10CFR73PowerReactorSecurityFRss

A. JUSTIFICATION

1. Need for and Practical Utility of the Information

In general, the reports and records are necessary for one or more of the following reasons:

a) Information describing the content and planned operation of the licensee's physical protection system (e.g., Security Plan, Contingency Plan, or Training and Qualification Plan). This information is essential to enable the NRC to make a determination as to the adequacy of the licensee's program to meet regulatory requirements.

b) Information describing the normal operation of the physical protection system (e.g., performance evaluation program, equipment performance logs). This information is needed to permit the NRC to make a determination as to reasonable assurance that the physical protection system operates in accordance with the regulatory requirements.

Specific requirements for reports and records in the amendments to Part 73 are identified below.

Section 50.54(hh)(1) requires licensees to develop, implement, and maintain procedures to address preparatory actions to be taken in the event of a potential aircraft threat to a nuclear power reactor facility.

Section 50.54(hh)(2) requires licensees to develop and implement guidance and strategies to address the loss of large areas of the plant due to explosions or fires from a beyond-design basis threat.

Section 73.54(b)(2) requires that licensees establish, implement, and maintain a cyber security program for the protection of the critical digital assets identified through site-specific analysis and incorporate the cyber security program as a component of the physical protection program.

Section 73.54(d)(1) requires reactor licensees to develop and maintain a cyber-security training program.

Section 73.54(d)(2) requires licensees to implement a cyber-security assessment program to systematically assess and manage cyber risks.

Section 73.54(d)(3) requires licensees to implement a configuration and control management program, including a cyber risk analysis, to ensure that modifications to computer system designs, access control measures, configuration, operational integrity, and management processes do not adversely impact facility safety, security, and emergency preparedness systems before implementation of the modifications.

Section 73.54 requires licensees to submit a cyber-security plan for NRC approval prior to implementation.

Section 73.54(e) requires licensees to establish, implement, and maintain an NRC-approved cyber-security plan.

Section 73.54(f) requires licensees to develop and maintain written policies and procedures to implement the cyber security plan.

Section 73.55(a)(1) requires that licensees revise their Physical Security Plan, Training and Qualification Plan, and Safeguards Contingency Plan (these plans are referred to collectively as “approved security plans”).

Section 73.55(a)(3) requires that a licensee’s physical protection program include written implementing procedures to ensure the capability to provide high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.

Section 73.55(b)(6) requires that licensees establish and maintain a written performance evaluation program in accordance with Appendix B and C to demonstrate and assess the effectiveness of armed responders and armed security officers to perform their assigned duties and responsibilities required for the protection of target sets through implementation of the licensee protective strategy.

Section 73.55(b)(7) requires that each licensee develop, implement, and maintain an access authorization program and describe the program in the Physical Security Plan.

Section 73.55(b)(8) requires that each licensee develop, implement, and maintain a cyber-security program.

Section 73.55(b)(9) requires that each licensee develop, implement, and maintain an insider mitigation program and describe the program in the Physical Security Plan.

Section 73.55(b)(10) requires licensees to develop corrective action measures to ensure that the cause of failures, malfunctions, deficiencies, deviations, defective equipment and nonconformance in security program components, functions, or personnel are promptly tracked, identified, and corrected. These measures also must identify the cause of these conditions to ensure that the conditions do not happen again.

Section 73.55(b)(11) requires licensees to coordinate with other onsite plans and procedures in implementing security plans and related programs to preclude conflict during both normal and emergency conditions.

Section 73.55(c)(3) requires licensees to establish and maintain a physical security plan.

Section 73.55(c)(4) requires licensees to establish, implement, and maintain a training and qualifications plan.

Section 73.55(c)(5) requires licensees to establish, implement, and maintain a safeguards contingency plan.

Section 73.55(c)(7)(i) requires licensees to establish, implement, and maintain written procedures that document the structure of the security organization.

Section 73.55(e)(1)(ii) requires licensees to include in their security plans the function of physical barriers and barrier systems used.

Section 73.55(e)(2) requires licensees to retain all analyses, comparisons, and descriptions of the physical barriers and barrier systems used to satisfy the requirements of this section and protect these records as safeguards of information.

Section 73.55(e)(10)(ii)(A) requires licensees to identify areas from which a waterborne vehicle must be restricted and to coordinate with local, state, and Federal agencies having jurisdiction over waterway approaches to ensure that waterway approach routes are controlled.

Section 73.55(f)(1) requires reactor licensees to document in site procedures the process used to develop and identify target sets, including the analyses and methodologies used to determine and group the target set equipment or elements.

Section 73.55(f)(3) requires licensees to document and identify in site procedures any target set equipment or elements that are not contained within the protected or vital areas.

Section 73.55(f)(4) requires licensees to implement a program for the oversight of plant equipment and systems documented as part of the protective strategy to ensure that changes to the configuration of the identified equipment and systems do not compromise the licensee’s capability to prevent significant core damage and spent fuel sabotage.

Section 73.55(g)(2)(iii) requires licensees to refer to industry shared lists and databases to confirm that individuals are not denied access to another licensed facility.

Section 73.55(g)(5)(i) requires licensees to coordinate with offsite emergency support agencies to ensure the proper restrictions to site access and egress are maintained during emergency conditions.

