Final supporting statement for Insider Threat


NRC Insider Threat Program for Licensees and Others Requiring Access to Classified Information

OMB: 3150-0251

FINAL SUPPORTING STATEMENT FOR
NUCLEAR REGULATORY COMMISSION
INSIDER THREAT PROGRAM FOR LICENSEES
AND OTHERS REQUIRING ACCESS TO CLASSIFIED
INFORMATION
(3150‑0251)
REVISION
Description of the Information Collection
On October 7, 2011, the President issued Executive Order (EO) 13587, “Structural Reforms to
Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information.” In November 2012, following an extensive interagency coordination and
vetting process, the President issued the National Insider Threat Policy and the Minimum
Standards (NITPMS).
EO 12968, “Access to Classified Information,” contains the requirements for access to classified
information. EO 13587 mandated that an insider threat program (ITP) be implemented for all
executive branch departments and agencies that access classified information. The NITPMS
states, “Consistent with Executive Orders 13587 and 12968, this policy is applicable to all
executive branch departments and agencies with access to classified information, or that
operate or access classified computer networks; all employees with access to classified
information, including classified computer networks (and including contractors and others who
access classified information, or operate or access classified computer networks controlled by
the Federal Government); and all classified information on those networks.”
On May 18, 2016, the Department of Defense (DoD), acting as the Executive Agent for the
National Industrial Security Program Operating Manual (NISPOM) (DoD 5220.22-M), issued
NISPOM Change 2. This changed the NISPOM to require that Federal agencies that provide
classified information to contractors, as defined in the NISPOM, develop and maintain an ITP.
On February 24, 2021, the NISPOM was codified as a Federal rule under Title 32 of the Code of
Federal Regulations (32 CFR) Part 117, “National Industrial Security Program Operating Manual
(NISPOM)” (NISPOM rule).
For the Nuclear Regulatory Commission (NRC), the rule affects 19 licensees with facility
clearances and approximately 900 NRC-issued personnel security clearances. Licensees
subject to the ITP requirements fall into two categories:
1) Those who possess, use or transmit classified matter at their site or a cleared contractor
site, and
2) Those licensees or cleared contractors who only need access to classified matter at a
government or appropriately cleared non-government site.
The NISPOM rule contains reporting and recordkeeping requirements. Some collection
requirements are recurring, such as periodic training, and procedures for maintaining
acceptable security education, facility, and classification/declassification programs. Some
reports or applications are only required as occasioned by the occurrence of specific events,
such as an update to key personnel positions identified in the NISPOM rule, or a report of loss
of classified information. This clearance covers only those sections of 32 CFR Part 117 that
pertain to the establishment of an insider threat program. Additional procedures for obtaining
facility security clearance and for safeguarding Secret and Confidential National Security
Information and Restricted Data are covered under Office of Management and Budget (OMB)
clearance 3150-0047, “Title 10 of the Code of Federal Regulations (10 CFR) Part 95, Facility
Security Clearance and Safeguarding of National Security Information and Restricted Data.”
A. JUSTIFICATION
1. Need For and Practical Utility of the Collection of Information
The scope of EO 13587 applies to all entities (government and private sector) that
access classified information as defined in the Atomic Energy Act of 1954 (AEA), as
amended, or EO 13526, “Classified National Security Information.” The NRC has
determined that licensees and their cleared contractors fall within the scope of the
NISPOM rule, leaving the NRC no discretion with respect to imposing the NISPOM
rule ITP requirements upon licensees and their cleared contractors who access
classified information.
The annual report on the condition of the ITP is required to demonstrate that all
requirements have been implemented and maintained by entities who access
classified information for which the NRC is the Cognizant Security Agency (CSA) as
defined in the NISPOM rule. While EO 13587 is an element of determining the
suitability of an entity to access classified information, 10 CFR Part 95, “Facility
Security Clearance and Safeguarding of National Security Information and Restricted
Data,” defines the scope for who the NRC grants access to classified information.
In addition to the annual report, licensees are expected to report the detection of an
insider threat.
The respondents of this collection fall into two groups:
1. The first group is comprised of licensees and their cleared contractors who
require access to classified information as a condition of their license. This
group is comprised of fuel cycle licensees using technology that is
determined to be Restricted Data as defined in the AEA. The information
collection is mandatory for this group.
2. The second group is made up of licensees who do not require access to
classified information as a condition of their license, but for whom the
Commission determined it was in the best interest of common defense and
security to allow limited access to classified information under EO 13526. The
Commission extended the invitation to apply for access to classified
information under 10 CFR 95. Acceptance is voluntary. However, if accepted,
the invitee is bound by all the requirements necessary to establish and
maintain access, including the ITP. However, invitees are free to surrender
their access to classified information at any time with no effect upon their
license. For these respondents, the information collection is
voluntary/necessary to receive a benefit.


