Design Basis Threat, 12705-12727 [07-1317]

Agencies

• NUCLEAR REGULATORY COMMISSION

[Federal Register Volume 72, Number 52 (Monday, March 19, 2007)]
[Rules and Regulations]
[Pages 12705-12727]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 07-1317]


=======================================================================
-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Part 73

RIN 3150-AH60


Design Basis Threat

AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Nuclear Regulatory Commission (NRC) is amending its 
regulations that govern the requirements pertaining to the design basis 
threats (DBTs). This final rule makes generically applicable security 
requirements similar to those previously imposed by the Commission's 
April 29, 2003 DBT Orders, based upon experience and insights gained by 
the Commission during implementation, and redefines the level of 
security requirements necessary to ensure that the public health and 
safety and common defense and security are adequately protected. 
Pursuant to Section 170E of the Atomic Energy Act (AEA), the final rule 
revises the DBT requirements for radiological sabotage, generally 
applicable to power reactors and Category I fuel cycle facilities, and 
for theft or diversion of NRC-licensed Strategic Special Nuclear 
Material (SSNM), applicable to Category I fuel cycle facilities. 
Additionally, a petition for rulemaking (PRM-73-12), filed by the 
Committee to Bridge the Gap, was considered as part of this rulemaking. 
The NRC partially granted PRM-73-12 in the proposed rule, but deferred 
action on other aspects of the petition to the final rule. The NRC's 
final disposition of PRM-73-12 is contained in this document.

DATES: Effective Date: April 18, 2007.

FOR FURTHER INFORMATION CONTACT: Manash K. Bagchi, Office of Nuclear 
Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001, telephone 301-415-2905, e-mail MKB2@NRC.GOV.

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Background
II. Analysis of Public Comments and Consideration of the 12 Factors 
of the Energy Policy Act of 2005
III. Summary of Specific Changes Made to the Proposed Rule as a 
Result of Public Comments
IV. Section by Section Analysis
V. Guidance
VI. Resolution of Petition (PRM-73-12)
VII. Criminal Penalties
VIII. Compatibility of Agreement State Regulations
IX. Availability of Documents
X. Plain Language
XI. Voluntary Consensus Standards
XII. Finding of No Significant Environmental Impact: Environmental 
Assessment: Availability
XIII. Paperwork Reduction Act Statement
XIV. Regulatory Analysis
XV. Regulatory Flexibility Act Certification
XVI. Backfit Analysis
XVII. Congressional Review Act

I. Background

    The DBT requirements in 10 CFR 73.1 describe general adversary 
characteristics that designated licensees must defend against with high 
assurance. These NRC requirements include protection against 
radiological sabotage (generally applied to power reactors and Category 
I fuel cycle facilities) and theft or diversion of NRC-licensed SSNM 
(generally applied to Category I fuel cycle facilities). On November 7, 
2005 (70 FR 67380), the Commission published a proposed rule for public 
comment seeking to amend its regulation that governs the requirements 
pertaining to the DBTs. The DBTs are used by licensees to form the 
basis for site-specific defensive strategies implemented through 
physical security plans, safeguards contingency plans, and security 
personnel training and qualifications plans. Amendment of the DBT rule 
was influenced by a number of factors described below.
    Following the terrorist attacks on September 11, 2001, the NRC 
conducted a thorough review of security practices to ensure that 
nuclear power plants and other licensed facilities continued to have 
effective security measures in place to address the changing threat 
environment. The NRC recognized that some elements of the DBTs required 
enhancement. After soliciting and receiving comments from Federal, 
State, and local agencies, and industry stakeholders, and reviewing an 
analysis of intelligence information regarding the trends and 
capabilities of potential adversaries, the NRC imposed supplemental DBT 
requirements by order on April 29, 2003. The Commission deliberated on 
the responsibilities of the local, State, and Federal stakeholders to 
protect the nation and the responsibility of the licensees to protect 
individual nuclear facilities before issuing the April 29, 2003 DBT 
Orders.
    The April 29, 2003 DBT Orders required nuclear power reactors and 
Category I fuel cycle facility licensees to revise their physical 
security plans, security personnel training and qualification plans, 
and safeguards contingency plans to defend against the

[[Page 12706]]

supplemental DBT requirements. The orders required licensees to make 
security enhancements such as: Augmented security forces and 
capabilities; increased patrols; additional security posts and physical 
barriers; vehicle checks at greater standoff distances; enhanced 
coordination with law enforcement and military authorities; augmented 
security and emergency response training, equipment, and communication; 
and more restrictive site access controls for personnel, including 
expanded, expedited, and more thorough initial and follow-on screening 
of power reactor and Category I fuel cycle facility employees. After 
gaining experience with implementation of these orders, the Commission 
concluded that the general attributes of the orders should be 
generically imposed by regulation on certain classes of licensees.
    In addition, PRM-73-12 was filed by the Committee to Bridge the Gap 
on July 23, 2004, and was published for comment (69 FR 64690; November 
8, 2004). PRM-73-12 requests that the NRC amend its regulations to 
revise the DBT regulations (in terms of the numbers, teams, 
capabilities, planning, willingness to die, and other characteristics 
of adversaries) to a level that encompasses, with a sufficient margin 
of safety, the terrorist capabilities evidenced by the attacks of 
September 11, 2001. The petition also requests that security plans, 
systems, inspections, and force-on-force (FOF) exercises be revised in 
accordance with the amended DBTs, and that a requirement be added to 
part 73 to construct shields against air attack (the shields are 
referred to as ``beamhenges'') which the petition asserts would enable 
nuclear power plants to withstand an air attack from a jumbo jet. The 
NRC partially granted PRM-73-12 in the proposed rule, but deferred 
action on other aspects of the petition to the final rulemaking. The 
NRC's final disposition of PRM-73-12 is discussed in Section VI of this 
document.
    Finally, the Energy Policy Act (EPAct) of 2005 was signed into law 
on August 8, 2005. Section 651(a) of the EPAct amended the AEA by 
adding Section 170E, that required the Commission to initiate a 
rulemaking to revise the DBTs. In addition, Section 170E also directed 
the Commission to consider but not be limited to, the 12 factors 
specified in the statute in the course of that rulemaking. As stated in 
the proposed rule, these factors are:
    (1) The events of September 11, 2001;
    (2) An assessment of physical, cyber, biochemical, and other 
terrorist threats;
    (3) The potential for attack on facilities by multiple coordinated 
teams of a large number of individuals;
    (4) The potential for assistance in an attack from several persons 
employed at the facility;
    (5) The potential for suicide attacks;
    (6) The potential for water-based and air-based threats;
    (7) The potential use of explosive devices of considerable size and 
other modern weaponry;
    (8) The potential for attacks by persons with a sophisticated 
knowledge of facility operations;
    (9) The potential for fires, especially fires of long duration;
    (10) The potential for attacks on spent fuel shipments by multiple 
coordinated teams of a large number of individuals;
    (11) The adequacy of planning to protect the public health and 
safety at and around nuclear facilities, as appropriate, in the event 
of a terrorist attack against a nuclear facility, and
    (12) The potential for theft or diversion of nuclear material from 
such facilities;
    The Commission took into account a number of issues and sources in 
conducting this rulemaking, which included its experience in the 
implementation of the DBT Orders, the issues raised in PRM-73-12, EPAct 
requirements, and the public comments on the proposed rule. The 
Commission has considered and deliberated on the 12 factors identified 
in the EPAct. The results of its consideration are set forth in Section 
II of this document. Additionally, the Commission specifically invited 
public comments on how these factors should be addressed in the rule. 
Many of the comments received substantively focused on the 12 factors. 
Those comments and the Commission's responses are also discussed in 
Section II.
    It is important to note that the Commission was careful to set 
forth rule text in the final rule that does not compromise licensee 
security, but also acknowledges the necessity to keep the public 
informed of the types of attacks against which nuclear power plants and 
Category I fuel cycle facilities are required to defend. To this end, 
the final rule maintains a level of detail in the rule language that is 
generally comparable to the previous regulation, while updating the 
general DBT attributes in a manner consistent with the insights gained 
from the application of supplemental security requirements imposed by 
the April 29, 2003 DBT Orders, the EPAct, and consideration of public 
comments.
    The final rule contains the DBT with which licensees must legally 
comply. More specific details (e.g., specific weapons, ammunition, 
etc.) are consolidated in adversary characteristics documents (ACDs) 
which contain classified or Safeguards Information (SGI). The technical 
bases for the ACDs are derived largely from intelligence information. 
They also contain classified or SGI that cannot be publicly disclosed. 
These documents must be withheld from public disclosure and made 
available only on a need-to-know basis to those who are cleared for 
access.
    Because the regulatory guides (RGs) and the ACDs are guidance 
documents that provide details to the licensees regarding 
implementation and compliance with the DBTs, these documents may be 
updated from time to time as a result of the NRC's periodic threat 
reviews. The NRC has been conducting threat reviews since 1979. These 
threat reviews are performed in conjunction with the intelligence and 
law enforcement communities to identify changes in the threat 
environment which may, in turn, require adjustments of NRC security 
requirements. Future revisions to the ACDs would not require changes to 
the DBT regulations in 10 CFR 73.1, provided the changes remain within 
the scope of the rule text.