Section 73.55(g)(5)(ii)(A)-(B) requires licensees to develop procedures for emergency conditions to ensure authorized emergency personnel are provided prompt access to affected areas and equipment, attempted or actual unauthorized entry to vital equipment is detected, and the capability to prevent significant core damage and spent fuel sabotage is maintained.

Section 73.55(g)(6)(i)(B) requires reactor licensees to maintain a record (name and affiliation) of all individuals to whom access control devices have been issued and inventory appropriate access control devices at least annually.

Section 73.55(g)(6)(ii)(C) requires licensees to maintain a record (name and areas to which unescorted access is granted) of all individuals to whom photo identification badge/key-cards have been issued.

Section 73.55(g)(6)(iii)(A) requires licensees to control and account for keys, locks, and related access control devices used to control protected and vital areas and security systems.

Section 73.55(g)(6)(iii)(B) requires licensees to control and periodically change passwords and combinations used to control access to protected and vital areas and security systems.

Section 73.55(g)(7)(i)(A) requires licensees to develop procedures for processing, escorting, and controlling visitors.

Section 73.55(g)(7)(i)(C) requires licensees to maintain a visitor control register into which all pertinent visitor information must be written.

Section 73.55(g)(8)(v) requires licensees to describe visitor to escort ratios and implementing procedures for protected and vital areas in physical security plans.

Section 73.55(h)(2)(ii) requires that licensees describe in implementing procedures, areas of a vehicle to be searched before access is granted to each vehicle access portal.

Section 73.55(h)(3)(v) requires licensees to describe any exceptions to search requirements for certain materials necessary for safety or operational reasons.

Section 73.55(i)(4)(i)(H) requires licensees to maintain a record of all alarm annunciations, the cause of the alarm, and the disposition of each alarm.

Section 73.55(i)(5)(i) requires licensees to define detection capabilities provided by security organization personnel and intrusion detection equipment in the site’s implementing procedures.

Section 73.55(i)(6)(iii) requires licensees to describe in the security plans how the lighting requirements are met and, if used, the type(s) of low-light technology.

Section 73.55(j)(6) requires licensees to identify site areas where communication could be interrupted or cannot be maintained. Licensees also must establish alternative communication measures in the site’s implementing procedures.

Section 73.55(k)(5)(i)(A) requires licensees to document in the security plans the minimum number of armed responders necessary to protect against the design basis threat.

Section 73.55(k)(6)(ii) requires licensees to document in the security plans the minimum number of armed security officers used on site.

Section 73.55(k)(7) requires licensees to maintain procedures to reconstitute the documented number of available armed response team members.

Section 73.55(k)(8) requires licensees to develop and maintain a written protective strategy in accordance with the requirements of Section 73.55 and Appendix C.

Section 73.55(k)(8)(iv) requires licensees to notify all local law enforcement agencies (LLEAs) in accordance with site procedures.

Section 73.55(k)(9) requires licensees to document and maintain current agreements with local, state, and federal law enforcement agencies, to include estimated response times and capabilities.

Section 73.55(l)(3)(i) requires licensees to describe in the security plans the operational and administrative controls to be implemented for the receipt, inspection, movement, storage, and protection of unirradiated MOX fuel assemblies.

Section 73.55(l)(3)(vi) requires licensees to develop a Material Control and Accountability Program to focus on recordkeeping which describes the inventory and location of the SSNM within the assemblies.

Section 73.55(l)(3)(vii) requires licensees to protect and store records that identify the storage locations of unirradiated MOX fuel assemblies in accordance with the safeguards information requirements in Section 73.21.

Section 73.55(m)(3) requires licensees to document and maintain written reports offering results and recommendations following onsite physical protection program reviews and audits, management’s findings regarding program effectiveness, and any actions taken as a result of recommendations from prior reviews.

Section 73.55(m)(4) requires reactor licensees to enter findings from onsite physical protection program reviews, audits, and assessments into the site corrective action program.

Section 73.55(n)(1)(i) requires licensees to establish, implement, and maintain a calibration program in the physical security plan to ensure that security systems and equipment are tested for operability and performance at predetermined intervals.

Section 73.55(n)(1)(ii) requires licensees to describe the maintenance, testing and calibration program in the physical security plan and the site’s implementing procedures.

Section 73.55(n)(1)(iii) requires reactor licensees to document problems, failures, deficiencies, and other findings (including the cause of each) into the site corrective action program.

Section 73.55(n)(8) requires licensees to specify in their security plans a program for testing or verifying the operability of devices or equipment located in hazardous areas. Licensees also must define alternate measures to ensure the timely completion of testing or maintenance when the hazardous condition or radiation restrictions are no longer applicable.

Section 73.55(p)(1)(i) requires licensees to get approval, at a minimum, from a licensed senior operator prior to suspending safeguards measures during an emergency.

Section 73.55(p)(1)(ii) requires licensees who suspend safeguards due to severe weather to get approval from the security supervisor and a licensed senior operator prior to taking this action.

Section 73.55(p)(3) requires licensees to document the suspension of safeguard measures in accordance with Section 73.71.