2. Agency Use of Information
As the CSA for its licensees and their cleared contractors, the NRC has assigned
responsibilities. The NRC will use this information to monitor ITP performance by its
licensees and cleared contractors and to demonstrate the agency is fulfilling its
responsibilities under the NISPOM rule. If a licensee reports an ITP issue, the NRC
will refer the report to the Federal Bureau of Investigation.
3. Reduction of Burden Through Information Technology
There are no legal obstacles to reducing the burden associated with this information
collection. The NRC encourages respondents to use information technology when it
would be beneficial to them. The NRC has issued Guidance for Electronic
Submissions to the NRC which provides direction for the electronic transmission and
submittal of documents to the NRC. Electronic transmission and submittal of
documents can be accomplished via the following avenues: the Electronic
Information Exchange (EIE) process, which is available from the NRC's “Electronic
Submittals” Web page, by Optical Storage Media (OSM) (e.g., CD-ROM, DVD), or by
email. It is estimated that 100 percent of the responses are filed electronically.
4. Effort to Identify Duplication and Use Similar Information
No sources of similar information are available. There is no duplication of
requirements.
5. Effort to Reduce Small Business Burden
Currently, no licensees subject to ITP requirements qualify as a small business.
The requirements to access classified information under the ITP are based on
statutes or EO that must be complied with regardless of the size of the business.
6. Consequences to Federal Program or Policy Activities if the Collection Is Not
Conducted or Is Conducted Less Frequently
Annual collections with a frequency of once per year (or as needed) show that the
NRC is fulfilling the duty of the CSA and is in compliance with 32 CFR Part 117.7(d),
“Insider Threat Program.” The information collected is necessary to verify ITP
program requirements have been properly implemented and are being maintained.
7. Circumstances Which Justify Variation from OMB Guidelines
There are no variations from OMB Guidelines.
8. Consultations Outside the NRC
Opportunity for public comment on the information collection requirements for this
clearance package was published in the Federal Register on June 9, 2025 (90 FR
24303). As part of the process, three fuel cycle facility licensees were contacted via
email. No comments were received in response to these consultations. One public
comment was received from DTEX Federal. The comment was determined to be out
of scope as it did not directly apply to NRC programs.

9. Payment or Gift to Respondents
Not applicable.
10. Confidentiality of Information
Confidential and proprietary information is protected in accordance with NRC
regulations at 10 CFR 95, Paragraph 9.17(a) and 10 CFR 2.390(b). However, no
information normally considered confidential or proprietary is requested.
11. Justification for Sensitive Questions
There is no Privacy Act concern as the information collected is not retrieved using
personally identifiable information.
12. Estimated Burden and Burden Hour Cost
The NRC estimates that there are 19 respondents and 53 responses to the
information collection in the ITP. The annual reporting burden is 2,268 hours
and recordkeeping burden is 919 hours, for a total of 3,187 burden hours for
the collection. It should be noted that 461 of the reporting hours capture the
burden for program implementation. However, each time a new Insider Threat
Program Senior Official is assigned, the burden associated with assigning or
training them will be incurred.
The following table summarizes respondent burden, responses, and cost at
$317 per hour. Details of reporting and recordkeeping burden and cost
estimates to the respondents, broken down by requirement, are reflected in
Tables 1 and 2.

| | Reporting | Recordkeeping | Total |
|---|---|---|---|
| Responses | 53 | 19 | 72 |
| Hours | 2,268 | 919 | 3,187 |
| Cost at $317 per hour | $718,956 | $291,323 | $1,010,279 |

Records must be available for NRC review upon demand for such purposes as
required inspections.
It should be noted that burden is not uniformly distributed across the 19
respondents. The bulk of the burden is driven by two factors: (1) the number of
cleared personnel a respondent has, and (2) whether or not the respondent
operates classified information systems. Three respondents account for 800 of 900
NRC-cleared personnel coming under the program. Only 3 of the 19 respondents
operate classified information systems.
The $317 hourly rate used in the burden estimates is based on the NRC’s fee for
hourly rates as noted in 10 CFR 170.20, “Average cost per professional staff-hour.”
For more information on the basis of this rate, see the Revision of Fee Schedules;
Fee Recovery for Fiscal Year 2024 (89 FR 51789; June 20, 2024).