II. Analysis of Public Comments and Consideration of the 12 Factors of 
the EPAct

    The proposed rule provided a 75-day public comment period that 
ended on January 23, 2006. The comment period was extended by another 
30 days in response to a request from the Nuclear Energy Institute 
(NEI), an industry group, to allow additional time for review of the 
proposed rule because the comment period overlapped the year-end 
holidays. The extended comment period ended on February 22, 2006. A 
total of 919 comments were received from about 903 individuals, one 
county, 13 citizen groups, one utility involved in nuclear activities, 
and two nuclear industry groups. The comments covered a range of 
issues, some of which were beyond the scope of this rulemaking because 
they were specific to protective measures but did not relate to the 
adversary characteristics. The comments have been organized under three 
groups: Group I, Consideration of the 12 Factors in the EPAct; Group 
II, In-Scope-comments, that includes comments raising issues and 
concerns directly related to the contents of the DBT rule; and Group 
III, Out-of-Scope comments, that includes comments raising issues and 
questions that are not directly related to the DBT rule, although they

[[Page 12707]]

are generally relevant to the security of nuclear facilities. Responses 
are provided in the following format:

Group I: Consideration of the 12 Factors in the Energy Policy Act

    The Commission's consideration, public comments, and responses to 
the public comments are provided for the 12 factors described in 
Section A.

Group II: In Scope Comments

    Comments in Groups II and III are organized under the following 
general categories. The Commission's responses to these comment 
categories are provided in Section B:
    1. Definition of the Design Basis Threats
    2. Applicability of the Enemy of the State Rule
    3. Compliance with Administrative Procedure Act (APA) Notice and 
Comment Requirements
    4. Ambiguous Rule Text
    5. Differentiation in Treatment of General and Specific Licenses 
for ISFSI
    6. Applicability of the Radiological Sabotage DBT to New Nuclear 
Power Plants
    7. Consideration of the Uniqueness of Each Plant in Application of 
the DBTs
    8. Continued Exemption of Research and Test Reactors from the DBT 
Requirements
    9. Changes in Security Requirements to be Addressed Under Backfit 
Rule
    10. Compliance with the Paperwork Reduction Act
    11. Adequacy of the Regulatory Analysis
    12. Compliance with the National Environmental Policy Act (NEPA)
    13. Issuance of Annual Report Card on Individual Licensees

Group III: Out of Scope Comments

    14. Federalization of Security
    15. Force-on-Force Tests of Security
    16. Screening of Workers in Nuclear Power Plants
    17. Self-Sufficient Defense Capabilities
    18. Security of Dry Cask Storage
    19. Security of Spent Fuel Pools
    20. Inherent Design Problems that make Reactors Vulnerable
    A Comments Matrix has been provided in Appendix A, that references 
each topic with comments. The NRC's response to each topic is listed 
below:

Section A

Group I. Consideration of the 12 Factors in the Energy Policy Act
    As discussed above, Section 170E of the AEA, as amended by Section 
651(a) of the EPAct, directed the Commission to consider but not be 
limited to, the 12 factors specified in the statute in the course of 
the DBT rulemaking. Many of the comments received by the Commission 
focused on one or more of these factors. Prior to discussing the 
substance of the 12 factors, the Commission notes that several 
commenters charged that the Commission violated Section 170E by not 
considering some of the 12 factors, and by deferring final 
consideration of some of the provisions to the final rule. Those 
commenters suggested that this not only violated the mandate of Section 
170E, but also the Administrative Procedure Act (APA) by not providing 
adequate notice of the substance of the rule, and thus, the rule should 
be withdrawn and re-proposed.
    To be clear, Section 170E stated that the Commission ``shall 
consider,'' but not be limited to, the 12 factors when conducting the 
DBT rulemaking. However, the EPAct did not require that the Commission 
explicitly include any of the 12 factors in the proposed or final rule 
text. The Commission carefully considered intelligence information, 
vulnerability assessments, other Commission-sponsored studies, and each 
of the 12 factors in formulating the final rule. Accordingly, a number 
of provisions or rule changes were adopted that specifically 
incorporate certain language used in the 12 factors. For instance, the 
final rule contains specific provisions related to multiple, 
coordinated groups \1\ of attackers (Factor 3), suicide attacks (Factor 
5), insider assistance (Factors 4 and 8), and waterborne attacks 
(Factor 6). Additionally, based on the 12 factors, public comment, and 
other intelligence and law enforcement information, the Commission has 
decided to explicitly include a cyber threat as an attribute of the 
DBTs (Factor 2).
---------------------------------------------------------------------------