Section 73.55(q)(2) requires licensees to maintain all records required to be kept by Commission regulations, orders, or license conditions, as a record until the Commission terminates the license for which the records were developed and to maintain superseded portions of these records for at least three years after the record is superseded, unless otherwise specified by the Commission.

Section 73.55(q)(3) requires licensees to retain any written agreement with a contracted security force for its duration.

Section 73.55(q)(4) requires licensees to retain all audit reports for three years, and make them available for inspection.

Section 73.55(r)(2) requires licensees to submit in accordance with Sections 50.4 and 50.90, alternative measures to the Commission for review and approval before these measures are implemented.

Section 73.55(r)(3) requires licensees to submit a technical basis for alternative measures, to include any analysis or assessment conducted in support of a determination that the alternative measure provide a level of protection that is at least equal to the specific requirements in Section 73.55.

Section 73.56(a)(1) requires licensees to amend their Physical Security Plans to comply with the requirements in Section 73.56.

Section 73.56(a)(4) requires contractors and vendors (C/Vs) to develop, implement, and maintain authorization programs or program elements that meet the requirements of Section 73.56.

Section 73.56(d)(1) requires entities subject to this section to obtain written consent from individuals who are applying for unescorted access authorization before initiating the background investigation. The paragraph also requires licensees, applicants, and C/Vs to inform the individual of his or her right to review information that is collected to assure its accuracy.

Section 73.56(d)(1)(i) requires licensees, applicants and C/Vs to inform individuals that withdrawal of consent will withdraw the individual’s current application for access authorization, and other licensees applicants, and C/Vs will have access to information documenting the withdrawal.

Section 73.56(d)(1)(ii) requires licensees, applicants and C/Vs to complete any background investigation elements that were in progress when an applicant withdraws his or her consent. The licensee must record the individual’s application for unescorted access authorization, his or her withdrawal of consent for the background investigation, the reason given for the withdrawal, if any, and any pertinent information collected from the background investigation elements that were completed.

Section 73.56(d)(1)(iii) requires licensees, applicants and C/Vs to inform in writing any individual who is applying for unescorted access authorization of the actions related to providing and sharing personal information under this section which are sufficient cause for denial or unfavorable termination of unescorted access authorization.

Section 73.56(d)(2)(i) requires individuals who are applying for unescorted access authorization to disclose the personal history information that is required by the licensee’s, applicant’s or C/V’s authorization program, and any other information that may be necessary for the reviewing official to make a determination of the individual’s trustworthiness and reliability.

Section 73.56(d)(3) requires licensees, applicants, and C/Vs to validate the social security number or the alien registration number that the individual provides. In addition, the licensee, applicant, and C/V must determine whether the results of the fingerprinting confirm the individual’s claimed identity.

Section 73.56(d)(4)(iv)(A) requires that licensees, applicants, and C/Vs document in the licensee’s, applicant’s, or C/V’s record of investigation instances where a company, previous employer, or educational institution to whom the licensee, applicant, or C/V has directed a request for information refuses to provide information or indicates an inability or unwillingness to provide information within 3 business days of the request.

Section 73.56(d)(4)(v) requires licensees, applicants, and C/Vs to share employment history information that they have collected, if contacted by another licensee, applicant or C/V.

Section 73.56(d)(4)(vi) allows licensees, applicants, and C/Vs to use electronic means to obtain the employment history information for an individual but must ensure that a record is made.

Section 73.56(e)(5) requires licensees to develop procedures to provide communication between the licensed psychologist or psychiatrist and other medical personnel; requires the licensed clinical psychologist or psychiatrist conducting the psychological assessment to inform the reviewing official of any indications or information related to a medical condition that could adversely impact the individual’s fitness for duty or trustworthiness and reliability.

Section 73.56(f)(2)(iv) allows individuals to take, as an alternative to annual refresher training, a comprehensive examination on behavioral observation.

Section 73.56(f)(3) requires individuals who are subject to an authorization program to report to the reviewing official any concerns arising from behavioral observation.

Section 73.56(g)(i) requires individuals who have applied for or are maintaining unescorted access authorization to promptly report to the reviewing official any formal actions taken against the individual by a law enforcement authority or court of law. This would include an arrest, indictment, the filing of charges or a conviction.

Section 73.56(i)(1)(v)(A) requires licensees, applicants and C/Vs to complete a criminal history update, credit history re-evaluation, and psychological re-assessment of the individual within five years of the date on which these elements were last completed, or more frequently, based on job assignment.

Section 73.56(i)(1)(vi) requires licensees, applicants and C/Vs to administratively withdraw an individual’s unescorted access authorization if the criminal history update, credit history re-evaluation, psychological re-assessment, and supervisory review have not been completed.

Section 73.56(j) requires licensees to establish, implement, and maintain a list of individuals who are authorized to have unescorted access to specific nuclear power plant vital areas to assist in limiting access to those vital areas during non-emergency conditions. The list must be approved by a cognizant licensee or applicant manager or supervisor who is responsible for directing the work activities of the individual who is granted unescorted access to each vital area, and updated and re-approved no less frequently than every 31 days.

Section 73.56(k) requires licensees, applicants, and C/Vs to conduct background checks on individuals who collect, process, or have access to the sensitive personal information required under this section increasing the scope of individuals who are subject to background checks.