13. Estimate of Other Additional Costs
None.
14. Estimated Annualized Cost to the Federal Government
The staff has developed estimates of annualized costs to the Federal Government
related to the conduct of this collection of information. These estimates are based on
staff experience and subject matter expertise and include the burden needed to
review, analyze, and process the collected information and any relevant operational
expenses.
Total Annual cost - professional effort (100 hours x $317 per hour) = $31,700

15. Reasons for Change in Burden or Cost
The burden changed from 3,828 hours to 3,187 hours, a decrease of 641 hours. The
number of respondents decreased from 28 to 19. The number of responses
decreased from 99 to 72.
The reason for the changes in the estimate for the upcoming clearance period is
based on termination of Facility Security Clearances for several respondents,
thereby removing their requirement to respond to this information collection.
In addition, the fee rate increased from $288 to $317 per hour since the last
submission of this information collection.
16. Publication for Statistical Use
There is no application of statistics in the information collected. There is no
publication of this information.
17. Reason for Not Displaying the Expiration Date
The expiration date is displayed on the submission templates.
18. Exceptions to the Certification Statement
There are no exceptions.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Statistical methods are not used in this collection of information.


TABLE 1 - INSIDER THREAT PROGRAM ESTIMATE
(REPORTING)

| Section | Requirement | No. of Respondents | Responses Per Respondent | No. of Responses | Burden Per Response (Hours) | Total Annual Burden Hours (1) | Total Burden Cost at $317 |
|---|---|---|---|---|---|---|---|
| 32 CFR 117.7(b)(4) | Establish program including formal appointment and training by the licensee of an Insider Threat Program Senior Official (ITPSO) who is a U.S. citizen employee and a senior official of the company. | 19 | 1 | 19 | 24.25 | 461 | $146,137 |
| 32 CFR 117.7(h)(2) | Annual licensee self-review including self-inspection of the ITP and report to the NRC | 19 | 1 | 19 | 16 | 304 | $96,368 |
| 32 CFR 117.7(d) | Requirements to report to the NRC any detection of an insider threat to the licensee | 19 | .15 | 3 | 1 | 3 | $951 |
| 32 CFR 117.18(b)(4) | Monitor user activity on classified IS | 3 | 4 | 12 | 125 | 1,500 | $475,500 |
| Totals | | 19 | | 53 | | 2,268 | $718,956 |

(1) Total hours per requirement have been rounded to the nearest hour.


TABLE 2 - INSIDER THREAT PROGRAM ESTIMATE
(RECORDKEEPING)

| Section | Requirement/Record Retention | No. of Recordkeepers | Annual Hours Per Recordkeeper | Total Annual Recordkeeping Hours |
|---|---|---|---|---|
| 32 CFR 117.7(b)(4) | Formal appointment by the licensee of an ITPSO who is a U.S. citizen employee and a senior official of the company. | 19 | 10 | 190 |
| 32 CFR 117.7(h)(2) | Annual licensee self-review including self-inspection of the ITP | 19 | 16 | 304 |
| 32 CFR 117.12(k) | Maintain ITP Training Records | 19 | 2 | 38 |
| 32 CFR 117.7(d) | Requirements to report to the NRC any detection of an insider threat to the licensee | 19 | 3 | 57 |
| 32 CFR 117.18(b)(4) | Maintain policies and procedures that address key components of the contractor's insider threat program | 3 | 110 | 330 |
| Totals | | 19 | | 919 |


DESCRIPTION OF INFORMATION COLLECTION
REQUIREMENTS CONTAINED IN
NRC INSIDER THREAT PROGRAM FOR LICENSEES
AND OTHERS REQUIRING ACCESS TO CLASSIFIED
INFORMATION
3150‑0251
32 CFR 117.7(b)(4): This section requires an entity under an ITP to appoint an ITPSO and
establish and execute an insider threat program.
32 CFR 117.7(d): This section requires an entity under an ITP to report relevant and available
information indicative of a potential or actual insider threat to the NRC using the NRC-provided
template.
32 CFR 117.7(h)(2): This section requires an entity under the ITP to perform an annual
self-assessment/inspection and report it to the NRC.
32 CFR 117.12(g): This section requires initial and annual insider threat awareness training for
all persons with access to classified information.
32 CFR 117.12(k): This section specifies the records retention requirements for the ITP.
32 CFR 117.18(b)(4): This section requires an entity with classified information systems to
continuously monitor those systems to detect potential activity indicating an insider threat.



File Type: application/pdf
Author: Ryan Ruppert
File Modified: 2025-11-25
File Created: 2025-11-25