    \1\ For purposes of this rule, there is no substantive 
difference between the terms ``group'' and ``team'' in reference to 
the operational capabilities of the DBT adversary force. The meaning 
of the term ``group'' is the same as the meaning of the term 
``team'' used in the proposed rule. The term ``team'' was preserved 
in this final rule only when summarizing comments on the proposed 
rule or the 12 Factors of the EPAct.
---------------------------------------------------------------------------

    After careful consideration, the Commission also chose not to adopt 
elements related to some EPAct factors as part of the rule text. 
However, that decision should not be misconstrued as lack of 
consideration of the factors themselves. Nor should the Commission's 
statement in the proposed rule soliciting comments on ``whether or how 
the 12 factors should be addressed in the DBT rule'' be interpreted to 
mean that the Commission deferred consideration of the factors until 
after it received comments. Rather, the Commission proposed 
requirements that would require licensees to defend against threats the 
Commission considered appropriate at that time, subject to change in 
the final rule after further consideration of public comments.
    Several commenters specifically charged that the Commission 
deferred its consideration of air-based threats to the final rule, thus 
undermining stakeholders' abilities to know the Commission's position 
on that factor. At the time that the proposed rule was published, the 
Commission maintained its view that protection against airborne attack 
could best be provided by the strengthening of airport and airline 
security measures. Accordingly, the Commission did not propose to 
include a provision in the proposed rule that would require licensees 
to provide defense against an airborne attack but the Commission 
specifically sought comment on the issue in the proposed DBT rule and 
has remained open to changing its position. In addition to being raised 
in PRM-73-12, the Commission has received numerous comments on the 
airborne threat. It has carefully considered those comments and has 
responded to them below. The assertion about the lack of APA notice 
with regard to the EPAct's 12 factors is without merit. The proposed 
rule discussion contained, under a section designated ``Proposed 
Regulations,'' (70 FR 67381) a detailed listing and clarifying 
discussion of the 12 factors and a specific request for public comment 
on ``whether or how the 12 factors should be addressed in the DBT 
rule.'' (70 FR 67382).
Factor 1. The Events of September 11, 2001
    The Commission's Consideration: The events of September 11, 2001, 
have been central to the Commission's efforts in reevaluating the DBTs. 
As a result of these attacks, the NRC promptly reevaluated the DBTs and 
imposed additional requirements on licensees through orders, including 
the April 29, 2003 Orders on the DBTs. A number of revisions to the 
DBTs have resulted from consideration of the events of September 11, 
2001. Those revisions include increased adversaries' willingness to 
kill or be killed, and the capability to operate in several different 
modes of attack, including multiple adversary groups, and multiple 
adversary entry points.
    Public Comment: Several commenters specifically challenged the 
proposed rule's consideration of the events of September 11, 2001, 
expressing concern

[[Page 12708]]

that the DBT rule does not require licensees to defend against a number 
of attackers comparable to the number of terrorists (19) who 
participated in the attacks on September 11, 2001.
    Response to Public Comment: The Commission disagrees with the 
comment. The Commission's consideration of the number of attackers 
comprising the DBT is discussed in more detail below under Factor 3. 
However, with respect to the assertion that the number of attackers 
should be comparable to the number of September 11, 2001, attackers 
(19), the Commission notes that the official U.S. Government terrorism 
report for 2001, ``Patterns of Global Terrorism,'' states that the 
September 11, 2001, attacks consisted of ``four separate but 
coordinated aircraft hijackings,'' not a single attack involving 19 
assailants. However, in its annual terrorism report for 2001, the 
Federal Bureau of Investigation (FBI) considered the attacks as one act 
of international terrorism by ``four coordinated teams of terrorists.'' 
Consideration of seemingly inconsistent views was just one part of a 
significant statistical analysis conducted by the NRC as part of the 
post-September 11, 2001, DBT process to determine the DBT adversary 
force size. In summary:
     NRC position: Disagrees with the comment.
     Action: No action required.
Factor 2. An Assessment of Physical, Cyber, Biochemical, and Other 
Terrorist Threats
    The Commission's Consideration: Although the DBT rule does not 
elaborate on the specifics of vehicle bomb size, numbers of 
adversaries, or exact types of weapons for operational security 
purposes, the Commission believes they are appropriate. The DBTs are 
the result of the NRC's continuous evaluation of current threats. That 
evaluation is not limited to a particular kind of threat, but naturally 
includes consideration of physical threats, cyber threats, and 
biochemical threats. The DBT rule reflects the Commission's 
determination of the composite set of adversary features against which 
private security forces should reasonably have to defend.
    The DBT rule has been amended in several significant respects to 
reflect the current physical, cyber, biochemical, and other terrorist 
threats. For example, the radiological sabotage DBT has been enhanced 
to reflect the requirement that the licensees have a capability to 
defend against attackers with the ability to operate in several modes 
of attack, including as multiple groups, attacking from multiple entry 
points. Additionally, in Sec.  73.1(a)(1)(i)(C), the phrase ``up to and 
including'' was changed to simply ``including'' to provide flexibility 
in defining the range of weapons available to the composite adversary 
force.
    One significant change to the rule relates to physical threats from 
the use of vehicles, either as modes of transportation or as vehicle 
bombs. Section 73.1(a)(1)(i)(E), for example, effectively expands the 
scope of vehicles available for the transportation of adversaries by 
deleting the reference to ``four-wheel drive'' and by adding water-
based vehicles.
    In addition, Sec.  73.1(a)(1)(iii) (the land vehicle bomb 
provision) is similarly revised to delete the ``four-wheel drive'' 
limitation, and to add a capability that the vehicle bomb ``may be 
coordinated with an external assault,'' maximizing its destructive 
potential. Further, an entirely new capability has been added to the 
DBT involving a waterborne vehicle bomb, which also is encompassed in 
the coordinated attack concept.
    The Commission has also carefully considered biochemical threats 
both before and after the events of September 11, 2001. The previous 
rule already contained requirements that provided the capability of 
using ``incapacitating agents,'' and that attribute has been retained 
in the final rule. In addition, armed responders are required to be 
equipped with gas masks to effectively implement the protective 
strategy and mitigate the effects of the incapacitating agents.
    Public Comment: Although many of the public comments could 
generally be characterized as addressing Factor 2, only a few comments 
specifically fell under this factor. One commenter stated that the NRC 
needs to engage independent experts to develop a comprehensive computer 
vulnerability and cyber attack threat assessment, that must evaluate 
the vulnerability of the full range of nuclear power plant computer 
systems and the potential consequences of these vulnerabilities. The 
commenter further suggested that the revised DBTs must incorporate 
these findings and include a protocol for quickly detecting such an 
attack and recovering key computer functions in the event of an attack.
    Two other commenters stated that the regulations do not reflect 
protections against explosive devices of considerable size, other 
modern weaponry, and cyber, biochemical, and other terrorist threats. 
Another commenter did not believe the proposed DBTs protected against 
all conceivable attacks, such as launching a large explosive device 
from a boat, clogging the water intakes, dropping a conventional bomb 
into spent fuel pools, insider sabotage, etc.
    Response to Public Comment: Regarding the threat of cyber attack 
comment, the NRC agrees with the statement submitted by the commenter 
and explicitly included a cyber attack as an element of the DBTs in the 
final rule. The basis for this addition, and implications of the rule 
change are discussed further in Section III of this document. In 
addition, the proposed 10 CFR 73.55(m), ``Digital Computer and 
Communication Networks,'' that is included in the proposed rule, 
``Power Reactor Security Requirements,'' (71 FR 62664; October 26, 
2006), contains proposed measures to mitigate a cyber attack.
    With respect to the other comments regarding protection against 
explosives of considerable size and modern weaponry, as stated earlier, 
the details of the adversary capabilities can not be specified 
publicly, but the Commission believes they are appropriate. 
Furthermore, the land vehicle bomb assault may be coordinated with an 
external assault, maximizing its destructive potential.
    The NRC does not intend the DBTs to represent ``worst case'' 
scenarios or all conceivable attacks. It is impossible to address all 
possible attack scenarios, because there is no theoretical limit to 
what attack scenarios can be conceived. Therefore, the NRC staff 
considers the tactics that have been observed in use, discussed, or 
trained for by potential adversaries. These tactics and DBT provisions 
are subjected to an interagency review process where Federal law 
enforcement and intelligence community agencies comment and provide 
feedback. If changes develop in adversary tactics that could 
significantly impact nuclear facility security, the staff would request 
that the Commission consider these tactics for inclusion in the DBT 
provisions. In summary:
     NRC position: Agrees with one element of comment--include 
cyber threat as an attribute; disagrees with the other two elements.
     Action: Final rule includes cyber attack as an explicit 
element of the DBTs. No other action required.
Factor 3. The Potential for Attack on Facilities by Multiple 
Coordinated Teams of a Large Number of Individuals
    The Commission's Consideration: The number of attackers and the 
tactics used by those attackers is now and has always been a core 
consideration of the DBT. Although the NRC obviously