Section 73.56(m) requires licensees who collect personal information about an individual for the purpose of complying with this section to establish and maintain a system of files and procedures to protect the personal information.

Section 73.56(m)(1) requires licensees to obtain a signed consent from the subject individual that authorizes the disclosure of the personal information collected and maintained under this section before disclosing the personal information.

Section 73.56(m)(1)(i)-(vi) requires licensees to disclose personal information to other licensees and applicants, or their authorized representatives, such as contractors or vendors, who are legitimately seeking the information for unescorted access or unescorted access authorization determinations under this section and who have obtained signed consent to release this information from the subject individual.

Section 73.56(m)(2) requires licensees, applicants, and C/Vs to provide copies of all records pertaining to a denial or unfavorable termination of unescorted access authorization to the subject individual or his or her designated representative upon written request.

Section 73.56(m)(4) requires licensees, applicants, and C/Vs to establish and maintain procedures for the secure storage and handling of the personal information collected.

Section 73.56(n)(2) requires that if a licensee or applicant relies upon a C/V program or program element to meet the requirements of this section, and if the C/V personnel providing the access authorization program service are off site or, if they are on site but not under the direct daily supervision or observation of the personnel of the licensee or applicant, then the licensee or applicant must audit the C/V program or program element on a nominal 12-month frequency. Also, it requires that any authorization program services that are provided to C/Vs by subcontractor personnel who are off site or are not under the direct daily supervision or observation of the C/V’s personnel must be audited on a nominal 12-month frequency.

Section 73.56(n)(4) requires licensees’ and applicants’ contracts with C/Vs, and C/V’s contracts with subcontractors to specify that the licensee or applicant will be provided with, or permitted access to, copies of any documents that may be needed to ensure that C/Vs and their subcontractors are properly performing their functions.

Section 73.56(n)(6) requires licensees to document the results of audits, any recommendations, and the resolution of the audit findings and corrective actions. These documented findings must be shared with senior corporate and site management.

Section 73.56(n)(7)(iii) requires each sharing licensee, applicant and C/V to maintain a copy of the shared audit, including findings, recommendations, and corrective actions.

Section 73.56(o) requires licensees, applicants, and C/Vs to maintain the records required by this section for the period specified by regulatory provisions. If no time period is specified in the regulatory language, then the licensee, applicant, or C/V must retain records until the Commission terminates the facility’s license, certificate, or other regulatory approval. The language would replace the current records requirement which requires retention of records on which UAA is granted for a period of 5 years following termination of UAA, retention of records upon which a denial of UAA is based for 5 years, and retention of audit records for 3 years.

Section 73.56(o)(2)(i) requires each licensee, applicant, and C/V to retain for at least 5 years after the licensee, applicant, or C/V terminates or denies an individual’s unescorted access authorization or until the completion of all related legal proceedings, whichever is later, records of the information that must be collected under paragraphs (d) and (e) of this section that results in the granting of unescorted access authorization.

Section 73.56(o)(2)(ii) requires each licensee, applicant, and C/V to retain for at least 5 years after the licensee, applicant, or C/V terminates or denies an individual’s unescorted access authorization or until the completion of all related legal proceedings, whichever is later, records pertaining to denial or unfavorable termination of unescorted access authorization and related management actions.

Section 73.56(o)(2)(iii) requires each licensee, applicant, and C/V to retain for at least 5 years after the licensee, applicant, or C/V terminates or denies an individual’s unescorted access authorization or until the completion of all related legal proceedings, whichever is later, documentation of the granting and termination of unescorted access authorization.

Section 73.56(o)(3)(i) requires each licensee, applicant, and C/V who is subject to the section to retain, for at least 3 years or until the completion of all related legal proceedings, whichever is later, records of behavioral observation training conducted under paragraph (f)(2).

Section 73.56(o)(3)(ii) requires each licensee, applicant, and C/V who is subject to the section to retain, for at least 3 years or until the completion of all related legal proceedings, whichever is later, records of audits, audit findings, and corrective actions taken under paragraph (n).

Section 73.56(o)(4) requires licensees, applicants, and C/Vs to retain written agreements for the provision of services under this section for the life of the agreement or until all legal proceedings related to a denial or unfavorable termination of unescorted access authorization are completed, whichever is later.

Section 73.56(o)(5) requires licensees, applicants, and C/Vs to retain records of background checks and psychological assessments of authorization program personnel for the length of the individual’s employment by or contractual relationship with the licensee, applicant, or C/V, or until the completion of legal proceedings related to the actions of authorization program personnel, whichever is later.

Section 73.56(o)(6) requires licensees, applicants, and C/Vs to record and retain information about individuals who have applied for unescorted access authorization in an information-sharing mechanism. Licensees, applicants, and C/Vs must ensure that only correct information is included in the information-sharing mechanism. If information about an individual changes or new information is developed, licensees, applicants, and C/Vs must correct the information included in this mechanism. If the changed or new information adversely affects an individual’s trustworthiness and reliability, the licensee, applicant, or C/V must inform the reviewing official of any authorization program under which the individual maintains unescorted access authorization status of the updated information. The reviewing official must take appropriate action, which may include denial or unfavorable termination of the individual’s unescorted access authorization.

Section 73.56(o)(7) requires licensees to document administratively withdrawn applications for unescorted access, but not as a denial or unfavorable termination. Upon favorable completion of a background check, all records of administrative withdrawal shall be removed.

Section 73.58(a)(1)-(2) requires licensees to assess and manage the potential for adverse effects on safety and security prior to implementing changes to plant configurations, procedures, facility conditions or security. As a result, licensees would need to develop Safety/Security interface written procedures.

Section 73.58(b) requires licensees to communicate identified adverse interactions to the appropriate licensee personnel and to take compensatory and/or mitigative actions to maintain safety and security.

Appendix B Section VI A.3 requires licensees to establish, maintain, and follow a Commission-approved training and qualification plan, describing how the minimum training and qualification requirements set forth in this appendix will be met, to include the processes by which all individuals will be selected, trained, equipped, tested, and qualified.

Appendix B Section VI B.4.b(2)(a)(1) requires licensees to describe the physical fitness test in the Commission-approved training and qualification plan.

Appendix B Section VI C.2.b. requires licensee training instructors to document on-the- job training and security supervisors to attest to an individual’s on-the-job training.

Appendix B Section VI C.3.a. requires licensees to develop, implement, and maintain a Performance Evaluation Program (PEP). The PEP shall be referenced in the Training and Qualifications Plan.

Appendix B Section VI C.3.b requires licensees to include in the PEP procedures for the conduct of tactical response drills and force-on-force exercises designed to demonstrate and assess the effectiveness of the licensee's physical protection program, protective strategy and contingency event response by all individuals with responsibilities for implementing the safeguards contingency plan.

Appendix B Section VI C.3.g requires licensees to document all findings, deficiencies, and failures identified during tactical response drills and force-on-force exercises deemed to adversely affect or decrease the effectiveness of the protective strategy and physical protection in the licensee’s corrective action program.

Appendix B Section VI C.3.h requires licensees to document scenarios and participants of tactical response drills and force-on-force exercises, including a post-exercise critique.

Appendix B Section VI C.3.i requires that licensees must develop and document multiple scenarios for use in conducting quarterly tactical response drills.

Appendix B Section VI C.3.n(1) requires licensees to develop and document multiple scenarios for use in conducting quarterly tactical response drills and annual force-on-force exercises.

Appendix B Section VI D.1.b(1) requires licensees to develop and administer a written exam to demonstrate an acceptable understanding of assigned duties and responsibilities.

Appendix B Section VI D.2.b The results of requalification must be documented by a qualified training instructor and attested by a security supervisor.

Appendix B Section VI E.1.b(2) and (3) requires that licensees only use firearms instructors that are certified from a national or state recognized entity and that the certification specify the weapon type(s) for which the instructor is qualified to teach.

Appendix B Section VI E.1.b(4) requires that licensees only use firearms instructors who receive periodic re-qualification to demonstrate proficiency.

Appendix B Section VI E.1.d requires licensees to include in the training and qualification plan the following additional standards: target identification and engagement, weapon malfunctions, cover and concealment, and weapon familiarization.

Appendix B Section VI E.1.f requires licensees to require that armed members of the security organization participate in weapons range activities on a nominal four month periodicity, rather than the previous annual requirement.

Appendix B Section VI F.1.b requires licensees to document and retain the results of weapons qualification and requalification.

Appendix B Section VI F.2 requires that a licensee’s written training and qualification plan must describe the firearms used, the firearms qualification program, and other tactical training required to implement the Commission-approved security plans, licensee protective strategy, and implementing procedures.

Appendix B Section VI F.5.a requires licensees to re-qualify armed members of the security organization for each assigned weapon at least annually in accordance with Commission requirements and the Commission-approved training and qualification plan and document and retain the results as a record.

Appendix B Section VI G.3.a requires licensees to include in the training and qualifications plan a firearms maintenance and accountability program to ensure weapons and ammunition are properly maintained, function as designed, and are properly stored and accounted for.

Appendix B Section VI H.1 requires licensees to retain all reports, records, or other documentation required by this appendix in accordance with the requirements of 73.55(r).

Appendix C Section II 1.a requires licensees to identify and describe the perceived dangers, threats, and incidents against which the safeguards contingency plan is designed to protect.

Appendix C Section II 1.b requires licensees to describe the general goals, objectives and operational concepts underlying the implementation of the approved safeguards contingency plan.

Appendix C Section II 2 requires licensees to define the criteria for initiation and termination of responses to security events to include the specific decisions, actions, and supporting information needed to respond to each type of incident covered by the approved safeguards contingency plan.

Appendix C Section II 2.a requires licensees to identify those events that will be used for signaling the beginning or aggravation of a safeguards contingency event according to how they are perceived initially by licensee’s personnel.

Appendix C Section II 2.b requires licensees to define the specific objective to be accomplished relative to each identified safeguards contingency event.

Appendix C Section II 2.c requires licensees to identify the data, criteria, procedures, mechanisms and logistical support necessary to achieve the objectives identified.

Appendix C Section II 3.a requires licensees to describe the organization's chain of command and delegation of authority during safeguards contingency events, to include a general description of how command-and-control functions will be coordinated and maintained.

