the access authorization program must also be maintained for the duration specified in Section 73.120(c)(10), as discussed in Description of Information Collection Requirements. Furthermore, licensees must report the suspension of security measures to the Commission.
This information would be used by the NRC to assess the adequacy of the licensee's plans to protect computer and communication systems and networks against cyberattacks, protect the plant against physical attacks, and ensure that unauthorized persons do not have access to the commercial nuclear plant, and that authorized persons are trustworthy and reliable.
- 3. Reduction of Burden Through Information Technology
The NRC has issued Guidance for Electronic Submissions to the NRC, which provides direction for the electronic transmission and submittal of documents to the NRC. Electronic transmission and submittal of documents can be accomplished via the following avenues: the Electronic Information Exchange (EIE) process, which is available from the NRC's Electronic Submittals Web page; by Optical Storage Media (OSM) (e.g., CD-ROM, DVD); by facsimile; or by e-mail.
The proposed rule would not impact the proportion of documents submitted to the NRC electronically. The percentage of electronic submission remains unchanged at 90 percent.
- 4. Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of requirements.
- 5. Effort to Reduce Small Business Burden
The NRC is currently not aware of any known small entities as defined in 10 CFR 2.810 that are planning to apply for a commercial nuclear plant early site permit, construction permit, operating license, manufacturing license, or combined license under Part 53 that would be impacted by this proposed rule.
- 6. Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently
Physical Security
In 10 CFR 73.100, the NRC would require licensees to maintain records related to the physical security program and report to the Commission the suspension of security measures. If the information were not collected, or were collected less frequently, the NRC would not have reasonable assurance that facilities are protecting health and safety or the common defense and security.
Cybersecurity
Revisions to 10 CFR 73.77 would require Part 53 licensees to notify the NRC Headquarters Operations Center via the Emergency Notification System upon the discovery of cyber events with adverse, or potentially adverse, effects on the digital assets that perform important safety functions at the facility. Additionally, 10 CFR 73.110 would require licensees to maintain records related to the cybersecurity program. If the information were not collected, or collected less frequently, the NRC would not have reasonable assurance that facilities are protected from cyberattacks.
Access Authorization
In 10 CFR 73.120, the NRC would require licensees to maintain records related to the access authorization program. If the information were not collected, or collected less frequently, the NRC would not have reasonable assurance that facilities are ensuring only trustworthy and reliable, authorized persons have access to the commercial nuclear plant.
- 7. Circumstances which Justify Variations from OMB Guidelines
Three requirements would vary from the OMB provisions described in 5 CFR 1320.5(d)(2)(i) by requiring licensees and other entities to report information more than quarterly. These requirements, described below, would ensure that the NRC receives information in a timely manner so that it can assess and respond to the situation as needed:
- 10 CFR 73.77(a)(1) would require a Part 53 licensee to notify the NRC Headquarters Operations Center via the Emergency Notification System (ENS) within one hour of discovering a cyberattack that adversely impacted safety, security, or emergency preparedness functions, support systems and equipment, or functions performed by digital assets to prevent a postulated fission product release or fulfill physical security requirements.
- 10 CFR 73.77(a)(2) would require a Part 53 licensee to notify the NRC Headquarters Operations Center via the ENS within four hours of discovering a cyberattack that could have adversely impacted safety, security, or emergency preparedness functions, support systems and equipment, or functions performed by digital assets to prevent a postulated fission product release or fulfill physical security requirements. It would also require Part 53 licensees to submit a notification via the ENS within four hours of discovering a suspected or actual cyberattack by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of 10 CFR 73.54 or 10 CFR 73.110.
- 10 CFR 73.77(a)(3) would require a Part 53 licensee to notify the NRC Headquarters Operations Center via the ENS within eight hours of receiving or collecting information that may indicate intelligence gathering or pre-operational planning related to a cyberattack.