[[Page 12709]]

cannot comment on the size (specific number of attackers) of the DBT 
adversary force for operational security reasons, it can address the 
process how these numbers are derived. As noted in the Commission's 
consideration of Factor 1, the size of the DBT adversary force and the 
number of assault teams were derived through a careful and deliberative 
process involving not only the NRC staff, but Federal law enforcement, 
and intelligence community, and homeland security agencies using a 
variety of classified and unclassified sources. A statistical analysis 
was done on terrorist group size by looking at hundreds of terrorist 
attacks over several years, and comparing them with previous group size 
analyses for changes in long-term trends. Large ``outlier'' terrorist 
events, although few in number, were included in this analysis. This 
statistical analysis was factored into a parallel analysis of known 
terrorist attacks against protected facilities (also few in number) and 
terrorist training, tactics, and doctrinal manuals concerning armed 
assaults against facilities.
    In addition, the NRC found that the vague qualifiers (``several 
persons'' and ``small group'') in the previous adversary descriptions 
in 10 CFR 73.1 did little to add to the clarity of the rule because the 
phrases are highly subjective. Thus, the final rule now contains the 
more specific language ``by an adversary force capable of operating in 
each of the following modes: a single group attacking through one entry 
point, multiple groups attacking through multiple entry points, a 
combination of one or more groups and one or more individuals attacking 
through multiple entry points, or individuals attacking through 
separate entry points.'' By revising the language in the rule and 
eliminating the reference to ``several persons'' and ``small group,'' 
the NRC actually increased the potential flexibility of the design 
basis adversary. The use of multiple adversary groups is not 
necessarily tactically advantageous to the attacking force in all 
possible scenarios. In some instances, the adversary force, as 
simulated in Force-on-Force (FOF) exercises can, based on its analysis 
of the licensee's protective strategy, concentrate its force in a 
single group if necessary to best attack a facility. In other 
instances, a licensee's protective strategy may be more vulnerable to 
multiple groups of attackers attempting entry from different locations. 
In any event, the final DBT rule now provides enough flexibility to 
account for all of these scenarios, while the guidance provides 
sufficient specificity.
    Public Comment: Several commenters contend that for nuclear power 
plants, the regulations should provide protection against coordinated 
attacks by multiple large groups of up to two dozen sophisticated and 
knowledgeable adversaries.
    Response to Public Comment: As stated above, the Commission has 
revised the rule to reflect these considerations and to provide maximum 
flexibility in developing threat scenarios which licensees must defend 
against. In summary:
     NRC position: Agrees partially with the comment.
     Action: No additional action required, beyond adoption of 
more specific language in the final rule.
Factor 4. The Potential for Assistance in an Attack From Several 
Persons Employed at the Facility
    The Commission's Consideration: The Commission has always 
considered the threat of insider assistance to be a very real and 
significant threat. Thus, the DBTs have long contained a provision 
requiring licensees to protect against insider assistance. Also, other 
NRC regulations contain substantial requirements for access 
authorization programs (10 CFR 73.56, ``Personnel Access Authorization 
Requirements for Nuclear Power Plants,'' and 10 CFR 73.57, 
``Requirements for Criminal History Checks of Individuals Granted 
Unescorted Access to a Nuclear Power Facility or Access to Safeguards 
Information by Power Reactor Licensees''). However, the final rule has 
amended this requirement to expand the threat of insider assistance. 
For instance, 10 CFR 73.1(a)(1)(A) and (2)(i)(A) add language 
indicating that the adversaries have ``sufficient knowledge to identify 
specific equipment or locations necessary for a successful attack.'' 
Therefore, this provision suggests that this knowledge could be 
obtained from an insider who has such knowledge.
    The insider assistance provision itself has also been revised. The 
final rule deletes the term ``individual'' to provide flexibility in 
defining the number of persons who may be involved in providing inside 
assistance.
    Public Comment: One commenter stated that the insider attribute 
must include an active participant in an attack and should include the 
possibility of first responders and or National Guardsmen providing 
insider assistance.
    Response to Public Comment: The NRC agrees with part one of this 
comment. The capability of ``active'' insider assistance is clearly 
stated in both 10 CFR 73.1(a)(1)(i)(B) for radiological sabotage and 10 
CFR 73.1(a)(2)(i)(B) for theft or diversion of strategic special 
nuclear material. Further, the ``active'' assistance capability has 
long been a component of the DBTs. The use of the conjunction ``or'' 
provides for increased tactical flexibility on the part of the 
adversary, based on the specific situation. It does not preclude an 
active insider in favor of a passive one.
    The NRC disagrees with the second part of this comment. National 
Guard, local law enforcement and other non-licensee security personnel 
already stationed at the owner-controlled boundary or entry portals of 
some licensee facilities are not part of the licensee workforce and not 
subject to NRC regulatory authority; hence, they are considered beyond 
the scope of the DBTs. Typically, these organizations have their own 
internal screening procedures to determine reliability and 
trustworthiness. The NRC recognizes that those processes exist and 
provide an appropriate level of assurance against an insider threat to 
that organization. Furthermore, first responders, law enforcement, and 
National Guard personnel are not given unescorted access to the 
Protected Area (PA).
    First responders, law enforcement, and other external security 
personnel responding to an emergency or security event at a site would 
do so according to established emergency response protocols. If a 
particular responding organization had been penetrated by an adversary 
insider, then that adversary would be considered an external adversary 
for purposes of the DBTs. The requirement that licensees protect 
against ``A determined violent external assault, attack by stealth, or 
deceptive actions, including diversionary actions,'' as described in 
Sec. Sec.  73.1(a)(1)(i), and 73.1(a)(2)(i), anticipates such an 
adversary. In summary:
     NRC Position: Agrees with the first element of the 
comment, disagrees with the second element of the comment.
     Action: No action required.
Factor 5. The Potential for Suicide Attacks
    The Commission's Consideration: The final rule contains language 
reflecting the potential for suicide attacks. This level of commitment 
has been assumed since the first DBTs were established by the NRC. 
Language has been added to Sec. Sec.  73.1(1)(i)(A) and 73.1(2)(i)(A) 
indicating that potential adversaries have the attribute of a 
willingness to ``kill or be killed.''

