Power Reactor Security Requirements, 13926-13993 [E9-6102]

Agencies

• NUCLEAR REGULATORY COMMISSION

[Federal Register Volume 74, Number 58 (Friday, March 27, 2009)]
[Rules and Regulations]
[Pages 13926-13993]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E9-6102]



[[Page 13925]]

-----------------------------------------------------------------------

Part III





Nuclear Regulatory Commission





-----------------------------------------------------------------------



10 CFR Parts 50, 52, 72 et al.



-----------------------------------------------------------------------



Power Reactor Security Requirements; Final Rule

Federal Register / Vol. 74 , No. 58 / Friday, March 27, 2009 / Rules 
and Regulations

[[Page 13926]]


-----------------------------------------------------------------------

NUCLEAR REGULATORY COMMISSION

10 CFR Parts 50, 52, 72, and 73

[NRC-2008-0019]
RIN 3150-AG63


Power Reactor Security Requirements

AGENCY: Nuclear Regulatory Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Nuclear Regulatory Commission (NRC) is amending its 
security regulations and adding new security requirements pertaining to 
nuclear power reactors. This rulemaking establishes and updates 
generically applicable security requirements similar to those 
previously imposed by Commission orders issued after the terrorist 
attacks of September 11, 2001. Additionally, this rulemaking adds 
several new requirements not derived directly from the security order 
requirements but developed as a result of insights gained from 
implementation of the security orders, review of site security plans, 
implementation of the enhanced baseline inspection program, and NRC 
evaluation of force-on-force exercises. This rulemaking also updates 
the NRC's security regulatory framework for the licensing of new 
nuclear power plants. Finally, it resolves three petitions for 
rulemaking (PRM) that were considered during the development of the 
final rule.

DATES: Effective Date: This final rule is effective on May 26, 2009. 
Compliance Date: Compliance with this final rule is required by March 
31, 2010, for licensees currently licensed to operate under 10 CFR Part 
50.

ADDRESSES: You can access publicly available documents related to this 
document using the following methods:
    Federal e-Rulemaking Portal: Go to https://www.regulations.gov and 
search for documents filed under Docket ID [NRC-2008-0019]. Address 
questions about NRC Dockets to Carol Gallagher at 301-492-3668; e-mail 
Carol.Gallagher@nrc.gov.
    NRC's Public Document Room (PDR): The public may examine and have 
copied for a fee publicly available documents at the NRC's PDR, Public 
File Area O1 F21, One White Flint North, 11555 Rockville Pike, 
Rockville, Maryland.
    NRC's Agency Wide Documents Access and Management System (ADAMS): 
Publicly available documents created or received at the NRC are 
available electronically at the NRC's Electronic Reading Room at https://www.nrc.gov/reading-rm/adams.html. From this page, the public can gain 
entry into ADAMS, which provides text and image files of the NRC's 
public documents. If you do not have access to ADAMS or if there are 
problems in accessing the documents located in ADAMS, contact the NRC's 
PDR reference staff at 1-800-397-4209, 301-415-4737 or by e-mail to 
pdr.resource@nrc.gov.

FOR FURTHER INFORMATION CONTACT: Ms. Bonnie Schnetzler, Office of 
Nuclear Security and Incident Response, U.S. Nuclear Regulatory 
Commission, Washington, DC 20555-0001; telephone 301-415-7883; e-mail: 
Bonnie.Schnetzler@nrc.gov, or Mr. Timothy Reed, Office of Nuclear 
Reactor Regulation, U.S. Nuclear Regulatory Commission, Washington, DC 
20555-0001; telephone 301-415-1462; e-mail: Timothy.Reed@nrc.gov.

SUPPLEMENTARY INFORMATION:

I. Background
II. Petitions for Rulemaking
III. Discussion of Substantive Changes and Responses to Significant 
Comments
IV. Section-by-Section Analysis
V. Guidance
VI. Criminal Penalties
VII. Availability of Documents
VIII. Voluntary Consensus Standards
IX. Finding of No Significant Environmental Impact
X. Paperwork Reduction Act Statement
XI. Regulatory Analysis
XII. Regulatory Flexibility Certification
XIII. Backfit Analysis
XIV. Congressional Review Act

I. Background

A. Historical Background and Overview

    Following the terrorist attacks on September 11, 2001, the 
Commission issued a series of orders to ensure that nuclear power 
plants and other licensed facilities continued to have effective 
security measures in place given the changing threat environment. 
Through these orders, the Commission supplemented the design basis 
threat (DBT) as well as mandated specific training enhancements, access 
authorization enhancements, and enhancements to defensive strategies, 
mitigative measures, and integrated response. Additionally, through 
generic communications, the Commission specified expectations for 
enhanced notifications to the NRC for certain security events or 
suspicious activities. The four following security orders were issued 
to licensees:
     EA-02-026, ``Interim Compensatory Measures (ICM) Order,'' 
issued February 25, 2002 (March 4, 2002; 67 FR 9792);
     EA-02-261, ``Access Authorization Order,'' issued January 
7, 2003 (January 13, 2003; 68 FR 1643);
     EA-03-039, ``Security Personnel Training and Qualification 
Requirements (Training) Order,'' issued April 29, 2003, (May 7, 2003; 
68 FR 24514); and
     EA-03-086, ``Revised Design Basis Threat Order,'' issued 
April 29, 2003, (May 7, 2003; 68 FR 24517).
    Nuclear power plant licensees revised their physical security 
plans, access authorization programs, training and qualification plans, 
and safeguards contingency plans in response to these orders. The 
Commission completed its review and approval of the revised security 
plans on October 29, 2004. These plans incorporated the enhancements 
required by the orders. While the specifics of these enhancements are 
protected as Safeguards Information consistent with 10 CFR 73.21, the 
enhancements resulted in measures such as increased patrols; augmented 
security forces and capabilities; additional security posts; additional 
physical barriers; vehicle checks at greater standoff distances; 
enhanced coordination with law enforcement authorities; augmented 
security and emergency response training, equipment, and communication; 
and more restrictive site access controls for personnel including 
expanded, expedited, and more thorough employee background 
investigations.
    The Energy Policy Act of 2005 (EPAct 2005), signed into law on 
August 8, 2005, contained several provisions relevant to security at 
nuclear power plants. Section 653, for instance, added Section 161A. to 
the Atomic Energy Act of 1954, as amended (AEA). This provision allows 
the Commission to authorize certain licensees to use, as part of their 
protective strategies, an expanded arsenal of weapons including machine 
guns and semi-automatic assault weapons. Section 653 also requires 
certain security personnel to undergo a background check that includes 
fingerprinting and a check against the Federal Bureau of 
Investigation's (FBI) National Instant Criminal Background Check System 
(NICS) database. Section 161A, however, is not effective until 
guidelines are completed by the Commission and approved by the Attorney 
General. More information on the NRC's implementation of Section 161A 
can be found below.

