FINAL SUPPORTING STATEMENT
FOR
NRC INSIDER THREAT PROGRAM FOR LICENSEES
AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION
(3150-XXXX)
NEW
Description of the Information Collection
On October 7, 2011, the President issued Executive Order (EO) 13587, “Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.” In November 2012, following an extensive interagency coordination and vetting process, the President issued the National Insider Threat Policy and the Minimum Standards (NITPMS). Executive Order 12968—Access to Classified Information contains the requirements for access to classified information. EO 13587 mandated that an insider threat program (ITP) be implemented for all Executive branch departments and agencies that access classified information. The NITPMS states, “Consistent with EO 13587 and 12968, this policy is applicable to all executive branch departments and agencies with access to classified information, or that operate or access classified computer networks; all employees with access to classified information, including classified computer networks (and including contractors and others who access classified information, or operate or access classified computer networks controlled by the federal government); and all classified information on those networks.” On May 18, 2016, the Department of Defense (DoD), acting as the Executive Agent for the National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M), issued NISPOM Change 2. This changed the NISPOM to require that federal agencies that provide classified information to contractors, as defined in the NISPOM, develop and maintain an ITP. The scope of affected Nuclear Regulatory Commission (NRC) licensees covers 28 entities with NRC facility clearances that hold approximately 1100 NRC-issued personnel security clearances.
Licensees under the new ITP requirements fall within two categories: those who possess, use or transmit classified matter at their site or a cleared contractor site, and those licensees or cleared contractors who only need access to classified matter at a government or appropriately cleared non-government site. The NISPOM contains the requirements as to what information is reportable and what records are required to be kept and maintained. Some collection requirements are recurring. Some reports or applications are required only upon the occurrence of specific events; for example, an update to key personnel positions identified in the NISPOM, or a report of loss of classified information, would be an event-triggered cost. Periodic training and other requirements for recordkeeping that are necessary for checking the licensees’ and contractors’ procedures for maintaining acceptable security education, facility, and classification/declassification programs are examples of recurring costs.
A. JUSTIFICATION
Need For and Practical Utility of the Collection of Information
The scope of EO 13587 applies to all entities, government and private sector, that access classified information as defined in the Atomic Energy Act of 1954 (AEA), as amended, or EO 13526, Classified National Security Information. The NRC has determined that licensees and their cleared contractors fall within the scope of the NISPOM, leaving the NRC no discretion with respect to imposing the NISPOM ITP requirements upon licensees and their cleared contractors who access classified information.
The information collected is required to demonstrate that ITP requirements have been implemented and maintained by entities who access classified information for which the NRC is the Cognizant Security Agency (CSA) as defined in the NISPOM.
While EO 13587 is an element of determining the suitability of an entity to access classified information, Title 10 of the Code of Federal Regulations Part 95 (10 CFR 95) defines the scope of those to whom the NRC grants access to classified information. The respondents of this collection fall into two groups. The first group consists of licensees and their cleared contractors who require access to classified information as a condition of their license. This group is comprised of fuel cycle licensees using technology that is determined to be Restricted Data as defined in the AEA. The second group is made up of licensees who do not require access to classified information as a condition of their license but for whom the Commission determined it was in the best interest of common defense and security to allow limited access to classified information under EO 13526. The Commission extended the invitation to apply for access to classified information under 10 CFR 95. Acceptance is voluntary. If the invitation is accepted, however, the invitee is bound by all the requirements necessary to establish and maintain access, including the ITP. Invitees are nonetheless free to surrender their access to classified information at any time with no effect upon their license.
Agency Use of Information
As the CSA for its licensees and their cleared contractors, the NRC has assigned responsibilities. The NRC will use this information to monitor ITP performance by its licensees and cleared contractors and to demonstrate the agency is fulfilling its responsibilities under the NISPOM.
Reduction of Burden Through Information Technology
The NRC has issued Guidance for Electronic Submissions to the NRC which provides direction for the electronic transmission and submittal of documents to the NRC. Electronic transmission and submittal of documents can be accomplished via the following avenues: the Electronic Information Exchange (EIE) process, which is available from the NRC's “Electronic Submittals” Web page, by Optical Storage Media (OSM) (e.g. CD-ROM, DVD), by facsimile or by e-mail. It is estimated that once established, approximately 80% of the responses will be filed electronically.
Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of requirements.
Effort to Reduce Small Business Burden
Currently, no licensees subject to ITP requirements qualify as a small business. The requirements to access classified information under the ITP are based on statutes or EO that must be complied with regardless of the size of the business.
Consequences to Federal Program or Policy Activities if the Collection Is Not Conducted or Is Conducted Less Frequently
Failure to collect the information, or collecting the information less frequently, would prevent the NRC from fulfilling its responsibility as a CSA under the NISPOM. The information collected is necessary to verify that ITP requirements have been properly implemented and are being maintained.
Circumstances Which Justify Variation from OMB Guidelines
Information reporting requirements are set forth in the NISPOM and the NRC has no discretion in their implementation. The NRC will not collect information more frequently than the NISPOM requires.
Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this clearance package was published in the Federal Register on September 22, 2021 (86 FR 52697). No responses or comments were received as a result of the FRN or the staff’s direct solicitation of comment.
Payment or Gift to Respondents
Not applicable.
Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC regulations at 10 CFR 95, Section 9.17(a) and 10 CFR 2.390(b).
However, no information normally considered confidential or proprietary is requested.
Justification for Sensitive Questions
There is no Privacy Act concern, as the information collected is not retrieved using personally identifiable information.