[[Page 12710]]

    Public Comment: No public comment received.
    Response to Public Comment: No response required.
Factor 6. The Potential for Water-Based and Air-Based Threats
    a. The Commission's Consideration: Certainly one of the most 
substantial considerations of the Commission, NRC licensees, the 
Federal government, and the public is the threat of airborne attacks 
against critical infrastructures. As stated below, the vast majority of 
comments received by the Commission on the proposed DBT rule regarded 
the airborne threat. The Commission has been evaluating the issue of 
air-based threats long before it was required by the EPAct, and its 
position on the necessity to add this attribute to the DBTs prior to 
this rulemaking has been well documented. The Commission's evaluation 
of the airborne threat has been an ongoing process, and it has spent a 
significant amount of time and resources as part of this rulemaking in 
considering whether to make some type of airborne threat part of the 
DBTs. Ultimately, the Commission has determined that active protection 
against the airborne threat requires military weapons and ordnance that 
rightfully are the responsibilities of the Department of Defense (DOD), 
such as ground-based air defense missiles, and thus, the airborne 
threat is one that is beyond what a private security force can 
reasonably be expected to defend against. This does not mean that the 
Commission is discounting the airborne threat; merely that the 
responsibility for actively protecting against the threat lies with 
other organizations of the Federal government, as it does for any U.S. 
commercial infrastructures.
    Beyond active protection, the Commission believes that some 
considerations involving airborne attack relate to the development of 
specific protective strategies and physical protection measures that 
are not within the scope of the DBTs. The deployment of ground-based 
air defense weapons would be a decision for the Departments of Defense, 
Homeland Security, Transportation and Justice, not the NRC. In 
addition, the NRC believes that application of ground-based air defense 
weapons would present significant command and control challenges, 
particularly relating to the time required to identify and confirm the 
presence of a hostile aircraft and for a commercial entity to get 
permission to engage. The potential for collateral damage to the 
surrounding community also would have to be considered. Deployment of 
protective measures such as no-fly zones, combat air patrols, and 
ground-based air defenses are undertaken by many other Federal 
organizations working on preventing and protecting critical 
infrastructure from terrorist attacks, including the U.S. Northern 
Command (USNORTHCOM) and North American Aerospace Defense Command 
(NORAD), the Transportation Security Administration (TSA), and the 
Federal Aviation Administration (FAA). The FAA has issued a Notice to 
Airmen (NOTAM) strongly advising pilots to avoid the airspace above, or 
in proximity to, such sites as power plants (nuclear, hydro-electric, 
or coal), dams, refineries, industrial complexes, military facilities 
and other similar facilities. Pilots are warned not to loiter in the 
vicinity of these types of facilities. The significant increase in 
aviation security since September 11, 2001, goes a long way toward 
protecting the United States, including nuclear facilities, from an 
aerial attack. Some of these improvements include:
     Criminal history checks on flight crew;
     Reinforced cockpit doors;
     Checking of passenger lists against ``no-fly'' lists;
     Increased control of cargo;
     Random inspections;
     Increased Federal Air Marshal presence;
     Improved screening of passengers and baggage;
     Federal Flight Deck Officer Program;
     Controls on foreign passenger carriers;
     Requirements on charter aircraft;
     Enhanced vigilance of flight training; and
     Improved coordination and communication between civilian 
and military authorities.
    In February 2002, the Commission, in addition to the actions of 
other Federal entities, directed nuclear power plant licensees to 
develop specific plans and strategies to respond to a wide range of 
threats, including the impact of an aircraft attack. NRC staff 
conducted mock exercises to practice imminent air attack responses with 
each licensee. The NRC has continued to work with licensees on these 
issues and has inspected licensee actions to identify and implement 
mitigation strategies to limit the effects of such an event. The NRC 
has conducted detailed, site-specific engineering studies of a limited 
number of plants to gain insights on potential vulnerabilities of 
nuclear power plants to deliberate attacks involving large commercial 
aircraft. The results of these studies have confirmed the effectiveness 
of the February 2002 NRC-ordered mitigative measures, and have 
identified the need for some additional enhancements. For the 
facilities analyzed, the studies confirm the low likelihood of both 
damaging the reactor core and releasing radioactivity that could affect 
public health and safety. Even in the unlikely event of a radiological 
release due to a terrorist use of a large aircraft against a nuclear 
power plant, the studies indicate that there would be time to implement 
the required on-site mitigating actions. These results have also 
validated the potential radioactive source term for off-site emergency 
planning basis. Nevertheless, on June 20, 2006, the NRC issued orders 
to appropriate power reactor licensees requiring the implementation of 
additional key radiological protection and mitigation strategies to 
reduce potential consequences from the loss of large areas of the plant 
due to large fires or explosions. This information is discussed in, 
``In the Matter of Operating Power Reactor Licensees Identified in 
Attachment 1; Orders Modifying Licensees (Effective Immediately),'' (71 
FR 36554; June 27, 2006). Additional studies are being considered to 
further assess mitigative capabilities. The NRC will continue to 
coordinate with the Department of Homeland Security (DHS) on this 
initiative. (See Factor 9 for further discussion of a related topic, 
``The potential for fires, especially fires of long duration.'')
    Finally, in early March 2006, the NRC hosted an Interagency 
Aircraft Attack Tabletop Exercise at NRC Headquarters. Representatives 
from the DHS, the DOD/USNORTHCOM, and the FBI attended. The purpose of 
the exercise was to explore Federal responsibilities and interfaces, 
consistent with the National Infrastructure Protection Plan and 
National Response Plan, for terrorist incidents at nuclear power 
plants, with a focus on an aircraft attack on the facility. The 
tabletop exercise reconfirmed the respective responsibilities of the 
participating organizations (NRC, DHS, DOD, and FBI) in the event of a 
nuclear plant aircraft attack and clarified protocols for response-
related interagency communication and coordination.
    The final DBT contains two new provisions that account for the 
capability of a water-based attack, as discussed under Factor 2. These 
capabilities were included based on conclusions drawn from the NRC's 
continuing review of intelligence information and liaison with Federal 
law enforcement, intelligence community, and homeland security

[[Page 12711]]

agencies. Sections 73.1(a)(1)(i)(E) and 73.1(a)(2)(i)(E) add the 
capability to use water-based vehicles for transporting personnel and 
equipment to the proximity of vital areas. Sections 73.1(a)(1)(iv) and 
73.1(a)(2)(iv) add a new provision for a waterborne vehicle bomb 
assault. The NRC has concluded that defense against these new DBT 
provisions will provide a high-assurance of protection against the 
waterborne threat.
    Public Comment: Approximately 820 comments indicated that the 
``beamhenges'' concept or similar barrier method of protection should 
be considered for protection against airborne attacks. As generically 
described by the commenters, a ``beamhenge'' shield is constructed out 
of an interlocking series of steel I-beams and cables that would be 
built at sufficient stand-off distances from safety-related buildings 
at nuclear power plants to protect against an aircraft attack. Comments 
also indicated that a ``no-fly'' zone should be imposed around nuclear 
power plants and that ground based-air defense systems should be 
deployed to protect each site.
    Further, multiple commenters expressed concerns regarding the 
vulnerabilities of nuclear power plants and other licensed facilities 
to terrorist waterborne attacks. Commenters suggested that the revised 
DBTs should require nuclear power plants and other licensed facilities 
situated on navigable waterways to be equipped with visible, engineered 
physical barriers.
    Response to Public Comment: The Commission has spent considerable 
time and resources considering the threat of airborne and waterborne 
attacks on nuclear facilities. Based on these considerations, the NRC 
has chosen a two-track approach to respond to these threats in order to 
assure adequate protection. First, the NRC has determined that active 
protection against the airborne threat rests with other organizations 
of the Federal government, such as NORTHCOM and NORAD, TSA, and FAA. 
The NRC will continue to test these relationships through exercises. 
Second, licensees have been directed to implement certain mitigative 
measures to limit the effects of an aircraft strike. To the extent that 
commenters have suggested the imposition of specific physical security 
measures such as the ``beamhenges'' concept, the NRC has considered on 
the issue, but has rejected the concept because it believes that the 
mitigation measures in place are sufficient to ensure adequate 
protection of the public health and safety.
    With respect to the waterborne attack threat, the DBT rule has been 
revised to reflect two new water-based capabilities. However, 
requirements of physical barriers for the protection of the nuclear 
power plants and other licensed facilities under waterborne attack are 
not in the scope of DBT rule. Requirements for physical barriers are 
addressed in a separate rulemaking to amend 10 CFR 73.55. The security 
requirements in the proposed rulemaking that would amend 10 CFR 73.55 
(71 FR 62664; October 26, 2006) address protective strategies and 
security measures for nuclear power plants and other licensed 
facilities under waterborne attacks, and require licensees to defend 
against the DBTs. In summary:
     NRC Position: Agrees with the waterborne comment. 
Disagrees with ``no-fly'' zones and ``beamhenges'' concept comments.
     Action: No action required.
Factor 7. The Potential Use of Explosive Devices of Considerable Size 
and Other Modern Weaponry
    The Commission's Consideration: As part of its consideration of 
Factor 2, the Commission assessed the potential use of explosive 
devices of considerable size and other modern weaponry. The Commission 
notes that the DBTs have been revised to specifically reflect these two 
considerations. First, Sec. Sec.  73.1(a)(1)(i)(C) and 73.1(a)(2)(i)(C) 
were amended to revise the phrase ``up to and including'' to simply 
``including'' to increase the flexibility in defining the available 
range of weapons. Second, the vehicle bomb threat has been expanded to 
include waterborne vehicles. This factor has been further articulated 
in Factor 2.
    Public Comment: Refer to Factor 2.
    Response to Comment: Refer to Factor 2.
    In summary:
     NRC Position: Agrees with the comment.
     Action: No action required.
Factor 8. The Potential for Attacks by Persons With a Sophisticated 
Knowledge of Facility Operations
    The Commission's Consideration: As noted above under the discussion 
of Factor 4, Sec. Sec.  73.1(a)(1)(i)(A) and 73.1(a)(2)(i)(A) added 
language indicating that the adversaries have ``sufficient knowledge to 
identify specific equipment or locations necessary for a successful 
attack.''
    Public Comment: No public comment received.
    Response to Comment: No response required.
Factor 9. The Potential for Fires, Especially Fires of Long Duration
    The Commission's Consideration: The DBTs describe specific 
adversary characteristics against which licensees must be prepared to 
defend. Fires, in contrast, are not adversary characteristics, but 
result from a particular adversary attack. Nevertheless, the NRC 
considered fires resulting from several possible initiating events, 
both accidental and malicious in nature. The NRC conducted 
vulnerability assessments for some operating nuclear power plants in 
the 1970s and 1980s to establish the technical basis for security 
requirements. The NRC also routinely evaluated the potential impacts of 
terrorist attacks on power reactors as part of the FOF exercise program 
on a plant-by-plant basis. After the terrorist attacks on September 11, 
2001, the NRC promptly assessed the potential for and consequences of 
terrorists targeting a nuclear power plant, including its spent fuel 
storage facilities, for an aircraft attack, the physical effects of 
such a strike, and how compounding factors (e.g., fires, meteorology, 
etc.) would affect the impact of potential radioactive releases. As 
part of a comprehensive assessment, the NRC conducted detailed site-
specific engineering studies of a limited number of nuclear power 
plants to assess potential vulnerabilities of deliberate attacks 
involving a large commercial aircraft. Additional Commission 
considerations are provided under the discussion of Factor 6. A summary 
of the assessment study is available in a publicly available document.
    Public Comment: One commenter stated that the proposed rule did not 
consider the potential for fires, especially fires of long duration and 
thus asserts that the proposed rule does not comply with the 
Congressional directive because it fails to mention the fire threat.
    Response to Public Comment: The NRC disagrees with the statement 
submitted by the commenter. As stated above, the NRC considered fire to 
be a result of several possible threats. Adversary forces, bombs, and 
explosives can all result in fires, and potentials for fires have been 
considered during the DBT rulemaking process. The following is provided 
as background information related to this comment.
    As part of a larger NRC effort to enhance the safety and security 
of the Nation's nuclear power plants, an initiative was undertaken as 
part of a February 2002 NRC Order. The order required licensees to look 
at what might

[[Page 12712]]

happen if a nuclear power plant lost large areas due to explosions or 
fires. The licensees then were required to identify and later implement 
strategies that would maintain or restore cooling for the reactor core, 
containment building, and spent fuel pool. The requirements listed in 
Section B.5.b of this order directed licensees to identify ``mitigative 
strategies'' (meaning the measures licensees could take to reduce the 
potential consequences of a large fire or explosion) that could be 
implemented with resources already existing or ``readily available.'' 
The NRC held inspections in 2002 and 2003 to identify if licensees had 
implemented the required mitigative strategies.
    These inspections, as well as additional studies, showed 
significant differences in the strategies implemented by the plants. As 
a result, the NRC developed additional mitigative strategy guidance. 
The guidance was based on ``lessons learned'' from NRC engineering 
studies and included a list of ``best practices'' for mitigating losses 
of large areas of the plant. Each plant was requested to consider 
implementation of applicable additional strategies by August 31, 2005. 
The NRC inspected each plant in 2005 to review their implementation of 
any additional mitigative measures. The NRC is continuing to ensure 
licensees appropriately implement these measures.
    Finally, aircraft attack, another threat likely to result in fires 
was also considered and studies analyzing the consequences of 
successful commercial airline attacks were performed. In conducting 
these studies, the NRC drew on national experts from several DOE 
laboratories using state-of-the-art structural and fire analyses. The 
NRC also enhanced its ability to realistically predict accident 
progression and radiological release consequences. For the facilities 
analyzed, the studies found that the likelihood of both damaging the 
reactor core and releasing radioactivity that could affect public 
health and safety is low. Even in the unlikely event of a radiological 
release due to terrorist use of a large aircraft, there would be time 
to implement mitigating actions and off-site emergency plans such that 
the NRC's emergency planning basis remains valid (71 FR 36554; June 27, 
2006). Additional site-specific studies of operating nuclear power 
plants are underway or being planned to determine the need, if any, for 
additional mitigating capability on a site-specific basis. In summary, 
the NRC considered the potential for fires during the DBT rulemaking 
process, as required by the EPAct.
     NRC position: Disagrees with the comment.
     Action: No action required.
Factor 10. The Potential for Attacks on Spent Fuel Shipments by 
Multiple Coordinated Teams of a Large Number of Individuals
    The Commission's Consideration: As stated in response to Factor 3, 
the Commission considered the potential for attacks on nuclear 
facilities by multiple coordinated groups of a large number of 
individuals. The number of attackers and the tactics used by those 
attackers is now and has always been a core consideration of the DBTs. 
In addition, the Commission has considered the potential for attacks on 
spent fuel shipments and issued an order, requiring specific protective 
measures. The Commission is planning to propose a rule on spent fuel 
shipments in the near future.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.
Factor 11. The Adequacy of Planning To Protect the Public Health and 
Safety at and Around Nuclear Facilities, as Appropriate, in the Event 
of a Terrorist Attack Against a Nuclear Facility
    The Commission's Consideration: The DBT rule does not include 
requirements imposing specific emergency planning considerations. 
Nevertheless, the Commission considered the implications of security-
related incidents on emergency planning. As part of those efforts, 
following the terrorist attacks of September 11, 2001, the NRC 
evaluated the emergency preparedness (EP) planning basis and determined 
that the planning basis for nuclear power reactors remains valid. 
Further, the NRC issued orders requiring compensatory measures for 
nuclear security and safety, and observed licensee performance during 
security-based EP drills and exercises and security FOF exercise 
evaluations. Also, the NRC reviewed current public radiological 
protective action guidance, and discussed security-based EP issues with 
various stakeholders, including licensees and Federal, State and local 
government officials. Based on the information obtained from the 
reviews and evaluations, the NRC determined that EP of nuclear power 
plants could be enhanced. The Commission approved the communication of 
enhancements to EP and response actions for security-based events to 
power reactor licensees. NRC Bulletin 2005-02, ``Emergency Preparedness 
and Response Actions for Security-Based Events,'' dated July 18, 2005, 
communicated enhancements in the following areas:
     Security-based emergency classification levels and 
emergency action levels;
     A 15 minute prompt notification to the NRC for security-
based events;
     On-site protective actions to maximize personnel safety 
during security-based events;
     Enhanced emergency response organization augmentation; and
     Development of a security-based emergency drill and 
exercise program.
    As of February 18, 2006, all power reactor licensees have 
implemented the enhancements to their EP programs with the exception of 
the drill and exercise program. A majority of nuclear power plant 
licensees indicated that adoption of the security-based EP drill and 
exercise program is contingent on NRC and the Department of Homeland 
Security (DHS) endorsement. The NRC continues to work with DHS and the 
Nuclear Energy Institute to develop and implement a security-based 
drill and exercise program at power reactor licensees. This program is 
being conducted in a phased approach. Tabletop drills at four power 
reactor sites and a facility drill were conducted successfully, and 
areas for improvement were identified and incorporated by the industry 
into draft guidelines. Over the next three years, the industry plans to 
conduct security-based EP drills at each power reactor licensee with an 
end state of the integration of security-based EP scenarios into the 
biennial EP exercise program.
    In addition to those security-related emergency planning efforts, 
the NRC and DHS worked together to develop and improve EP for a 
terrorist attack through federal initiatives such as comprehensive 
review programs and integrated response planning efforts. The NRC and 
DHS have enhanced the coordination of integrated EP programs through 
evaluations of licensee and State/local/tribal response capabilities, 
and reviews of critical infrastructure preparedness and response plans 
for commercial nuclear power plants. Our combined efforts have resulted 
in specific enhancements to security-related EP measures, and continued 
improvement in capabilities for licensees and off-site response 
organizations to respond to a wide spectrum of events.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.

[[Page 12713]]

Factor 12. The Potential for Theft or Diversion of Nuclear Material 
From Such Facilities
    The Commission's Consideration: The DBT rule includes two separate 
components, the DBT of radiological sabotage, and the DBT of theft or 
diversion of formula quantities of special nuclear materials. Although 
the legal requirements of the radiological sabotage DBT and the theft 
or diversion DBT, as embodied in the rule text of Sec. Sec.  73.1(a)(1) 
and in 73.1(a)(2), respectively, are the same, the ACDs and RGs differ 
in describing how power reactor and Category I fuel cycle facility 
licensees should implement and comply with the separate rules. These 
differences are classified and are not elaborated on here.
    As stated in 10 CFR 73.55(a), power reactor licensees are only 
required to protect against the threat of radiological sabotage. Spent 
fuel is not an attractive theft or diversion target due to its large 
physical size and high thermal heat and radioactivity (most power 
reactor spent fuel is considered ``self-protecting''). As stated in the 
response to Group III Comments No. 18 (Security of Dry Cask Storage) 
and 19 (Security of Spent Fuel Pools), the NRC has required that 
licensees take additional security and mitigating measures against a 
radioactive release of spent fuel.
    The NRC has authorized the Duke Energy Corporation, owner and 
operator of the Catawba plant, to irradiate four fuel assemblies of 
Mixed-Oxide (MOX) fuel at the Catawba plant on a test basis as part of 
its license amendment issued on March 3, 2005. MOX fuel technically 
meets the criteria of a formula quantity of Strategic Special Nuclear 
Material, in this case plutonium, and would be subject to the DBT 
provisions of Sec.  73.1(a)(2) for theft or diversion. However, the NRC 
staff found that MOX fuel is not attractive to potential adversaries 
from a theft and diversion standpoint at the reactor site due to its 
low plutonium concentration, composition, and form (size and weight). 
The MOX fuel consists of plutonium oxide particles dispersed in a 
ceramic matrix of depleted uranium oxide with a plutonium concentration 
of less than six weight percent. The MOX fuel assemblies are the same 
form as conventional fuel assemblies designed for a commercial light-
water power reactor and are over 12 feet long and weigh approximately 
1,500 pounds. A large quantity of MOX fuel and an elaborate extraction 
process would be required to yield enough material for use in an 
improvised nuclear device or weapon. On the ``attractiveness'' bases, 
the NRC staff found that the complete application of 10 CFR 
73.45(d)(1)(iv), 73.46 (C)(1), 73.46(h)(3), 73.46(b)(3)-(b)(12), 
73.46(d)(9), and 73.46(e)(3) for MOX fuel was not necessary. The staff 
therefore approved the exemptions requested to these regulations, 
finding that they were authorized by law, and will not endanger life or 
property or the common defense and security, and that are otherwise in 
the public interest. The Commission later approved this determination 
in an adjudicatory order issued on June 20, 2005. Duke Energy 
Corporation (Catawba Nuclear Station, Units 1 and 2), CLI-05-014, 61 
NRC 359,363 (2005).
    Furthermore, transportation of the MOX fuel assemblies to Catawba 
will be done by the Department of Energy's (DOE's) Office of Secure 
Transportation, that has legal responsibility for the MOX fuel 
assemblies until custody is transferred to the licensee. Afterwards, 
the spent MOX fuel is cooled and stored like other spent fuel on site 
and is subject to the radiological sabotage DBT while stored in the 
spent fuel pool inside the Protected Area of the plant.
    Public Comment: No public comment received.
    Response to Public Comment: No response required.

Section B

Group II. In Scope Comments
1. Defining the ``Design Basis Threat''
    Public Comment: Multiple commentators expressed concern that the 
NRC has not publicly defined or explained the ``design basis threat.'' 
Specifically, commenters were unclear what the Commission means by the 
statement that the DBTs are based on a ``determination as to the 
attacks against which a private security force can reasonably be 
expected to defend.'' These commenters suggested that the Commissions's 
failure to articulate the DBT concept creates an ambiguity in 
establishing the division of responsibility between NRC licensees and 
the DOD, or DHS. Several commenters suggested that if the NRC does not 
require plants to defend against air attack because it is unreasonable 
for a private security force to be able to do so, then it has no choice 
but to federalize security by requesting that DHS or the military 
assume full responsibility for the protection of nuclear power 
facilities.
    Other commenters suggested that the NRC's rationale for limiting 
the characteristics of the DBTs to the attacks against which a private 
security force could reasonably be expected to defend appears to be 
based on cost considerations, which is not permitted for measures that 
are necessary for the protection of public safety.
    Other commenters representing the nuclear industry, while agreeing 
that the DBT scope must be clear, asserted that the DBT can not be 
greater than the largest threats against which private sector 
facilities can reasonably be requested to defend themselves, and 
threats beyond the DBT are reasonably the responsibility of the 
national defense system.
    Response to Public Comment: The Commission has determined that the 
DBTs, as articulated in the rule, are based on adversary 
characteristics against which a private security force can reasonably 
be expected to defend. This formulation provides the Commission with 
the flexibility necessary to make reasoned, well-informed decisions 
regarding the DBTs. In contrast, detailed, prescriptive criteria would 
be unduly restrictive, and would unnecessarily limit the Commission's 
judgment. This judgment is guided by the Commission's considerable 
expertise in nuclear security matters, developed over the course of 30 
years of experience regulating the physical protection of nuclear 
facilities.
    With regard to the federalization of nuclear plants security 
forces, the Commission does not have the authority to federalize 
nuclear security forces and cannot demand deployment of military forces 
to protect nuclear facilities. Nor has Congress chosen to require these 
measures. As it has stated publicly many times, the Commission is 
confident that neither measure is necessary or even prudent. A primary 
reason for this is that the introduction of a federalized nuclear 
security force or military unit to provide day-to-day security would 
create command and control issues for plant management because it would 
essentially establish two classes of employees at commercial nuclear 
facilities, both of whom would be responsible for reactor safety in the 
event of a terrorist attack. This could result in a reduction in the 
licensee's ability to ensure reactor safety. In contrast, the continued 
use of private nuclear security officers responsible to the licensee 
maintains a unitary command structure focused on a unitary objective. 
The tightly-regulated private nuclear security forces in use today are 
well trained on the unique security considerations specific to nuclear 
power facilities and through rigorous FOF training have proven 
themselves to be effective and reliable. These conclusions were also 
documented when the Commission originally studied the issue

[[Page 12714]]

in 1976 in a report to Congress titled the ``Security Agency Study.''
    The DBT rule is also guided by the Commission's knowledge that, in 
addition to being among the most robust industrial facilities in the 
world, nuclear power plants are arguably the most physically secured 
industrial facilities. No other civilian industry security force is 
subject to as much regulatory oversight as the nuclear industry. 
However, the Commission acknowledges that the use of private security 
forces to defend nuclear power facilities faces limitations. For 
instance, there are legal limitations on the types of weapons and 
tactics available to private security forces. Generally, nuclea