Four requirements would vary from the OMB provisions described in 5 CFR 1320.5(d)(2)(iv) by requiring licensees and other entities to retain records for more than three years. These requirements, described below, would ensure the availability of records for inspection, oversight, and regulatory proceedings:
- 10 CFR 73.100(j)(2) would require a Part 53 licensee to maintain all records that are required to be kept in accordance with Commission regulations, orders, or license conditions, until the Commission terminates the license for which the records were developed, and maintain superseded portions of these records for three years after the record is superseded, unless otherwise specified by the Commission.
- 10 CFR 73.100(j)(3) would require a Part 53 licensee that elects to implement the onsite physical protection program through the use of a contracted security force to retain a written agreement for the duration of the contract, which may exceed three years.
- 10 CFR 73.110(e)(5) would require Part 53 licensees to retain all records and supporting technical documentation required to demonstrate compliance with the requirements of 10 CFR 73.110 until license termination, and maintain portions of superseded records for three years afterward, unless otherwise specified by the Commission.
- 10 CFR 73.120(c)(10) would require documents regarding the trustworthiness and reliability of individual employees to be retained for three years from the date the individual no longer requires unescorted access. It would also require Part 53 licensees to retain access authorization program procedures for three years after the procedure is no longer needed and for superseded material to be retained for three years after it has been superseded. Finally, it would require Part 53 licensees to retain a list of persons approved for unescorted access for three years after the list is superseded or replaced.
One requirement would vary from the OMB provisions described in 5 CFR 1320.5(d)(2)(ii) by requiring licensees and other entities to prepare a written response to a collection of information in fewer than 30 days after receipt:
- 10 CFR 73.77(b) would require Part 53 licensees to record vulnerabilities, weaknesses, failures, and deficiencies associated with their cybersecurity program in their site corrective action program within twenty-four hours of discovery. This requirement would ensure that program issues are immediately incorporated into and addressed through the corrective action program.
- 8. Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this clearance package has been published in the Federal Register.
- 9. Payment or Gift to Respondents
Not applicable.
- 10. Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17(a) and 10 CFR 2.390(b). However, no information normally considered confidential or proprietary is requested.
Certain information designated as Safeguards Information is prohibited from public disclosure in accordance with the provisions of the Atomic Energy Act of 1954, as amended, Chapter 12, Section 147, or designated as classified National Security Information, in accordance with Executive Order 12958.
- 11. Justification for Sensitive Questions
Trade secrets, privileged, or confidential commercial or financial information is marked as proprietary information and is protected in accordance with NRC regulations in 10 CFR 9.17(a) and 10 CFR 2.390(b).
Certain information, designated as Safeguards Information (SGI), is prohibited from public disclosure in accordance with the provisions of the Atomic Energy Act of 1954, as amended, pursuant to Chapter 12, Section 147, or is designated as classified National Security Information, in accordance with Executive Order 12958, Classified National Security Information, dated April 17, 1995.
For criminal history checks, the NRC collects fingerprints, either on hardcopy cards or electronically; digitizes fingerprints captured on cards; and passes the fingerprints electronically to the FBI. The FBI runs the fingerprints and provides the criminal history report to the NRC. The NRC passes this report on to the licensee without retaining a copy of it. This information collection is listed in the NRC's Privacy Act of 1974; Republication of Systems of Records Notices, Volume 84 of the Federal Register, page 71536 (84 FR 71536, November 5, 2021), under the heading of NRC 39, Personnel Security Files and Associated Records. The NRC does not disclose or share the information with anyone, except when initially submitting fingerprints to the FBI and when passing on the FBI report to the licensee.
- 12. Estimated Burden and Burden Hour Cost
Detailed burden estimates are included in the supplemental burden Excel spreadsheet titled, Part 73 Burden Tables for the Part 53 Proposed Rule.
The NRC staff does not anticipate applicants or licensees would be affected by the Part 73 collections during the period of this clearance.
The overall estimated annual burden is 0 hours at an estimated annual cost of $0 (0 hours x $300/hour).
- 13. Estimate of Other Additional Costs
Additional costs remain unchanged at $553,289.
