FINAL SUPPORTING STATEMENT
FOR
ASSESSMENT OF CYBER SECURITY FOR BYPRODUCT MATERIALS LICENSEES
(3150-XXXX)
NEW
Description of the Information Collection
The U.S. Nuclear Regulatory Commission (NRC) is seeking to better understand the cyber security threats confronting medical, industrial, and academic users of Category 1 and 2 radioactive materials. Therefore, the NRC is requesting information on the potential vulnerabilities and risks associated with digital devices and digital systems utilized by a cross-section of byproduct materials licensees. This information will be gathered utilizing a questionnaire to be sent to all NRC and Agreement State byproduct materials licensees that possess Category 1 or 2 radioactive materials. Licensees are not required to respond to these questionnaires. The NRC is requesting voluntary information in, but not limited to, the following areas:
The use of devices with software-based control systems, such as irradiators and gamma knives.
The use of access control or intrusion detection systems that may allow an adversary to gain access to material and avoid detection.
The use of computer systems that licensees use for their source inventories.
The use of digital technology used to support response communications/coordination.
Each licensee has a radiation safety officer (RSO) or, in the case of reactor licensees, a radiation protection manager (RPM). The questionnaire will be sent to each licensee’s RSO or RPM by e-mail. Licensees will be able to submit their questionnaire responses to the NRC by e-mail, fax, or mail.
JUSTIFICATION
Need For and Practical Utility of the Collection of Information
After September 11, 2001, the NRC issued a series of security orders that included provisions to improve cyber security. The NRC issued a rule, 10 CFR 73.54, to require certain licensees to protect critical digital assets at power reactors from cyber attacks. In the statements of consideration for the final reactor security rule, the Commission stated that its cyber security requirements were placed in a standalone section to “enable the cyber security requirements to be made applicable to other types of facilities and applications through future rulemakings.”
The cyber security landscape for byproduct materials licensees is more complex than other regulated industry segments due to the large number and variety of licenses involved, and the corresponding variety of operating environments and cyber threats. Byproduct licensees operate in environments that vary from large manufacturing facilities, universities, and medical facilities, to small industrial radiographers. Additionally, the majority of materials licensees are not regulated by the NRC directly, but by Agreement States.
NRC has the authority to request this information under Section 161c of the Atomic Energy Act of 1954, which states, “In the performance of its functions the Commission is authorized to…make such studies and investigations, obtain such information, and hold such meetings or hearings as the Commission may deem necessary or proper to assist it in exercising any authority provided in this Act, or in the administration or enforcement of this Act, or any regulations or orders issued thereunder.”
Agency Use of Information
Results from this assessment will inform the NRC’s evaluation of the cyber security environment for each of the different groups of byproduct materials licensees and help form the basis for future NRC actions (e.g., issue orders, engage in rulemaking).
Reduction of Burden Through Information Technology
The NRC encourages respondents to use information technology when it would be beneficial to them. The NRC issued a regulation on October 10, 2003 (68 FR 58791), consistent with the Government Paperwork Elimination Act, which allows its licensees, vendors, applicants, and members of the public the option to make submissions electronically via CD-ROM, e-mail, special Web-based interface, or other means. It is estimated that approximately 75 percent of the potential responses will be filed electronically.
Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of requirements. The NRC has in place an ongoing program to examine all information collections with the goal of eliminating all duplication and/or unnecessary information collections.
Effort to Reduce Small Business Burden
While some licensees who possess risk significant radioactive materials are small businesses, the safe and secure use of risk significant radioactive materials is critical for both large and small entities, and the Commission needs this information from small businesses to inform its decision making. It is estimated that 38 percent of respondents to this collection are small businesses.
Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently
If the information is not collected, the NRC will not have sufficient information on the cyber security environment at byproduct materials licensees’ facilities to take appropriate action.
Circumstances Which Justify Variation from OMB Guidelines
Not applicable
Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register on October 16, 2014 (79 FR 62209). In addition, the NRC directly contacted by email 8 licensees who are potential respondents to the information collection to obtain their input. No comments were received.
Payment or Gift to Respondents
Not applicable
Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 9.17 and 10 CFR 2.390.
Justification for Sensitive Questions
Not applicable
Estimated Burden and Burden Hour Cost
The questionnaire will be sent to approximately 1,800 licensees. Of those, the NRC anticipates that approximately 40 percent of byproduct materials licensees will respond to the voluntary questionnaire. This is a one-time information collection; therefore, the frequency of response from each licensee is one. It is estimated that each licensee would take approximately 2 hours to respond to the questionnaire; however, it is estimated that an additional hour may be needed to follow up with 50 percent of the responding licensees. Therefore, the burden to licensees completing the questionnaires is estimated to be 1,800 hours (720 licensees x 2 hours + 360 licensees x 1 hour) at a cost of $489,600 (1,800 hours x $272/hour).
Estimate of Other Additional Costs
Not applicable.
Estimated Annualized Cost to the Federal Government
The NRC estimates approximately 4 hours to review and analyze each licensee response. Therefore, the one-time estimated cost is $783,360 (720 licensees x 4 hours x $272/hour).
Reasons for Change in Burden or Cost
This is a new collection. The NRC is requesting information on the potential vulnerabilities and risks associated with digital devices and digital systems utilized by a cross-section of byproduct materials licensees. This information will be gathered utilizing a voluntary questionnaire to be sent to all NRC and Agreement State byproduct materials licensees that possess Category 1 or 2 radioactive materials, and is estimated to take 1,800 hours. Results from this assessment will inform the NRC’s evaluation of the cyber security environment for each of the different groups of byproduct materials licensees and help form the basis for future NRC actions (e.g., issue orders, engage in rulemaking).
Publication for Statistical Use
The information requested will not be published for statistical use.
Reason for Not Displaying the Expiration Date
None
Exceptions to the Certification Statement
None
File Type | application/msword |
File Modified | 2015-01-15 |
File Created | 2015-01-13 |