B. The Proposed Rule

    As noted to recipients of the post-September 11, 2001, orders, it 
was

[[Page 13927]]

always the Commission's intent to complete a thorough review of the 
existing physical protection program requirements and undertake a 
rulemaking that would codify generically-applicable security 
requirements. This rulemaking would be informed by the requirements 
previously issued by orders and includes an update of existing power 
reactor security requirements, which had not been significantly revised 
for nearly 30 years. To that end, on October 26, 2006, the Commission 
issued the proposed Power Reactor Security rulemaking (71 FR 62663). 
The proposed rule was originally published for a 75-day public comment 
period. In response to several requests for extension, the comment 
period was extended on two separate occasions (January 5, 2005; 72 FR 
480; and February 28, 2007; 72 FR 8951), eventually closing on March 
26, 2007. The Commission received 48 comment letters. In addition, the 
Commission held two public meetings to solicit public comment in 
Rockville, MD on November 15, 2006, and Las Vegas, NV on November 29, 
2006. The Commission held a third public meeting in Rockville, MD, on 
March 9, 2007, to facilitate stakeholder understanding of the proposed 
requirements, and thereby result in more informed comments on the 
proposed rule provisions.
    In addition to proposing requirements that were similar to those 
that had previously been imposed by the various orders, the proposed 
rule also contained several new provisions that the Commission 
determined would provide additional assurance of licensee capabilities 
to protect against the DBT. These new provisions were identified by the 
Commission during implementation of the security orders while reviewing 
the revised site security plans that had been submitted by licensees 
for Commission review and approval, while conducting the enhanced 
baseline inspection program, and through evaluation of the results of 
force-on-force exercises. As identified in the proposed rule, these new 
provisions included such measures as cyber security requirements, 
safety/security interface reviews, functional equivalency of the 
central and secondary alarm stations, uninterruptable backup power for 
detection and assessment equipment, and video image recording equipment 
(See 71 FR 62666-62667; October 26, 2006).
    The Commission also published a supplemental proposed rule on April 
10, 2008, (73 FR 19443) seeking additional stakeholder comment on two 
provisions of the rule for which the Commission had decided to provide 
additional detail. The supplemental proposed rule also proposed to move 
these requirements from appendix C to part 73 in the proposed rule to 
Sec.  50.54 in the final rule. More detail on those provisions and the 
comments received is provided in section III of this document.
    Three petitions for rulemaking (PRM) (PRM-50-80, PRM-73-11, PRM-73-
13) were also considered as part of this rulemaking. Consideration of 
these petitions is discussed in detail in section II of this document.

C. Significant New Requirements in the Final Rule

    This final rulemaking amends the security requirements for power 
reactors. The following existing sections and appendices in 10 CFR Part 
73 have been revised as a result:
     10 CFR 73.55, Requirements for physical protection of 
licensed activities in nuclear power reactors against radiological 
sabotage.
     10 CFR 73.56, Personnel access authorization requirements 
for nuclear power plants.
     10 CFR Part 73, appendix B, section VI, Nuclear Power 
Reactor Training and Qualification Plan for Personnel Performing 
Security Program Duties.
     10 CFR Part 73, appendix C, Licensee Safeguards 
Contingency Plans.
    The amendments also add two new sections to part 73 and a new 
paragraph to 10 CFR Part 50:
     10 CFR 73.54, Protection of digital computer and 
communication systems and networks (i.e., cyber security requirements).
     10 CFR 73.58, Safety/security interface requirements for 
nuclear power reactors.
     10 CFR 50.54(hh), Mitigative strategies and response 
procedures for potential or actual aircraft attacks.
    Specifically, this rulemaking contains a number of significant new 
requirements listed as follows:
    Safety/Security Interface Requirements. These requirements are 
located in new Sec.  73.58. The safety/security interface requirements 
explicitly require licensees to manage and assess the potential 
conflicts between security activities and other plant activities that 
could compromise either plant security or plant safety. The 
requirements direct licensees to assess and manage these interactions 
so that neither safety nor security is compromised. These requirements 
address, in part, PRM-50-80, which requested the establishment of 
regulations governing proposed changes to the facilities which could 
adversely affect the protection against radiological sabotage.
    Mixed-Oxide (MOX) Fuel Requirements. These requirements are 
codified into new Sec.  73.55(l) for reactor licensees who propose to 
use MOX fuel in concentrations of 20 percent or less. These 
requirements provide enhancements to the normal radiological sabotage-
based physical security requirements by adding the requirement that the 
MOX fuel be protected from theft or diversion. These requirements 
reflect the Commission's view that the application of security 
requirements for the protection of formula quantities of strategic 
special nuclear material set forth in Part 73, which would otherwise 
apply because of the MOX fuel's plutonium content, is, in part, 
unnecessary to provide adequate protection for this material because of 
the weight and size of the MOX fuel assemblies. The MOX fuel security 
requirements are consistent with the approach implemented at Catawba 
Nuclear Station through the MOX lead test assembly effort in 2004-2005.
    Cyber Security Requirements. These requirements are codified as new 
Sec.  73.54 and designed to provide high assurance that digital 
computer and communication systems and networks are adequately 
protected against cyber attacks up to and including the design basis 
threat as established by Sec.  73.1(a)(1)(v). These requirements are 
substantial improvements upon the requirements imposed by the February 
25, 2002 order. In addition to requiring that all new applications for 
an operating or combined license include a cyber security plan, the 
rule will also require currently operating licensees to submit a cyber 
security plan to the Commission for review and approval by way of 
license amendment pursuant to Sec.  50.90 within 180 days of the 
effective date of this final rule. In addition, applicants who have 
submitted an application for an operating license or combined license 
currently under review by the Commission must amend their applications 
to include a cyber security plan. For both current and new licensees, 
the cyber security plan will become part of the licensee's licensing 
basis in the same manner as other security plans.
    Mitigative Strategies and Response Procedures for Potential or 
Actual Aircraft Attacks. These requirements appear in new Sec.  
50.54(hh). Section 50.54(hh)(1) establishes the necessary regulatory 
framework to facilitate consistent application of Commission 
requirements for preparatory actions to be taken in the event of a 
potential or