Estimated Burden and Burden Hour Cost
The NRC estimates that there are 28 respondents and 71 responses to the information collection in the ITP. The annual reporting burden is 2,630 hours and recordkeeping burden is 1,198 hours, for a total of 3,828 burden hours for the collection. It should be noted that 679 of the reporting hours capture the burden for program implementation. However, each time a new Insider Threat Program Senior Official (ITPSO) is assigned, the burden associated with assigning or training them will be incurred. In the future, that burden will decrease but since the ITP is a new program, the NRC has no estimate of what the ITPSO turnover rate will be. The following table summarizes respondent burden, responses, and cost at $288/hr. Details of reporting and recordkeeping burden and cost estimates to the respondents, broken down by requirement, are reflected in Tables 1 and 2.
| | Responses | Hours | Cost at $288/hr. |
|---|---|---|---|
| Reporting | 71 | 2630 | $757,440 |
| Recordkeeping | 28 | 1198 | $345,024 |
| Total | 99 | 3828 | $1,102,464 |
Records must be available for NRC review upon demand for such purposes as required inspections.
It should be noted that burden is not uniformly distributed across the twenty-eight respondents. The bulk of the burden is driven by two factors: the number of cleared personnel a respondent has and whether or not the respondent operates classified information systems. Three respondents account for 865 of 1106 NRC-cleared personnel coming under the program. Only three of the twenty-eight respondents operate classified information systems.
The $288 hourly rate used in the burden estimates is based on the Nuclear Regulatory Commission’s fee for hourly rates as noted in 10 CFR 170.20 “Average cost per professional staff-hour.” For more information on the basis of this rate, see the Revision of Fee Schedules; Fee Recovery for Fiscal Year 2021 (86 FR 32146, June 16, 2021).
Estimate of Other Additional Costs
None.
Estimated Annualized Cost to the Federal Government
The staff has developed estimates of annualized costs to the Federal Government related to the conduct of this collection of information. These estimates are based on staff experience and subject matter expertise and include the burden needed to review, analyze, and process the collected information and any relevant operational expenses.
Total Annual cost - professional effort (100 hrs x $288/hr.) = $28,800
Reasons for Change in Burden or Cost
This is a new clearance.
Publication for Statistical Use
There is no application of statistics in the information collected. There is no publication of this information.
Reason for Not Displaying the Expiration Date
There are no forms currently required for the ITP.
Exceptions to the Certification Statement
There are no exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Statistical methods are not used in this collection of information.
TABLE 1 INSIDER THREAT PROGRAM ESTIMATE (REPORTING)
| Section | Requirement | No. of Respondents 2021 | Responses Per Respondent 2021 | No. of Responses 2021 | Burden Per Response 2021 (Hours) | Total Annual Burden Hrs 2021 |
|---|---|---|---|---|---|---|
| DoD 5220.22-M, (NISPOM), 1-202.b | Establish program including formal appointment and training by the licensee of an ITP senior official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 28 | 1 | 28 | 24.25 | 679 |
| DoD 5220.22-M, (NISPOM), 1-207.b | Annual licensee self-review including self-inspection of the ITP. | 28 | 1 | 28 | 16 | 448 |
| DoD 5220.22-M, (NISPOM), 1-300 | Requirements to report to the NRC any detection of an insider threat to the licensee | 28 | .1 | 3 | 1 | 3 |
| DoD 5220.22-M, (NISPOM), 8-100.d | Monitor user activity on classified IS | 3 | 4 | 12 | 125 | 1500 |
| Totals | | 28 | | 71 | | 2630 |
TABLE 2 INSIDER THREAT PROGRAM ESTIMATE (RECORDKEEPING)
| Section | Requirement/Record Retention | No. of Recordkeepers 2021 | Annual Hours Per Recordkeeper 2021 | Total Annual Recordkeeping Hours 2021 |
|---|---|---|---|---|
| DoD 5220.22-M, (NISPOM), 1-202.b | Formal appointment by the licensee of an ITP senior official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 28 | 10 | 280 |
| DoD 5220.22-M, (NISPOM), 1-207.b | Annual licensee self-review including self-inspection of the ITP. | 28 | 16 | 448 |
| DoD 5220.22-M, (NISPOM), 3-103.c | Maintain ITP Training Records | 28 | 2 | 280 |
| DoD 5220.22-M, (NISPOM), 1-300 | Requirements to report to the NRC any detection of an insider threat to the licensee | 28 | 3 | 84 |
| DoD 5220.22-M, (NISPOM), 8-100.d | Monitor user activity on classified information systems | 3 | 110 | 330 |
| Totals | | 28 | 141 | 1198 |
DESCRIPTION OF INFORMATION COLLECTION REQUIREMENTS CONTAINED IN
NRC INSIDER THREAT PROGRAM FOR LICENSEES
AND OTHERS REQUIRING ACCESS TO CLASSIFIED INFORMATION
3150-XXXX
DoD 5220.22-M, (NISPOM), Section 1-202.b: This section requires an entity under an ITP to appoint, train, and report the assignment of an Insider Threat Senior Program Manager. This is a new requirement since the last OMB Information Collection.
DoD 5220.22-M, (NISPOM), Section 1-207.b: This section requires an entity under the ITP to perform an annual self-assessment/inspection and report it to the NRC.
DoD 5220.22-M, (NISPOM), 3-103.b: This section requires initial and annual insider threat awareness training for all persons with access to classified information.
DoD 5220.22-M, (NISPOM), 3-103.c: This section specifies the records retention requirements for the ITP.
DoD 5220.22-M, (NISPOM), 1-300: This section requires an entity under an ITP to report suspicious activity indicating a possible insider threat to the NRC.
DoD 5220.22-M, (NISPOM), 8-100.d: This section requires an entity with classified information systems to continuously monitor those systems to detect potential activity indicating an insider threat.
Author | Benney, Kristen |
File Created | 2021-12-10 |