- 14. Estimated Annualized Cost to the Federal Government
Because the proposed rule's changes to Part 73 would not affect any entities during the 3-year period covered by this supporting statement, there is no annualized cost reduction for the NRC. However, once there are facilities licensed and operating under Part 53 there will be an increase in total burden and cost due to an increase in the number of respondents. The following table identifies the anticipated reduced burden hours per action for the NRC should future entities be affected by the proposed rule.
Annualized NRC Cost

| NRC Action | Rule Text Provision | No. Actions / Year | Burden Hours / Action | Total Hours | Total Cost |
|---|---|---|---|---|---|
| Review records | 73.100(c)(4), 73.100(f)(4), 73.100(j)(2)-(4), 73.110(e)(5), 73.120(c)(4) and (10) | 0 | -16 | 0 | $0 |
| Review processes and procedures | 73.100(g)(2), 73.100(h)(4), 73.120(c)(10) | 0 | -16 | 0 | $0 |
| Review reports on suspension of security measures | 73.100(i)(3) | 0 | -8 | 0 | $0 |
| Total | | 0 | | 0 | $0 |
The staff has developed estimates of annualized costs to the Federal Government related to the conduct of this collection of information. These estimates are based on staff experience and subject matter expertise and include the burden needed to review, analyze, and process the collected information and any relevant operational expenses. The estimated annualized costs to the Federal Government remain unchanged from the estimate of $1,255,500 under the prior clearance because no facilities would be licensed under Part 53 during the clearance period (2025-2027).
- 15. Reasons for Changes in Burden or Cost
The estimated annual burden for information collection requirements for Part 73 would remain unchanged at 501,471 hours. The NRC staff anticipates that no facilities would be licensed under Part 53 in the period covered by this clearance.
The proposed Part 73 requirements would not impose burden on applicants during the clearance period; therefore, there is no change in the estimated burden.
The proposed information collection is essential to permit NRC to make a determination as to the adequacy of the licensee's plans to protect computer and communication systems and networks against cyberattacks, protect the plant against physical attacks, and ensure that unauthorized persons do not have access to the commercial nuclear plant, and that authorized persons are trustworthy and reliable.
- 16. Publication for Statistical Use
The information being collected is not expected to be published for statistical use.
- 17. Reason for Not Displaying the Expiration Date
The recordkeeping and reporting requirements for this information collection are associated with regulations and are not submitted on instruments such as forms or surveys. For this reason, there are no data instruments on which to display an OMB expiration date. Further, amending the regulatory text of the CFR to display information that, in an annual publication, could become obsolete would be unduly burdensome and too difficult to keep current.
- 18. Exceptions to the Certification Statement
None.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
DESCRIPTION OF INFORMATION COLLECTION REQUIREMENTS CONTAINED IN RISK-INFORMED, TECHNOLOGY-INCLUSIVE REGULATORY FRAMEWORK FOR ADVANCED REACTORS PROPOSED RULE 10 CFR PART 73
3150-0002
The proposed Part 73 requirements that would impose information collections are discussed below:
Section 73.77 would establish reporting and recordkeeping requirements for Part 53 licensees for cyber events.
- Section 73.77(a)(1) would require Part 53 licensees to notify the NRC Headquarters Operations Center via the Emergency Notification System within one hour of discovering a cyberattack that adversely impacted safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that compromised support systems and equipment resulting in adverse impacts to safety, security, or emergency preparedness functions; or that adversely compromised the ability of digital assets to: (1) prevent a postulated fission product release that would result in offsite doses exceeding the values in 10 CFR 53.210, or (2) implement the physical security requirements in 10 CFR 53.860(a).