Appendix C Section II 3.b requires licensees to include a site map depicting the physical structures located on the site, including onsite independent spent fuel storage installations, and a description of the structures depicted on the map. Safeguards contingency plans must also include a description and map of the site in relation to nearby towns, transportation routes (e.g., rail, water, air, roads), pipelines, hazardous material facilities, and pertinent environmental features that may have an effect upon coordination of response activities. Descriptions and maps must indicate main and alternate entry routes for law enforcement or other offsite response and support agencies and the location of control points for marshaling and coordinating response activities.

Appendix C Section II 3.c requires licensees to include a description of the physical security systems that support and influence how the licensee will respond to an event in accordance with the design basis threat described in 73.1(a), beginning with onsite physical protection measures implemented at the outermost facility perimeter, and moving inward through those measures implemented to protect target set equipment.

Appendix C Section II 3.c(iii) requires licensees to ensure that individuals assigned duties and responsibilities to implement the Safeguards Contingency Plan are trained and qualified in those duties according to the Commission approved security plans, training and qualification plans, and the performance evaluation program.

Appendix C Section II 3.c(v) requires licensees to develop, implement, and maintain a written protective strategy to be documented in procedures that describe in detail the physical protection measures, security systems and deployment of the armed response team relative to site specific conditions, to include but not limited to, facility layout, and the location of target set equipment and elements.

Appendix C Section II 3.d requires licensees to maintain a listing of available law enforcement agencies and a general description of their response capabilities and their criteria for response; and a discussion of working agreements or arrangements for communicating with these agencies.

Appendix C Section II 3.e requires licensees to include a discussion of State laws, local ordinances, and company policies and practices that govern licensee response to incidents.

Appendix C Section II 3.f requires licensees to describe practices which influence how the security organization responds to a safeguards contingency event to include, but not limited to, a description of the procedures that will be used for ensuring that equipment needed to effect a successful response will be readily accessible, in good working order, and in sufficient supply to provide redundancy in case of equipment failure.

Appendix C Section II 4.a requires licensees to develop site procedures that consist of matrices detailing the organizational entities responsible for decisions and actions associated with specific responses to safeguards contingency events. The responsibility matrix and procedures shall be referenced in the licensee’s safeguards contingency plan.

Appendix C Section II 4.b requires licensees to form responsibility matrix procedures based on the events outlined in the licensee’s Generic Planning Base.

Appendix C Section II 4.b(i) requires licensees to include a definition of the specific objective to be accomplished relative to each identified safeguards contingency event.

Appendix C Section II 4.b(ii) requires licensees, for each identified initiating event, to create a tabulation for each response entity which depicts the assignment of responsibilities for decisions and actions to be taken in response to the initiating event.

Appendix C Section II 4.b.(iii) requires licensees to include an overall description of response actions and interrelationships specifically associated with each responsible entity must be included.

Appendix C Section II 5.(i) requires licensees to establish and maintain written implementing procedures that provide specific guidance and operating details that identify the actions to be taken and decisions to be made by each member of the security organization who is assigned duties and responsibilities required for the effective implementation of the Commission-approved security plans and the site protective strategy.

Appendix C Section II 5.(ii) requires licensees to ensure that implementing procedures accurately reflect the information contained in the Responsibility Matrix required by this appendix, the Commission-approved security plans, and other site plans.

Appendix C Section III 3 requires licensees to retain all reports, records, or other documentation required by this appendix in accordance with the requirements of 73.55.

2. Agency Use of the Information

The information included in the applications, reports, and records is reviewed by the NRC staff to assess the adequacy of the applicant's physical plant, equipment, organization, training, experience, procedures, and plans for the common defense and security.

3. Reduction of Burden Through Information Technology

There are no legal obstacles to reducing the burden associated with this information collection. The NRC encourages respondents to use information technology when it would be beneficial to them. NRC issued a regulation on October 10, 2003 (68 FR 58791), consistent with the Government Paperwork Elimination Act, which allows its licensees, vendors, applicants, and members of the public the option to make submissions electronically via CD-ROM, e-mail, special Web-based interface, or other means. It is estimated that 2 % of the potential responses are filed electronically.

4. Effort to Identify Duplication and Use Similar Information

Licensees for nuclear power reactors maintain a system of records on individuals subject to access authorization requirements called the Personnel Access Database System (PADS), to which the licensees send information concerning employment dates, approvals of access authorization, withdrawals of access authorization, and other subjects. All other records maintained by licensees would not be duplicated by other Federal information collection requirements and would not be available from any other source. NRC has in place an on-going program to examine all information collections with the goal of eliminating all duplication and/or unnecessary information collections.

This rulemaking contains access authorization requirements (Section 73.56) that are similar to some of the requirements contained in the newly revised 10 CFR Part 26 (fitness-for-duty regulations). This is necessary to improve the integration of the access authorization requirements, fitness-for-duty requirements, and security program requirements. Further, the final rule would include an increase in the rigor for some elements of the access authorization program, including requirements for the conduct of psychological assessments, requirements for individuals to report arrests to the reviewing official, and requirements to clarify the responsibility for the acceptance of shared information. The final rule also would add requirements to allow NRC to inspect licensee information sharing records and requirements that subject additional individuals, such as those who have electronic access via computer systems or those who administer the access authorization program, to the access authorization information.

5. Effort to Reduce Small Business Burden

Since the consequences to the common defense and security are the same for large and small entities, it is not possible to reduce the burden on small businesses by less frequent or less complete reports, records, plans, and procedures. However, no small entities are expected to be impacted by the final rule.

6. Consequences to Federal Program or Policy Activities if the Collection is Not Conducted or is Conducted Less Frequently

If the information collection were not conducted or were conducted less frequently, the NRC would be unable to determine whether power reactor licensees are adequately safeguarding public health and the environment.

7. Circumstances Which Justify Variation from OMB Guidelines

Certain sections of Part 73 vary from the OMB Guidelines in 5 CFR 1320.5(d) by requiring that licensees retain records for more than 3 years. Various sections require retention of records for extended periods such as for the duration of an individual’s employment, or until the Commission terminates the facility’s license, certificate, or other regulatory approval. It is necessary for licensees to retain access authorization records for extended periods of time to assist the licensee's reinvestigation process and to assess the applicability of visitor access to the facility. Other records are required for inspection or for reconstruction of events in the event of a safeguards incident.

8. Consultations Outside the NRC

On October 26, 2006, the Commission issued the proposed Power Reactor Security rulemaking (71 FR 62663). The proposed rule was originally published for a 75-day public comment period. In response to several requests for extension, the comment period was extended on two separate occasions (January 5, 2005; 72 FR 480; and February 28, 2007; 72 FR 8951), eventually closing on March 26, 2007. The Commission received 48 comment letters. Responses to all the proposed rule comments are found in section III of the final rule notice and in a separate comment response document (ADAMS accession number ML081690256).

In addition, the Commission held two public meetings to solicit public comment in Rockville, MD on November 15, 2006, and Las Vegas, NV on November 29, 2006. The Commission held a third public meeting in Rockville, MD, on March 9, 2007, to facilitate stakeholder understanding of the proposed requirements, and thereby result in more informed comments on the proposed rule provisions. The Commission also published a supplemental proposed rule on April 10, 2008 (73 FR 19443) seeking additional stakeholder comment on two provisions of the rule for which the Commission had decided to provide additional detail. The supplemental proposed rule moved these requirements from Appendix C to Part 73 in the proposed rule to § 50.54 in the final rule.

Three petitions for rulemaking (PRM) were considered during the development of the final rule requirements, consistent with the previous petition resolution and closure process for these petitions (PRM-50-80, PRM-73-11, and PRM-73-13).

PRM-50-80 was submitted by the Union of Concerned Scientists (UCS) and the San Luis Obispo Mothers for Peace and was originally docketed and noticed for comment on June 16, 2003 (68 FR 35568). The petition requested that the NRC take two actions, the second of which was resolved as part of the final DBT rulemaking on March 19, 2007 (72 FR 12705). The first requested action to require licensees to evaluate whether proposed changes, tests, or experiments cause protection against radiological sabotage to be decreased and, if so, to conduct such actions only with prior NRC approval. It was consolidated for consideration with the power reactor security rulemaking on November 17, 2005 (70 FR 69690). Proposed language addressing the issues raised in the petition was published as proposed Section 73.58, “Safety/security interface requirements for nuclear power reactors.” This section remains in the final rule.

PRM-73-11 was submitted by Scott Portzline, Three Mile Island Alert, and was noticed for public comment on November 2, 2001 (66 FR 55603). In short, the petitioner requested that the NRC regulations governing physical protection of plants and materials be amended to require NRC licensees to post at least one armed guard at each entrance to the ‘‘owner controlled areas’’ (OCA) surrounding all U.S. nuclear power plants. As noted in a Federal Register Notice published December 27, 2006 (72 FR 481), the NRC consolidated PRM-73-11 and the public comments filed on the petition for consideration in this rulemaking. As noted in the draft final rule, the staff does not recommend incorporating the petitioner’s suggestion into Part 73. The NRC concluded that establishing a prescriptive requirement to post armed security personnel in the OCA is not necessary. Instead, the final physical security requirements in § 73.55(k) allow licensees the flexibility to determine the need for armed security personnel in the OCA, as a function of site-specific considerations, such that the licensee can defend against the DBT with high assurance.

PRM-73-13 was submitted by the Union of Concerned Scientists and was noticed for public comment on April 9, 2007 (72 FR 17440). In summary, the petitioner requested several changes to the Commission’s regulations related to unescorted and escorted access including requiring licensees to deny escorted or unescorted access to certain individuals and to require armed escorts for individuals for whom licensees are unable to acquire sufficient background information. The NRC determined that the issues raised in PRM-73-13 were appropriate for consideration in this rulemaking and consolidated the petition. For the reasons set forth in the attached Federal Register Notice, the NRC did not adopt either proposal in the final rule.

The Commission received one comment letter (also sent to the OMB desk officer), from the Nuclear Energy Institute dated January 11, 2007 (ADAMS Accession ML082170579), on the proposed rule information collection analysis. Portions of that comment letter’s input apply to proposed provisions that are not part of the final power reactor security rulemaking (specifically comments that apply to § 73.71 and § 73.18) since the Commission decided to address the enhanced weapons and reporting provisions in a separate rulemaking. The remaining input from that comment letter was considered in the NRC’s development of the final rule’s information collection analysis.