[[Page 13928]]

actual aircraft attack and mitigation strategies for loss of large 
areas due to fire and explosions. Section 50.54(hh)(2) requires 
licensees to develop guidance and strategies for addressing the loss of 
large areas of the plant due to explosions or fires from a beyond-
design basis event through the use of readily available resources and 
identification of potential practicable areas for the use of beyond-
readily-available resources. Requirements similar to these were 
previously imposed under section B.5 of the February 25, 2002, ICM 
order; specifically, the ``B.5.a'' and the ``B.5.b'' provisions.
    Access Authorization Enhancements. Section 73.56 has been 
substantially revised to incorporate lessons learned from the 
Commission's implementation of the January 7, 2003 order requirements 
and to improve the integration of the access authorization and security 
program requirements. The final rule includes an increase in the rigor 
for many elements of the pre-existing access authorization program 
requirements. In addition, the access authorization requirements 
include new requirements for individuals who have electronic means to 
adversely impact facility safety, security, or emergency preparedness; 
enhancements to the psychological assessments requirements; requires 
information sharing between reactor licensees; expanded behavioral 
observation requirements; requirements for reinvestigations of criminal 
and credit history records for all individuals with unescorted access; 
and 5-year psychological reassessments for certain critical job 
functions.
    Training and Qualification Enhancements. These requirements are set 
forth in appendix B to part 73 and include modifications to training 
and qualification program requirements based on insights gained from 
implementation of the security orders, Commission reviews of site 
security plans, implementation of the enhanced baseline inspection 
program, and insights gained from evaluations of force-on-force 
exercises. These new requirements include additional requirements for 
unarmed security personnel to assure these personnel meet minimum 
physical requirements commensurate with their duties. The new 
requirements also include a minimum age requirement of 18 years for 
unarmed security officers, enhanced minimal qualification scores for 
testing required by the training and qualification plan, enhanced 
qualification requirements for security trainers, armorer certification 
requirements, program requirements for on-the-job training, and 
qualification requirements for drill and exercise controllers.
    Physical Security Enhancements. The rule imposes new physical 
security enhancements in the revised Sec.  73.55 that were identified 
by the Commission during implementation of the security orders, reviews 
of site security plans, implementation of the enhanced baseline 
inspection program, and NRC evaluations of force-on-force exercises. 
Significant new requirements in Sec.  73.55 include a requirement that 
the central alarm station (CAS) and secondary alarm station (SAS) have 
functionally equivalent capabilities so that no single act in 
accordance with the design basis threat of radiological sabotage could 
disable the key functions of both CAS and SAS. Additions also include 
requirements for new reactor licensees to locate the SAS within a 
site's protected area, ensure that the SAS is bullet resistant, and 
limit visibility into the SAS from the perimeter of the protected area. 
Revisions to Sec.  73.55 also include requiring uninterruptible backup 
power supplies for detection and assessment equipment, video image 
recording capability, and new requirements for protection of the 
facility against waterborne vehicles.

D. Significant Changes in the Final Rule

    A number of significant changes were made to the proposed rule as a 
result of public comments, and they are now reflected in the final 
rule. Those changes are outlined as follows:
    Separation of Enhanced Weapons and Firearms Background Check 
Requirements. As noted previously, Section 161A of the AEA permits the 
Commission to authorize the use of certain enhanced weapons in the 
protective strategies of certain designated licensees once guidelines 
are developed by the Commission and approved by the Attorney General. 
In anticipation of the completion of those guidelines and the Attorney 
General's approval, the Commission had included in the proposed rule 
several provisions that would implement its proposed requirements 
concerning application for and approval of the use of enhanced weapons 
and firearms background checks. However, because the guidelines had not 
yet received the approval of the Attorney General as the final rule was 
submitted to the Commission, the Commission decided to address that 
portion of the proposed rule in a separate rulemaking. Once the final 
guidelines are approved by the Attorney General and published in the 
Federal Register, the Commission will take appropriate action to codify 
the Section 161A. authorities.
    Cyber Security Requirements. Another change to this final 
rulemaking is the relocation of cyber security requirements. Cyber 
security requirements had been located in the proposed rule in Sec.  
73.55(m). These requirements are now placed in new Sec.  73.54 as a 
separate section within part 73. These requirements were placed in a 
stand-alone section to enable the cyber security requirements to be 
made applicable to other types of facilities and applications through 
future rulemakings.
    Establishing these requirements as a stand-alone section also 
necessitated creating accompanying licensing requirements. Because the 
cyber security requirements were originally proposed as part of the 
physical security program and thus the physical security plan, a 
licensee's cyber security plan under the proposed rule would have been 
part of the license through that licensing document. Once these 
requirements were separated from proposed Sec.  73.55, the Commission 
identified the need to establish separate licensing requirements for 
the licensee's cyber security plan that would require the plan to be 
part of a new application for a license issued under part 50 or part 
52, as well as continue to be a condition of either type of license. 
Conforming changes were therefore made to sections Sec. Sec.  50.34, 
50.54, 52.79, and 52.80 to address this consideration. As noted 
previously and in Sec.  73.54, for current reactor licensees, the rule 
requires the submission of a new cyber security plan to the Commission 
for review and approval within 180 days of the effective date of the 
final rule. Current licensees are required to submit their cyber 
security plans by way of a license amendment pursuant to 10 CFR Sec.  
50.90. In addition, applicants for an operating license or combined 
license who have submitted their applications to the Commission prior 
to the effective date of the rule are required to amend their 
applications to the extent necessary to address the requirements of 
Sec.  73.54.
    Performance Evaluation Program Requirements. The Performance 
Evaluation Program requirements that were in proposed appendix C to 
part 73, are moved in their entirety to appendix B to part 73 as these 
requirements describe the development and implementation of a training 
program for training the security force in the response to contingency 
events.
    Mitigative Strategies and Response Procedures for Potential or 
Actual Aircraft Attacks. Another significant change to this rulemaking 
is the

[[Page 13929]]

relocation of and the addition of clarifying rule language to the 
beyond-design basis mitigative measures and potential aircraft threat 
notification requirements that were previously located in proposed part 
73, appendix C. Those requirements are now set forth in 10 CFR 
50.54(hh). This change was made, in part, in response to stakeholder 
comments that part 73, appendix C, was not the appropriate location for 
these requirements because the requirements were not specific to the 
licensee's security organization. The Commission agreed and relocated 
the requirements accordingly and provided more details to the final 
rule language to ensure that the intent of these requirements is clear. 
As noted previously, the Commission issued a supplemental proposed rule 
seeking additional stakeholder comment on these proposed changes to the 
rule. More detail on this provision is provided in Section III of this 
document.
    Section 73.71 and Appendix G to Part 73. The proposed power reactor 
security rulemaking contained proposed requirements for Sec.  73.71 and 
appendix G to part 73. Based on public comments, the Commission 
intended to make few changes to these regulations. However, these 
provisions are not contained in this final rulemaking. Because the 
enhanced weapons rulemaking (discussed previously) will include 
potential changes to Sec.  73.71 and appendix G to part 73, the 
Commission decided that revisions to these regulations were better 
suited for that rulemaking.
    Security Plan Submittal Requirements. The proposed rule would have 
required current licensees to revise their physical security plan, 
training and qualification plans, and safeguards contingency plan to 
incorporate the new requirements and to submit these security plans for 
Commission review and approval. The final rule no longer requires these 
security plans (with the exception of the cyber security plan as 
discussed previously) to be submitted for prior Commission review and 
approval and instead allows licensees to make changes in accordance 
with existing licensing provisions such as Sec.  50.54(p) or Sec.  
50.90, as applicable. The Commission determined that this was an 
acceptable approach because most of the requirements established by 
this rule are substantially similar to the requirements that had been 
imposed by the security orders and because all licensee security plans 
were recently reviewed and approved by the Commission in 2004 following 
issuance of those orders. Additionally, many of the additional 
requirements in the final rule are already current practices that were 
implemented following an industry-developed, generic, security plan 
template that was reviewed and approved by the Commission. For the 
requirements that go beyond current practices, the Commission does not 
expect that changes required by this rule would result in a decrease of 
effectiveness in a licensee's security plan. For implementation of 
those new requirements, licensees should, therefore, consider whether 
their plans could be revised in accordance with the procedures 
described in Sec.  50.54(p). However, if a licensee believes that a 
plan change may reduce the effectiveness of a security plan or if the 
licensee desires Commission review and approval of the plan change, 
then the proposed plan revision should be submitted to the NRC for 
review and approval as a license amendment per Sec.  50.90.
    With respect to applicants who have already submitted an 
application to the Commission for an operating license or combined 
license as of the effective date of this rule, those applicants are 
required by this rule to amend their applications to the extent 
necessary to address the requirements of the new rule.
    Implementation of the Final Rule. The final rule is effective 30 
days following date of publication. This permits applicability of the 
rule's requirements to new reactor applicants at the earliest possible 
date. Current licensees are required to be in compliance with the rule 
requirements by March 31, 2010.
    Definitions. The proposed rule contained a number of definitions, 
primarily related to the proposed enhanced weapons requirements. As 
noted previously, the enhanced weapons provisions and firearms 
backgrounds checks have been separated into a separate rulemaking so 
codifying those definitions is no longer appropriate in this 
rulemaking. Regarding the other proposed rule definitions of safety/
security interface, security officer, and target sets, these terms are 
addressed in guidance, and accordingly the final rule does not contain 
these definitions.
    EPAct 2005 Provisions. As noted above, the proposed rule contained 
a number of proposed requirements that were designed to address 
security-related provisions of the EPAct 2005. With respect to Section 
653 of the EPAct 2005, enhanced weapons and firearms background check 
requirements have been moved to a separate rulemaking. The only other 
provisions of the EPAct 2005 that the Commission had considered during 
this rulemaking were in Section 651, which concerns matters related to 
the triennial Commission-evaluated, force-on-force exercises, the NRC's 
mitigation of potential conflicts of interest in the conduct of such 
exercises, and the submission of annual reports by the NRC to Congress. 
Because the statute requires the NRC to be directly responsible for 
implementation of those requirements, the Commission has determined 
that there is no need for them to be specifically reflected in the 
NRC's regulations. The NRC has fully complied with all of the 
requirements of Section 651 in its conduct of force-on-force 
evaluations since the EPAct 2005, and has submitted three annual 
reports to Congress during that time. Further discussion of and the 
Commission's response to a comment on this issue are provided below in 
Section III.

E. Conforming and Corrective Changes

    Conforming changes to the requirements listed below are made to 
ensure that cross-referencing between the various security regulations 
in part 73 is preserved, implement cyber security plan submittal 
requirements, and preserve requirements for licensees who are not 
within the scope of this final rule. The following requirements contain 
conforming changes:
     Section 50.34, ``Contents of construction permit and 
operating license applications; technical information,'' is revised to 
align the application requirements with appendix B to 10 CFR part 73, 
the addition of Sec.  73.54 to part 73, and the addition of Sec.  
50.54(hh) to part 50.
     Section 50.54, ``Conditions of licenses,'' is revised to 
conform with the revisions to sections in appendix C to 10 CFR Part 73. 
In accordance with the introductory text to Sec.  50.54, revisions to 
this section are also made applicable to combined licenses issued under 
part 52.
     Section 52.79, ``Contents of applications; technical 
information in the final safety analysis report,'' is revised to align 
the application requirements with the revisions to appendix C to 10 CFR 
Part 73 and the addition of Sec.  73.54 to Part 73.
     Section 52.80, ``Contents of applications; additional 
technical information,'' is revised to add the application requirements 
for Sec.  50.54(hh) to part 50.
     Section 72.212, ``Conditions of general license issued 
under Sec.  72.210,'' is revised to reference the appropriate revised 
paragraph designations in Sec.  73.55.
     Section 73.8, ``Information collection requirements: OMB 
approval,'' is revised to add the new

[[Page 13930]]

requirements (Sec. Sec.  73.54 and 73.58) to the list of sections with 
Office of Management and Budget (OMB) information collection 
requirements. A corrective revision to Sec.  73.8 is made to reflect 
OMB approval of existing information collection requirements for NRC 
Form 366 under existing Sec.  73.71.
     Section 73.70, ``Records,'' is revised to reference the 
appropriate revised paragraph designations in Sec.  73.55 regarding the 
need to retain a record of the registry of visitors.
    Additionally, Sec.  73.81, ``Criminal penalties,'' which sets forth 
the sections within part 73 that are not subject to criminal sanctions 
under the AEA, remains unchanged because willful violations of the new 
Sec. Sec.  73.54 and 73.58 may be subject to criminal sanctions.
    Appendix B to part 73 and appendix C to part 73 require special 
treatment in this final rule to preserve, with a minimum of conforming 
changes, the current requirements for licensees and applicants who are 
not within the scope of this final rule, such as Category I strategic 
special nuclear material licensees and research and test reactor 
licensees. Accordingly, Sections I through V of appendix B to part 73 
remain unchanged to preserve the current training and qualification 
requirements for all applicants, licensees, and certificate holders who 
are not within the scope of this final rule, and the new language for 
power reactor security training and qualification (revised in this 
final rule) is added as Section VI. Part 73, appendix C, is divided 
into two sections, with Section I maintaining all current requirements 
for licensees and applicants not within the scope of this final rule, 
and Section II containing all new requirements related to power reactor 
contingency response.

II. Petitions for Rulemaking

    Three petitions for rulemaking were considered during the 
development of the final rule requirements consistent with previous 
petition resolution and closure process for these petitions (i.e., PRM-
50-80, PRM-73-11, and PRM-73-13). All three petitions are closed, and 
the discussion that follows provides the Commission's consideration of 
the issues raised in each petition as part of the development of the 
final power reactor security requirements.

A. PRM-50-80

    PRM-50-80, submitted by the Union of Concerned Scientists (UCS) and 
the San Luis Obispo Mothers for Peace (SLOMFP), was published for 
public comment on June 16, 2003, (68 FR 35568). The petition requested 
that the Commission take two actions. The first action was to amend 10 
CFR 50.54(p), ``Conditions of licenses,'' and 10 CFR 50.59, ``Changes, 
tests, and experiments,'' to require licensees to evaluate whether 
proposed changes, tests, or experiments cause protection against 
radiological sabotage to be decreased and, if so, to conduct such 
actions only with prior Commission approval. The second action 
requested that the Commission amend 10 CFR Part 50 to require licensees 
to evaluate their facilities against specified aerial hazards and make 
necessary changes to provide reasonable assurance that the ability of 
the facility to reach and maintain safe shutdown would not be 
compromised by an accidental or intentional aerial assault. The second 
action (regarding aerial hazards) was previously considered and 
resolved as part of the final design basis threat (DBT) (Sec.  73.1) 
rulemaking (March 19, 2007; 72 FR 12705). On November 17, 2005, (70 FR 
69690), the Commission decided to consider the petitioner's first 
request for rulemaking (i.e., evaluation of proposed changes, tests, or 
experiments to determine whether radiological sabotage protection is 
decreased). Proposed language addressing the issues raised in the 
petition was published as proposed Sec.  73.58, ``Safety/security 
interface requirements for nuclear power reactors.'' This section 
remains in the final rule. Refer to the section-by-section analysis in 
this document, supporting Sec.  73.58 for further discussion of the 
safety/security interface requirements.

B. PRM-73-11

    PRM-73-11, submitted by Scott Portzline, Three Mile Island Alert, 
was published for public comment on November 2, 2001 (66 FR 55603). The 
comment period closed on January 16, 2002. Eleven comment letters were 
received. Of the 11 comments filed, 7 were from governmental 
organizations, 2 were from individuals, and 2 were from industry 
organizations. The majority of the comments support the petitioner's 
recommendation.
    The petitioner requested that the NRC regulations governing 
physical protection of plants and materials be amended to require NRC 
licensees to post at least one armed guard at each entrance to the 
``owner controlled areas'' (OCA) surrounding all U.S. nuclear power 
plants. The petitioner stated that this should be accomplished by 
requiring the addition of armed site protection officers (SPO) to the 
total number of SPOs--not by simply shifting SPOs from their protected 
area (PA) posts to the OCA entrances. The petitioner believes that the 
proposed amendment would provide an additional layer of security that 
would complement existing measures against radiological sabotage and 
would be consistent with the long-standing principle of defense-in-
depth.
    In a Federal Register Notice published December 27, 2006 (72 FR 
481), the Commission informed the public that PRM-73-11 and the public 
comments filed on the petition would be considered in this final rule. 
Consideration of PRM-73-11 and the associated comments was undertaken 
as part of the effort to finalize the requirements governing security 
in the OCA.
    The Commission has concluded that prescriptively requiring armed 
security personnel in the OCA is not necessary. Instead, the final 
physical security requirements in Sec.  73.55(k) allows licensees the 
flexibility to determine the need for armed security personnel in the 
OCA, as a function of site-specific considerations, such that the 
licensee can defend against the DBT with high assurance. In reaching 
this determination, the Commission recognized that the requirements 
governing protective strategies must be more performance-based to 
enable licensees to adjust their strategies to address the site-
specific circumstances and that a prescriptive requirement for armed 
security personnel in the owner controlled area may not always be the 
most effective approach for every licensee in defending against the 
DBT. The Commission constructed the final physical security 
requirements, recognizing the range of site-specific circumstances that 
exist, to put in place the performance objectives that must be met, and 
where possible, provided flexibility to licensees to construct 
strategies that meet the objectives.

C. PRM-73-13

    PRM-73-13, submitted by David Lochbaum, Union of Concerned 
Scientists, was published for public comment on April 9, 2007 (72 FR 
17440) and the comment period closed June 25, 2007.
    The petitioner requested that the Commission amend part 73 to 
require that licensees implement procedures to ensure that, when 
information becomes known to a licensee about an individual seeking 
access to the protected area that would prevent that individual from 
gaining unescorted access to the protected area of a nuclear power 
plant, the licensee will implement measures to ensure the individual 
does not enter the protected area, whether escorted or not. Further, 
the petitioner requested that the NRC's regulations be amended to

[[Page 13931]]

require that, when sufficient information is not available to a 
licensee about an individual seeking access to the protected area to 
determine whether the criteria for unescorted access are satisfied, the 
licensee will implement measures to allow that individual to enter the 
protected area only when escorted at all times by an armed member of 
the security force who maintains communication with security 
supervision.
    The Commission determined that the issues raised in PRM-73-13 were 
appropriate for consideration and were in fact issues already being 
considered in the Power Reactor Security Requirements rulemaking. 
Accordingly, the issues raised by PRM-73-13 and the public comments 
received were considered as part of the effort to finalize the 
requirements that govern escort and access within the protected area 
(refer to requirements in Sec.  73.55(g) and Sec.  73.56(h) for the 
specific final rule requirements).
    The Nuclear Energy Institute (NEI) commented on PRM-73-13, with 11 
other industry organizations agreeing (hereafter referred to 
collectively as commenters). The commenters agreed that the 
petitioner's first request (with regard to preventing an individual to 
have access to the protected area when derogatory information becomes 
known) should be issued as a notice of proposed rulemaking. Neither NEI 
nor any of the other commenters commented on any of the specific 
language proposed by the petitioner. With regard to the second 
provision proposed by the petitioner (requiring armed escorts for 
certain visitors), the commenters did not agree with the proposal. The 
commenters argued that the use of trained individuals, though not 
necessarily armed, in conjunction with search equipment and techniques 
as well as the limitation placed on visitors (i.e., that visitors must 
have a ``work-related need'' for entry into the PA) have resulted in no 
incidents that warrant imposing this new requirement.
    The Commission has decided not to adopt either proposal. Regarding 
the petitioner's second proposal, the Commission agrees with the 
commenters that the current protective measures for escorted personnel 
are sufficient to protect against the scenario presented by the 
petitioner. Licensee escorted access programs have been in place for 
years without incident, and the petitioner has not provided a basis 
that raises questions about their sufficiency.
    With respect to the petitioner's first proposal, the Commission 
does not agree that the NRC's unescorted access requirements described 
in Sec.  73.56 and Sec.  73.57 need to contain prescriptive 
disqualifiers for access. Licensees are required by Sec.  73.56(h) in 
this final rule to consider all of the information obtained in the 
background investigation for determining whether an individual is 
trustworthy and reliable before granting unescorted access. With the 
exception of individuals who have been denied access to another 
facility, the regulation does not specify types of information obtained 
during a background investigation that would automatically disqualify 
an individual from access. The final rule Sec.  73.55(g)(7), however, 
does have several restrictions on escorted access (visitors) including 
verification of identity, verification of reason for business inside 
the protected area, and collection of information (visitor control 
register) pertaining to the visitor. In addition, there are several 
conditions that individuals who escort the visitor must adhere to 
including continuous monitoring of the visitor while inside the 
protected area, having a means of timely communication with security, 
and having received training on escort duties. Lastly, licensees may 
not allow any individual who is currently denied access at any other 
facility to be a visitor.
    Furthermore, the petitioner's suggested language that a licensee 
must act to deny escorted access when such information ``becomes known 
to the licensee'' is unworkable from a regulatory perspective. It is 
unclear what the NRC could impose on licensees as an enforceable 
standard for such a scenario. In order to avoid potential enforcement 
action, a licensee would be put in a position to conduct a full 
background investigation on a visitor each time access is requested, 
which would undermine the entire purpose behind having the ability to 
escort visitors on site, or, in accordance with the petitioner's second 
suggestion, assign an armed security officer to escort that individual. 
The Commission does not have a basis to impose either measure, and the 
petitioners have not provided a basis in support of it. Section 
73.55(g), however, does not allow individuals currently denied access 
at other facilities to be a visitor.

III. Discussion of Substantive Changes and Responses to Significant 
Comments

A. Introduction

    A detailed discussion of the public comments submitted on the 
proposed power reactor security rule and supplemental proposed rule as 
well as the Commission's responses are contained in a separate document 
(see Section VII, ``Availability of Documents,'' of this document). 
This section discusses the more significant comments submitted on the 
proposed power reactor security provisions and the substantive changes 
made to develop the final power reactor security requirements.
    The changes made to the power reactor security requirements are 
discussed by part, with changes to part 50 requirements being discussed 
first, followed by the changes to part 73 requirements, and proceeding 
in numerical order according to the section number. General topics are 
discussed first, followed by discussion of changes to individual 
sections as necessary. In addition to the substantive changes, rule 
language was revised to make conforming administrative changes, correct 
typographic errors, adopt consistent terminology, correct grammar, and 
adopt plain English. These changes are not discussed further.
    Note that some of the final rule requirements were relocated. An 
example is the cyber security requirements that were issued as proposed 
Sec.  73.55(m) and now reside in Sec.  73.54.
    Comments on the three PRMs are not explicitly addressed in the 
detailed comments response document, beyond those discussed earlier in 
Section II of this document, as this document addresses only the 
comments submitted on the proposed rule. However, the petitioner's 
comments were considered as part of the Commission's decision-making 
process and final determination of the rule requirements for each of 
the areas of concern.
    Comments on the supporting regulatory analysis of the proposed rule 
are also contained in the detailed comment response document. Revisions 
to the final rule regulatory analysis were made consistent with the 
comment responses and these comments are not addressed further in this 
section.
    The Commission solicited public comment on a number of specific 
issues but received input on only one of these specific issues. 
Specifically, the Commission requested stakeholders to provide insights 
and estimates on the feasibility, costs, and time necessary to 
implement the proposed rule changes to existing alarm stations, 
supporting systems, video systems, and cyber security. A commenter 
stated that the feasibility of establishing a cyber security program 
for industrial control systems has been demonstrated by various 
electric utilities, chemical plants, refineries, and other facilities 
with systems similar, if not identical, to those used in the balance-
of-plant in commercial nuclear plants. The

[[Page 13932]]

commenter stated that the time and cost necessary to implement a cyber 
security program is dependent on the scope and discussed the 
technologies and programmatic approaches that can be pursued to augment 
current industry-proposed generic recommendations. The Commission 
focused significant attention on the cyber requirements and supporting 
guidance during development of the final cyber security requirements in 
Sec.  73.54 as discussed below.
    In general, there was a range of stakeholder views concerning this 
rulemaking, some supporting the rulemaking, others opposing the 
rulemaking. Some stakeholders viewed this rulemaking as an effort to 
codify the insufficient status quo while others described the new 
requirements as going well beyond the post-September 11, 2001, order 
requirements. The Commission believes that commenters who suggested 
that the Commission had no basis to go beyond the requirements that 
were imposed by the security orders misunderstood the relationship of 
those orders and the rulemaking. The security orders were issued based 
on the specific knowledge and threat information available to the 
Commission at the time the orders were issued. The Commission advised 
licensees who received those orders that the requirements were interim 
and that the Commission would eventually undertake a more comprehensive 
re-evaluation of current safeguards and security programs. As noted in 
the proposed rule, there were a number of objectives for the rulemaking 
beyond simply making generically applicable security requirements 
similar to those that were imposed by Commission orders. The Commission 
intended to implement several new requirements that resulted from 
insights it gained from implementation of the security orders, review 
of site security plans, implementation of the enhanced baseline 
inspection program, and evaluation of force-on-force exercises. These 
insights were obviously not available to the Commission when it issued 
the original security orders in 2002 and 2003.
    In addition, another key objective of this rulemaking was to update 
the regulatory framework in preparation for receiving license 
applications for new reactors. The current security regulations in part 
73 have not been substantially revised for nearly 30 years. Before 
September 11, 2001, the NRC staff had already undertaken an effort to 
revise these dated requirements, but that effort was delayed (See SECY-
01-0101, June 4, 2001). Thus, this rulemaking addresses a broader 
context of security issues than the focus of the security orders of 
2002 and 2003. One significant issue in particular was the need for 
clearly articulated security requirements and a logical regulatory 
framework for new reactor applicants. The revisions to part 73 were 
also intended to provide it with needed longevity and predictability 
for current and future licensees with a measured attempt to anticipate 
future developments or needs in physical protection.

B. Section 50.54(hh), Mitigative Strategies and Response Procedures for 
Potential or Actual Aircraft Attacks

    As noted previously, a significant change to this final rule is the 
relocation of and provision of more detailed requirements for the 
beyond-design basis mitigative measures and potential aircraft attack 
notification requirements from proposed part 73, appendix C, to 10 CFR 
50.54(hh). The Commission received several stakeholder comments that 
the proposed part 73, appendix C, was not the appropriate location for 
these requirements. During consideration of these comments, the 
Commission also decided to add additional detail to the aircraft attack 
notification portion of the requirements now located in Sec.  
50.54(hh)(1). In response, the Commission issued a supplemental 
proposed rule seeking additional stakeholder comment on these proposed 
revisions on April 10, 2008, (73 FR 19443) for a 30 day comment period. 
The Commission received six sets of comments on the supplemental 
proposed rule. The responses to those comments are discussed as 
follows.
    The Commission revised the final rule language for Sec.  
50.54(hh)(1)(ii) in response to comments that the final rule should 
only require periodic updates to applicable entities or that 
communications should be maintained ``as necessary and as resources 
allow.'' The Commission intended the continuous communication 
requirement to apply to licensees only with respect to aircraft threat 
notification sources and not to all offsite response or government 
organizations. The Federal Aviation Administration (FAA) local, 
regional, or national offices; North American Aerospace Defense Command 
(NORAD); law enforcement organizations; and the NRC Headquarters 
Operations Center are examples of threat notification sources with 
which licensees would be required to maintain a continuous 
communication capability. If a licensee encounters a situation in which 
multiple threat notification sources (e.g., FAA, NORAD, and NRC 
Headquarters Operations Center) are providing the same threat 
information, the licensee would only be required to maintain continuous 
communication with the NRC Headquarters Operations Center. Because 
licensees need to be aware when they can cease or must accelerate 
mitigative actions, it is important that licensees do not lose contact 
with aircraft threat notification sources. Periodic updates to entities 
other than threat notification sources are permitted by this final 
rule.
    In response to comments that Sec. Sec.  50.54(hh)(1)(iii), 
50.54(hh)(1)(iv), and 50.54(hh)(1)(vi) requirements were redundant to 
those found in the NRC's existing emergency preparedness rules, the 
Commission revised the final rule language for each of those paragraphs 
to clarify the Agency's intent and to eliminate the appearance of 
redundant requirements vis-[agrave]-vis the emergency preparedness 
rules, which are also currently being revised. The intent of Sec.  
50.54(hh)(1)(iii) is to ensure that licensees contact offsite response 
organizations as soon as possible after receiving aircraft threat 
notifications. There is no expectation that licensees will complete and 
disseminate notification forms as the previous rule text implied. 
Section 50.54(hh)(1)(iv) pertains to operational actions that licensees 
can take to mitigate the consequences of an aircraft impact; the 
Commission did not intend this requirement to include emergency 
preparedness-related protective actions. In Sec.  50.54(hh)(1)(vi), the 
Commission intended to require licensees to disperse essential 
personnel and equipment to pre-identified locations after receiving 
aircraft threat notifications, but before actual aircraft impacts, when 
possible. Also, the requirement for licensees to facilitate rapid entry 
into their protected areas applies only to those onsite personnel and 
offsite responders who are necessary to mitigate the event and not to 
everyone who was initially evacuated from the protected areas.
    The Commission revised the statements of consideration for Sec.  
50.54(hh)(1)(vi) in response to a comment that meeting the rule might 
require licensees to suspend security measures under 10 CFR 50.54(x). 
The Commission elaborated on the specific intent of the protected area 
evacuation timeline assessment and validation, which is to require 
licensees to establish a decision-making tool for use by shift 
operations personnel to assist them in determining the appropriate 
onsite protective action for site personnel for various warning times 
and site population conditions. The Commission

[[Page 13933]]

expects that licensees will incorporate this tool into applicable site 
procedures to reduce the need to make improvised decisions that would 
necessitate a suspension of safeguards measures during the pre-event 
notification period. However, the Commission wishes to make clear that 
the suspension of security measures to protect the health and safety of 
security force personnel during emergencies is now governed by Sec.  
73.55(p)(1)(i) as codified in this final rule. Previously, there was no 
specific provision in the Commission's regulations that would have 
permitted such a departure, because under Sec.  50.54(x), licensees are 
only permitted to suspend security measures if the health and safety of 
the public was at risk. Note that, in a Sec.  50.54(hh) scenario, 
either Sec. Sec.  50.54(x) or 73.55(p) could be applicable depending on 
the circumstances.
    The Commission revised the final rule requirements in Sec.  
50.54(hh) in response to a comment that the final rule should include 
an applicability statement that removes the requirements of Sec.  
50.54(hh) from reactor facilities currently in decommissioning and for 
which the certifications required under Sec.  50.82(a)(1) have been 
submitted. The commenter indicated that it is inappropriate that Sec.  
50.54(hh) should apply to a permanently shutdown and defueled reactor 
where the fuel was removed from the site or moved to an independent 
spent fuel storage installation (ISFSI). The NRC agrees with this 
comment and revised the final requirements in Sec.  50.54(hh) so they 
do not apply to facilities for which certifications have been filed 
under Sec.  50.82(a)(1) or Sec.  52.110(a)(1). The Commission notes 
that Sec.  50.54(hh) does not apply to any current decommissioning 
reactor facilities that have already satisfied the Sec.  50.82(a) 
requirements.
    The Commission requested stakeholder feedback on two questions in 
the supplemental proposed rule. Regarding the first question in the 
supplemental proposed rule notice where the Commission requested input 
on whether there should be additional language added to the proposed 
Sec.  50.54(hh) requirements that would limit the scope of the 
regulation (i.e., language that would constrain the requirements to a 
subset of beyond-design basis events such as beyond-design basis 
security events), commenters indicated that the Commission should 
constrain the requirements to a subset of beyond-design basis events; 
namely beyond design basis security events. The feedback suggested 
that, by limiting the rule requirements to strategies that address a 
generic set of beyond-design basis security events, the strategies 
could then be developed and proceduralized to focus on the restoration 
capabilities needed to mitigate the effects from these events. After 
careful consideration, the Commission decided to maintain the language 
from the supplemental proposed rule that recognizes that the mitigative 
strategies can address losses of large areas of a plant and the related 
losses of plant equipment from a variety of causes including aircraft 
impacts and beyond-design basis security events. The Commission also 
requested comments on whether applicants should include, as part of a 
combined license or operating license application, the Sec.  50.54(hh) 
procedures, guidance, and strategies. Commenters indicated that this 
information will not be needed until fuel load, when an aircraft threat 
would be present. The most appropriate and efficient process for the 
Commission is to review these procedures as part of the review of 
operations procedures and beyond-design basis guidelines. The 
Commission views the mitigative strategies as similar to those 
operational programs for which a description of the program is provided 
and reviewed by the Commission as part of the combined license 
application and subsequently the more detailed procedures are 
implemented by the applicant and inspected by the NRC before plant 
operation. Because the Commission finds that the most effective 
approach is for the mitigative strategies, at least at the programmatic 
level, to be developed before construction and reviewed and approved 
during licensing, a requirement for information has been added to Sec.  
52.80, ``Contents of applications; additional technical information,'' 
and Sec.  50.34, ``Contents of construction permit and operating 
license applications; technical information.''

C. Section 73.2, Definitions

    The proposed rule contained a number of definitions, primarily 
related to the proposed enhanced weapons requirements. As noted 
earlier, the enhanced weapons provisions and firearms backgrounds 
checks have been separated into a separate rulemaking, so codifying 
those definitions is no longer appropriate here. Regarding the other 
definitions of safety/security interface, security officer, and target 
sets; the Commission has determined that those terms are better defined 
through guidance.

D. Section 73.54, Protection of Digital Computer and Communication 
Systems and Networks

    General Comments. Proposed Sec.  73.55(m) is relocated in the final 
rule to a stand-alone section (10 CFR 73.54). The Commission received 
several comments that the inclusion of a cyber security program within 
the proposed Sec.  73.55(m) is not appropriate because cyber security 
is not implemented by physical security personnel. The Commission 
agrees that the cyber security program would not necessarily be 
implemented by security personnel and recognizes that a uniquely 
independent technical expertise and knowledge is required to 
effectively implement the cyber security program. Additionally, these 
requirements were placed into a stand alone section to enable the cyber 
security requirements to be made applicable to other types of 
facilities and applications through future rulemakings. The rule now 
requires that these requirements apply to nuclear power plant licensees 
in the same manner as the access authorization program required by 
Sec.  73.56; the cyber security plan is subject to the same licensing 
requirements as the licensee's physical security, training and 
qualification, and safeguards contingency plans. In relocating these 
requirements, the Commission concluded that certain administrative 
requirements, otherwise applied by inclusion in Sec.  73.55, must be 
brought forward for consistency. As a result, conforming changes were 
made to the pre-existing Sec. