Design Basis Threat, 12705-12727 [07-1317]

Download as PDF Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations rule modified existing debt refinancing eligibility language and inadvertently omitted three key words that existed prior to the final rule taking effect. This rule inserts those three words back into the debt refinancing eligibility language. PART 4279—GUARANTEED LOANMAKING 1. The authority citation for part 4279 continues to read as follows: I Authority: 5 U.S.C. 301 and 7 U.S.C. 1989. Subpart B—Business and Industry Loans 2. In § 4279.113, paragraph (r) is revised to read as follows: I Eligible loan purposes. * * * * * (r) To refinance outstanding debt when it is determined that the project is viable and refinancing is necessary to improve cash flow and create new or save existing jobs. Except as provided for in § 4279.108(d)(4) of this subpart, existing lender debt may be included provided that, at the time of application, the loan has been current for at least the past 12 months (unless such status is achieved by the lender forgiving the borrower’s debt) and the lender is providing better rates or terms. Subordinated owner debt is not eligible under this paragraph. Unless the amount to be refinanced is owed directly to the Federal government or is federally guaranteed, the existing lender debt refinancing must be a secondary part (less than 50 percent) of the overall loan. * * * * * Dated: February 23, 2007. Jackie J. Gleason, Administrator, Rural Business—Cooperative Service. [FR Doc. E7–4920 Filed 3–16–07; 8:45 am] cprice-sewell on PROD1PC66 with RULES 15:36 Mar 16, 2007 Jkt 211001 The Nuclear Regulatory Commission (NRC) is amending its regulations that govern the requirements pertaining to the design basis threats (DBTs). This final rule makes generically applicable security requirements similar to those previously imposed by the Commission’s April 29, 2003 DBT Orders, based upon experience and insights gained by the Commission during implementation, and redefines the level of security requirements necessary to ensure that the public health and safety and common defense and security are adequately protected. Pursuant to Section 170E of the Atomic Energy Act (AEA), the final rule revises the DBT requirements for radiological sabotage, generally applicable to power reactors and Category I fuel cycle facilities, and for theft or diversion of NRC-licensed Strategic Special Nuclear Material (SSNM), applicable to Category I fuel cycle facilities. Additionally, a petition for rulemaking (PRM–73–12), filed by the Committee to Bridge the Gap, was considered as part of this rulemaking. The NRC partially granted PRM–73–12 in the proposed rule, but deferred action on other aspects of the petition to the final rule. The NRC’s final disposition of PRM–73–12 is contained in this document. SUMMARY: Accordingly, chapter XLII, title 7, Code of Federal Regulations, is amended as follows: VerDate Aug<31>2005 RIN 3150–AH60 Nuclear Regulatory Commission. ACTION: Final rule. I BILLING CODE 3410–XY–P 10 CFR Part 73 AGENCY: Business and industry, Loan programs, Rural areas, Rural development assistance. § 4279.113 IX. Availability of Documents X. Plain Language XI. Voluntary Consensus Standards XII. Finding of No Significant Environmental Impact: Environmental Assessment: Availability XIII. Paperwork Reduction Act Statement XIV. Regulatory Analysis XV. Regulatory Flexibility Act Certification XVI. Backfit Analysis XVII. Congressional Review Act NUCLEAR REGULATORY COMMISSION Design Basis Threat List of Subjects in 7 CFR Part 4279 DATES: Effective Date: April 18, 2007. FOR FURTHER INFORMATION CONTACT: Manash K. Bagchi, Office of Nuclear Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 20555–0001, telephone 301–415– 2905, e-mail MKB2@NRC.GOV. SUPPLEMENTARY INFORMATION: Table of Contents I. Background II. Analysis of Public Comments and Consideration of the 12 Factors of the Energy Policy Act of 2005 III. Summary of Specific Changes Made to the Proposed Rule as a Result of Public Comments IV. Section by Section Analysis V. Guidance VI. Resolution of Petition (PRM–73–12) VII. Criminal Penalties VIII. Compatibility of Agreement State Regulations PO 00000 Frm 00005 Fmt 4700 Sfmt 4700 12705 I. Background The DBT requirements in 10 CFR 73.1 describe general adversary characteristics that designated licensees must defend against with high assurance. These NRC requirements include protection against radiological sabotage (generally applied to power reactors and Category I fuel cycle facilities) and theft or diversion of NRClicensed SSNM (generally applied to Category I fuel cycle facilities). On November 7, 2005 (70 FR 67380), the Commission published a proposed rule for public comment seeking to amend its regulation that governs the requirements pertaining to the DBTs. The DBTs are used by licensees to form the basis for site-specific defensive strategies implemented through physical security plans, safeguards contingency plans, and security personnel training and qualifications plans. Amendment of the DBT rule was influenced by a number of factors described below. Following the terrorist attacks on September 11, 2001, the NRC conducted a thorough review of security practices to ensure that nuclear power plants and other licensed facilities continued to have effective security measures in place to address the changing threat environment. The NRC recognized that some elements of the DBTs required enhancement. After soliciting and receiving comments from Federal, State, and local agencies, and industry stakeholders, and reviewing an analysis of intelligence information regarding the trends and capabilities of potential adversaries, the NRC imposed supplemental DBT requirements by order on April 29, 2003. The Commission deliberated on the responsibilities of the local, State, and Federal stakeholders to protect the nation and the responsibility of the licensees to protect individual nuclear facilities before issuing the April 29, 2003 DBT Orders. The April 29, 2003 DBT Orders required nuclear power reactors and Category I fuel cycle facility licensees to revise their physical security plans, security personnel training and qualification plans, and safeguards contingency plans to defend against the E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES 12706 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations supplemental DBT requirements. The orders required licensees to make security enhancements such as: Augmented security forces and capabilities; increased patrols; additional security posts and physical barriers; vehicle checks at greater standoff distances; enhanced coordination with law enforcement and military authorities; augmented security and emergency response training, equipment, and communication; and more restrictive site access controls for personnel, including expanded, expedited, and more thorough initial and follow-on screening of power reactor and Category I fuel cycle facility employees. After gaining experience with implementation of these orders, the Commission concluded that the general attributes of the orders should be generically imposed by regulation on certain classes of licensees. In addition, PRM–73–12 was filed by the Committee to Bridge the Gap on July 23, 2004, and was published for comment (69 FR 64690; November 8, 2004). PRM–73–12 requests that the NRC amend its regulations to revise the DBT regulations (in terms of the numbers, teams, capabilities, planning, willingness to die, and other characteristics of adversaries) to a level that encompasses, with a sufficient margin of safety, the terrorist capabilities evidenced by the attacks of September 11, 2001. The petition also requests that security plans, systems, inspections, and force-on-force (FOF) exercises be revised in accordance with the amended DBTs, and that a requirement be added to part 73 to construct shields against air attack (the shields are referred to as ‘‘beamhenges’’) which the petition asserts would enable nuclear power plants to withstand an air attack from a jumbo jet. The NRC partially granted PRM–73–12 in the proposed rule, but deferred action on other aspects of the petition to the final rulemaking. The NRC’s final disposition of PRM–73–12 is discussed in Section VI of this document. Finally, the Energy Policy Act (EPAct) of 2005 was signed into law on August 8, 2005. Section 651(a) of the EPAct amended the AEA by adding Section 170E, that required the Commission to initiate a rulemaking to revise the DBTs. In addition, Section 170E also directed the Commission to consider but not be limited to, the 12 factors specified in the statute in the course of that rulemaking. As stated in the proposed rule, these factors are: (1) The events of September 11, 2001; (2) An assessment of physical, cyber, biochemical, and other terrorist threats; VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 (3) The potential for attack on facilities by multiple coordinated teams of a large number of individuals; (4) The potential for assistance in an attack from several persons employed at the facility; (5) The potential for suicide attacks; (6) The potential for water-based and air-based threats; (7) The potential use of explosive devices of considerable size and other modern weaponry; (8) The potential for attacks by persons with a sophisticated knowledge of facility operations; (9) The potential for fires, especially fires of long duration; (10) The potential for attacks on spent fuel shipments by multiple coordinated teams of a large number of individuals; (11) The adequacy of planning to protect the public health and safety at and around nuclear facilities, as appropriate, in the event of a terrorist attack against a nuclear facility, and (12) The potential for theft or diversion of nuclear material from such facilities; The Commission took into account a number of issues and sources in conducting this rulemaking, which included its experience in the implementation of the DBT Orders, the issues raised in PRM–73–12, EPAct requirements, and the public comments on the proposed rule. The Commission has considered and deliberated on the 12 factors identified in the EPAct. The results of its consideration are set forth in Section II of this document. Additionally, the Commission specifically invited public comments on how these factors should be addressed in the rule. Many of the comments received substantively focused on the 12 factors. Those comments and the Commission’s responses are also discussed in Section II. It is important to note that the Commission was careful to set forth rule text in the final rule that does not compromise licensee security, but also acknowledges the necessity to keep the public informed of the types of attacks against which nuclear power plants and Category I fuel cycle facilities are required to defend. To this end, the final rule maintains a level of detail in the rule language that is generally comparable to the previous regulation, while updating the general DBT attributes in a manner consistent with the insights gained from the application of supplemental security requirements imposed by the April 29, 2003 DBT Orders, the EPAct, and consideration of public comments. The final rule contains the DBT with which licensees must legally comply. PO 00000 Frm 00006 Fmt 4700 Sfmt 4700 More specific details (e.g., specific weapons, ammunition, etc.) are consolidated in adversary characteristics documents (ACDs) which contain classified or Safeguards Information (SGI). The technical bases for the ACDs are derived largely from intelligence information. They also contain classified or SGI that cannot be publicly disclosed. These documents must be withheld from public disclosure and made available only on a need-to-know basis to those who are cleared for access. Because the regulatory guides (RGs) and the ACDs are guidance documents that provide details to the licensees regarding implementation and compliance with the DBTs, these documents may be updated from time to time as a result of the NRC’s periodic threat reviews. The NRC has been conducting threat reviews since 1979. These threat reviews are performed in conjunction with the intelligence and law enforcement communities to identify changes in the threat environment which may, in turn, require adjustments of NRC security requirements. Future revisions to the ACDs would not require changes to the DBT regulations in 10 CFR 73.1, provided the changes remain within the scope of the rule text. II. Analysis of Public Comments and Consideration of the 12 Factors of the EPAct The proposed rule provided a 75-day public comment period that ended on January 23, 2006. The comment period was extended by another 30 days in response to a request from the Nuclear Energy Institute (NEI), an industry group, to allow additional time for review of the proposed rule because the comment period overlapped the yearend holidays. The extended comment period ended on February 22, 2006. A total of 919 comments were received from about 903 individuals, one county, 13 citizen groups, one utility involved in nuclear activities, and two nuclear industry groups. The comments covered a range of issues, some of which were beyond the scope of this rulemaking because they were specific to protective measures but did not relate to the adversary characteristics. The comments have been organized under three groups: Group I, Consideration of the 12 Factors in the EPAct; Group II, In-Scopecomments, that includes comments raising issues and concerns directly related to the contents of the DBT rule; and Group III, Out-of-Scope comments, that includes comments raising issues and questions that are not directly related to the DBT rule, although they E:\FR\FM\19MRR1.SGM 19MRR1 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations are generally relevant to the security of nuclear facilities. Responses are provided in the following format: Group I: Consideration of the 12 Factors in the Energy Policy Act The Commission’s consideration, public comments, and responses to the public comments are provided for the 12 factors described in Section A. Group II: In Scope Comments Comments in Groups II and III are organized under the following general categories. The Commission’s responses to these comment categories are provided in Section B: 1. Definition of the Design Basis Threats 2. Applicability of the Enemy of the State Rule 3. Compliance with Administrative Procedure Act (APA) Notice and Comment Requirements 4. Ambiguous Rule Text 5. Differentiation in Treatment of General and Specific Licenses for ISFSI 6. Applicability of the Radiological Sabotage DBT to New Nuclear Power Plants 7. Consideration of the Uniqueness of Each Plant in Application of the DBTs 8. Continued Exemption of Research and Test Reactors from the DBT Requirements 9. Changes in Security Requirements to be Addressed Under Backfit Rule 10. Compliance with the Paperwork Reduction Act 11. Adequacy of the Regulatory Analysis 12. Compliance with the National Environmental Policy Act (NEPA) 13. Issuance of Annual Report Card on Individual Licensees Group III: Out of Scope Comments 14. Federalization of Security 15. Force-on-Force Tests of Security 16. Screening of Workers in Nuclear Power Plants 17. Self-Sufficient Defense Capabilities 18. Security of Dry Cask Storage 19. Security of Spent Fuel Pools 20. Inherent Design Problems that make Reactors Vulnerable A Comments Matrix has been provided in Appendix A, that references each topic with comments. The NRC’s response to each topic is listed below: cprice-sewell on PROD1PC66 with RULES Section A Group I. Consideration of the 12 Factors in the Energy Policy Act As discussed above, Section 170E of the AEA, as amended by Section 651(a) of the EPAct, directed the Commission to consider but not be limited to, the 12 VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 factors specified in the statute in the course of the DBT rulemaking. Many of the comments received by the Commission focused on one or more of these factors. Prior to discussing the substance of the 12 factors, the Commission notes that several commenters charged that the Commission violated Section 170E by not considering some of the 12 factors, and by deferring final consideration of some of the provisions to the final rule. Those commenters suggested that this not only violated the mandate of Section 170E, but also the Administrative Procedure Act (APA) by not providing adequate notice of the substance of the rule, and thus, the rule should be withdrawn and re-proposed. To be clear, Section 170E stated that the Commission ‘‘shall consider,’’ but not be limited to, the 12 factors when conducting the DBT rulemaking. However, the EPAct did not require that the Commission explicitly include any of the 12 factors in the proposed or final rule text. The Commission carefully considered intelligence information, vulnerability assessments, other Commission-sponsored studies, and each of the 12 factors in formulating the final rule. Accordingly, a number of provisions or rule changes were adopted that specifically incorporate certain language used in the 12 factors. For instance, the final rule contains specific provisions related to multiple, coordinated groups 1 of attackers (Factor 3), suicide attacks (Factor 5), insider assistance (Factors 4 and 8), and waterborne attacks (Factor 6). Additionally, based on the 12 factors, public comment, and other intelligence and law enforcement information, the Commission has decided to explicitly include a cyber threat as an attribute of the DBTs (Factor 2). After careful consideration, the Commission also chose not to adopt elements related to some EPAct factors as part of the rule text. However, that decision should not be misconstrued as lack of consideration of the factors themselves. Nor should the Commission’s statement in the proposed rule soliciting comments on ‘‘whether or how the 12 factors should be addressed in the DBT rule’’ be interpreted to mean that the Commission deferred consideration of the factors until after it 1 For purposes of this rule, there is no substantive difference between the terms ‘‘group’’ and ‘‘team’’ in reference to the operational capabilities of the DBT adversary force. The meaning of the term ‘‘group’’ is the same as the meaning of the term ‘‘team’’ used in the proposed rule. The term ‘‘team’’ was preserved in this final rule only when summarizing comments on the proposed rule or the 12 Factors of the EPAct. PO 00000 Frm 00007 Fmt 4700 Sfmt 4700 12707 received comments. Rather, the Commission proposed requirements that would require licensees to defend against threats the Commission considered appropriate at that time, subject to change in the final rule after further consideration of public comments. Several commenters specifically charged that the Commission deferred its consideration of air-based threats to the final rule, thus undermining stakeholders’ abilities to know the Commission’s position on that factor. At the time that the proposed rule was published, the Commission maintained its view that protection against airborne attack could best be provided by the strengthening of airport and airline security measures. Accordingly, the Commission did not propose to include a provision in the proposed rule that would require licensees to provide defense against an airborne attack but the Commission specifically sought comment on the issue in the proposed DBT rule and has remained open to changing its position. In addition to being raised in PRM–73–12, the Commission has received numerous comments on the airborne threat. It has carefully considered those comments and has responded to them below. The assertion about the lack of APA notice with regard to the EPAct’s 12 factors is without merit. The proposed rule discussion contained, under a section designated ‘‘Proposed Regulations,’’ (70 FR 67381) a detailed listing and clarifying discussion of the 12 factors and a specific request for public comment on ‘‘whether or how the 12 factors should be addressed in the DBT rule.’’ (70 FR 67382). Factor 1. The Events of September 11, 2001 The Commission’s Consideration: The events of September 11, 2001, have been central to the Commission’s efforts in reevaluating the DBTs. As a result of these attacks, the NRC promptly reevaluated the DBTs and imposed additional requirements on licensees through orders, including the April 29, 2003 Orders on the DBTs. A number of revisions to the DBTs have resulted from consideration of the events of September 11, 2001. Those revisions include increased adversaries’ willingness to kill or be killed, and the capability to operate in several different modes of attack, including multiple adversary groups, and multiple adversary entry points. Public Comment: Several commenters specifically challenged the proposed rule’s consideration of the events of September 11, 2001, expressing concern E:\FR\FM\19MRR1.SGM 19MRR1 12708 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES that the DBT rule does not require licensees to defend against a number of attackers comparable to the number of terrorists (19) who participated in the attacks on September 11, 2001. Response to Public Comment: The Commission disagrees with the comment. The Commission’s consideration of the number of attackers comprising the DBT is discussed in more detail below under Factor 3. However, with respect to the assertion that the number of attackers should be comparable to the number of September 11, 2001, attackers (19), the Commission notes that the official U.S. Government terrorism report for 2001, ‘‘Patterns of Global Terrorism,’’ states that the September 11, 2001, attacks consisted of ‘‘four separate but coordinated aircraft hijackings,’’ not a single attack involving 19 assailants. However, in its annual terrorism report for 2001, the Federal Bureau of Investigation (FBI) considered the attacks as one act of international terrorism by ‘‘four coordinated teams of terrorists.’’ Consideration of seemingly inconsistent views was just one part of a significant statistical analysis conducted by the NRC as part of the post-September 11, 2001, DBT process to determine the DBT adversary force size. In summary: • NRC position: Disagrees with the comment. • Action: No action required. Factor 2. An Assessment of Physical, Cyber, Biochemical, and Other Terrorist Threats The Commission’s Consideration: Although the DBT rule does not elaborate on the specifics of vehicle bomb size, numbers of adversaries, or exact types of weapons for operational security purposes, the Commission believes they are appropriate. The DBTs are the result of the NRC’s continuous evaluation of current threats. That evaluation is not limited to a particular kind of threat, but naturally includes consideration of physical threats, cyber threats, and biochemical threats. The DBT rule reflects the Commission’s determination of the composite set of adversary features against which private security forces should reasonably have to defend. The DBT rule has been amended in several significant respects to reflect the current physical, cyber, biochemical, and other terrorist threats. For example, the radiological sabotage DBT has been enhanced to reflect the requirement that the licensees have a capability to defend against attackers with the ability to operate in several modes of attack, including as multiple groups, attacking from multiple entry points. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 Additionally, in § 73.1(a)(1)(i)(C), the phrase ‘‘up to and including’’ was changed to simply ‘‘including’’ to provide flexibility in defining the range of weapons available to the composite adversary force. One significant change to the rule relates to physical threats from the use of vehicles, either as modes of transportation or as vehicle bombs. Section 73.1(a)(1)(i)(E), for example, effectively expands the scope of vehicles available for the transportation of adversaries by deleting the reference to ‘‘four-wheel drive’’ and by adding water-based vehicles. In addition, § 73.1(a)(1)(iii) (the land vehicle bomb provision) is similarly revised to delete the ‘‘four-wheel drive’’ limitation, and to add a capability that the vehicle bomb ‘‘may be coordinated with an external assault,’’ maximizing its destructive potential. Further, an entirely new capability has been added to the DBT involving a waterborne vehicle bomb, which also is encompassed in the coordinated attack concept. The Commission has also carefully considered biochemical threats both before and after the events of September 11, 2001. The previous rule already contained requirements that provided the capability of using ‘‘incapacitating agents,’’ and that attribute has been retained in the final rule. In addition, armed responders are required to be equipped with gas masks to effectively implement the protective strategy and mitigate the effects of the incapacitating agents. Public Comment: Although many of the public comments could generally be characterized as addressing Factor 2, only a few comments specifically fell under this factor. One commenter stated that the NRC needs to engage independent experts to develop a comprehensive computer vulnerability and cyber attack threat assessment, that must evaluate the vulnerability of the full range of nuclear power plant computer systems and the potential consequences of these vulnerabilities. The commenter further suggested that the revised DBTs must incorporate these findings and include a protocol for quickly detecting such an attack and recovering key computer functions in the event of an attack. Two other commenters stated that the regulations do not reflect protections against explosive devices of considerable size, other modern weaponry, and cyber, biochemical, and other terrorist threats. Another commenter did not believe the proposed DBTs protected against all conceivable attacks, such as launching a large PO 00000 Frm 00008 Fmt 4700 Sfmt 4700 explosive device from a boat, clogging the water intakes, dropping a conventional bomb into spent fuel pools, insider sabotage, etc. Response to Public Comment: Regarding the threat of cyber attack comment, the NRC agrees with the statement submitted by the commenter and explicitly included a cyber attack as an element of the DBTs in the final rule. The basis for this addition, and implications of the rule change are discussed further in Section III of this document. In addition, the proposed 10 CFR 73.55(m), ‘‘Digital Computer and Communication Networks,’’ that is included in the proposed rule, ‘‘Power Reactor Security Requirements,’’ (71 FR 62664; October 26, 2006), contains proposed measures to mitigate a cyber attack. With respect to the other comments regarding protection against explosives of considerable size and modern weaponry, as stated earlier, the details of the adversary capabilities can not be specified publicly, but the Commission believes they are appropriate. Furthermore, the land vehicle bomb assault may be coordinated with an external assault, maximizing its destructive potential. The NRC does not intend the DBTs to represent ‘‘worst case’’ scenarios or all conceivable attacks. It is impossible to address all possible attack scenarios, because there is no theoretical limit to what attack scenarios can be conceived. Therefore, the NRC staff considers the tactics that have been observed in use, discussed, or trained for by potential adversaries. These tactics and DBT provisions are subjected to an interagency review process where Federal law enforcement and intelligence community agencies comment and provide feedback. If changes develop in adversary tactics that could significantly impact nuclear facility security, the staff would request that the Commission consider these tactics for inclusion in the DBT provisions. In summary: • NRC position: Agrees with one element of comment—include cyber threat as an attribute; disagrees with the other two elements. • Action: Final rule includes cyber attack as an explicit element of the DBTs. No other action required. Factor 3. The Potential for Attack on Facilities by Multiple Coordinated Teams of a Large Number of Individuals The Commission’s Consideration: The number of attackers and the tactics used by those attackers is now and has always been a core consideration of the DBT. Although the NRC obviously E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cannot comment on the size (specific number of attackers) of the DBT adversary force for operational security reasons, it can address the process how these numbers are derived. As noted in the Commission’s consideration of Factor 1, the size of the DBT adversary force and the number of assault teams were derived through a careful and deliberative process involving not only the NRC staff, but Federal law enforcement, and intelligence community, and homeland security agencies using a variety of classified and unclassified sources. A statistical analysis was done on terrorist group size by looking at hundreds of terrorist attacks over several years, and comparing them with previous group size analyses for changes in long-term trends. Large ‘‘outlier’’ terrorist events, although few in number, were included in this analysis. This statistical analysis was factored into a parallel analysis of known terrorist attacks against protected facilities (also few in number) and terrorist training, tactics, and doctrinal manuals concerning armed assaults against facilities. In addition, the NRC found that the vague qualifiers (‘‘several persons’’ and ‘‘small group’’) in the previous adversary descriptions in 10 CFR 73.1 did little to add to the clarity of the rule because the phrases are highly subjective. Thus, the final rule now contains the more specific language ‘‘by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points.’’ By revising the language in the rule and eliminating the reference to ‘‘several persons’’ and ‘‘small group,’’ the NRC actually increased the potential flexibility of the design basis adversary. The use of multiple adversary groups is not necessarily tactically advantageous to the attacking force in all possible scenarios. In some instances, the adversary force, as simulated in Forceon-Force (FOF) exercises can, based on its analysis of the licensee’s protective strategy, concentrate its force in a single group if necessary to best attack a facility. In other instances, a licensee’s protective strategy may be more vulnerable to multiple groups of attackers attempting entry from different locations. In any event, the final DBT rule now provides enough flexibility to account for all of these scenarios, while VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 the guidance provides sufficient specificity. Public Comment: Several commenters contend that for nuclear power plants, the regulations should provide protection against coordinated attacks by multiple large groups of up to two dozen sophisticated and knowledgeable adversaries. Response to Public Comment: As stated above, the Commission has revised the rule to reflect these considerations and to provide maximum flexibility in developing threat scenarios which licensees must defend against. In summary: • NRC position: Agrees partially with the comment. • Action: No additional action required, beyond adoption of more specific language in the final rule. Factor 4. The Potential for Assistance in an Attack From Several Persons Employed at the Facility The Commission’s Consideration: The Commission has always considered the threat of insider assistance to be a very real and significant threat. Thus, the DBTs have long contained a provision requiring licensees to protect against insider assistance. Also, other NRC regulations contain substantial requirements for access authorization programs (10 CFR 73.56, ‘‘Personnel Access Authorization Requirements for Nuclear Power Plants,’’ and 10 CFR 73.57, ‘‘Requirements for Criminal History Checks of Individuals Granted Unescorted Access to a Nuclear Power Facility or Access to Safeguards Information by Power Reactor Licensees’’). However, the final rule has amended this requirement to expand the threat of insider assistance. For instance, 10 CFR 73.1(a)(1)(A) and (2)(i)(A) add language indicating that the adversaries have ‘‘sufficient knowledge to identify specific equipment or locations necessary for a successful attack.’’ Therefore, this provision suggests that this knowledge could be obtained from an insider who has such knowledge. The insider assistance provision itself has also been revised. The final rule deletes the term ‘‘individual’’ to provide flexibility in defining the number of persons who may be involved in providing inside assistance. Public Comment: One commenter stated that the insider attribute must include an active participant in an attack and should include the possibility of first responders and or National Guardsmen providing insider assistance. Response to Public Comment: The NRC agrees with part one of this PO 00000 Frm 00009 Fmt 4700 Sfmt 4700 12709 comment. The capability of ‘‘active’’ insider assistance is clearly stated in both 10 CFR 73.1(a)(1)(i)(B) for radiological sabotage and 10 CFR 73.1(a)(2)(i)(B) for theft or diversion of strategic special nuclear material. Further, the ‘‘active’’ assistance capability has long been a component of the DBTs. The use of the conjunction ‘‘or’’ provides for increased tactical flexibility on the part of the adversary, based on the specific situation. It does not preclude an active insider in favor of a passive one. The NRC disagrees with the second part of this comment. National Guard, local law enforcement and other nonlicensee security personnel already stationed at the owner-controlled boundary or entry portals of some licensee facilities are not part of the licensee workforce and not subject to NRC regulatory authority; hence, they are considered beyond the scope of the DBTs. Typically, these organizations have their own internal screening procedures to determine reliability and trustworthiness. The NRC recognizes that those processes exist and provide an appropriate level of assurance against an insider threat to that organization. Furthermore, first responders, law enforcement, and National Guard personnel are not given unescorted access to the Protected Area (PA). First responders, law enforcement, and other external security personnel responding to an emergency or security event at a site would do so according to established emergency response protocols. If a particular responding organization had been penetrated by an adversary insider, then that adversary would be considered an external adversary for purposes of the DBTs. The requirement that licensees protect against ‘‘A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions,’’ as described in §§ 73.1(a)(1)(i), and 73.1(a)(2)(i), anticipates such an adversary. In summary: • NRC Position: Agrees with the first element of the comment, disagrees with the second element of the comment. • Action: No action required. Factor 5. The Potential for Suicide Attacks The Commission’s Consideration: The final rule contains language reflecting the potential for suicide attacks. This level of commitment has been assumed since the first DBTs were established by the NRC. Language has been added to §§ 73.1(1)(i)(A) and 73.1(2)(i)(A) indicating that potential adversaries have the attribute of a willingness to ‘‘kill or be killed.’’ E:\FR\FM\19MRR1.SGM 19MRR1 12710 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES Public Comment: No public comment received. Response to Public Comment: No response required. Factor 6. The Potential for Water-Based and Air-Based Threats a. The Commission’s Consideration: Certainly one of the most substantial considerations of the Commission, NRC licensees, the Federal government, and the public is the threat of airborne attacks against critical infrastructures. As stated below, the vast majority of comments received by the Commission on the proposed DBT rule regarded the airborne threat. The Commission has been evaluating the issue of air-based threats long before it was required by the EPAct, and its position on the necessity to add this attribute to the DBTs prior to this rulemaking has been well documented. The Commission’s evaluation of the airborne threat has been an ongoing process, and it has spent a significant amount of time and resources as part of this rulemaking in considering whether to make some type of airborne threat part of the DBTs. Ultimately, the Commission has determined that active protection against the airborne threat requires military weapons and ordnance that rightfully are the responsibilities of the Department of Defense (DOD), such as ground-based air defense missiles, and thus, the airborne threat is one that is beyond what a private security force can reasonably be expected to defend against. This does not mean that the Commission is discounting the airborne threat; merely that the responsibility for actively protecting against the threat lies with other organizations of the Federal government, as it does for any U.S. commercial infrastructures. Beyond active protection, the Commission believes that some considerations involving airborne attack relate to the development of specific protective strategies and physical protection measures that are not within the scope of the DBTs. The deployment of ground-based air defense weapons would be a decision for the Departments of Defense, Homeland Security, Transportation and Justice, not the NRC. In addition, the NRC believes that application of ground-based air defense weapons would present significant command and control challenges, particularly relating to the time required to identify and confirm the presence of a hostile aircraft and for a commercial entity to get permission to engage. The potential for collateral damage to the surrounding community also would have to be considered. Deployment of protective measures such as no-fly VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 zones, combat air patrols, and groundbased air defenses are undertaken by many other Federal organizations working on preventing and protecting critical infrastructure from terrorist attacks, including the U.S. Northern Command (USNORTHCOM) and North American Aerospace Defense Command (NORAD), the Transportation Security Administration (TSA), and the Federal Aviation Administration (FAA). The FAA has issued a Notice to Airmen (NOTAM) strongly advising pilots to avoid the airspace above, or in proximity to, such sites as power plants (nuclear, hydro-electric, or coal), dams, refineries, industrial complexes, military facilities and other similar facilities. Pilots are warned not to loiter in the vicinity of these types of facilities. The significant increase in aviation security since September 11, 2001, goes a long way toward protecting the United States, including nuclear facilities, from an aerial attack. Some of these improvements include: • Criminal history checks on flight crew; • Reinforced cockpit doors; • Checking of passenger lists against ‘‘no-fly’’ lists; • Increased control of cargo; • Random inspections; • Increased Federal Air Marshal presence; • Improved screening of passengers and baggage; • Federal Flight Deck Officer Program; • Controls on foreign passenger carriers; • Requirements on charter aircraft; • Enhanced vigilance of flight training; and • Improved coordination and communication between civilian and military authorities. In February 2002, the Commission, in addition to the actions of other Federal entities, directed nuclear power plant licensees to develop specific plans and strategies to respond to a wide range of threats, including the impact of an aircraft attack. NRC staff conducted mock exercises to practice imminent air attack responses with each licensee. The NRC has continued to work with licensees on these issues and has inspected licensee actions to identify and implement mitigation strategies to limit the effects of such an event. The NRC has conducted detailed, sitespecific engineering studies of a limited number of plants to gain insights on potential vulnerabilities of nuclear power plants to deliberate attacks involving large commercial aircraft. The results of these studies have confirmed the effectiveness of the February 2002 PO 00000 Frm 00010 Fmt 4700 Sfmt 4700 NRC-ordered mitigative measures, and have identified the need for some additional enhancements. For the facilities analyzed, the studies confirm the low likelihood of both damaging the reactor core and releasing radioactivity that could affect public health and safety. Even in the unlikely event of a radiological release due to a terrorist use of a large aircraft against a nuclear power plant, the studies indicate that there would be time to implement the required on-site mitigating actions. These results have also validated the potential radioactive source term for offsite emergency planning basis. Nevertheless, on June 20, 2006, the NRC issued orders to appropriate power reactor licensees requiring the implementation of additional key radiological protection and mitigation strategies to reduce potential consequences from the loss of large areas of the plant due to large fires or explosions. This information is discussed in, ‘‘In the Matter of Operating Power Reactor Licensees Identified in Attachment 1; Orders Modifying Licensees (Effective Immediately),’’ (71 FR 36554; June 27, 2006). Additional studies are being considered to further assess mitigative capabilities. The NRC will continue to coordinate with the Department of Homeland Security (DHS) on this initiative. (See Factor 9 for further discussion of a related topic, ‘‘The potential for fires, especially fires of long duration.’’) Finally, in early March 2006, the NRC hosted an Interagency Aircraft Attack Tabletop Exercise at NRC Headquarters. Representatives from the DHS, the DOD/ USNORTHCOM, and the FBI attended. The purpose of the exercise was to explore Federal responsibilities and interfaces, consistent with the National Infrastructure Protection Plan and National Response Plan, for terrorist incidents at nuclear power plants, with a focus on an aircraft attack on the facility. The tabletop exercise reconfirmed the respective responsibilities of the participating organizations (NRC, DHS, DOD, and FBI) in the event of a nuclear plant aircraft attack and clarified protocols for response-related interagency communication and coordination. The final DBT contains two new provisions that account for the capability of a water-based attack, as discussed under Factor 2. These capabilities were included based on conclusions drawn from the NRC’s continuing review of intelligence information and liaison with Federal law enforcement, intelligence community, and homeland security E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations agencies. Sections 73.1(a)(1)(i)(E) and 73.1(a)(2)(i)(E) add the capability to use water-based vehicles for transporting personnel and equipment to the proximity of vital areas. Sections 73.1(a)(1)(iv) and 73.1(a)(2)(iv) add a new provision for a waterborne vehicle bomb assault. The NRC has concluded that defense against these new DBT provisions will provide a highassurance of protection against the waterborne threat. Public Comment: Approximately 820 comments indicated that the ‘‘beamhenges’’ concept or similar barrier method of protection should be considered for protection against airborne attacks. As generically described by the commenters, a ‘‘beamhenge’’ shield is constructed out of an interlocking series of steel I-beams and cables that would be built at sufficient stand-off distances from safety-related buildings at nuclear power plants to protect against an aircraft attack. Comments also indicated that a ‘‘no-fly’’ zone should be imposed around nuclear power plants and that ground based-air defense systems should be deployed to protect each site. Further, multiple commenters expressed concerns regarding the vulnerabilities of nuclear power plants and other licensed facilities to terrorist waterborne attacks. Commenters suggested that the revised DBTs should require nuclear power plants and other licensed facilities situated on navigable waterways to be equipped with visible, engineered physical barriers. Response to Public Comment: The Commission has spent considerable time and resources considering the threat of airborne and waterborne attacks on nuclear facilities. Based on these considerations, the NRC has chosen a two-track approach to respond to these threats in order to assure adequate protection. First, the NRC has determined that active protection against the airborne threat rests with other organizations of the Federal government, such as NORTHCOM and NORAD, TSA, and FAA. The NRC will continue to test these relationships through exercises. Second, licensees have been directed to implement certain mitigative measures to limit the effects of an aircraft strike. To the extent that commenters have suggested the imposition of specific physical security measures such as the ‘‘beamhenges’’ concept, the NRC has considered on the issue, but has rejected the concept because it believes that the mitigation measures in place are sufficient to ensure adequate protection of the public health and safety. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 With respect to the waterborne attack threat, the DBT rule has been revised to reflect two new water-based capabilities. However, requirements of physical barriers for the protection of the nuclear power plants and other licensed facilities under waterborne attack are not in the scope of DBT rule. Requirements for physical barriers are addressed in a separate rulemaking to amend 10 CFR 73.55. The security requirements in the proposed rulemaking that would amend 10 CFR 73.55 (71 FR 62664; October 26, 2006) address protective strategies and security measures for nuclear power plants and other licensed facilities under waterborne attacks, and require licensees to defend against the DBTs. In summary: • NRC Position: Agrees with the waterborne comment. Disagrees with ‘‘no-fly’’ zones and ‘‘beamhenges’’ concept comments. • Action: No action required. Factor 7. The Potential Use of Explosive Devices of Considerable Size and Other Modern Weaponry The Commission’s Consideration: As part of its consideration of Factor 2, the Commission assessed the potential use of explosive devices of considerable size and other modern weaponry. The Commission notes that the DBTs have been revised to specifically reflect these two considerations. First, §§ 73.1(a)(1)(i)(C) and 73.1(a)(2)(i)(C) were amended to revise the phrase ‘‘up to and including’’ to simply ‘‘including’’ to increase the flexibility in defining the available range of weapons. Second, the vehicle bomb threat has been expanded to include waterborne vehicles. This factor has been further articulated in Factor 2. Public Comment: Refer to Factor 2. Response to Comment: Refer to Factor 2. In summary: • NRC Position: Agrees with the comment. • Action: No action required. Factor 8. The Potential for Attacks by Persons With a Sophisticated Knowledge of Facility Operations The Commission’s Consideration: As noted above under the discussion of Factor 4, §§ 73.1(a)(1)(i)(A) and 73.1(a)(2)(i)(A) added language indicating that the adversaries have ‘‘sufficient knowledge to identify specific equipment or locations necessary for a successful attack.’’ Public Comment: No public comment received. Response to Comment: No response required. PO 00000 Frm 00011 Fmt 4700 Sfmt 4700 12711 Factor 9. The Potential for Fires, Especially Fires of Long Duration The Commission’s Consideration: The DBTs describe specific adversary characteristics against which licensees must be prepared to defend. Fires, in contrast, are not adversary characteristics, but result from a particular adversary attack. Nevertheless, the NRC considered fires resulting from several possible initiating events, both accidental and malicious in nature. The NRC conducted vulnerability assessments for some operating nuclear power plants in the 1970s and 1980s to establish the technical basis for security requirements. The NRC also routinely evaluated the potential impacts of terrorist attacks on power reactors as part of the FOF exercise program on a plant-by-plant basis. After the terrorist attacks on September 11, 2001, the NRC promptly assessed the potential for and consequences of terrorists targeting a nuclear power plant, including its spent fuel storage facilities, for an aircraft attack, the physical effects of such a strike, and how compounding factors (e.g., fires, meteorology, etc.) would affect the impact of potential radioactive releases. As part of a comprehensive assessment, the NRC conducted detailed site-specific engineering studies of a limited number of nuclear power plants to assess potential vulnerabilities of deliberate attacks involving a large commercial aircraft. Additional Commission considerations are provided under the discussion of Factor 6. A summary of the assessment study is available in a publicly available document. Public Comment: One commenter stated that the proposed rule did not consider the potential for fires, especially fires of long duration and thus asserts that the proposed rule does not comply with the Congressional directive because it fails to mention the fire threat. Response to Public Comment: The NRC disagrees with the statement submitted by the commenter. As stated above, the NRC considered fire to be a result of several possible threats. Adversary forces, bombs, and explosives can all result in fires, and potentials for fires have been considered during the DBT rulemaking process. The following is provided as background information related to this comment. As part of a larger NRC effort to enhance the safety and security of the Nation’s nuclear power plants, an initiative was undertaken as part of a February 2002 NRC Order. The order required licensees to look at what might E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES 12712 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations happen if a nuclear power plant lost large areas due to explosions or fires. The licensees then were required to identify and later implement strategies that would maintain or restore cooling for the reactor core, containment building, and spent fuel pool. The requirements listed in Section B.5.b of this order directed licensees to identify ‘‘mitigative strategies’’ (meaning the measures licensees could take to reduce the potential consequences of a large fire or explosion) that could be implemented with resources already existing or ‘‘readily available.’’ The NRC held inspections in 2002 and 2003 to identify if licensees had implemented the required mitigative strategies. These inspections, as well as additional studies, showed significant differences in the strategies implemented by the plants. As a result, the NRC developed additional mitigative strategy guidance. The guidance was based on ‘‘lessons learned’’ from NRC engineering studies and included a list of ‘‘best practices’’ for mitigating losses of large areas of the plant. Each plant was requested to consider implementation of applicable additional strategies by August 31, 2005. The NRC inspected each plant in 2005 to review their implementation of any additional mitigative measures. The NRC is continuing to ensure licensees appropriately implement these measures. Finally, aircraft attack, another threat likely to result in fires was also considered and studies analyzing the consequences of successful commercial airline attacks were performed. In conducting these studies, the NRC drew on national experts from several DOE laboratories using state-of-the-art structural and fire analyses. The NRC also enhanced its ability to realistically predict accident progression and radiological release consequences. For the facilities analyzed, the studies found that the likelihood of both damaging the reactor core and releasing radioactivity that could affect public health and safety is low. Even in the unlikely event of a radiological release due to terrorist use of a large aircraft, there would be time to implement mitigating actions and off-site emergency plans such that the NRC’s emergency planning basis remains valid (71 FR 36554; June 27, 2006). Additional site-specific studies of operating nuclear power plants are underway or being planned to determine the need, if any, for additional mitigating capability on a site-specific basis. In summary, the NRC considered the potential for fires during the DBT rulemaking process, as required by the EPAct. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 • NRC position: Disagrees with the comment. • Action: No action required. Factor 10. The Potential for Attacks on Spent Fuel Shipments by Multiple Coordinated Teams of a Large Number of Individuals The Commission’s Consideration: As stated in response to Factor 3, the Commission considered the potential for attacks on nuclear facilities by multiple coordinated groups of a large number of individuals. The number of attackers and the tactics used by those attackers is now and has always been a core consideration of the DBTs. In addition, the Commission has considered the potential for attacks on spent fuel shipments and issued an order, requiring specific protective measures. The Commission is planning to propose a rule on spent fuel shipments in the near future. Public Comment: No public comment received. Response to Public Comment: No response required. Factor 11. The Adequacy of Planning To Protect the Public Health and Safety at and Around Nuclear Facilities, as Appropriate, in the Event of a Terrorist Attack Against a Nuclear Facility The Commission’s Consideration: The DBT rule does not include requirements imposing specific emergency planning considerations. Nevertheless, the Commission considered the implications of security-related incidents on emergency planning. As part of those efforts, following the terrorist attacks of September 11, 2001, the NRC evaluated the emergency preparedness (EP) planning basis and determined that the planning basis for nuclear power reactors remains valid. Further, the NRC issued orders requiring compensatory measures for nuclear security and safety, and observed licensee performance during security-based EP drills and exercises and security FOF exercise evaluations. Also, the NRC reviewed current public radiological protective action guidance, and discussed security-based EP issues with various stakeholders, including licensees and Federal, State and local government officials. Based on the information obtained from the reviews and evaluations, the NRC determined that EP of nuclear power plants could be enhanced. The Commission approved the communication of enhancements to EP and response actions for securitybased events to power reactor licensees. NRC Bulletin 2005–02, ‘‘Emergency Preparedness and Response Actions for Security-Based Events,’’ dated July 18, PO 00000 Frm 00012 Fmt 4700 Sfmt 4700 2005, communicated enhancements in the following areas: • Security-based emergency classification levels and emergency action levels; • A 15 minute prompt notification to the NRC for security-based events; • On-site protective actions to maximize personnel safety during security-based events; • Enhanced emergency response organization augmentation; and • Development of a security-based emergency drill and exercise program. As of February 18, 2006, all power reactor licensees have implemented the enhancements to their EP programs with the exception of the drill and exercise program. A majority of nuclear power plant licensees indicated that adoption of the security-based EP drill and exercise program is contingent on NRC and the Department of Homeland Security (DHS) endorsement. The NRC continues to work with DHS and the Nuclear Energy Institute to develop and implement a security-based drill and exercise program at power reactor licensees. This program is being conducted in a phased approach. Tabletop drills at four power reactor sites and a facility drill were conducted successfully, and areas for improvement were identified and incorporated by the industry into draft guidelines. Over the next three years, the industry plans to conduct security-based EP drills at each power reactor licensee with an end state of the integration of security-based EP scenarios into the biennial EP exercise program. In addition to those security-related emergency planning efforts, the NRC and DHS worked together to develop and improve EP for a terrorist attack through federal initiatives such as comprehensive review programs and integrated response planning efforts. The NRC and DHS have enhanced the coordination of integrated EP programs through evaluations of licensee and State/local/tribal response capabilities, and reviews of critical infrastructure preparedness and response plans for commercial nuclear power plants. Our combined efforts have resulted in specific enhancements to securityrelated EP measures, and continued improvement in capabilities for licensees and off-site response organizations to respond to a wide spectrum of events. Public Comment: No public comment received. Response to Public Comment: No response required. E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations Factor 12. The Potential for Theft or Diversion of Nuclear Material From Such Facilities The Commission’s Consideration: The DBT rule includes two separate components, the DBT of radiological sabotage, and the DBT of theft or diversion of formula quantities of special nuclear materials. Although the legal requirements of the radiological sabotage DBT and the theft or diversion DBT, as embodied in the rule text of §§ 73.1(a)(1) and in 73.1(a)(2), respectively, are the same, the ACDs and RGs differ in describing how power reactor and Category I fuel cycle facility licensees should implement and comply with the separate rules. These differences are classified and are not elaborated on here. As stated in 10 CFR 73.55(a), power reactor licensees are only required to protect against the threat of radiological sabotage. Spent fuel is not an attractive theft or diversion target due to its large physical size and high thermal heat and radioactivity (most power reactor spent fuel is considered ‘‘self-protecting’’). As stated in the response to Group III Comments No. 18 (Security of Dry Cask Storage) and 19 (Security of Spent Fuel Pools), the NRC has required that licensees take additional security and mitigating measures against a radioactive release of spent fuel. The NRC has authorized the Duke Energy Corporation, owner and operator of the Catawba plant, to irradiate four fuel assemblies of Mixed-Oxide (MOX) fuel at the Catawba plant on a test basis as part of its license amendment issued on March 3, 2005. MOX fuel technically meets the criteria of a formula quantity of Strategic Special Nuclear Material, in this case plutonium, and would be subject to the DBT provisions of § 73.1(a)(2) for theft or diversion. However, the NRC staff found that MOX fuel is not attractive to potential adversaries from a theft and diversion standpoint at the reactor site due to its low plutonium concentration, composition, and form (size and weight). The MOX fuel consists of plutonium oxide particles dispersed in a ceramic matrix of depleted uranium oxide with a plutonium concentration of less than six weight percent. The MOX fuel assemblies are the same form as conventional fuel assemblies designed for a commercial light-water power reactor and are over 12 feet long and weigh approximately 1,500 pounds. A large quantity of MOX fuel and an elaborate extraction process would be required to yield enough material for use in an improvised nuclear device or weapon. On the ‘‘attractiveness’’ bases, VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 the NRC staff found that the complete application of 10 CFR 73.45(d)(1)(iv), 73.46 (C)(1), 73.46(h)(3), 73.46(b)(3)– (b)(12), 73.46(d)(9), and 73.46(e)(3) for MOX fuel was not necessary. The staff therefore approved the exemptions requested to these regulations, finding that they were authorized by law, and will not endanger life or property or the common defense and security, and that are otherwise in the public interest. The Commission later approved this determination in an adjudicatory order issued on June 20, 2005. Duke Energy Corporation (Catawba Nuclear Station, Units 1 and 2), CLI–05–014, 61 NRC 359,363 (2005). Furthermore, transportation of the MOX fuel assemblies to Catawba will be done by the Department of Energy’s (DOE’s) Office of Secure Transportation, that has legal responsibility for the MOX fuel assemblies until custody is transferred to the licensee. Afterwards, the spent MOX fuel is cooled and stored like other spent fuel on site and is subject to the radiological sabotage DBT while stored in the spent fuel pool inside the Protected Area of the plant. Public Comment: No public comment received. Response to Public Comment: No response required. Section B Group II. In Scope Comments 1. Defining the ‘‘Design Basis Threat’’ Public Comment: Multiple commentators expressed concern that the NRC has not publicly defined or explained the ‘‘design basis threat.’’ Specifically, commenters were unclear what the Commission means by the statement that the DBTs are based on a ‘‘determination as to the attacks against which a private security force can reasonably be expected to defend.’’ These commenters suggested that the Commissions’s failure to articulate the DBT concept creates an ambiguity in establishing the division of responsibility between NRC licensees and the DOD, or DHS. Several commenters suggested that if the NRC does not require plants to defend against air attack because it is unreasonable for a private security force to be able to do so, then it has no choice but to federalize security by requesting that DHS or the military assume full responsibility for the protection of nuclear power facilities. Other commenters suggested that the NRC’s rationale for limiting the characteristics of the DBTs to the attacks against which a private security force could reasonably be expected to defend appears to be based on cost PO 00000 Frm 00013 Fmt 4700 Sfmt 4700 12713 considerations, which is not permitted for measures that are necessary for the protection of public safety. Other commenters representing the nuclear industry, while agreeing that the DBT scope must be clear, asserted that the DBT can not be greater than the largest threats against which private sector facilities can reasonably be requested to defend themselves, and threats beyond the DBT are reasonably the responsibility of the national defense system. Response to Public Comment: The Commission has determined that the DBTs, as articulated in the rule, are based on adversary characteristics against which a private security force can reasonably be expected to defend. This formulation provides the Commission with the flexibility necessary to make reasoned, wellinformed decisions regarding the DBTs. In contrast, detailed, prescriptive criteria would be unduly restrictive, and would unnecessarily limit the Commission’s judgment. This judgment is guided by the Commission’s considerable expertise in nuclear security matters, developed over the course of 30 years of experience regulating the physical protection of nuclear facilities. With regard to the federalization of nuclear plants security forces, the Commission does not have the authority to federalize nuclear security forces and cannot demand deployment of military forces to protect nuclear facilities. Nor has Congress chosen to require these measures. As it has stated publicly many times, the Commission is confident that neither measure is necessary or even prudent. A primary reason for this is that the introduction of a federalized nuclear security force or military unit to provide day-to-day security would create command and control issues for plant management because it would essentially establish two classes of employees at commercial nuclear facilities, both of whom would be responsible for reactor safety in the event of a terrorist attack. This could result in a reduction in the licensee’s ability to ensure reactor safety. In contrast, the continued use of private nuclear security officers responsible to the licensee maintains a unitary command structure focused on a unitary objective. The tightly-regulated private nuclear security forces in use today are well trained on the unique security considerations specific to nuclear power facilities and through rigorous FOF training have proven themselves to be effective and reliable. These conclusions were also documented when the Commission originally studied the issue E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES 12714 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations in 1976 in a report to Congress titled the ‘‘Security Agency Study.’’ The DBT rule is also guided by the Commission’s knowledge that, in addition to being among the most robust industrial facilities in the world, nuclear power plants are arguably the most physically secured industrial facilities. No other civilian industry security force is subject to as much regulatory oversight as the nuclear industry. However, the Commission acknowledges that the use of private security forces to defend nuclear power facilities faces limitations. For instance, there are legal limitations on the types of weapons and tactics available to private security forces. Generally, nuclear security officers have access only to weapons that are available to civilians. Although authority recently granted the Commission under the EPAct of 2005 will allow the Commission to authorize the use of more sophisticated weaponry, the most powerful weapons and defensive systems will remain reserved for use only by the military and law enforcement. Thus, it would be unreasonable to establish a DBT that could only be defended against with weapons unavailable to private security forces. In addition, the Commission previously decided not to require licensees to defend against attacks by ‘‘Enemies of the State’’ as defined by 10 CFR 50.13. However, these limitations on weapons and defensive systems available to private security forces do not undermine the Commission’s confidence in those forces to provide adequate protection. The defense of our nation’s critical infrastructure is a shared responsibility between the NRC, the DOD, the DHS, Federal and State law enforcement, and other Federal agencies. A reasonable approach in determining the threat requires making certain assumptions about these shared responsibilities. Although licensees are not required to develop protective strategies to defend against beyond-DBT events, it should not be concluded that licensees can provide no defense against those threats. The Commission’s regulations at 10 CFR 73.55(a) require power reactor licensees’ security programs to provide ‘‘high assurance that activities involving special nuclear material are not inimical to the common defense and security and do not constitute an unreasonable risk to the public health and safety.’’ Within this requirement is the expectation that, if confronted by an adversary beyond its maximum legal capabilities, on-site security would continue to respond with a graded reduction in effectiveness. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 The Commission is confident that a licensee’s security force would respond to any threat no matter the size or capabilities that may present itself. The Commission expects that licensees and State and Federal authorities will use whatever resources are necessary in response to both DBT and beyond-DBT events. Several commenters felt that the DBT rule should define clearly demarcated boundaries where the responsibilities of the licensee end and those of the Government begin for defending nuclear facilities. In the Commission’s view, establishing set boundaries demarcating a division of responsibilities is neither possible nor desirable. The better approach is for the Commission to continue its efforts to encourage licensees and Government organizations to integrate and complement their respective security and incidentresponse duties so that facilities subject to the DBTs have the benefit of all available incident-response resources during the widest possible range of security events. Currently, these integrated response planning efforts include prearranged plans with local law enforcement and emergency planning coordination. Licensees also must comply with event reporting requirements to the NRC so that a Federal response is readily available, if necessary. However, the DBTs are not defined by cost considerations, as suggested by several commenters. The rule text set forth at § 73.1 represents the largest adversary against which the Commission believes private security forces can reasonably be expected to defend. Thus, when the DBT rule is used by licensees to design their site specific protective strategies, the Commission is thereby provided with reasonable assurance that the public health and safety and common defense and security are adequately protected. The Commission agrees with the commenters that it may not legally consider economic factors in determining the level of adequate protection of public health and safety and common defense and security (Union of Concerned Scientists v. NRC, 824 F.2d 108, 117118 (D.C. Cir. 1987)), and it did not do so in deciding what level of protection it considers to be adequate in this rulemaking. Rather, as the Commission has clearly set forth above, the requirements in the DBT rule are determined by the Commission’s consideration of the staff’s threat assessments based on coordination with law enforcement, intelligence, and homeland security agencies, the Commission’s considerable experience PO 00000 Frm 00014 Fmt 4700 Sfmt 4700 in these matters, and the legal limitations on security forces available to licensees. In contrast, the Commission’s determination of specific aspects of implementation of and compliance with the DBT rule, as described in the ACDs and regulatory guidance, may involve consideration, along with other factors, of the relative costs of various methods of implementing particular requirements of the DBTs. In summary: • NRC position: Disagrees with the comments. • Action: No action required. 2. Applicability of the Enemy of the State Rule Public Comment: Several commenters also suggested that the proposed rule does not clearly distinguish between a threat posed by an ‘‘enemy of the state’’ excluded by 10 CFR 50.13, and threats covered by the DBTs. They asserted that the phrase ‘‘enemy of the state’’ is ambiguous and can no longer be relied on to preclude the development of defensive measures at nuclear power plants. Those commenters again expressed concern that the division of responsibilities between the licensees and the national defense system are ambiguous. Other commenters argued that the Commission has failed to explain why the DBTs exclude an ‘‘Al-Qaeda like terrorist organization’’ as an ‘‘enemy of the state’’ notwithstanding the Commission’s statements in the vehicle bomb rulemaking, that described the characteristics of an ‘‘enemy of the state,’’ that seemingly would have included organization like an Al-Qaeda. Commenters representing industry stated that licensees are not and should not be required to defend against threats posed by enemies of the United States. They argued that the DBTs represent the largest threat against which a private security force can reasonably be expected to defend, and that any escalation of this adversary would be inconsistent with 10 CFR 50.13. These threats are properly the responsibility of the national defense establishment and other security agencies. Response to Public Comment: The enemy of the state rule, 10 CFR 50.13, was promulgated in 1967 amid concerns that Cuba might launch attacks against nuclear power plants in Florida. That rule (32 FR 13455; September 26, 1967) was primarily intended to make clear that privately-owned nuclear facilities were not responsible for defending against attacks that typically could only be carried out by foreign military organizations. By contrast, the DBT rule does not focus on the identity, E:\FR\FM\19MRR1.SGM 19MRR1 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES sponsorship, or nationality of the adversaries. Instead, it affirmatively defines a range of attacks and capabilities against which nuclear power plants and Category I fuel cycle facilities must be prepared to defend. An adversary force that falls outside of the range of attacks against which nuclear facilities are reasonably expected to defend is considered to be ‘‘beyond-DBT,’’ regardless of whether it would or would not be deemed an ‘‘enemy of the state.’’ The Commission disagrees that any extension of the DBTs automatically conflicts with 10 CFR 50.13. The Commission may revise the DBTs in response to changes in the threat environment without necessarily implicating 10 CFR 50.13. To be clear, ‘‘beyond-DBT’’ and ‘‘enemy of the state’’ are not equivalent concepts. In addition, improved response capabilities may become available to private security forces in the future. In that case, potential increases to the DBTs may be ‘‘reasonable to expect a private force to protect against’’ without coming into conflict with ‘‘enemy of the state.’’ In summary: • NRC position: Disagrees with the comments. • Action: No action required. 3. Compliance With Administrative Procedure Act (APA) Notice and Comment Requirements Public Comment: Multiple commenters stated that sharing the ACDs with an exclusive group of parties constitutes a violation of the APA because the technical basis for the proposed rule is contained in those documents. Those commenters stated that the NRC should disclose the general and legal principles discussed in the exchange of the documents without releasing Safeguards Information. Another commenter expressed concern that the DBT rule is based on ex parte communications received from the nuclear industry after sharing the contents of the proposed rule only with certain parties. Also, because the general public has no idea what general legal or technical principles were discussed in these private communications, it could not intelligently comment on the proposed rule. Other commenters charged that the DBT rulemaking is simply codifying secret orders to avoid public scrutiny. Thus, they suggest that because the proposed rule did not contain specifics of the DBTs, the NRC is free to change the specific requirements without notice to the public, effectively conducting a secret rulemaking in violation of the APA. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 Industry commenters suggested that the ACDs and RGs should be incorporated by reference into the DBT rule to ensure adequate stakeholder participation in changes to the specific details of the DBTs. Otherwise, these commenters argue that the use of the ACDs and RGs has the potential for circumventing the APA and Paperwork Reduction Act. Response to Public Comment: The Commission is confident that the rulemaking process for the DBT rule complies with the APA. As set forth in the statements of consideration to the proposed rule (70 FR 67380, 67382; November 7, 2005), the Commission has carefully balanced the public interest in knowing the security considerations for the protection of special nuclear material and the need for meaningful comment with security interests related to the disclosure of specific details of DBT adversaries. The result is a DBT rule that defines in reasonable detail a range of attacks against which licensees are required to defend. The DBT rule contains all of the requirements with which licensees must legally comply. No additional information was necessary to understand or to comment on the proposed DBT rule. The ACDs and RGs are guidance documents containing SGI and classified information, and describe how licensees can comply with the regulations. The ACDs and RGs are not regulations, and are not legally enforceable. The APA permits agencies to develop guidance documents like the ACDs and RGs without following notice-and-comment rulemaking requirements (5 U.S.C. 553(b)(3)(A)). Changing the guidance in the ACDs or RGs based on changes to the threat environment would not change the requirements of the rule. The text of the proposed rule provided ample information to enable meaningful comment on what the current level of protection for nuclear power plants and Category I fuel cycle facilities should entail. Members of the public can and have provided the Commission their views in this rulemaking on the number of attackers, amounts of explosives, and types of weapons that licensees should be required to defend against, even without having access to classified information or SGI. Therefore, access to the ACDs and the RGs was not necessary to enable meaningful public comment on the proposed DBT rule. One commenter suggested that it was improper for the Commission to share the draft ACDs and RGs with members of the nuclear industry but not members of the general public. The NRC shared PO 00000 Frm 00015 Fmt 4700 Sfmt 4700 12715 the draft ACDs and RGs with licensees at the request of NEI before expiration of the initial comment period because NEI, in its capacity as the representative of the nuclear industry, had the appropriate clearance and a specific need to know the information in order to assist licensees in planning and designing protective strategies capable of defending against the DBTs. The NRC also shared those documents with the States of New Jersey and Illinois that had established a need to know and obtained appropriate clearance. Other NRC stakeholders do not necessarily share this need to know, and therefore, have not been granted access to the classified and SGI ACDs and RGs. The NRC did not provide the draft ACDs and RGs to enable industry comments on the rule, nor has the Commission received or considered non-public comments on the rule. The Commission reiterates that no SGI or classified information was necessary to enable public comment, nor were any non-public comments received or considered over the course of this rulemaking. All of the comments received and considered in this rulemaking have been made publicly available. Finally, the Commission disagrees that the ACDs and RGs should be incorporated by reference in the text of the final rule. As explained above, the ACDs and RGs are guidance documents. The legally-binding requirements are contained in the text of the rule. Incorporating these documents by reference would not only be inconsistent with that approach, but would potentially subject these documents to public disclosure based on the requirements of Section 552 of the APA, and the Office of the Federal Register regulations. In summary: • NRC position: Disagrees with the comments. • Action: No action required. 4. Ambiguous Rule Text Public Comment: Several commenters stated that the continued use of the phrase ‘‘one or more teams’’ in the rule ignores the inherent ambiguity of this type of construction, as identified in the Atomic Safety and Licensing Board’s 2005 decision in the Catawba licensing proceedings. See Duke Energy Corporation (Catawba Nuclear Station, Units 1 and 2), LBP–05–10, 61 NRC 241, 297 (2005). The commenters argued that this construction i.e. use of the conjunction ‘‘or’’) permits licensees to select from one of two options (i.e. either one team or more teams), and thus permits licensees to develop their protective strategy ignoring the E:\FR\FM\19MRR1.SGM 19MRR1 12716 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES possibility of three teams or more. The commenters therefore suggested that the rule be revised to eliminate use of this ambiguous construction. One commenter suggested rule text that read ‘‘capable of operating in multiple teams, up to the maximum number of teams that can be formed from the adversary force, where a team has no fewer than two members.’’ Response to Public Comment: Though the Commission does not necessarily agree that the phrase ‘‘capable of operating as one or more teams’’ is ambiguous, in the final rule, it has nevertheless modified this language to be clear that licensees are required to defend against multiple modes of attack, including both a single group as well as multiple groups. Notably, the prior radiological sabotage DBT rule did not contain language requiring licensees to defend against multiple groups of adversaries, as specified in the theft or diversion DBT. The final rule adds a requirement to the radiological sabotage DBT that licensees protect against an adversary ‘‘capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points,’’ and the theft or diversion DBT has been revised for consistency. The rule therefore requires that licensees evaluate a wide range of possible attack scenarios when developing their protective strategies. Under the final rule, licensees must be able to defend against an attack from multiple entry points by a number of groups and/or individuals. Neither a protective strategy that is only capable of defending against a single group nor one that is only capable of defending against a number of smaller groups would meet the requirements of the rule. The revision of this language does not, however, change the scope of this provision as originally intended by the Commission in the proposed rule. The purpose of the change is merely to provide the clearest possible articulation of the rule’s requirements. In summary: • NRC position: Disagrees with the comments. • Action: No action required. 5. Differentiation in Treatment of General and Specific Licenses for ISFSI Public Comment: One commenter stated that the NRC did not provide a specific rationale in the proposed rule as to why a specific license ISFSI with security requirements arising from the VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 security requirements in 10 CFR 72.182 should be subject to a different DBT than a general license ISFSI with security requirements arising from 10 CFR 72.212, especially when nearly identical spent fuel in identical storage casks is stored at these two classes of licensees. The commenter requested that the NRC describe why these two types of ISFSIs should be treated differently from a DBT perspective in the final rule, or indicate that these licensees are subject to the same security requirements. Response to Public Comment: The commenter is correct in noting that specifically-licensed and generallylicensed ISFSIs are treated differently in the current regulations. For example, the current regulation in 10 CFR 73.1(a) contains an exemption for specificallylicensed ISFSIs, subject to 10 CFR 72.182. However, the physical protection regulations for specificallylicensed ISFSIs, found at 10 CFR 72.180 and 72.182, do not require protection against the DBT, so it is unnecessary to exempt specifically-licensed ISFSIs from the DBT regulation. By contrast, generally-licensed ISFSIs are required to protect against the DBT for radiological sabotage by 10 CFR 72.212(b)(5), but by the same regulation, are excepted from certain specific requirements contained in the DBT. Ultimately, these discrepancies have no effect on the security of the facilities because both generally-licensed and specificallylicensed ISFSIs have equivalent protective measures in place, including those imposed by the October 2002 Order. The intent of this rulemaking was to update the DBTs applicable to power reactors and Category I fuel cycle facilities. Conforming changes were made to preserve the existing regulatory structure for other licensees. However, the NRC is currently considering future rulemakings to align the generallylicensed and specifically-licensed ISFSI requirements and to evaluate the application of the DBT. In summary: • NRC position: Agrees with the comments. • Action: No action required as part of this rulemaking. 6. Applicability of the Radiological Sabotage DBT to New Nuclear Power Plants Public Comments: Two commenters stated that the DBT for new nuclear power plants should be the same as for operating nuclear power plants. One commenter specifically stated that the proposed rule did not justify the adoption of different DBTs for new nuclear power plants. The commenter believes that the NRC has already set the PO 00000 Frm 00016 Fmt 4700 Sfmt 4700 DBTs at the level of the largest threat against which a private guard force can reasonably be expected to defend. Therefore, there is no reason to have a different set of DBTs for new nuclear power plants. The commenter expressed a concern that different DBTs for new plants could result in two different sets of DBTs for the same nuclear power plant site with a currently operating nuclear power plant. Response to Public Comment: The NRC agrees with the commenters that the radiological sabotage DBT should be uniformly applicable to new and currently operating nuclear power plants. In fact, the NRC did not propose different radiological sabotage DBTs for new nuclear power plants in the proposed rule. As stated by the Commission in the staff requirements memorandum on SECY–05–120, ‘‘Security Design Expectations for New Reactor Licensing Activities,’’ the expectation is that new reactors will be designed and constructed to be inherently more secure with less reliance on other elements of a traditional security program. To assess the security of new reactors, the NRC is developing proposed requirements for new reactor licensees to submit security assessments as part of their license application package. In summary: • NRC position: Agrees with the comments. • Action: No action required as part of this rulemaking. 7. Consideration of the Uniqueness of Each Facility in Application of the DBTs Public Comment: One commenter stated that each nuclear facility is unique due to its location and surrounding population, and therefore, the DBT for each facility must have its own specific requirements. The DBT cannot be a one-size fits all program. Response to Public Comment: The DBT rule specifies threat characteristics, and does not specify or include requirements for any specific programs. Site-specific security requirements are embodied in site security plans and security measures. The NRC does not agree with the statement submitted by the commenter that each facility must have its own specific requirements. Sitespecific requirements are taken into account by licensees during development of their physical security plans. The NRC considers the sitespecific requirements when it reviews and approves the plans, and tests the adequacy of the site-specific requirements when it conducts FOF exercises at nuclear power plants. It should be noted that the DBTs are comprised of attributes selected from E:\FR\FM\19MRR1.SGM 19MRR1 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES the overall threat environment. The technical bases for the DBTs are based on the NRC’s periodic threat assessments performed in conjunction with the Federal intelligence and law enforcement communities for identification of changes in the threat environment. The assessments contain classified and SGI that cannot be publicly disclosed. The NRC believes that the DBTs should be uniformly applicable to all comparable nuclear facilities and will continue to ensure adequate protection of public health and safety and the common defense and security by requiring the secure use and management of radioactive materials. In summary: • NRC position: Disagrees with the comments. • Action: No action required. reactor fuel as a target, and the risk of radiological release. RTR security programs and systems provide for detection and response to unauthorized activities. In general, these programs include access control to the facilities, observation of activities within the facilities, and alarms or other devices to detect unauthorized presence. RTRs also have emergency plans in place to respond to emergency situations. Those RTRs that are still licensed to use HEU are either already scheduled to convert to low-enriched uranium (LEU) or intend to do so. The DOE is the lead agency for converting RTRs to LEU fuel. The NRC has been working with the DOE to facilitate this effort. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 8. Continued Exemption of Research and Test Reactors From the DBT Requirements Public Comment: Two commenters stated that research reactors possessing Category I quantities of highly-enriched uranium (HEU) must provide protection against theft at the same level as any other Category I facility. Response to Public Comment: The NRC disagrees with this comment. The NRC has made a policy decision that Research and Test Reactors (RTRs) who possess Category I quantities of Special Nuclear Material protect this material as specified in the physical protection requirements for non-power reactor fuel in 10 CFR 73.60(a) through (e) and 73.67. These regulations do not require licensees to protect against either the radiological sabotage or the theft or diversion DBT. Under 10 CFR 73.60, non-power reactor licensees who possess or use 5 kilograms or greater of HEU are exempt from the requirements in 10 CFR 73.60(a) through (e) if the HEU is not readily separable and has a total external radiation dose rate in excess of 100 rems per hour at a distance of 3 feet from any accessible surface without intervening shielding. It should also be noted that most RTRs possess limited quantities of nuclear material on-site, and that the nature and form of this material is not easily dispersed or handled. As a result, the NRC has determined that RTRs pose a relatively low risk to public health and safety from potential radiation exposure and has tailored the security requirements and oversight for these facilities consistent with their relatively low risk. The NRC requires that RTR licensees have security plans and/or procedures that reflect a graded approach which considers the attractiveness of the 9. Changes In NRC Security Requirements To Be Addressed Under the Backfit Rule Public Comment: One commentator stated that the Backfit Rule requires that the NRC perform a backfit analysis for changes in regulatory position. The commenter observed that the NRC has determined that a backfit analysis is not necessary in connection with the changes to the DBTs because the changes result from redefining the level of protection that should be regarded as adequate, but that such a determination should be supported by a documented evaluation and the proposed rulemaking does not provide such an evaluation, and each future change to the ACDs and RGs will require a separate backfit analysis. Response to Public Comment: The Commission disagrees with the comment that the proposed rulemaking does not provide a documented evaluation of its decision. As stated in the Federal Register (70 FR 67387; November 7, 2005), the NRC has determined, pursuant to the exception in 10 CFR 50.109(a)(4)(iii) and 10 CFR 70.76(a)(4)(iv), that a backfit analysis is unnecessary for this rule. Sections 50.109 and 70.76(a)(4)(iv) state, in pertinent part, that a backfit analysis is not required if the Commission finds and declares with appropriate documented evaluation for its finding that a ‘‘regulatory action involves defining or redefining what level of protection to the public health and safety or common defense and security should be regarded as adequate.’’ When the Commission imposed security enhancements by order in April 2003, it did so in response to an escalated domestic threat level. Since that time, the Commission has continued to monitor intelligence reports regarding VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 PO 00000 Frm 00017 Fmt 4700 Sfmt 4700 12717 plausible threats from terrorists currently threatening the U.S. The Commission has also gained experience from implementing the order requirements and reviewing revised licensee security plans. The Commission has considered all of this information and finds that the security requirements similar to those previously imposed by the April 29, 2003 Orders, which applied only to existing licensees, should be made generically applicable. The Commission further finds that the rule redefines the security requirements stated in existing NRC regulations, and is necessary to ensure that the public health and safety and common defense and security are adequately protected in the current, post-September 11, 2001, environment. The Commission concurs with the commenter’s position that documented evaluation should be performed when there are changes in ACDs and RGs necessitated by changes in the threat environment. In summary: • NRC position: Disagrees with first element of the comment. Concurs with the second element of the comment. • Action: No current action is required. Future changes in the ACDs and RGs will require a documented evaluation. 10. Compliance With the Paperwork Reduction Act Public Comment: Several commenters stated that the Paperwork Reduction Act is circumvented by this approach. The commenters assert that the proposed approach using RGs and ACDs to establish the details of the DBTs has the potential for circumventing the Paperwork Reduction Act, and avoiding proper regulatory analyses and backfit analyses. The rule provides broad requirements that lack details and provides the NRC with significant flexibility to change the details of the DBTs, which drives the design of protective measures and protective strategies without appropriate input from the affected regulated licensees. The Paperwork Reduction Act Statement in the proposed rule (70 FR 67380; November 7, 2005) states that: ‘‘This proposed rule does not contain new or amended information collection requirements subject to the Paperwork Reduction Act of 1995.’’ The commenter believes that this statement is incorrect and underestimates the impact on licensees due to future changes to the RGs and ACDs. The Paperwork Reduction Act Statement is flawed and should be revised. Response to Public Comment: The DBT rule specifies threat characteristics used by licensees to design their E:\FR\FM\19MRR1.SGM 19MRR1 12718 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES protective strategies. The rule does not contain prescriptive measures to be adopted by individual licensees. The ACDs and RGs include certain details and guidance related to such threat characteristics. This approach has been adopted because the ACDs and RGs contain SGI or classified information that cannot be disclosed in the public domain and would be useful to potential adversaries. This approach is not a circumvention of the Paperwork Reduction Act, but reflects the inherent dichotomy of the DBT rulemaking in trying to reach a balance between the needs for meaningful public participation and the requirement to protect SGI and classified information, where public disclosure of specific attributes or details of security designs or protective measures would have the potential of making them ineffective. The statement, ‘‘This proposed rule does not contain new or amended information collection * * *. Act of 1995,’’ is accurate. The final rule consolidates the supplemental requirements put in place by the orders with the previous DBTs in § 73.1(a), and does not impose additional burden for the current licensees even though the rule contains a cyber threat as an additional attribute of the threat. This is because the licensees subject to the DBTs were directed by the Interim Compensatory Measures (ICM) Order (EA–02–026) to consider and address cyber safety and security vulnerabilities. In April 2003, the Orders (EA–03–086) and (EA–03–087) that supplemented the DBT, also contained language concerning the cyber threat. Licensees were subsequently provided with a cyber security self-assessment methodology, the results of pilot studies, and a guidance document issued by the NEI to facilitate development of site cyber security programs. The designated licensees have done so accordingly.The burden for future licensees will be covered under 10 CFR Part 52 (3150–0151). In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 11. Adequacy of the Regulatory Analysis Public Comment: A commenter stated that the regulatory analysis is based on an incorrect premise and should be revised. A statement in the Regulatory Analysis states that ‘‘Impacts upon the licensees from this proposed rule would be minimal. Because the adversary characteristics would remain consistent with those promulgated by orders, no technical changes will be required. Licensees may need to update VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 references in their security plan documentation, which could be accomplished without NRC review and in conjunction with future plan updates.’’ One commenter believes that this statement is incorrect and underestimates the impact on licensees. Response to Public Comment: The Commission disagrees with the commenter that the regulatory analysis is based on an incorrect premise and should be revised. The regulatory analysis contained in the proposed rule stated that, ‘‘The proposed regulatory action would not involve imposition of any new requirements, and would not expand the DBTs beyond the requirements in place under NRC regulations and orders.’’ Consequently, the DBT amendments would not require existing licensees to make additional changes to their current NRC-approved security plans. This premise was correct then and is correct even now because a cyber threat is explicitly included as an attribute of the final rule. Even though the regulatory action involves the imposition of a cyber threat as an explicit requirement, this does not impose additional burden for the licensees. This is because the licensees subject to the DBTs were directed by the ICM Order (EA–02–026) to consider and address cyber safety and security vulnerabilities. Licensees were subsequently provided with a cyber security self-assessment methodology, the results of pilot studies, and a guidance document issued by the NEI to facilitate development of site cyber security programs. This additional requirement in the final rule does not expand the DBTs beyond the requirements currently in place under existing NRC regulations and orders. Consequently, DBT amendments will not require existing licensees to make additional changes to their current NRCapproved security plans. However, the NRC acknowledges that any future changes to the threat environment may effect the ACDs and RGs, and could possibly effect the licensees’ security plans that would require either NRC’s approval or official communications noting the changes to the NRC. This may also impose additional burden on the licensees. In those events, the regulatory analysis would be changed accordingly. In summary: • NRC Position: Disagrees with the comment. • Action: Regulatory Analysis to be changed when there is change in the threat environment in the future. PO 00000 Frm 00018 Fmt 4700 Sfmt 4700 12. Compliance With the National Environmental Policy Act (NEPA) Public Comment: Several commenters stated that the proposed rule fails to satisfy NEPA, and the NRC must prepare an Environmental Impact Statement (EIS) for the proposed rule because this is a major federal action significantly affecting the quality of the human environment. These commenters stated that the action is significant because ‘‘the NRC’s limitations on the scope of adversaries against which ‘a private security force could reasonably be expected to defend’ bears directly on the degree to which public health and the environment will be protected against the impacts of accidents caused by terrorist attacks.’’ Further, commenters suggested that the NEPA commenting process would be a better forum to disclose and discuss the policy considerations associated with development of the DBTs. Response to Public Comment: The Commission disagrees that this rule requires the completion of an EIS, and that the NEPA commenting process would provide a better forum for discussion of sensitive security issues. The NEPA and the Commission’s regulations at 10 CFR 51.20(a)(1) only require preparation of an EIS if the proposed action is a major Federal action significantly affecting the quality of the human environment. The NRC prepared an environmental assessment (EA) for the proposed rule (70 FR 67387; November 7, 2005) and found that there would be no significant environmental impact associated with implementation of the proposed rule if adopted; and therefore, concluded that no EIS was necessary. NEPA (40 CFR.1508.8(b)) only requires that the Commission consider the ‘‘reasonably foreseeable’’ environmental effects of its actions in determining whether an EIS is necessary. Effects that are remote, speculative, or embody the worst-case outcome of a particular action do not require an EIS.2 In this instance, the consequences of a terrorist attack cannot be said to be ‘‘an effect’’ of this rule, and analyzing the effects of a terrorist attack 2 The Commission recognizes that its position on the necessity of a terrorism analysis as part of an environmental review for a specific proposed facility has been called into question by a recent decision in the 9th Circuit Court of Appeals (San Luis Obispo Mothers for Peace v. NRC, 449 F.3d 1016 (9th Cir. 2006)). However, the 9th Circuit’s determination that the potential environmental effects of a terrorist attack as a result of the licensing of an Independent Spent Fuel Storage Installation should be considered, does not necessarily lead to the conclusion that such effects should be considered as part of this rulemaking action. E:\FR\FM\19MRR1.SGM 19MRR1 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES would be speculative at best. NEPA does not require such an inquiry. The Commission does not agree that the NEPA process would provide a better forum for disclosure and discussion of the DBT rule than this rulemaking action. It is not clear how publishing an EIS for public comment would result in the disclosure of additional information because NEPA does not provide any other mechanism how additional information on a proposed rule could be obtained by commenters; the APA notice and comment process provides ample opportunity to comment and provide pertinent information on the proposed rules. Nor does a request by a member of the public to have access to additional information on a particular agency action mandate that the agency conduct a full EIS. All information necessary for public comment on the proposed rule has been made available and therefore, no greater level of detail contained in the ACDs and RGs need to be discussed in the NEPA comment process. The Commission’s public comment process in developing an EIS is not a forum for sensitive security issues. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 13. Issuance of Annual Report Card on Individual Licensees Public Comment: One commenter stated that the NRC should publish an annual report card assessing specific plant performance to defeat attacks in ongoing ‘‘table top’’ and mock ‘‘forceon-force’’ exercises. Response to Public Comment: The NRC partially agrees with the statements submitted by the commenter. Section 651 of the EPAct required that the Commission submit two annual reports to the Congress, one classified and another unclassified, describing the results of the Commission’s force-onforce exercises and related corrective actions. The detailed results of securityrelated drills and exercises are, and will remain, protected as SGI because this information can provide insights to potential adversaries in planning of attacks. The Commission recently submitted the first set of these reports to Congress. The unclassified version of the annual report to the Congress is publicly available, and posted on the NRC’s website. Through these reports, the NRC provides information regarding the overall security performance of the commercial nuclear power plants to keep Congress and the public informed of the NRC’s efforts to help protect our nation’s electric power infrastructure VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 against terrorist attacks. In addition, the NRC recently revised its policy on public availability of security inspection results. Under the revised policy, the existence of inspection findings for a specific site’s FOF exercises will be identified in the publicly available cover letter transmitting the inspection results to the licensee. In summary: • NRC Position: Partially agrees with the comment. • Action: No action required as part of this rulemaking. Group III. Out of Scope Comments Though the following topics and comments are pertinent to the security issues of nuclear facilities, they are not directly relevant to the DBT rulemaking. The DBT rule identifies general threat characteristics, but does not require specific protective strategies and security measures to defend against and thwart attacks. Accordingly, the following comments are deemed outside the scope of this rule. However, relevant information is provided as background material to facilitate a better understanding of the existing security measures in place and planned for the future, and to answer the underlying questions and issues raised in the following public comments. 14. Federalization of Security Public Comment: Commenters stated that the proposed rule should indicate that the threat of an air attack exceeds the defensive capabilities of a plant’s security forces, and that the Federal government should either take over the security of the plant and/or integrate the response from local, State, and Federal government resources. Response to Public Comment: The Commission disagrees with the comment. Federalization of nuclear power plant security is outside of the scope of the proposed rule. However, the following background information is provided for a clearer understanding of the issues involved and the rationale of the Commission’s position. The issue of a Federal protective security force to provide protection at commercial power reactors was initially studied by the NRC and documented in a report to Congress, ‘‘Security Agency Study,’’ (August 1976). The study found that the ‘‘* * * creation of a Federal guard force would not result in a higher degree of guard force effectiveness than can be achieved by the use of private guards, properly trained, qualified, trained and certified by the NRC.’’ Shortly after September 11, 2001, this issue was again raised. The NRC continues to support the concept that a private security guard force with special PO 00000 Frm 00019 Fmt 4700 Sfmt 4700 12719 emphasis on performance based training and full accountability is the best approach to securing our nation’s commercial nuclear facilities. The security for nuclear facilities should be addressed in the context of the protection of other sensitive infrastructure. Society should allocate its security resources according to the relative risks, and, as a result, the separation of nuclear facilities from all other types of sensitive infrastructure will fragment the analysis inappropriately. Past legislation proposed that the NRC establish a security force for sensitive nuclear facilities. Current security forces at sensitive nuclear facilities are welltrained, and have high retention rates. This change would bring about a fundamental shift in the responsibility and mission of the NRC, diverting the agency from being an independent regulator of nuclear safety and security to being a provider of nuclear security. This could create command and control issues because it would establish two classes of employees at nuclear sites: licensee staff to ensure the safe operation of the reactors and Federal staff to ensure security. This could lead to conflicts and confusion in emergency situations, that could diminish nuclear safety. The change would serve to increase the Federal budget needlessly. Presumably, given the enhancement in the security threat against which the guard force would be required to defend, the NRC would be required to hire more guards than currently exists at sensitive nuclear facilities (more than 7,000 new Federal workers, which is more than twice the number of staff now employed by the NRC.) These new workers would have to undergo extensive background checks, be trained and qualified, and be armed and equipped. The training of this force alone would likely overload any Federal law enforcement agency’s training capability. Presumably, the NRC would have to assume the responsibility for establishment of new security barriers and communications capabilities at the nuclear facilities that by itself raises complicated issues associated with the interplay of security barriers and safety considerations. The NRC estimates that the additional cost to the Federal government to implement these changes may well be over $1 billion a year. Supplementing the guard force with Federal forces inside the plant areas raises similar concerns. National Guard forces and local/State law enforcement units have been used successfully at a number of facilities to provide additional security external to the plants E:\FR\FM\19MRR1.SGM 19MRR1 12720 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES when deemed necessary, circumventing difficult command and control issues. Such an external capability can more easily be ‘‘surged’’ when needed. In sum, the Commission does not believe such a change is needed. In the Commission’s view, the qualified, trained, and tightly regulated private guard forces at nuclear plants should not be replaced by a new Federal security force. In summary: • NRC position: Disagrees with the comment. • Action: No action required. 15. Force-on-Force (FOF) Testing of Security Public Comment: Several commenters stated that security and FOF exercises must be upgraded in order to demonstrate a high degree of confidence that site security forces are able to repel an assault like the September 11, 2001, attack. In addition, under Section 651(a)(1)(b) of the EPAct, the NRC shall mitigate any potential conflict of interest that could influence the results of a FOF exercise. In some instances, the same contractor had supplied both the security guards as well as the mock terrorists. Response to Public Comment: The Commission disagrees with the comment. The requirements related to FOF testing are outside the scope of this rule. However, the following is provided as background information pertinent to this comment. The NRC FOF exercise program is designed to provide a realistic evaluation of the proficiency of licensee security forces against a threat consistent with the supplemented DBTs reflected in the orders issued by the Commission on April 29, 2003. After the attacks of September 11, 2001, the agency has expanded and refined its FOF program to make the exercises more realistic. These changes have significantly increased the level of complexity for each exercise in terms of planning, preparation, and logistical support. The NRC agrees that a credible, welltrained, and consistent mock adversary force is vital to the NRC’s FOF program. Therefore, the NRC has worked with the nuclear industry to develop a composite adversary force (CAF) that is trained to the standards issued by the Commission. The new CAF has been used for all FOF exercises conducted after October 2004 and represents a significant improvement in ability, consistency, and effectiveness over the previous adversary forces. The NRC continues to evaluate the CAF at each exercise using rigorous NRC performance standards. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 The CAF is currently managed by a company (Wackenhut) that provides much of the security for U.S. nuclear power plants and is, therefore, wellversed in the security operations of nuclear power plants. The NRC recognizes that there may be a perception of a conflict of interest. The NRC established a clear separation of functions between the CAF and plant security force to ensure an independent, reliable, and credible mock adversary force. In addition, the CAF composition includes security officers that are not employed by Wackenhut and no member of the CAF may participate in an exercise at his or her home site. It is important to emphasize that the NRC, not the CAF, designs, runs, and evaluates the results of the FOF exercises. Because the CAF does not establish the exercise objectives, boundaries, or timelines, and the CAF’s performance is subject to continual observation and evaluation by the NRC and its contractors, the agency controls the exercise. If the industry is unable to maintain an adequate and objective CAF that meets the standards mandated by the NRC, the NRC will take the necessary actions to ensure the effectiveness of the force-on-force evaluation program. The NRC is documenting requirements for the performance of FOF testing as well as implementing EPAct requirements for the mitigation of conflict of interest in a separate rulemaking. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 16. Screening of Workers in Nuclear Power Plants Public Comment: One commenter stated that the NRC must be able to regulate or at least oversee the initial and follow-up screening of temporary and permanent workers who will have access to the reactor vessel, the spent fuel pool, and the related valves, generators, pumps, electrical systems, and miles of piping that are required for the plant’s operation and are vulnerable as terrorist targets. Response to Public Comment: The Commission agrees with the comment to the extent that the NRC does regulate the screening of both permanent and temporary workers with unescorted access to the protected area. The DBT rule does not regulate or oversee specific programs. Instead, it defines the general threat against which licensees must be able to defend against with high assurance. Accordingly, NRC regulation or oversight of screening of workers at nuclear power plants is outside the scope of this rule. PO 00000 Frm 00020 Fmt 4700 Sfmt 4700 However, it should be noted that the NRC requires licensees to have an access authorization program that meets NRC requirements. 10 CFR 73.56, ‘‘Personnel access authorization requirements for nuclear power plants,’’ requires all 10 CFR 50 and 52 licensees to include the required access authorization program as part of their site Physical Security Plan. Specifically, 10 CFR 73.56 states that the licensee is responsible for granting, denying, or revoking unescorted access authorization to any contractor, vendor, or other affected organization employee. Those requirements are intended to ensure that personnel granted unescorted access to vital areas of a nuclear power plant are trustworthy and reliable, and do not constitute an unreasonable risk to the health and safety of the public, including a potential to commit radiological sabotage. In summary: • NRC Position: Agrees with the comment. • Action: No action required. 17. Self-Sufficient Defense Capabilities Public Comment: Two commenters stated that in some regions, notably in large metropolitan areas, communication and transportation modes make it impossible to provide outside help in time to aid in facility defense following a terrorist attack. Response to Public Comment: The Commission disagrees with the comment. The capabilities of off-site responders are beyond the scope of this rule. However, the following provides an overview of the existing programs and policies in place for addressing issues raised in this comment. After the September 11, 2001 attacks, the NRC has worked with licensees, the DHS, and State and local governments to improve the capabilities of first responders as part of the National Infrastructure Protection Plan. Part of this program includes conducting Comprehensive Reviews of commercial nuclear site security. The Comprehensive Review, led by the DHS, is a Government and private sector analysis of critical infrastructure facilities to determine the facilities’ exposure to potential terrorist attack, the consequences of such an attack, and the integrated prevention and response capabilities of the owner/operator, local law enforcement, and emergency response organizations. The results are used to enhance the security posture of the facilities and community first responders by using short-term improvements in equipment, training, and processes; and informing longer-term risk-based investments and E:\FR\FM\19MRR1.SGM 19MRR1 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations cprice-sewell on PROD1PC66 with RULES science and technology decisions. In less than a year, Comprehensive Reviews have resulted in identifying readily adaptable, low-cost protective measures for increased readiness and preparedness in the event of a terrorist attack or natural disaster. The nuclear sector was the first of the sectors to participate in these reviews. A number of Federal agencies participated in various assessments involving these facilities. Although recognizing that nuclear plants are the best-protected assets of our critical infrastructure, those Federal agencies and the nuclear industry also recognized the value of a unified, collaborative effort to enhance the protection of these vital assets. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 18. Security of Dry Cask Storage Public Comment: Multiple commenters expressed concerns regarding vulnerabilities of dry cask storage at nuclear power plants under terrorist attacks. The commenters suggested that dry cask storage should be protected by: (i) Separation with a minimum spacing of 50 yards between each cask, (ii) Hardening with beamhenge, and/ or (iii) Burial in earthen mounds. One commenter stated that the NRC must require berming of dry storage casks as part of the DBT. Response to Public Comment: The Commission disagrees with the commenters’ statements. In addition, requirements related to the security of dry cask storage are beyond the scope of this rulemaking. However, design basis and vulnerabilities assessment of dry cask storage facilities are provided below as background information for better understanding of existing requirements. Dry cask storage facilities (e.g., independent spent fuel storage installations (ISFSIs)) at nuclear power plants are designed to protect against external events such as tornados, hurricanes, fires, floods, and earthquakes. The standards in 10 CFR Part 72 Subpart E, ‘‘Siting Evaluation Factors,’’ and Subpart F, ‘‘General Design Criteria,’’ ensure that the dry cask storage designs are very rugged and robust. The casks must maintain structural, thermal, shielding, criticality, and confinement integrity during a variety of postulated external events including cask drops, tip-over, and wind driven missile impacts. After the terrorist attacks of September 11, 2001, the Commission VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 initiated a program in 2002 to assess the capability of nuclear facilities to withstand terrorist attacks. As part of the program, the Commission analyzed the performance of ISFSIs under aircraft attacks and has evaluated the results of detailed security assessments involving large commercial aircraft attacks, which were performed on four representative spent fuel casks. The large aircraft impact studies included structural analyses of the aircraft impact into a single cask and the resulting cask-tocask interactions. Those evaluations indicate that it is highly unlikely that a significant release of radioactivity would occur from an aircraft impact on a dry spent fuel storage cask. The Commission is finalizing the security assessments for a number of representative spent fuel storage casks for additional types of attacks and weaponry (including ground attacks), and will continue to evaluate the results of the ongoing assessments. Based upon these results and any other new information, the Commission will evaluate whether any change to its spent fuel storage policy is warranted. The Commission issued a security order for ISFSIs in October 2002, and required the licensees to implement additional enhancement measures for dry cask storage. These enhancements to security included increased vehicle standoff distances, additional security posts, and improved coordination with law enforcement and intelligence communities, as well as strengthened safety-related mitigation procedures and strategies. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 19. Security of Spent Fuel Pools Public Comment: Four commenters expressed concerns regarding vulnerabilities of spent fuel storage pools at nuclear power reactors under terrorist attacks. The comments referenced the summary of the study performed by the National Academy of Science (NAS) which indicated that a terrorist attack on spent fuel pools is a credible threat and may lead to a release of a large amount of radioactive materials to the environment if it were successful. One comment specifically stated that not only is the NRC’s response to the findings of the NAS study slow, but also, that the NRC has no intention of addressing these risk issues. It further stated that the apparent absence of a concerted spent fuel security program in the revised DBT is further evidence of the NRC’s failure to recognize and address the problem. PO 00000 Frm 00021 Fmt 4700 Sfmt 4700 12721 Response to Public Comment: Security program requirements are the subject of another rulemaking, namely 10 CFR 73.55. Accordingly, the need for a concerted spent fuel security program in the revised DBT is beyond the scope of this rule. In addition, the Commission disagrees with the statements submitted by the commenters. The following is provided as background information pertinent to these comments. The NRC has taken numerous actions to enhance the security of spent nuclear fuel, and will take appropriate additional action as necessary as a result of on-going evaluations. Before September 11, 2001, spent fuel was well protected by physical barriers, armed guards, intrusion detection systems, area surveillance systems, access controls, and access authorization requirements for employees working inside the plants. After September 11, 2001, the NRC has enhanced its requirements, and licensees have increased their resources to improve security at nuclear power plants. For example, the NRC’s February 25, 2002 Order to power reactor licensees dealt with spent fuel pool cooling capabilities in the event of a terrorist attack. As a result of the supplemented DBT, the security of spent fuel pools has been enhanced at operating power reactors. The NRC also initiated a program in 2002 to assess the capability of nuclear facilities to withstand a terrorist attack. The early focus of that program was on power reactors, including spent fuel pools. As the results of that program became available, the NRC provided power reactor licensees additional guidance in February 2005 on the implementation of the February 2002 Order regarding spent fuel mitigation measures. The power reactor licensees responded to these additional specific recommendations in May 2005. Mitigating measures that are being or have been established include those specifically recommended in the NAS study regarding fuel distribution and enhanced cooling capabilities. The NRC is working with industry to conduct additional plant-specific damage assessments for a range of potential attack scenarios. The NRC continues to evaluate spent fuel pool security in FOF exercises, which the NRC conducts at least once every three years at each power reactor site. In summary: • NRC Position: Disagrees with the comment. • Action: No action required. 20. Inherent Design Problems That Make Power Reactors Vulnerable Public Comment: One commenter stated that the present DBTs ignore E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES 12722 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations vulnerabilities inherent in the design of nuclear facilities. The commenter stated that the NRC has granted exemptions from certain safety regulations (e.g., Appendix R fire protection standards) to many licensees that present obvious and unacceptable vulnerabilities. The commenter stated that the vulnerability of fire-safety related pump rooms at a nuclear power plant under an attack scenario was disregarded. The commenter further related the documentation of concerns of vulnerabilities regarding inherent design problems through numerous petitions and allegations to the NRC. Response to Public Comment: The Commission disagrees with the commenter’s statement that the present DBTs ignore vulnerabilities inherent in the design of nuclear facilities. The Commission has high assurance that the designs of currently operating reactors are safe, and provide adequate security protection. Moreover, the notion of ‘‘inherent design vulnerabilities’’ of nuclear facilities is beyond the scope of this rule, since the DBTs do not specify specific protective measures, such as design features. However, plant specific vulnerabilities are considered during the process of target set development and are utilized during force-on-force testing to assure the licensee is capable of defending the plant. In addition, the NRC is undertaking several separate rulemakings related to this issue. For instance, the Commission has proposed a rule that would amend its regulations related to security requirements for power reactors (71 FR 62664; October 26, 2006). Also, the Commission is considering issuing a proposed rule that would require applicants to assess specific design features that would be incorporated into the final design to support overall security effectiveness of nuclear power plants. With respect to the commenter’s statement on the exemptions from certain safety regulations (e.g., Appendix R fire protection standards), the NRC staff believes that the comment is out of scope of this rulemaking. However, a response to the issue raised in this question is in order. To that end, the following information is provided as background information. Plants licensed to operate before January 1, 1979, must comply with fire protection requirements as specified in 10 CFR 50.48(b) that backfit paragraphs III.G, J and O of Appendix R. Plants licensed to operate after January 1, 1979, must comply with the approved fire protection program incorporated into their operating license. When the Commission promulgated 10 CFR Part 50, Appendix R, the Commission VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 recognized that there would be plant specific conditions and configurations where strict compliance with the prescriptive features specified in Appendix R would not significantly enhance the level of fire safety already provided by the licensee. Therefore, in certain cases, where the licensee could demonstrate an equivalent level of fire safety that satisfied the underlying purpose of the rule, the licensee could apply for a specific exemption from Appendix R. Thus, the exemption process allowed through 10 CFR 50.12 provides a means of allowing licensees to meet Appendix R through alternate means. The NRC has granted and continues to grant exemptions when a licensee meets the criteria of 10 CFR 50.12 and demonstrates that the alternate means provide an adequate level of fire safety. The NRC believes that individual fire protection exemptions have had a small impact on plant risk. Regarding the commenter’s statement concerning the petitions and allegations documented and submitted to the NRC, the NRC is currently preparing responses to those that have been received. • NRC Position: Disagrees with the comment that the present DBTs ignore vulnerabilities inherent in the design of nuclear facilities. • Action: No action is required with respect to this DBT rulemaking. However, the NRC will provide proper responses to the petitions and allegations that have been received. III. Summary of Specific Changes Made to the Proposed Rule as a Result of Public Comment One change is being made to the rule to add a cyber threat as an explicit element of the DBT rule for both external and internal adversaries. The previous DBT requirements in 10 CFR 73.1 did not specifically include the threat of a cyber attack. However, a cyber attack capability was implied in the proposed 10 CFR 73.1 issued for public comment in the Federal Register on November 7, 2005 (70 FR 67380). Under Section 651(a)(2) of the EPAct of 2005, Congress also directed NRC to consider making an ‘‘assessment of physical, cyber, biochemical, and other terrorist threats’’ when developing the revised rule, and the NRC specifically asked for public comment on whether this and a number of other aspects should be included in the DBT. One commenter specifically referred to the need for the DBT rule to contain requirements pertaining to cyber attack capabilities. PO 00000 Frm 00022 Fmt 4700 Sfmt 4700 The NRC has historically required licensees to evaluate cyber vulnerabilities. In February 2002, licensees subject to the DBTs were directed by ICM Order (EA–02–026) to consider and address cyber safety and security vulnerabilities. In April 2003, NRC Orders (EA–03–086 and EA–03– 087) that supplemented the DBTs contained language concerning the threat of a cyber attack. Licensees were subsequently provided with a cyber security self-assessment methodology and the results of pilot studies, as well as additional guidance issued by the nuclear industry, to facilitate development of site cyber security programs. The February 2003, U.S. National Strategy to Secure Cyberspace suggests that the cyber threat likely will increase both in capability and frequency in the future. In light of this threat, the cyber security programs already initiated by the industry, the proposed draft 10 CFR 73.55(m), ‘‘Digital Computer and Communication Networks,’’ that is included in the proposed rule on power reactor security requirements (71 FR 62664; October 26, 2006), and the requirements of the EPAct of 2005, the Commission has decided to include a cyber attack as an element of the DBT. IV. Section-by-Section Analysis The following provides a comparison between the previous rule text and the final rule text in 10 CFR 73.1. (a) Previous Rule: Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft of special nuclear material. Licensees subject to the provisions of §§ 72.182, 72.212, 73.20, 73.50, and 73.60 are exempt from 73.1(a)(1)(i)(E) and 73.1(a)(1)(iii). (a) Final Rule: Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations theft or diversion of special nuclear material. Licensees subject to the provisions of § 73.20 (except for fuel cycle licensees authorized under part 70 of this chapter to receive, acquire, possess, transfer, use, or deliver for transportation formula quantities of strategic special nuclear material), §§ 73.50, and 73.60, are exempt from §§ 73.1(a)(1)(i)(E), 73.1(a)(1)(iii), 73.1(a)(1)(iv), 73.1(a)(2)(iii), 73.1(a)(2)(iv). Licensees subject to the provisions of § 72.212 are exempt from § 73.1(a)(1)(iv). (a) Change: The paragraph is modified to clarify that the DBT is designed to protect against diversion in addition to theft of special nuclear material. The exemptions are updated based on the order requirements and conforming changes to other paragraphs of this part. (1)(i) Previous Rule: Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, of several persons with the following attributes, assistance and equipment: (1)(i) Final Rule: Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (1)(i) Change: The paragraph adds new capabilities to the DBT including operation in multiple modes of attack. The language in the final rule was modified to provide specificity that licensees are required to maintain the capability to protect against several modes, and that a physical security plan only capable of defending against one of the prescribed modes would not satisfy the requirements of the rule. (1)(i)(A) Previous Rule: Well-trained (including military training and skills) and dedicated individuals, (1)(i)(A) Final Rule: Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack, (1)(i)(A) Change: The paragraph adds adversaries who are willing to kill or be killed and are knowledgeable about specific target selection to the DBT. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 (1)(i)(B) Previous Rule: Inside assistance which may include a knowledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack), or both, (1)(i)(B) Final Rule: Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance, (1)(i)(B) Change: The reference to an individual is removed and the paragraph reworded to provide flexibility in defining the scope of the inside threat. (1)(i)(C) Previous Rule: Suitable weapons, up to and including handheld automatic weapons, equipped with silencers and having effective long range accuracy, (1)(i)(C) Final Rule: Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long range accuracy, (1)(i)(C) Change: The phrase ‘‘up to and including’’ is changed to ‘‘including’’ to provide flexibility in defining the range of weapons licensees must be able to defend against. (1)(i)(D) Previous Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system, and (1)(i)(D) Final Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system, and (1)(i)(D) Change: This description is not revised by the final rule. (1)(i)(E) Previous Rule: A four-wheel drive land vehicle used for transporting personnel and their hand-carried equipment to the proximity of vital areas, and (1)(i)(E) Final Rule: Land and water vehicles, which could be used for transporting personnel and their handcarried equipment to the proximity of vital areas, and (1)(i)(E) Change: The scope of vehicles licensees must defend against is expanded to include water vehicles and a range of land vehicles beyond fourwheel drive vehicles. (1)(ii) Previous Rule: An internal threat of an insider, including an employee (in any position), and (1)(ii) Final Rule: An internal threat, and PO 00000 Frm 00023 Fmt 4700 Sfmt 4700 12723 (1)(ii) Change: The current rule describes the internal threat as a threat posed by an individual. The language is revised to provide flexibility in defining the scope of the internal threat. (1)(iii) Previous Rule: A four-wheel drive land vehicle bomb. (1)(iii) Final Rule: A land vehicle bomb assault, which may be coordinated with an external assault, and (1)(iii) Change: The paragraph is updated to reflect that licensees are required to protect against a wide range of land vehicles. A new mode of attack not previously part of the DBT regulations is added indicating that adversaries may coordinate a vehicle bomb assault with another external assault. (1)(iv) Previous Rule: None. (1)(iv) Final Rule: A waterborne vehicle bomb assault, which may be coordinated with an external assault, and (1)(iv) Change: The paragraph adds a new mode of attack not previously part of the DBT, that being a waterborne vehicle bomb assault. This paragraph also adds a coordinated attack concept. (1)(v) Previous Rule: None. (1)(v) Final Rule: A cyber attack. (1)(v) Change: Adds a cyber attack. The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls. (2)(i) Previous Rule: Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined, violent, external assault, attack by stealth, or deceptive actions by a small group with the following attributes, assistance, and equipment: (2)(i) Final Rule: Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (2)(i) Change: The paragraph adds new adversary capabilities to the DBT including operation in multiple modes of attack. The language in the final rule was modified to provide specificity that E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES 12724 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations licensees are required to maintain the capability to protect against several modes, and that a physical security plan only capable of defending against one of the prescribed modes would not satisfy the requirements of the rule. (2)(i)(A) Previous Rule: Well-trained (including military training and skills) and dedicated individuals; (2)(i)(A) Final Rule: Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (2)(i)(A) Change: The paragraph adds to the DBT adversaries who are willing to kill or be killed and are knowledgeable about specific target selection. (2)(i)(B) Previous Rule: Inside assistance that may include a knowledgeable individual who attempts to participate in a passive role (e.g., provide information), an active role (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack), or both; (2)(i)(B) Final Rule: Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (2)(i)(B) Change: The reference to an individual is removed and the paragraph reworded to provide flexibility in defining the scope of the inside threat. (2)(i)(C) Previous Rule: Suitable weapons, up to and including handheld automatic weapons, equipped with silencers and having effective longrange accuracy; (2)(i)(C) Final Rule: Suitable weapons, including hand-held automatic weapons, equipped with silencers and having effective long-range accuracy; (2)(i)(C) Change: The phrase ‘‘up to and including’’ is changed to ‘‘including’’ to provide flexibility in defining the range of weapons licensees must be able to defend against. (2)(i)(D) Previous Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; (2)(i)(D) Final Rule: Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 (2)(i)(D) Change: This description is not revised by the final rule. (2)(i)(E) Previous Rule: Land vehicles used for transporting personnel and their hand-carried equipment; and (2)(i)(E) Final Rule: Land and water vehicles, which could be used for transporting personnel and their handcarried equipment. (2)(i)(E) Change: The scope of vehicles licensees must defend against is expanded to include water vehicles and a range of land vehicles beyond fourwheel drive vehicles. (2)(i)(F) Previous Rule: The ability to operate as two or more teams. (2)(i)(F) Final Rule: Deleted. (2)(i)(F) Change: This requirement is included in (2)(i). (2)(ii) Previous Rule:An individual, including an employee (in any position), and (2)(ii) Final Rule: An internal threat, (2)(ii) Change: The current rule describes the internal threat as a threat posed by an individual. The language is revised to provide flexibility in defining the scope of the internal threat. (2)(iii) Previous Rule: A conspiracy between individuals in any position who may have: (A) Access to and detailed knowledge of nuclear power plants or the facilities referred to in § 73.20(a), or (B) Items that could facilitate theft of special nuclear material (e.g., small tools, substitute material, false documents, etc.), or both. (2)(iii) Final Rule: A land vehicle bomb assault, which may be coordinated with an external assault, and (2)(iii) Change: The paragraph is updated to reflect that licensees are required to protect against a wide range of land vehicles. A new mode of attack not previously part of the DBT is added indicating that adversaries may coordinate a vehicle bomb assault with another external assault. (2)(iv) Previous Rule: None. (2)(iv) Final Rule: A waterborne vehicle bomb assault, which may be coordinated with an external assault. (2)(iv) Change: The paragraph would add a new mode of attack not previously part of the DBT, that being a waterborne vehicle bomb assault. This coordinated attack concept is another upgrade to the current regulation. (2)(v) Previous Rule: None. (2)(v) Final Rule: A cyber attack. (2)(v) Change: Adds a cyber attack. The capability to exploit site computer and communications system vulnerabilities to modify or destroy data and programming code, deny access to systems, and prevent the operation of the computer system and the equipment it controls. PO 00000 Frm 00024 Fmt 4700 Sfmt 4700 The Commission concludes that the amendments to § 73.1 will continue to ensure adequate protection of public health and safety and the common defense and security by requiring the secure use and management of radioactive materials. The revised DBTs represent the largest threats against which private sector facilities must be able to defend with high assurance. The amendments to 10 CFR 73.1 reflect requirements currently in place under existing NRC regulations and orders. V. Guidance The NRC staff is preparing new regulatory guides (RGs) to provide detailed guidance on the revised DBT requirements in 10 CFR 73.1. These guides are intended to assist current licensees in ensuring that their security plans meet requirements in the revised rule, as well as future license applicants in the development of their security programs and plans. The new guidance incorporates the insights gained from applying the earlier guidance that was used to develop, review, and approve the site security plans that licensees put in place in response to the April 2003 Orders. As such, this regulatory guidance is expected to be consistent with revised security measures at current licensees. The publication of the RGs is planned to coincide with the publication of the final rule. 1. Regulatory Guide (RG–5.69) , ‘‘Guidance for the Implementation of the Radiological Sabotage Design-Basis Threat (Safeguards).’’ This regulatory guide will provide guidance to the industry on the radiological sabotage DBT. RG–5.69 contains SGI and, therefore, is being withheld from public disclosure and distributed on a need-toknow basis to those who otherwise qualify for access. 2. Regulatory Guide (RG–5.70), ‘‘Guidance for the Implementation of the Theft or Diversion Design-Basis Threat (Classified).’’ This regulatory guide will provide guidance to the industry on the theft or diversion DBT. RG–5.70 contains classified information and, therefore, is withheld from public disclosure and distributed only on a need to know basis to those who otherwise qualify for access. VI. Resolution of Petition (PRM–73–12) The staff incorporated consideration of a petition for rulemaking into this rulemaking filed by the Committee to Bridge the Gap (PRM–73–12) on July 23, 2004. The petition requests that NRC conduct a rulemaking to revise the DBT regulations (including numbers, teams, capabilities, planning, willingness to die, and other characteristics of E:\FR\FM\19MRR1.SGM 19MRR1 12725 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations adversaries) to a level that encompasses, with a sufficient margin of safety, the terrorist capabilities demonstrated during the attacks of September 11, 2001. The petition also requests that security plans, systems, inspections, and FOF exercises be revised in accordance with the amended DBTs. Finally, the petition requests that a requirement be added to Part 73 to require licensees to construct shields against air attack (referred to as ‘‘beamhenges’’) so that nuclear power plants would be able to withstand an air attack from a jumbo jet similar to the September 11, 2001, attacks. PRM–73–12 was published for public comment in the Federal Register on November 8, 2004 (69 FR 64690). There were 845 comments submitted on PRM– 73–12, of which 528 were form letters. The staff reviewed both the petition and the comments on the petition against the supplemental DBTs to determine if the DBTs should be revised as requested by the petitioner. Based on this review, the NRC staff determined that a number of the proposed revisions in PRM–73–12 had already been set forth in the proposed DBT rule language. The NRC partially granted PRM–73–12 as stated in the public notice of the proposed 10 CFR 73.1 DBT rulemaking, (See, 70 FR 67380; November 7, 2005), but deferred action on other aspects of the petition, particularly with respect to its consideration of the airborne threat, to the final rulemaking. During the course of this rulemaking, the Commission considered if it would be necessary to add some type of airborne threat as part of the DBTs. After careful evaluation and consideration, the Commission has chosen a two-track response to the air threat that excludes physical security measures such as ‘‘beamhenge.’’ First, the Commission determined that active protection against the airborne threat requires military weapons and ordinance (i.e., ground-based air defense missiles), that rightfully belong to the Department of Defense. Thus, the airborne threat is one which is beyond what a private security force can reasonably be expected to defend against. Second, licensees have been directed to implement certain mitigative measures to limit the effects of an aircraft strike. Therefore, the Commission has denied the request of the petition PRM–73–12 regarding the inclusion of the airborne threat in the DBTs, as well as beamhenge as physical security measures. More detailed information in support of the Commission’s position is provided in the comment resolutions for Factor 6, the potential for water-based and airbased threats, and Factor 9, the potential for fires, especially fires of long duration. VII. Criminal Penalties For the purposes of Section 223 of the Atomic Energy Act, as amended, the Commission is issuing the final rule to revise 10 CFR 73.1 under Sections of 161b, 161i, or 161o of the Atomic Energy Act of 1954 (AEA). Criminal penalties, as they apply to regulations in Part 73, are discussed in 10 CFR 73.81. VIII. Compatibility of Agreement State Regulations Under the ‘‘Policy Statement on Adequacy and Compatibility of Agreement States Programs, ‘‘approved by the Commission on June 20, 1997, and published in the Federal Register (62 FR 46517; September 3, 1997), this rule is classified as compatibility ‘‘NRC.’’ Compatibility is not required for Category ‘‘NRC’’ regulations. The NRC program elements in this category are those that relate directly to areas of regulation reserved to the NRC by the AEA or the provisions of Title 10 of the Code of Federal Regulations, and although an Agreement State may not adopt program elements reserved to NRC, it may wish to inform its licensees of certain requirements via a mechanism that is consistent with the particular State’s administrative procedure laws, but does not confer regulatory authority on the State. IX. Availability of Documents Some documents discussed in this notice are not available to the public. The following table indicates which documents are available to the public and how they may be obtained. Public Document Room (PDR). The NRC Public Document Room is located at 11555 Rockville Pike, Rockville, Maryland 20852. Rulemaking Website (Web). The NRC’s interactive rulemaking Website is located at: //ruleforum.llnl.gov. These documents may be viewed and downloaded electronically via this Web site. NRC’s Electronic Reading Room (ERR). The NRC’s electronic reading room is located at http://www.nrc.gov/ reading-rm.html. PDR Web ERR Environmental Assessment ....................................................................................................... Regulatory Analysis ................................................................................................................... Public Comments on PRM–73–12 ............................................................................................ Radiological Sabotage Adversary Characteristics document ................................................... Theft or diversion Adversary Characteristics document ........................................................... Technical Basis Document ........................................................................................................ RG 5.69 on Radiological Sabotage ........................................................................................... RG -5.70 on Theft or Diversion ................................................................................................. Memorandum: Status of Security-Related Rulemaking ............................................................ Commission SRM dated August 23, 2004 ................................................................................ Memorandum: Schedule for Part 73 Rulemakings ................................................................... Letter to Petitioner ..................................................................................................................... Commission SRM dated October 27, 2005 .............................................................................. Proposed Rulemaking dated November 7, 2005 ...................................................................... Public Comments on Proposed Rule ........................................................................................ Commission SRM dated January 29, 2007 .............................................................................. Final Rulemaking ....................................................................................................................... cprice-sewell on PROD1PC66 with RULES Document X X X no no no no no X .............................. X X X X X X X X X X no no no no no X .................... X X X X X X X ML070530261 ML070530193 ML053040061 no no no no no ML041180532 ML042360548 ML043060572 ML052920150 ML053000448 ML060090310 ML062130575 ML070290286 ML070520692 X. Plain Language The Presidential memorandum dated June 1, 1998, entitled ‘‘Plain Language in Government Writing,’’ published on June 10, 1998 (63 FR 31883) directed VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 that the Government’s documents be in plain, clear, and accessible language. The NRC requested comments on the proposed rule specifically with respect to the clarity and effectiveness of the PO 00000 Frm 00025 Fmt 4700 Sfmt 4700 language used. No specific comments were received on the proposed rule related to this issue. E:\FR\FM\19MRR1.SGM 19MRR1 12726 Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations XI. Voluntary Consensus Standards XIV. Regulatory Analysis The National Technology Transfer and Advancement Act of 1995, Pub. L. 104–113, requires that Federal agencies use technical standards that are developed or adopted by voluntary consensus standards bodies unless using such a standard is inconsistent with applicable law or is otherwise impractical. The NRC is not aware of any voluntary consensus standard that could be used instead of the proposed Government-unique standards. The NRC will consider using a voluntary consensus standard if an appropriate standard is identified. The Commission has prepared a regulatory analysis on this regulation. The analysis examines the costs and benefits of the alternatives considered by the Commission. The Commission requested public comment on the draft regulatory analysis. Comments on the draft analysis have been addressed in Section II of this document. Availability of the regulatory analysis is provided in Section VIII of this document. XII. Finding of No Significant Environmental Impact: Environmental Assessment: Availability The Commission has determined under the National Environmental Policy Act of 1969, as amended, and the Commission’s regulations in Subpart A of 10 CFR Part 51, that this rule is not a major Federal action significantly affecting the quality of the human environment and, therefore, an environmental impact statement is not required. The determination of this environmental assessment is that there will be no significant off-site impact to the public from this action. The NRC sent a copy of the environmental assessment and the proposed rule to every State Liaison Officer and requested their comments on the environmental assessment. No comments were received from the State Liaison Officer on the environmental assessment. XIII. Paperwork Reduction Act Statement This final rule does not contain new or amended information collection requirements and, therefore is not subject to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). Existing information collection requirements were approved by the Office of Management and Budget, approval number 3150–0002. The burden for all future licensees will be covered under 10 CFR Part 52 (3150–0151) as part of the combined operator license applications. cprice-sewell on PROD1PC66 with RULES Public Protection Notification The NRC may not conduct or sponsor, and a person is not required to respond to, a request for information or an information collection requirement unless the requesting document displays a currently valid OMB control number. VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 XV. Regulatory Flexibility Certification Under the Regulatory Flexibility Act (5 U.S.C. 605(b)), the Commission certifies that this rule does not have a significant economic impact on a substantial number of small entities. This final rule affects only the licensing and operation of nuclear power plants and Category I fuel cycle facilities. The companies that own these plants do not fall within the scope of the definition of ‘‘small entities’’ set forth in the Regulatory Flexibility Act or the size standards established by the NRC (10 CFR 2.810). XVI. Backfit Analysis The NRC has determined, pursuant to the exception in 10 CFR 50.109(a)(4)(iii) and 10 CFR 70.76(a)(4)(iv), that a backfit analysis is unnecessary for this final rule. Sections 50.109 and 70.76(a)(4)(iv) state, in pertinent part, that a backfit analysis is not required if the Commission finds and declares with appropriate documented evaluation for its finding that a ‘‘regulatory action involves defining or redefining what level of protection to the public health and safety or common defense and security should be regarded as adequate.’’ The final rule increases the security requirements currently prescribed in NRC regulations, and is necessary to protect nuclear facilities against potential terrorists. When the Commission imposed security enhancements by order in April 2003, it did so in response to an escalated domestic threat level. Since that time, the Commission has continued to monitor intelligence reports regarding plausible threats from terrorists currently facing the U.S. The Commission has also gained experience from implementing the order requirements and reviewing revised licensee security plans. The Commission has considered all of this information and finds that security requirements similar to those previously imposed by the DBT Orders, which applied only to existing licensees, should be made generically applicable. The Commission further finds that the PO 00000 Frm 00026 Fmt 4700 Sfmt 4700 final rule would redefine the security requirements stated in existing NRC regulations, and is necessary to ensure that the public health and safety and common defense and security are adequately protected in the current, post-September 11, 2001 environment. XVII. Congressional Review Act Under the Congressional Review Act of 1996, NRC has determined that this action is not a ‘‘major rule’’ and has verified this determination with the Office of Information and Regulatory Affairs of OMB. List of Subjects in 10 CFR Part 73 Criminal penalties, Export, Hazardous materials transportation, Import, Nuclear materials, Nuclear power plants and reactors, Reporting and recordkeeping requirements, and Security measures. I For the reasons set out in the preamble and under the authority of the Atomic Energy Act of 1954, as amended; the Energy Reorganization Act of 1974, as amended; and 5 U.S.C. 552 and 553; the NRC is adopting the following amendments to 10 CFR part 73. PART 73—PHYSICAL PROTECTION OF PLANTS AND MATERIALS 1. The authority citation for part 73 continues to read as follows: I Authority: Secs. 53, 161, 68 Stat. 930, 948, as amended, sec. 147, 94 Stat. 780 (42 U.S.C. 2073, 2167, 2201); sec. 201, as amended, 204, 88 Stat. 1242, as amended, 1245, sec. 1701, 106 Stat. 2951, 2952, 2953 (42 U.S.C. 5841, 5844, 2297f); sec. 1704, 112 Stat. 2750 (44 U.S.C. 3504 note). Section 73.1 also issued under secs. 135, 141, Pub. L. 97–425, 96 Stat. 2232, 2241 (42 U.S.C, 10155, 10161). Section 73.37(f) also issued under sec. 301, Pub. L. 96–295, 94 Stat. 789 (42 U.S.C. 5841 note). Section 73.57 is issued under sec. 606, Pub. L. 99–399, 100 Stat. 876 (42 U.S.C. 2169). 2. In § 73.1, paragraph (a) is revised to read as follows: I § 73.1 Purpose and scope. (a) Purpose. This part prescribes requirements for the establishment and maintenance of a physical protection system which will have capabilities for the protection of special nuclear material at fixed sites and in transit and of plants in which special nuclear material is used. The following design basis threats, where referenced in ensuing sections of this part, shall be used to design safeguards systems to protect against acts of radiological sabotage and to prevent the theft or diversion of special nuclear material. Licensees subject to the provisions of § 73.20 (except for fuel cycle licensees authorized under Part 70 of this chapter E:\FR\FM\19MRR1.SGM 19MRR1 cprice-sewell on PROD1PC66 with RULES Federal Register / Vol. 72, No. 52 / Monday, March 19, 2007 / Rules and Regulations to receive, acquire, possess, transfer, use, or deliver for transportation formula quantities of strategic special nuclear material), §§ 73.50, and 73.60 are exempt from §§ 73.1(a)(1)(i)(E), 73.1(a)(1)(iii), 73.1(a)(1)(iv), 73.1(a)(2)(iii), and 73.1(a)(2)(iv). Licensees subject to the provisions of § 72.212 are exempt from § 73.1(a)(1)(iv). (1) Radiological sabotage. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: A single group attacking through one entry point, multiple groups attacking through multiple entry points, a combination of one or more groups and one or more individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (C) Suitable weapons, including handheld automatic weapons, equipped with silencers and having effective long range accuracy; (D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safeguards system; and (E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment to the proximity of vital areas; and (ii) An internal threat; and (iii) A land vehicle bomb assault, which may be coordinated with an external assault; and (iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and (v) A cyber attack. (2) Theft or diversion of formula quantities of strategic special nuclear material. (i) A determined violent external assault, attack by stealth, or deceptive actions, including diversionary actions, by an adversary force capable of operating in each of the following modes: a single group attacking through one entry point, multiple groups attacking through VerDate Aug<31>2005 15:36 Mar 16, 2007 Jkt 211001 multiple entry points, a combination of one or more groups and one or individuals attacking through multiple entry points, or individuals attacking through separate entry points, with the following attributes, assistance and equipment: (A) Well-trained (including military training and skills) and dedicated individuals, willing to kill or be killed, with sufficient knowledge to identify specific equipment or locations necessary for a successful attack; (B) Active (e.g., facilitate entrance and exit, disable alarms and communications, participate in violent attack) or passive (e.g., provide information), or both, knowledgeable inside assistance; (C) Suitable weapons, including handheld automatic weapons, equipped with silencers and having effective longrange accuracy; (D) Hand-carried equipment, including incapacitating agents and explosives for use as tools of entry or for otherwise destroying reactor, facility, transporter, or container integrity or features of the safe-guards system; (E) Land and water vehicles, which could be used for transporting personnel and their hand-carried equipment; and (ii) An internal threat; and (iii) A land vehicle bomb assault, which may be coordinated with an external assault; and (iv) A waterborne vehicle bomb assault, which may be coordinated with an external assault; and (v) A cyber attack. * * * * * Dated at Rockville, Maryland this 13th day of March 2007. For the Nuclear Regulatory Commission. Annette L. Vietti-Cook, Secretary of the Commission. [FR Doc. 07–1317 Filed 3–16–07; 8:45 am] BILLING CODE 7590–01–P DEPARTMENT OF TRANSPORTATION Federal Aviation Administration 14 CFR Part 39 [Docket No. FAA–2006–25085; Directorate Identifier 2006–SW–02–AD; Amendment 39– 14996; AD 2007–06–15] RIN 2120–AA64 Airworthiness Directives; Eurocopter France Model AS350B, AS350B1, AS350B2, AS350B3, AS350BA, AS350C, AS350D, and AS350D1 Helicopters Federal Aviation Administration, DOT. AGENCY: PO 00000 Frm 00027 Fmt 4700 Sfmt 4700 ACTION: 12727 Final rule. SUMMARY: This amendment adopts a new airworthiness directive (AD) for the specified Eurocopter France (Eurocopter) model helicopters that requires replacing a certain hydraulic drive belt (drive belt). Also required is reducing the lubrication time interval for a certain hydraulic pump drive shaft (drive shaft). This amendment is prompted by in-flight failures of the drive belt and the drive shaft. The actions specified by this AD are intended to prevent in-flight failure of the drive belt or drive shaft, loss of hydraulic power to the flight control system, and subsequent loss of control of the helicopter. DATES: Effective April 23, 2007. ADDRESSES: You may get the service information identified in this AD from American Eurocopter Corporation, 2701 Forum Drive, Grand Prairie, Texas 75053–4005, telephone (972) 641–3460, fax (972) 641–3527. Examining the Docket: You may examine the docket that contains this AD, any comments, and other information on the Internet at http:// dms.dot.gov, or at the Docket Management System (DMS), U.S. Department of Transportation, 400 Seventh Street, SW., Room PL–401, on the plaza level of the Nassif Building, Washington, DC. FOR FURTHER INFORMATION CONTACT: Gary Roach, Aviation Safety Engineer, FAA, Rotorcraft Directorate, Regulations and Guidance Group, Fort Worth, Texas 76193–0111, telephone (817) 222–5130, fax (817) 222–5961. SUPPLEMENTARY INFORMATION: A proposal to amend 14 CFR part 39 to include an AD for the specified model helicopters was published in the Federal Register on June 30, 2006 (71 FR 37515). That action proposed to require the following: • At or before the next 500-hour timein-service (TIS) inspection, replacing the drive belt with an airworthy drive belt that is not included in the applicability of this AD, and • Within 110 hours TIS or at the next scheduled lubrication interval for the drive shaft splines, and thereafter at intervals not to exceed 110 hours TIS or 6 months, whichever occurs first, lubricating the drive shaft splines. Eurocopter has issued the following: • Service Bulletin No. 63.00.08, dated May 27, 2002, which specifies installing a poly-v type drive belt on the driving hydraulic pump; and • Service Bulletin No. 29.00.04, Revision 1, dated January 27, 2004, which specifies reducing the lubrication E:\FR\FM\19MRR1.SGM 19MRR1

Agencies

[Federal Register Volume 72, Number 52 (Monday, March 19, 2007)]
[Rules and Regulations]
[Pages 12705-12727]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-1317]


=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

RIN 3150-AH60


Design Basis Threat

AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Nuclear Regulatory Commission (NRC) is amending its 
regulations that govern the requirements pertaining to the design basis 
threats (DBTs). This final rule makes generically applicable security 
requirements similar to those previously imposed by the Commission's 
April 29, 2003 DBT Orders, based upon experience and insights gained by 
the Commission during implementation, and redefines the level of 
security requirements necessary to ensure that the public health and 
safety and common defense and security are adequately protected. 
Pursuant to Section 170E of the Atomic Energy Act (AEA), the final rule 
revises the DBT requirements for radiological sabotage, generally 
applicable to power reactors and Category I fuel cycle facilities, and 
for theft or diversion of NRC-licensed Strategic Special Nuclear 
Material (SSNM), applicable to Category I fuel cycle facilities. 
Additionally, a petition for rulemaking (PRM-73-12), filed by the 
Committee to Bridge the Gap, was considered as part of this rulemaking. 
The NRC partially granted PRM-73-12 in the proposed rule, but deferred 
action on other aspects of the petition to the final rule. The NRC's 
final disposition of PRM-73-12 is contained in this document.

DATES: Effective Date: April 18, 2007.

FOR FURTHER INFORMATION CONTACT: Manash K. Bagchi, Office of Nuclear 
Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001, telephone 301-415-2905, e-mail MKB2@NRC.GOV.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Analysis of Public Comments and Consideration of the 12 Factors 
of the Energy Policy Act of 2005
III. Summary of Specific Changes Made to the Proposed Rule as a 
Result of Public Comments
IV. Section by Section Analysis
V. Guidance
VI. Resolution of Petition (PRM-73-12)
VII. Criminal Penalties
VIII. Compatibility of Agreement State Regulations
IX. Availability of Documents
X. Plain Language
XI. Voluntary Consensus Standards
XII. Finding of No Significant Environmental Impact: Environmental 
Assessment: Availability
XIII. Paperwork Reduction Act Statement
XIV. Regulatory Analysis
XV. Regulatory Flexibility Act Certification
XVI. Backfit Analysis
XVII. Congressional Review Act

I. Background

    The DBT requirements in 10 CFR 73.1 describe general adversary 
characteristics that designated licensees must defend against with high 
assurance. These NRC requirements include protection against 
radiological sabotage (generally applied to power reactors and Category 
I fuel cycle facilities) and theft or diversion of NRC-licensed SSNM 
(generally applied to Category I fuel cycle facilities). On November 7, 
2005 (70 FR 67380), the Commission published a proposed rule for public 
comment seeking to amend its regulation that governs the requirements 
pertaining to the DBTs. The DBTs are used by licensees to form the 
basis for site-specific defensive strategies implemented through 
physical security plans, safeguards contingency plans, and security 
personnel training and qualifications plans. Amendment of the DBT rule 
was influenced by a number of factors described below.
    Following the terrorist attacks on September 11, 2001, the NRC 
conducted a thorough review of security practices to ensure that 
nuclear power plants and other licensed facilities continued to have 
effective security measures in place to address the changing threat 
environment. The NRC recognized that some elements of the DBTs required 
enhancement. After soliciting and receiving comments from Federal, 
State, and local agencies, and industry stakeholders, and reviewing an 
analysis of intelligence information regarding the trends and 
capabilities of potential adversaries, the NRC imposed supplemental DBT 
requirements by order on April 29, 2003. The Commission deliberated on 
the responsibilities of the local, State, and Federal stakeholders to 
protect the nation and the responsibility of the licensees to protect 
individual nuclear facilities before issuing the April 29, 2003 DBT 
Orders.
    The April 29, 2003 DBT Orders required nuclear power reactors and 
Category I fuel cycle facility licensees to revise their physical 
security plans, security personnel training and qualification plans, 
and safeguards contingency plans to defend against the

[[Page 12706]]

supplemental DBT requirements. The orders required licensees to make 
security enhancements such as: Augmented security forces and 
capabilities; increased patrols; additional security posts and physical 
barriers; vehicle checks at greater standoff distances; enhanced 
coordination with law enforcement and military authorities; augmented 
security and emergency response training, equipment, and communication; 
and more restrictive site access controls for personnel, including 
expanded, expedited, and more thorough initial and follow-on screening 
of power reactor and Category I fuel cycle facility employees. After 
gaining experience with implementation of these orders, the Commission 
concluded that the general attributes of the orders should be 
generically imposed by regulation on certain classes of licensees.
    In addition, PRM-73-12 was filed by the Committee to Bridge the Gap 
on July 23, 2004, and was published for comment (69 FR 64690; November 
8, 2004). PRM-73-12 requests that the NRC amend its regulations to 
revise the DBT regulations (in terms of the numbers, teams, 
capabilities, planning, willingness to die, and other characteristics 
of adversaries) to a level that encompasses, with a sufficient margin 
of safety, the terrorist capabilities evidenced by the attacks of 
September 11, 2001. The petition also requests that security plans, 
systems, inspections, and force-on-force (FOF) exercises be revised in 
accordance with the amended DBTs, and that a requirement be added to 
part 73 to construct shields against air attack (the shields are 
referred to as ``beamhenges'') which the petition asserts would enable 
nuclear power plants to withstand an air attack from a jumbo jet. The 
NRC partially granted PRM-73-12 in the proposed rule, but deferred 
action on other aspects of the petition to the final rulemaking. The 
NRC's final disposition of PRM-73-12 is discussed in Section VI of this 
document.
    Finally, the Energy Policy Act (EPAct) of 2005 was signed into law 
on August 8, 2005. Section 651(a) of the EPAct amended the AEA by 
adding Section 170E, that required the Commission to initiate a 
rulemaking to revise the DBTs. In addition, Section 170E also directed 
the Commission to consider but not be limited to, the 12 factors 
specified in the statute in the course of that rulemaking. As stated in 
the proposed rule, these factors are:
    (1) The events of September 11, 2001;
    (2) An assessment of physical, cyber, biochemical, and other 
terrorist threats;
    (3) The potential for attack on facilities by multiple coordinated 
teams of a large number of individuals;
    (4) The potential for assistance in an attack from several persons 
employed at the facility;
    (5) The potential for suicide attacks;
    (6) The potential for water-based and air-based threats;
    (7) The potential use of explosive devices of considerable size and 
other modern weaponry;
    (8) The potential for attacks by persons with a sophisticated 
knowledge of facility operations;
    (9) The potential for fires, especially fires of long duration;
    (10) The potential for attacks on spent fuel shipments by multiple 
coordinated teams of a large number of individuals;
    (11) The adequacy of planning to protect the public health and 
safety at and around nuclear facilities, as appropriate, in the event 
of a terrorist attack against a nuclear facility, and
    (12) The potential for theft or diversion of nuclear material from 
such facilities;
    The Commission took into account a number of issues and sources in 
conducting this rulemaking, which included its experience in the 
implementation of the DBT Orders, the issues raised in PRM-73-12, EPAct 
requirements, and the public comments on the proposed rule. The 
Commission has considered and deliberated on the 12 factors identified 
in the EPAct. The results of its consideration are set forth in Section 
II of this document. Additionally, the Commission specifically invited 
public comments on how these factors should be addressed in the rule. 
Many of the comments received substantively focused on the 12 factors. 
Those comments and the Commission's responses are also discussed in 
Section II.
    It is important to note that the Commission was careful to set 
forth rule text in the final rule that does not compromise licensee 
security, but also acknowledges the necessity to keep the public 
informed of the types of attacks against which nuclear power plants and 
Category I fuel cycle facilities are required to defend. To this end, 
the final rule maintains a level of detail in the rule language that is 
generally comparable to the previous regulation, while updating the 
general DBT attributes in a manner consistent with the insights gained 
from the application of supplemental security requirements imposed by 
the April 29, 2003 DBT Orders, the EPAct, and consideration of public 
comments.
    The final rule contains the DBT with which licensees must legally 
comply. More specific details (e.g., specific weapons, ammunition, 
etc.) are consolidated in adversary characteristics documents (ACDs) 
which contain classified or Safeguards Information (SGI). The technical 
bases for the ACDs are derived largely from intelligence information. 
They also contain classified or SGI that cannot be publicly disclosed. 
These documents must be withheld from public disclosure and made 
available only on a need-to-know basis to those who are cleared for 
access.
    Because the regulatory guides (RGs) and the ACDs are guidance 
documents that provide details to the licensees regarding 
implementation and compliance with the DBTs, these documents may be 
updated from time to time as a result of the NRC's periodic threat 
reviews. The NRC has been conducting threat reviews since 1979. These 
threat reviews are performed in conjunction with the intelligence and 
law enforcement communities to identify changes in the threat 
environment which may, in turn, require adjustments of NRC security 
requirements. Future revisions to the ACDs would not require changes to 
the DBT regulations in 10 CFR 73.1, provided the changes remain within 
the scope of the rule text.