9. Payment or Gift to Respondents

Not applicable.

10. Confidentiality of Information

Certain information designated as Safeguards Information is prohibited from public disclosure in accordance with the provisions of the Atomic Energy Act of 1954, as amended, Chapter 12, Section 147, or designated as classified National Security Information, in accordance with Executive Order 12958.

Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17(a) and 10 CFR 2.390(b). The NRC otherwise provides no other pledge of confidentiality for this collection.

11. Justification for Sensitive Questions

This rulemaking requires licensees, applicants, and C/Vs to collect information about individuals who are applying for or have unescorted access authorization. This information includes behavioral observations, psychological assessments, and other elements of a background check. The sensitive information is necessary because licensees, applicants, and C/Vs need to determine whether the individual is qualified to gain and maintain unescorted access to the site. Reviewing officials use the sensitive information to evaluate an individual’s trustworthiness and reliability. Licensees, applicants and C/Vs must obtain written consent from any individual who is applying for unescorted access authorization before initiating any element of the required background investigation. The practice of obtaining the individual's written consent for the background investigation has been endorsed by the NRC and is necessary to protect the privacy rights of individuals who are applying for unescorted access authorization. To protect this sensitive information, each licensee, applicant, or C/V who collects personal information about an individual must establish and maintain a system of files and procedures to protect the personal information.

12. Estimated Burden and Burden Hour Cost

The costs associated with the information collection are given in Table 1 for annualized one-time recordkeeping burden, Table 2 for annual recordkeeping burden, Table 3 for annualized one-time reporting burden, Table 4 for annual reporting burden, and Table 5 for third-party annual burden. The estimated recordkeeping and reporting annualized one-time burden is 70,144.5 hours, the estimated recordkeeping and reporting annual burden is 331,400.4 hours, and the estimated third-party annual burden is 20,164.2 hours for an overall annualized burden of 421,709.1 hours. See the burden tables for the estimated burden by regulatory requirement.

The estimated one-time burden hour cost for all affected licensees and certificate holders is $16.7 million (70,144.5 hours x $238/hour), while the estimated annual burden hour cost for all affected licensees and certificate holders is approximately $78.9 million (331,400.4 hours x $238/hour). Therefore, the total estimated burden hour cost is $95.6 million.

13. Estimate of Other Additional Costs

The NRC has determined that the records storage cost is roughly proportional to the recordkeeping burden cost. Based on a typical clearance, the records storage cost has been determined to be equal to .0004 percent of the recordkeeping burden cost. Therefore, the records storage cost for this clearance is estimated to be $37,444 (393,320.8 recordkeeping hours x $238 per hour x .0004).

14. Estimated Annualized Cost to Federal Government

This section calculates the estimated annualized cost to the government over the three-year period covered by the analysis, including both one-time costs and annual costs. The estimated one-time cost to the government for review of required reports and records is approximately $1.9 million (8,000 hours, or 4 full-time equivalents for one year at $238/hr). Averaging this over the three-year period covered by the analysis, this burden amounts to $635,000 (2,667 hours, or 1.3 FTEs per year at $238/hr). The estimated annual cost to the government is approximately $1.2 million (5,200 hours at $238/hr). Combining the one-time cost with the annual cost results in a total annual average cost of $1.87 million. These costs are fully recovered by fee assessments to NRC licensees pursuant to 10 CFR Parts 170 and/or 171.

15. Reason for Change in Burden or Cost

The estimated incremental recordkeeping and reporting burden of the rule is 421,709.1 hours. This analysis estimates the one-time and annual requirements of the rule, including the third-party annual burden. This analysis concludes that 70,144.5 hours are for one-time reporting and recordkeeping requirements. Therefore, the burden increase will be reduced by approximately 17 percent once the one-time requirements have been completed. The rule adds three new sections, specifically §§ 50.54(hh), 73.54 and 73.58, and completely revises §§73.55, 73.56, Part 73 Appendix B, and Part 73 Appendix C.

The factors that account for the increased estimate are the following: The final rule (1) creates more detailed requirements for the content of licensees’ security plans; (2) includes more detailed requirements for correcting security deficiencies through the site’s corrective action program; (3) adds requirements for safety-security interface procedures, including third-party information collection and sharing costs; (4) accounts for recordkeeping associated with alarm annunciations and access control devices; and, (5) creates additional recordkeeping and reporting requirements associated with background investigations for access authorization, including third-party information collection and sharing costs. The final rule contains these new provisions that include reporting and recordkeeping burdens that were not part of previous estimates.

16. Publication for Statistical Use

None.

17. Reasons for Not Displaying the Expiration Date

The requirements are contained in a regulation. Amending the Code of Federal Regulations to display information that, in an annual publication, could become obsolete would be unduly burdensome and too difficult to keep current.

18. Exceptions to the Certification Statement

None.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.

1 These third-party information collection and sharing costs have been separately calculated in this analysis. The estimated annual burden total is 19,946.6 hours, or about $4.7 million at $238 per hour.

21