- Section 73.77(a)(2) would require Part 53 licensees to notify the NRC Headquarters Operations Center within four hours of discovering a cyberattack that caused an adverse impact to safety-related or important-to-safety functions, security functions, or emergency preparedness functions (including offsite communications); or that could have compromised support systems and equipment, which if compromised, could have adversely impacted safety, security, or emergency preparedness functions; or could have caused an adverse impact to the functions performed by digital assets that: (1) prevent a postulated fission product release that would result in offsite doses exceeding the values in 10 CFR 53.210, or (2) implement the physical security requirements in 10 CFR 53.860(a). Four-hour reports would also be required for suspected or actual attacks by personnel with physical or electronic access to digital computer and communication systems and networks within the scope of § 73.54 or § 73.110.
- Section 73.77(a)(3) would require Part 53 licensees to notify the NRC Headquarters Operations Center within eight hours after receipt or collection of information regarding observed behavior, activities, or statements that may indicate intelligence gathering or pre-operational planning related to a cyberattack against digital computer and communication systems and networks within the scope of § 73.54 or § 73.110.
- Section 73.77(b) would require Part 53 licensees to record vulnerabilities, weaknesses, failures and deficiencies in their § 73.54 or § 73.110 cybersecurity program within twenty-four hours of their discovery.
Section 73.100 would provide technology-inclusive requirements for physical protection of licensed activities at commercial nuclear plants against radiological sabotage.
- Section 73.100(a)(1) and (a)(2) would require licensees to establish and implement physical security plans, including a training and qualification plan, safeguards contingency plan, and cybersecurity plan, that each identify, describe, and account for site-specific conditions, prior to initial fuel load into the reactor or initiating the physical removal of any one of the independent mechanisms to prevent criticality required under 10 CFR 53.620(d)(1) for a fueled manufactured reactor.
- Section 73.100(b)(1) would require licensees to establish, implement, and maintain a physical protection program and security organization that provides reasonable assurance that activities involving special nuclear material do not pose undue risk to common defense and security and public health and safety.
- Section 73.100(b)(6) through (b)(10) would require licensees to establish, implement and maintain a performance evaluation program, access authorization program, cybersecurity program, and insider mitigation program, as well as a system to track trends and correct deficiencies in the implementation of these programs.
- Section 73.100(c)(2) would require the licensee's security organization to document security operations activities, security design and configuration controls, training and qualifications, and contingency responses.
- Section 73.100(c)(3) would require the licensee to establish a process for the head of the physical protection program to seek approval for changes in designs, policies, processes, and procedures and to ensure that these changes continue to satisfy the requirements for a physical protection program.
- Section 73.100(c)(4) would require the licensee to retain all analyses, assessments, calculations, and descriptions of the technical basis for meeting the requirements in Section 73.100(b) and protect safeguards information in accordance with 10 CFR 73.21 and 73.22.
- Section 73.100(e) would require licensees to establish and maintain a training and qualification program for personnel responsible for the physical protection of the facility.
- Section 73.100(f)(1) through (f)(4) would require licensees to establish and implement security reviews to evaluate the physical protection program. Paragraph (f)(1) requires licensees to identify and document vulnerabilities, improvements, and corrective actions related to engineered and administrative controls and the management systems used to implement the physical protection program. Paragraph (f)(2) requires licensees to perform self-assessments to ensure that capabilities to detect, assess, communicate, delay, interdict, and neutralize threats of radiological sabotage are effective, and perform design verification and assessments of the capabilities of active and passive engineering systems that protect against the design basis threat. Paragraph (f)(3) requires the security review to include several types of audits. Paragraph (f)(4) requires the licensee to maintain in a report the results and recommendations of onsite physical protection program reviews, management's finding regarding program effectiveness, and any actions taken as a result of recommendations from prior program reviews.
- Section 73.100(g)(1) and (g)(2) would require licensees to perform performance evaluations. Licensees would conduct performance evaluations at a frequency commensurate with the degree of security risk, document processes and procedures for implementing performance evaluations, verifications, and assessments, and maintain records related to the performance evaluations.
- Section 73.100(h)(4) would require licensees to document processes and procedures and maintain records for implementing corrective actions; compensatory measures; and maintenance, inspection, testing, and calibration of security structures, systems and equipment.
- Section 73.100(i)(3) would require licensees to report and document the suspension of security measures in accordance with 10 CFR 73.1200 and 73.1205.
- Sections 73.100(j)(2)-(4) would require licensees to maintain records until the Commission terminates the license for which the records were developed and maintain superseded portions of these records for at least 3 years after the record is superseded, unless otherwise specified by the Commission. If a contracted security force is used to implement the onsite physical protection program, the rule would require licensees to maintain the licensee's written agreement with the contractor for the duration of the contract. The rule also would require licensees to maintain audit reports for inspection for 3 years.
Section 73.110 would require protection of digital computer and communication systems and networks.
- Section 73.110(a) would require Part 53 licensees to establish, implement, and maintain a cybersecurity program.
- Section 73.110(e)(2) would require the cybersecurity plan to account for site-specific conditions and describe the measures that would be used to satisfy the requirements of 10 CFR 73.110.
- Section 73.110(e)(3) would require the licensee to develop and maintain written policies, implementing procedures, and other supporting technical information for the cybersecurity plan that may be subject to inspection by NRC staff.
- Section 73.110(e)(4) would require a review of the cybersecurity program as described in 10 CFR 73.100(f).
- Section 73.110(e)(5) would require the licensee to maintain all records and supporting technical documentation as a record until the Commission terminates the license and to maintain superseded portions of these records for at least three years after the record is superseded, unless otherwise specified by the Commission.
Section 73.120 would establish access authorization requirements.
- Section 73.120(a) would require licensees to establish, maintain, and implement an access authorization program before initial fuel load into the reactor or initiating the physical removal of any one of the independent mechanisms to prevent criticality required under 10 CFR 53.620(d)(1) for a fueled manufactured reactor.
- Section 73.120(c)(1)(i)(A) would require licensees to conduct a background investigation of any individual seeking to obtain or maintain unescorted access to the facility.
- Section 73.120(c)(1)(i)(B) and (c)(1)(ii) would require background investigations to include the elements in 10 CFR 37.25, a credit history evaluation, fingerprinting, and an FBI identification and criminal history records check.
- Section 73.120(c)(1)(iii) would require licensees to obtain documented consent from the individual before initiating the background check.
- Section 73.120(c)(2)(i) would require a third-party disclosure, directing individuals who participate in the behavioral observation program to report information to the licensees when they observe actions or behaviors that may jeopardize health and safety.
- Section 73.120(c)(3) would require a third-party disclosure, requiring personnel with unescorted access to self-report to plant supervision any legal actions taken against them that could lead to incarceration or a court appearance, with the exception of minor civil actions or misdemeanors.
- Section 73.120(c)(4) would require the licensee to maintain at all times a list of persons currently approved for unescorted access to a protected area, vital area, material access area, or controlled access area. Licensees would complete an FBI criminal history record check at least every ten years for each individual maintaining unescorted access.
- Section 73.120(c)(6)(ii) would require a third-party notification to individuals on the right to complete, correct, or explain information obtained through the background investigation prior to any final adverse determination made by the licensee.
- Section 73.120(c)(7) requires licensees to document procedures for providing written notice to individuals who are denied unescorted access or unfavorably terminated.
- Section 73.120(c)(8) would require licensees to implement a system of files and procedures to protect personal information against unauthorized disclosure.
- Section 73.120(c)(9) would require licensees to conduct a review of the access authorization program and the access authorization programs of contractors or vendors to document compliance with the requirements of 10 CFR 73.120.
- Section 73.120(c)(10) would require licensees, applicants, and contractors or vendors to document the processes and procedures for maintaining records used or created to establish an individual's trustworthiness and reliability or to document access determinations. Specifically, the following records would be retained for the specified time periods: Documentation regarding the trustworthiness and reliability of individual employees for 3 years from the date the individual no longer requires unescorted access; a copy of the current access authorization program procedures for 3 years after the procedure is no longer needed, and if any portion of the procedure is superseded, the superseded material must be maintained for 3 years after the record is superseded; and the list of persons approved for unescorted access for 3 years after the list is superseded or replaced.