II. Analysis of Public Comments and Consideration of the 12 Factors of 
the EPAct

    The proposed rule provided a 75-day public comment period that 
ended on January 23, 2006. The comment period was extended by another 
30 days in response to a request from the Nuclear Energy Institute 
(NEI), an industry group, to allow additional time for review of the 
proposed rule because the comment period overlapped the year-end 
holidays. The extended comment period ended on February 22, 2006. A 
total of 919 comments were received from about 903 individuals, one 
county, 13 citizen groups, one utility involved in nuclear activities, 
and two nuclear industry groups. The comments covered a range of 
issues, some of which were beyond the scope of this rulemaking because 
they were specific to protective measures but did not relate to the 
adversary characteristics. The comments have been organized under three 
groups: Group I, Consideration of the 12 Factors in the EPAct; Group 
II, In-Scope-comments, that includes comments raising issues and 
concerns directly related to the contents of the DBT rule; and Group 
III, Out-of-Scope comments, that includes comments raising issues and 
questions that are not directly related to the DBT rule, although they

[[Page 12707]]

are generally relevant to the security of nuclear facilities. Responses 
are provided in the following format:

Group I: Consideration of the 12 Factors in the Energy Policy Act

    The Commission's consideration, public comments, and responses to 
the public comments are provided for the 12 factors described in 
Section A.

Group II: In Scope Comments

    Comments in Groups II and III are organized under the following 
general categories. The Commission's responses to these comment 
categories are provided in Section B:
    1. Definition of the Design Basis Threats
    2. Applicability of the Enemy of the State Rule
    3. Compliance with Administrative Procedure Act (APA) Notice and 
Comment Requirements
    4. Ambiguous Rule Text
    5. Differentiation in Treatment of General and Specific Licenses 
for ISFSI
    6. Applicability of the Radiological Sabotage DBT to New Nuclear 
Power Plants
    7. Consideration of the Uniqueness of Each Plant in Application of 
the DBTs
    8. Continued Exemption of Research and Test Reactors from the DBT 
Requirements
    9. Changes in Security Requirements to be Addressed Under Backfit 
Rule
    10. Compliance with the Paperwork Reduction Act
    11. Adequacy of the Regulatory Analysis
    12. Compliance with the National Environmental Policy Act (NEPA)
    13. Issuance of Annual Report Card on Individual Licensees

Group III: Out of Scope Comments

    14. Federalization of Security
    15. Force-on-Force Tests of Security
    16. Screening of Workers in Nuclear Power Plants
    17. Self-Sufficient Defense Capabilities
    18. Security of Dry Cask Storage
    19. Security of Spent Fuel Pools
    20. Inherent Design Problems that make Reactors Vulnerable
    A Comments Matrix has been provided in Appendix A, that references 
each topic with comments. The NRC's response to each topic is listed 
below:

Section A

Group I. Consideration of the 12 Factors in the Energy Policy Act
    As discussed above, Section 170E of the AEA, as amended by Section 
651(a) of the EPAct, directed the Commission to consider but not be 
limited to, the 12 factors specified in the statute in the course of 
the DBT rulemaking. Many of the comments received by the Commission 
focused on one or more of these factors. Prior to discussing the 
substance of the 12 factors, the Commission notes that several 
commenters charged that the Commission violated Section 170E by not 
considering some of the 12 factors, and by deferring final 
consideration of some of the provisions to the final rule. Those 
commenters suggested that this not only violated the mandate of Section 
170E, but also the Administrative Procedure Act (APA) by not providing 
adequate notice of the substance of the rule, and thus, the rule should 
be withdrawn and re-proposed.
    To be clear, Section 170E stated that the Commission ``shall 
consider,'' but not be limited to, the 12 factors when conducting the 
DBT rulemaking. However, the EPAct did not require that the Commission 
explicitly include any of the 12 factors in the proposed or final rule 
text. The Commission carefully considered intelligence information, 
vulnerability assessments, other Commission-sponsored studies, and each 
of the 12 factors in formulating the final rule. Accordingly, a number 
of provisions or rule changes were adopted that specifically 
incorporate certain language used in the 12 factors. For instance, the 
final rule contains specific provisions related to multiple, 
coordinated groups \1\ of attackers (Factor 3), suicide attacks (Factor 
5), insider assistance (Factors 4 and 8), and waterborne attacks 
(Factor 6). Additionally, based on the 12 factors, public comment, and 
other intelligence and law enforcement information, the Commission has 
decided to explicitly include a cyber threat as an attribute of the 
DBTs (Factor 2).
---------------------------------------------------------------------------

    \1\ For purposes of this rule, there is no substantive 
difference between the terms ``group'' and ``team'' in reference to 
the operational capabilities of the DBT adversary force. The meaning 
of the term ``group'' is the same as the meaning of the term 
``team'' used in the proposed rule. The term ``team'' was preserved 
in this final rule only when summarizing comments on the proposed 
rule or the 12 Factors of the EPAct.
---------------------------------------------------------------------------

    After careful consideration, the Commission also chose not to adopt 
elements related to some EPAct factors as part of the rule text. 
However, that decision should not be misconstrued as lack of 
consideration of the factors themselves. Nor should the Commission's 
statement in the proposed rule soliciting comments on ``whether or how 
the 12 factors should be addressed in the DBT rule'' be interpreted to 
mean that the Commission deferred consideration of the factors until 
after it received comments. Rather, the Commission proposed 
requirements that would require licensees to defend against threats the 
Commission considered appropriate at that time, subject to change in 
the final rule after further consideration of public comments.
    Several commenters specifically charged that the Commission 
deferred its consideration of air-based threats to the final rule, thus 
undermining stakeholders' abilities to know the Commission's position 
on that factor. At the time that the proposed rule was published, the 
Commission maintained its view that protection against airborne attack 
could best be provided by the strengthening of airport and airline 
security measures. Accordingly, the Commission did not propose to 
include a provision in the proposed rule that would require licensees 
to provide defense against an airborne attack but the Commission 
specifically sought comment on the issue in the proposed DBT rule and 
has remained open to changing its position. In addition to being raised 
in PRM-73-12, the Commission has received numerous comments on the 
airborne threat. It has carefully considered those comments and has 
responded to them below. The assertion about the lack of APA notice 
with regard to the EPAct's 12 factors is without merit. The proposed 
rule discussion contained, under a section designated ``Proposed 
Regulations,'' (70 FR 67381) a detailed listing and clarifying 
discussion of the 12 factors and a specific request for public comment 
on ``whether or how the 12 factors should be addressed in the DBT 
rule.'' (70 FR 67382).
Factor 1. The Events of September 11, 2001
    The Commission's Consideration: The events of September 11, 2001, 
have been central to the Commission's efforts in reevaluating the DBTs. 
As a result of these attacks, the NRC promptly reevaluated the DBTs and 
imposed additional requirements on licensees through orders, including 
the April 29, 2003 Orders on the DBTs. A number of revisions to the 
DBTs have resulted from consideration of the events of September 11, 
2001. Those revisions include increased adversaries' willingness to 
kill or be killed, and the capability to operate in several different 
modes of attack, including multiple adversary groups, and multiple 
adversary entry points.
    Public Comment: Several commenters specifically challenged the 
proposed rule's consideration of the events of September 11, 2001, 
expressing concern

[[Page 12708]]

that the DBT rule does not require licensees to defend against a number 
of attackers comparable to the number of terrorists (19) who 
participated in the attacks on September 11, 2001.
    Response to Public Comment: The Commission disagrees with the 
comment. The Commission's consideration of the number of attackers 
comprising the DBT is discussed in more detail below under Factor 3. 
However, with respect to the assertion that the number of attackers 
should be comparable to the number of September 11, 2001, attackers 
(19), the Commission notes that the official U.S. Government terrorism 
report for 2001, ``Patterns of Global Terrorism,'' states that the 
September 11, 2001, attacks consisted of ``four separate but 
coordinated aircraft hijackings,'' not a single attack involving 19 
assailants. However, in its annual terrorism report for 2001, the 
Federal Bureau of Investigation (FBI) considered the attacks as one act 
of international terrorism by ``four coordinated teams of terrorists.'' 
Consideration of seemingly inconsistent views was just one part of a 
significant statistical analysis conducted by the NRC as part of the 
post-September 11, 2001, DBT process to determine the DBT adversary 
force size. In summary:
     NRC position: Disagrees with the comment.
     Action: No action required.
Factor 2. An Assessment of Physical, Cyber, Biochemical, and Other 
Terrorist Threats
    The Commission's Consideration: Although the DBT rule does not 
elaborate on the specifics of vehicle bomb size, numbers of 
adversaries, or exact types of weapons for operational security 
purposes, the Commission believes they are appropriate. The DBTs are 
the result of the NRC's continuous evaluation of current threats. That 
evaluation is not limited to a particular kind of threat, but naturally 
includes consideration of physical threats, cyber threats, and 
biochemical threats. The DBT rule reflects the Commission's 
determination of the composite set of adversary features against which 
private security forces should reasonably have to defend.
    The DBT rule has been amended in several significant respects to 
reflect the current physical, cyber, biochemical, and other terrorist 
threats. For example, the radiological sabotage DBT has been enhanced 
to reflect the requirement that the licensees have a capability to 
defend against attackers with the ability to operate in several modes 
of attack, including as multiple groups, attacking from multiple entry 
points. Additionally, in Sec.  73.1(a)(1)(i)(C), the phrase ``up to and 
including'' was changed to simply ``including'' to provide flexibility 
in defining the range of weapons available to the composite adversary 
force.
    One significant change to the rule relates to physical threats from 
the use of vehicles, either as modes of transportation or as vehicle 
bombs. Section 73.1(a)(1)(i)(E), for example, effectively expands the 
scope of vehicles available for the transportation of adversaries by 
deleting the reference to ``four-wheel drive'' and by adding water-
based vehicles.
    In addition, Sec.  73.1(a)(1)(iii) (the land vehicle bomb 
provision) is similarly revised to delete the ``four-wheel drive'' 
limitation, and to add a capability that the vehicle bomb ``may be 
coordinated with an external assault,'' maximizing its destructive 
potential. Further, an entirely new capability has been added to the 
DBT involving a waterborne vehicle bomb, which also is encompassed in 
the coordinated attack concept.
    The Commission has also carefully considered biochemical threats 
both before and after the events of September 11, 2001. The previous 
rule already contained requirements that provided the capability of 
using ``incapacitating agents,'' and that attribute has been retained 
in the final rule. In addition, armed responders are required to be 
equipped with gas masks to effectively implement the protective 
strategy and mitigate the effects of the incapacitating agents.
    Public Comment: Although many of the public comments could 
generally be characterized as addressing Factor 2, only a few comments 
specifically fell under this factor. One commenter stated that the NRC 
needs to engage independent experts to develop a comprehensive computer 
vulnerability and cyber attack threat assessment, that must evaluate 
the vulnerability of the full range of nuclear power plant computer 
systems and the potential consequences of these vulnerabilities. The 
commenter further suggested that the revised DBTs must incorporate 
these findings and include a protocol for quickly detecting such an 
attack and recovering key computer functions in the event of an attack.
    Two other commenters stated that the regulations do not reflect 
protections against explosive devices of considerable size, other 
modern weaponry, and cyber, biochemical, and other terrorist threats. 
Another commenter did not believe the proposed DBTs protected against 
all conceivable attacks, such as launching a large explosive device 
from a boat, clogging the water intakes, dropping a conventional bomb 
into spent fuel pools, insider sabotage, etc.
    Response to Public Comment: Regarding the threat of cyber attack 
comment, the NRC agrees with the statement submitted by the commenter 
and explicitly included a cyber attack as an element of the DBTs in the 
final rule. The basis for this addition, and implications of the rule 
change are discussed further in Section III of this document. In 
addition, the proposed 10 CFR 73.55(m), ``Digital Computer and 
Communication Networks,'' that is included in the proposed rule, 
``Power Reactor Security Requirements,'' (71 FR 62664; October 26, 
2006), contains proposed measures to mitigate a cyber attack.
    With respect to the other comments regarding protection against 
explosives of considerable size and modern weaponry, as stated earlier, 
the details of the adversary capabilities can not be specified 
publicly, but the Commission believes they are appropriate. 
Furthermore, the land vehicle bomb assault may be coordinated with an 
external assault, maximizing its destructive potential.
    The NRC does not intend the DBTs to represent ``worst case'' 
scenarios or all conceivable attacks. It is impossible to address all 
possible attack scenarios, because there is no theoretical limit to 
what attack scenarios can be conceived. Therefore, the NRC staff 
considers the tactics that have been observed in use, discussed, or 
trained for by potential adversaries. These tactics and DBT provisions 
are subjected to an interagency review process where Federal law 
enforcement and intelligence community agencies comment and provide 
feedback. If changes develop in adversary tactics that could 
significantly impact nuclear facility security, the staff would request 
that the Commission consider these tactics for inclusion in the DBT 
provisions. In summary:
     NRC position: Agrees with one element of comment--include 
cyber threat as an attribute; disagrees with the other two elements.
     Action: Final rule includes cyber attack as an explicit 
element of the DBTs. No other action required.
Factor 3. The Potential for Attack on Facilities by Multiple 
Coordinated Teams of a Large Number of Individuals
    The Commission's Consideration: The number of attackers and the 
tactics used by those attackers is now and has always been a core 
consideration of the DBT. Although the NRC obviously

[[Page 12709]]

cannot comment on the size (specific number of attackers) of the DBT 
adversary force for operational security reasons, it can address the 
process how these numbers are derived. As noted in the Commission's 
consideration of Factor 1, the size of the DBT adversary force and the 
number of assault teams were derived through a careful and deliberative 
process involving not only the NRC staff, but Federal law enforcement, 
and intelligence community, and homeland security agencies using a 
variety of classified and unclassified sources. A statistical analysis 
was done on terrorist group size by looking at hundreds of terrorist 
attacks over several years, and comparing them with previous group size 
analyses for changes in long-term trends. Large ``outlier'' terrorist 
events, although few in number, were included in this analysis. This 
statistical analysis was factored into a parallel analysis of known 
terrorist attacks against protected facilities (also few in number) and 
terrorist training, tactics, and doctrinal manuals concerning armed 
assaults against facilities.
    In addition, the NRC found that the vague qualifiers (``several 
persons'' and ``small group'') in the previous adversary descriptions 
in 10 CFR 73.1 did little to add to the clarity of the rule because the 
phrases are highly subjective. Thus, the final rule now contains the 
more specific language ``by an adversary force capable of operating in 
each of the following modes: a single group attacking through one entry 
point, multiple groups attacking through multiple entry points, a 
combination of one or more groups and one or more individuals attacking 
through multiple entry points, or individuals attacking through 
separate entry points.'' By revising the language in the rule and 
eliminating the reference to ``several persons'' and ``small group,'' 
the NRC actually increased the potential flexibility of the design 
basis adversary. The use of multiple adversary groups is not 
necessarily tactically advantageous to the attacking force in all 
possible scenarios. In some instances, the adversary force, as 
simulated in Force-on-Force (FOF) exercises can, based on its analysis 
of the licensee's protective strategy, concentrate its force in a 
single group if necessary to best attack a facility. In other 
instances, a licensee's protective strategy may be more vulnerable to 
multiple groups of attackers attempting entry from different locations. 
In any event, the final DBT rule now provides enough flexibility to 
account for all of these scenarios, while the guidance provides 
sufficient specificity.
    Public Comment: Several commenters contend that for nuclear power 
plants, the regulations should provide protection against coordinated 
attacks by multiple large groups of up to two dozen sophisticated and 
knowledgeable adversaries.
    Response to Public Comment: As stated above, the Commission has 
revised the rule to reflect these considerations and to provide maximum 
flexibility in developing threat scenarios which licensees must defend 
against. In summary:
     NRC position: Agrees partially with the comment.
     Action: No additional action required, beyond adoption of 
more specific language in the final rule.
Factor 4. The Potential for Assistance in an Attack From Several 
Persons Employed at the Facility
    The Commission's Consideration: The Commission has always 
considered the threat of insider assistance to be a very real and 
significant threat. Thus, the DBTs have long contained a provision 
requiring licensees to protect against insider assistance. Also, other 
NRC regulations contain substantial requirements for access 
authorization programs (10 CFR 73.56, ``Personnel Access Authorization 
Requirements for Nuclear Power Plants,'' and 10 CFR 73.57, 
``Requirements for Criminal History Checks of Individuals Granted 
Unescorted Access to a Nuclear Power Facility or Access to Safeguards 
Information by Power Reactor Licensees''). However, the final rule has 
amended this requirement to expand the threat of insider assistance. 
For instance, 10 CFR 73.1(a)(1)(A) and (2)(i)(A) add language 
indicating that the adversaries have ``sufficient knowledge to identify 
specific equipment or locations necessary for a successful attack.'' 
Therefore, this provision suggests that this knowledge could be 
obtained from an insider who has such knowledge.
    The insider assistance provision itself has also been revised. The 
final rule deletes the term ``individual'' to provide flexibility in 
defining the number of persons who may be involved in providing inside 
assistance.
    Public Comment: One commenter stated that the insider attribute 
must include an active participant in an attack and should include the 
possibility of first responders and or National Guardsmen providing 
insider assistance.
    Response to Public Comment: The NRC agrees with part one of this 
comment. The capability of ``active'' insider assistance is clearly 
stated in both 10 CFR 73.1(a)(1)(i)(B) for radiological sabotage and 10 
CFR 73.1(a)(2)(i)(B) for theft or diversion of strategic special 
nuclear material. Further, the ``active'' assistance capability has 
long been a component of the DBTs. The use of the conjunction ``or'' 
provides for increased tactical flexibility on the part of the 
adversary, based on the specific situation. It does not preclude an 
active insider in favor of a passive one.
    The NRC disagrees with the second part of this comment. National 
Guard, local law enforcement and other non-licensee security personnel 
already stationed at the owner-controlled boundary or entry portals of 
some licensee facilities are not part of the licensee workforce and not 
subject to NRC regulatory authority; hence, they are considered beyond 
the scope of the DBTs. Typically, these organizations have their own 
internal screening procedures to determine reliability and 
trustworthiness. The NRC recognizes that those processes exist and 
provide an appropriate level of assurance against an insider threat to 
that organization. Furthermore, first responders, law enforcement, and 
National Guard personnel are not given unescorted access to the 
Protected Area (PA).
    First responders, law enforcement, and other external security 
personnel responding to an emergency or security event at a site would 
do so according to established emergency response protocols. If a 
particular responding organization had been penetrated by an adversary 
insider, then that adversary would be considered an external adversary 
for purposes of the DBTs. The requirement that licensees protect 
against ``A determined violent external assault, attack by stealth, or 
deceptive actions, including diversionary actions,'' as described in 
Sec. Sec.  73.1(a)(1)(i), and 73.1(a)(2)(i), anticipates such an 
adversary. In summary:
     NRC Position: Agrees with the first element of the 
comment, disagrees with the second element of the comment.
     Action: No action required.
Factor 5. The Potential for Suicide Attacks
    The Commission's Consideration: The final rule contains language 
reflecting the potential for suicide attacks. This level of commitment 
has been assumed since the first DBTs were established by the NRC. 
Language has been added to Sec. Sec.  73.1(1)(i)(A) and 73.1(2)(i)(A) 
indicating that potential adversaries have the attribute of a 
willingness to ``kill or be killed.''

[[Page 12710]]

    Public Comment: No public comment received.
    Response to Public Comment: No response required.
Factor 6. The Potential for Water-Based and Air-Based Threats
    a. The Commission's Consideration: Certainly one of the most 
substantial considerations of the Commission, NRC licensees, the 
Federal government, and the public is the threat of airborne attacks 
against critical infrastructures. As stated below, the vast majority of 
comments received by the Commission on the proposed DBT rule regarded 
the airborne threat. The Commission has been evaluating the issue of 
air-based threats long before it was required by the EPAct, and its 
position on the necessity to add this attribute to the DBTs prior to 
this rulemaking has been well documented. The Commission's evaluation 
of the airborne threat has been an ongoing process, and it has spent a 
significant amount of time and resources as part of this rulemaking in 
considering whether to make some type of airborne threat part of the 
DBTs. Ultimately, the Commission has determined that active protection 
against the airborne threat requires military weapons and ordnance that 
rightfully are the responsibilities of the Department of Defense (DOD), 
such as ground-based air defense missiles, and thus, the airborne 
threat is one that is beyond what a private security force can 
reasonably be expected to defend against. This does not mean that the 
Commission is discounting the airborne threat; merely that the 
responsibility for actively protecting against the threat lies with 
other organizations of the Federal government, as it does for any U.S. 
commercial infrastructures.
    Beyond active protection, the Commission believes that some 
considerations involving airborne attack relate to the development of 
specific protective strategies and physical protection measures that 
are not within the scope of the DBTs. The deployment of ground-based 
air defense weapons would be a decision for the Departments of Defense, 
Homeland Security, Transportation and Justice, not the NRC. In 
addition, the NRC believes that application of ground-based air defense 
weapons would present significant command and control challenges, 
particularly relating to the time required to identify and confirm the 
presence of a hostile aircraft and for a commercial entity to get 
permission to engage. The potential for collateral damage to the 
surrounding community also would have to be considered. Deployment of 
protective measures such as no-fly zones, combat air patrols, and 
ground-based air defenses are undertaken by many other Federal 
organizations working on preventing and protecting critical 
infrastructure from terrorist attacks, including the U.S. Northern 
Command (USNORTHCOM) and North American Aerospace Defense Command 
(NORAD), the Transportation Security Administration (TSA), and the 
Federal Aviation Administration (FAA). The FAA has issued a Notice to 
Airmen (NOTAM) strongly advising pilots to avoid the airspace above, or 
in proximity to, such sites as power plants (nuclear, hydro-electric, 
or coal), dams, refineries, industrial complexes, military facilities 
and other similar facilities. Pilots are warned not to loiter in the 
vicinity of these types of facilities. The significant increase in 
aviation security since September 11, 2001, goes a long way toward 
protecting the United States, including nuclear facilities, from an 
aerial attack. Some of these improvements include:
     Criminal history checks on flight crew;
     Reinforced cockpit doors;
     Checking of passenger lists against ``no-fly'' lists;
     Increased control of cargo;
     Random inspections;
     Increased Federal Air Marshal presence;
     Improved screening of passengers and baggage;
     Federal Flight Deck Officer Program;
     Controls on foreign passenger carriers;
     Requirements on charter aircraft;
     Enhanced vigilance of flight training; and
     Improved coordination and communication between civilian 
and military authorities.
    In February 2002, the Commission, in addition to the actions of 
other Federal entities, directed nuclear power plant licensees to 
develop specific plans and strategies to respond to a wide range of 
threats, including the impact of an aircraft attack. NRC staff 
conducted mock exercises to practice imminent air attack responses with 
each licensee. The NRC has continued to work with licensees on these 
issues and has inspected licensee actions to identify and implement 
mitigation strategies to limit the effects of such an event. The NRC 
has conducted detailed, site-specific engineering studies of a limited 
number of plants to gain insights on potential vulnerabilities of 
nuclear power plants to deliberate attacks involving large commercial 
aircraft. The results of these studies have confirmed the effectiveness 
of the February 2002 NRC-ordered mitigative measures, and have 
identified the need for some additional enhancements. For the 
facilities analyzed, the studies confirm the low likelihood of both 
damaging the reactor core and releasing radioactivity that could affect 
public health and safety. Even in the unlikely event of a radiological 
release due to a terrorist use of a large aircraft against a nuclear 
power plant, the studies indicate that there would be time to implement 
the required on-site mitigating actions. These results have also 
validated the potential radioactive source term for off-site emergency 
planning basis. Nevertheless, on June 20, 2006, the NRC issued orders 
to appropriate power reactor licensees requiring the implementation of 
additional key radiological protection and mitigation strategies to 
reduce potential consequences from the loss of large areas of the plant 
due to large fires or explosions. This information is discussed in, 
``In the Matter of Operating Power Reactor Licensees Identified in 
Attachment 1; Orders Modifying Licensees (Effective Immediately),'' (71 
FR 36554; June 27, 2006). Additional studies are being considered to 
further assess mitigative capabilities. The NRC will continue to 
coordinate with the Department of Homeland Security (DHS) on this 
initiative. (See Factor 9 for further discussion of a related topic, 
``The potential for fires, especially fires of long duration.'')
    Finally, in early March 2006, the NRC hosted an Interagency 
Aircraft Attack Tabletop Exercise at NRC Headquarters. Representatives 
from the DHS, the DOD/USNORTHCOM, and the FBI attended. The purpose of 
the exercise was to explore Federal responsibilities and interfaces, 
consistent with the National Infrastructure Protection Plan and 
National Response Plan, for terrorist incidents at nuclear power 
plants, with a focus on an aircraft attack on the facility. The 
tabletop exercise reconfirmed the respective responsibilities of the 
participating organizations (NRC, DHS, DOD, and FBI) in the event of a 
nuclear plant aircraft attack and clarified protocols for response-
related interagency communication and coordination.
    The final DBT contains two new provisions that account for the 
capability of a water-based attack, as discussed under Factor 2. These 
capabilities were included based on conclusions drawn from the NRC's 
continuing review of intelligence information and liaison with Federal 
law enforcement, intelligence community, and homeland security

[[Page 12711]]

agencies. Sections 73.1(a)(1)(i)(E) and 73.1(a)(2)(i)(E) add the 
capability to use water-based vehicles for transporting personnel and 
equipment to the proximity of vital areas. Sections 73.1(a)(1)(iv) and 
73.1(a)(2)(iv) add a new provision for a waterborne vehicle bomb 
assault. The NRC has concluded that defense against these new DBT 
provisions will provide a high-assurance of protection against the 
waterborne threat.
    Public Comment: Approximately 820 comments indicated that the 
``beamhenges'' concept or similar barrier method of protection should 
be considered for protection against airborne attacks. As generically 
described by the commenters, a ``beamhenge'' shield is constructed out 
of an interlocking series of steel I-beams and cables that would be 
built at sufficient stand-off distances from safety-related buildings 
at nuclear power plants to protect against an aircraft attack. Comments 
also indicated that a ``no-fly'' zone should be imposed around nuclear 
power plants and that ground based-air defense systems should be 
deployed to protect each site.
    Further, multiple commenters expressed concerns regarding the 
vulnerabilities of nuclear power plants and other licensed facilities 
to terrorist waterborne attacks. Commenters suggested that the revised 
DBTs should require nuclear power plants and other licensed facilities 
situated on navigable waterways to be equipped with visible, engineered 
physical barriers.
    Response to Public Comment: The Commission has spent considerable 
time and resources considering the threat of airborne and waterborne 
attacks on nuclear facilities. Based on these considerations, the NRC 
has chosen a two-track approach to respond to these threats in order to 
assure adequate protection. First, the NRC has determined that active 
protection against the airborne threat rests with other organizations 
of the Federal government, such as NORTHCOM and NORAD, TSA, and FAA. 
The NRC will continue to test these relationships through exercises. 
Second, licensees have been directed to implement certain mitigative 
measures to limit the effects of an aircraft strike. To the extent that 
commenters have suggested the imposition of specific physical security 
measures such as the ``beamhenges'' concept, the NRC has considered on 
the issue, but has rejected the concept because it believes that the 
mitigation measures in place are sufficient to ensure adequate 
protection of the public health and safety.
    With respect to the waterborne attack threat, the DBT rule has been 
revised to reflect two new water-based capabilities. However, 
requirements of physical barriers for the protection of the nuclear 
power plants and other licensed facilities under waterborne attack are 
not in the scope of DBT rule. Requirements for physical barriers are 
addressed in a separate rulemaking to amend 10 CFR 73.55. The security 
requirements in the proposed rulemaking that would amend 10 CFR 73.55 
(71 FR 62664; October 26, 2006) address protective strategies and 
security measures for nuclear power plants and other licensed 
facilities under waterborne attacks, and require licensees to defend 
against the DBTs. In summary:
     NRC Position: Agrees with the waterborne comment. 
Disagrees with ``no-fly'' zones and ``beamhenges'' concept comments.
     Action: No action required.
Factor 7. The Potential Use of Explosive Devices of Considerable Size 
and Other Modern Weaponry
    The Commission's Consideration: As part of its consideration of 
Factor 2, the Commission assessed the potential use of explosive 
devices of considerable size and other modern weaponry. The Commission 
notes that the DBTs have been revised to specifically reflect these two 
considerations. First, Sec. Sec.  73.1(a)(1)(i)(C) and 73.1(a)(2)(i)(C) 
were amended to revise the phrase ``up to and including'' to simply 
``including'' to increase the flexibility in defining the available 
range of weapons. Second, the vehicle bomb threat has been expanded to 
include waterborne vehicles. This factor has been further articulated 
in Factor 2.
    Public Comment: Refer to Factor 2.
    Response to Comment: Refer to Factor 2.
    In summary:
     NRC Position: Agrees with the comment.
     Action: No action required.
Factor 8. The Potential for Attacks by Persons With a Sophisticated 
Knowledge of Facility Operations
    The Commission's Consideration: As noted above under the discussion 
of Factor 4, Sec. Sec.  73.1(a)(1)(i)(A) and 73.1(a)(2)(i)(A) added 
language indicating that the adversaries have ``sufficient knowledge to 
identify specific equipment or locations necessary for a successful 
attack.''
    Public Comment: No public comment received.
    Response to Comment: No response required.
Factor 9. The Potential for Fires, Especially Fires of Long Duration
    The Commission's Consideration: The DBTs describe specific 
adversary characteristics against which licensees must be prepared to 
defend. Fires, in contrast, are not adversary characteristics, but 
result from a particular adversary attack. Nevertheless, the NRC 
considered fires resulting from several possible initiating events, 
both accidental and malicious in nature. The NRC conducted 
vulnerability assessments for some operating nuclear power plants in 
the 1970s and 1980s to establish the technical basis for security 
requirements. The NRC also routinely evaluated the potential impacts of 
terrorist attacks on power reactors as part of the FOF exercise program 
on a plant-by-plant basis. After the terrorist attacks on September 11, 
2001, the NRC promptly assessed the potential for and consequences of 
terrorists targeting a nuclear power plant, including its spent fuel 
storage facilities, for an aircraft attack, the physical effects of 
such a strike, and how compounding factors (e.g., fires, meteorology, 
etc.) would affect the impact of potential radioactive releases. As 
part of a comprehensive assessment, the NRC conducted detailed site-
specific engineering studies of a limited number of nuclear power 
plants to assess potential vulnerabilities of deliberate attacks 
involving a large commercial aircraft. Additional Commission 
considerations are provided under the discussion of Factor 6. A summary 
of the assessment study is available in a publicly available document.
    Public Comment: One commenter stated that the proposed rule did not 
consider the potential for fires, especially fires of long duration and 
thus asserts that the proposed rule does not comply with the 
Congressional directive because it fails to mention the fire threat.
    Response to Public Comment: The NRC disagrees with the statement 
submitted by the commenter. As stated above, the NRC considered fire to 
be a result of several possible threats. Adversary forces, bombs, and 
explosives can all result in fires, and potentials for fires have been 
considered during the DBT rulemaking process. The following is provided 
as background information related to this comment.
    As part of a larger NRC effort to enhance the safety and security 
of the Nation's nuclear power plants, an initiative was undertaken as 
part of a February 2002 NRC Order. The order required licensees to look 
at what might

[[Page 12712]]

happen if a nuclear power plant lost large areas due to explosions or 
fires. The licensees then were required to identify and later implement 
strategies that would maintain or restore cooling for the reactor core, 
containment building, and spent fuel pool. The requirements listed in 
Section B.5.b of this order directed licensees to identify ``mitigative 
strategies'' (meaning the measures licensees could take to reduce the 
potential consequences of a large fire or explosion) that could be 
implemented with resources already existing or ``readily available.'' 
The NRC held inspections in 2002 and 2003 to identify if licensees had 
implemented the required mitigative strategies.
    These inspections, as well as additional studies, showed 
significant differences in the strategies implemented by the plants. As 
a result, the NRC developed additional mitigative strategy guidance. 
The guidance was based on ``lessons learned'' from NRC engineering 
studies and included a list of ``best practices'' for mitigating losses 
of large areas of the plant. Each plant was requested to consider 
implementation of applicable additional strategies by August 31, 2005. 
The NRC inspected each plant in 2005 to review their implementation of 
any additional mitigative measures. The NRC is continuing to ensure 
licensees appropriately implement these measures.
    Finally, aircraft attack, another threat likely to result in fires 
was also considered and studies analyzing the consequences of 
successful commercial airline attacks were performed. In conducting 
these studies, the NRC drew on national experts from several DOE 
laboratories using state-of-the-art structural and fire analyses. The 
NRC also enhanced its ability to realistically predict accident 
progression and radiological release consequences. For the facilities 
analyzed, the studies found that the likelihood of both damaging the 
reactor core and releasing radioactivity that could affect public 
health and safety is low. Even in the unlikely event of a radiological 
release due to terrorist use of a large aircraft, there would be time 
to implement mitigating actions and off-site emergency plans such that 
the NRC's emergency planning basis remains valid (71 FR 36554; June 27, 
2006). Additional site-specific studies of operating nuclear power 
plants are underway or being planned to determine the need, if any, for 
additional mitigating capability on a site-specific basis. In summary, 
the NRC considered the potential for fires during the DBT rulemaking 
process, as required by the EPAct.
     NRC position: Disagrees with the comment.
     Action: No action required.
Factor 10. The Potential for Attacks on Spent Fuel Shipments by 
Multiple Coordinated Teams of a Large Number of Individuals
    The Commission's Consideration: As stated in response to Factor 3, 
the Commission considered the potential for attacks on nuclear 
facilities by multiple coordinated groups of a large number of 
individuals. The number of attackers and the tactics used by those 
attackers is now and has always been a core consideration of the DBTs. 
In addition, the Commission has considered the potential for attacks on 
spent fuel shipments and issued an order, requiring specific protective 
measures. The Commission is planning to propose a rule on spent fuel 
shipments in the near future.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.
Factor 11. The Adequacy of Planning To Protect the Public Health and 
Safety at and Around Nuclear Facilities, as Appropriate, in the Event 
of a Terrorist Attack Against a Nuclear Facility
    The Commission's Consideration: The DBT rule does not include 
requirements imposing specific emergency planning considerations. 
Nevertheless, the Commission considered the implications of security-
related incidents on emergency planning. As part of those efforts, 
following the terrorist attacks of September 11, 2001, the NRC 
evaluated the emergency preparedness (EP) planning basis and determined 
that the planning basis for nuclear power reactors remains valid. 
Further, the NRC issued orders requiring compensatory measures for 
nuclear security and safety, and observed licensee performance during 
security-based EP drills and exercises and security FOF exercise 
evaluations. Also, the NRC reviewed current public radiological 
protective action guidance, and discussed security-based EP issues with 
various stakeholders, including licensees and Federal, State and local 
government officials. Based on the information obtained from the 
reviews and evaluations, the NRC determined that EP of nuclear power 
plants could be enhanced. The Commission approved the communication of 
enhancements to EP and response actions for security-based events to 
power reactor licensees. NRC Bulletin 2005-02, ``Emergency Preparedness 
and Response Actions for Security-Based Events,'' dated July 18, 2005, 
communicated enhancements in the following areas:
     Security-based emergency classification levels and 
emergency action levels;
     A 15 minute prompt notification to the NRC for security-
based events;
     On-site protective actions to maximize personnel safety 
during security-based events;
     Enhanced emergency response organization augmentation; and
     Development of a security-based emergency drill and 
exercise program.
    As of February 18, 2006, all power reactor licensees have 
implemented the enhancements to their EP programs with the exception of 
the drill and exercise program. A majority of nuclear power plant 
licensees indicated that adoption of the security-based EP drill and 
exercise program is contingent on NRC and the Department of Homeland 
Security (DHS) endorsement. The NRC continues to work with DHS and the 
Nuclear Energy Institute to develop and implement a security-based 
drill and exercise program at power reactor licensees. This program is 
being conducted in a phased approach. Tabletop drills at four power 
reactor sites and a facility drill were conducted successfully, and 
areas for improvement were identified and incorporated by the industry 
into draft guidelines. Over the next three years, the industry plans to 
conduct security-based EP drills at each power reactor licensee with an 
end state of the integration of security-based EP scenarios into the 
biennial EP exercise program.
    In addition to those security-related emergency planning efforts, 
the NRC and DHS worked together to develop and improve EP for a 
terrorist attack through federal initiatives such as comprehensive 
review programs and integrated response planning efforts. The NRC and 
DHS have enhanced the coordination of integrated EP programs through 
evaluations of licensee and State/local/tribal response capabilities, 
and reviews of critical infrastructure preparedness and response plans 
for commercial nuclear power plants. Our combined efforts have resulted 
in specific enhancements to security-related EP measures, and continued 
improvement in capabilities for licensees and off-site response 
organizations to respond to a wide spectrum of events.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.

[[Page 12713]]

Factor 12. The Potential for Theft or Diversion of Nuclear Material 
From Such Facilities
    The Commission's Consideration: The DBT rule includes two separate 
components, the DBT of radiological sabotage, and the DBT of theft or 
diversion of formula quantities of special nuclear materials. Although 
the legal requirements of the radiological sabotage DBT and the theft 
or diversion DBT, as embodied in the rule text of Sec. Sec.  73.1(a)(1) 
and in 73.1(a)(2), respectively, are the same, the ACDs and RGs differ 
in describing how power reactor and Category I fuel cycle facility 
licensees should implement and comply with the separate rules. These 
differences are classified and are not elaborated on here.
    As stated in 10 CFR 73.55(a), power reactor licensees are only 
required to protect against the threat of radiological sabotage. Spent 
fuel is not an attractive theft or diversion target due to its large 
physical size and high thermal heat and radioactivity (most power 
reactor spent fuel is considered ``self-protecting''). As stated in the 
response to Group III Comments No. 18 (Security of Dry Cask Storage) 
and 19 (Security of Spent Fuel Pools), the NRC has required that 
licensees take additional security and mitigating measures against a 
radioactive release of spent fuel.
    The NRC has authorized the Duke Energy Corporation, owner and 
operator of the Catawba plant, to irradiate four fuel assemblies of 
Mixed-Oxide (MOX) fuel at the Catawba plant on a test basis as part of 
its license amendment issued on March 3, 2005. MOX fuel technically 
meets the criteria of a formula quantity of Strategic Special Nuclear 
Material, in this case plutonium, and would be subject to the DBT 
provisions of Sec.  73.1(a)(2) for theft or diversion. However, the NRC 
staff found that MOX fuel is not attractive to potential adversaries 
from a theft and diversion standpoint at the reactor site due to its 
low plutonium concentration, composition, and form (size and weight). 
The MOX fuel consists of plutonium oxide particles dispersed in a 
ceramic matrix of depleted uranium oxide with a plutonium concentration 
of less than six weight percent. The MOX fuel assemblies are the same 
form as conventional fuel assemblies designed for a commercial light-
water power reactor and are over 12 feet long and weigh approximately 
1,500 pounds. A large quantity of MOX fuel and an elaborate extraction 
process would be required to yield enough material for use in an 
improvised nuclear device or weapon. On the ``attractiveness'' bases, 
the NRC staff found that the complete application of 10 CFR 
73.45(d)(1)(iv), 73.46 (C)(1), 73.46(h)(3), 73.46(b)(3)-(b)(12), 
73.46(d)(9), and 73.46(e)(3) for MOX fuel was not necessary. The staff 
therefore approved the exemptions requested to these regulations, 
finding that they were authorized by law, and will not endanger life or 
property or the common defense and security, and that are otherwise in 
the public interest. The Commission later approved this determination 
in an adjudicatory order issued on June 20, 2005. Duke Energy 
Corporation (Catawba Nuclear Station, Units 1 and 2), CLI-05-014, 61 
NRC 359,363 (2005).
    Furthermore, transportation of the MOX fuel assemblies to Catawba 
will be done by the Department of Energy's (DOE's) Office of Secure 
Transportation, that has legal responsibility for the MOX fuel 
assemblies until custody is transferred to the licensee. Afterwards, 
the spent MOX fuel is cooled and stored like other spent fuel on site 
and is subject to the radiological sabotage DBT while stored in the 
spent fuel pool inside the Protected Area of the plant.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.

Section B

Group II. In Scope Comments
1. Defining the ``Design Basis Threat''
    Public Comment: Multiple commentators expressed concern that the 
NRC has not publicly defined or explained the ``design basis threat.'' 
Specifically, commenters were unclear what the Commission means by the 
statement that the DBTs are based on a ``determination as to the 
attacks against which a private security force can reasonably be 
expected to defend.'' These commenters suggested that the Commissions's 
failure to articulate the DBT concept creates an ambiguity in 
establishing the division of responsibility between NRC licensees and 
the DOD, or DHS. Several commenters suggested that if the NRC does not 
require plants to defend against air attack because it is unreasonable 
for a private security force to be able to do so, then it has no choice 
but to federalize security by requesting that DHS or the military 
assume full responsibility for the protection of nuclear power 
facilities.
    Other commenters suggested that the NRC's rationale for limiting 
the characteristics of the DBTs to the attacks against which a private 
security force could reasonably be expected to defend appears to be 
based on cost considerations, which is not permitted for measures that 
are necessary for the protection of public safety.
    Other commenters representing the nuclear industry, while agreeing 
that the DBT scope must be clear, asserted that the DBT can not be 
greater than the largest threats against which private sector 
facilities can reasonably be requested to defend themselves, and 
threats beyond the DBT are reasonably the responsibility of the 
national defense system.
    Response to Public Comment: The Commission has determined that the 
DBTs, as articulated in the rule, are based on adversary 
characteristics against which a private security force can reasonably 
be expected to defend. This formulation provides the Commission with 
the flexibility necessary to make reasoned, well-informed decisions 
regarding the DBTs. In contrast, detailed, prescriptive criteria would 
be unduly restrictive, and would unnecessarily limit the Commission's 
judgment. This judgment is guided by the Commission's considerable 
expertise in nuclear security matters, developed over the course of 30 
years of experience regulating the physical protection of nuclear 
facilities.
    With regard to the federalization of nuclear plants security 
forces, the Commission does not have the authority to federalize 
nuclear security forces and cannot demand deployment of military forces 
to protect nuclear facilities. Nor has Congress chosen to require these 
measures. As it has stated publicly many times, the Commission is 
confident that neither measure is necessary or even prudent. A primary 
reason for this is that the introduction of a federalized nuclear 
security force or military unit to provide day-to-day security would 
create command and control issues for plant management because it would 
essentially establish two classes of employees at commercial nuclear 
facilities, both of whom would be responsible for reactor safety in the 
event of a terrorist attack. This could result in a reduction in the 
licensee's ability to ensure reactor safety. In contrast, the continued 
use of private nuclear security officers responsible to the licensee 
maintains a unitary command structure focused on a unitary objective. 
The tightly-regulated private nuclear security forces in use today are 
well trained on the unique security considerations specific to nuclear 
power facilities and through rigorous FOF training have proven 
themselves to be effective and reliable. These conclusions were also 
documented when the Commission originally studied the issue

[[Page 12714]]

in 1976 in a report to Congress titled the ``Security Agency Study.''
    The DBT rule is also guided by the Commission's knowledge that, in 
addition to being among the most robust industrial facilities in the 
world, nuclear power plants are arguably the most physically secured 
industrial facilities. No other civilian industry security force is 
subject to as much regulatory oversight as the nuclear industry. 
However, the Commission acknowledges that the use of private security 
forces to defend nuclear power facilities faces limitations. For 
instance, there are legal limitations on the types of weapons and 
tactics available to private security forces. Generally, nuclea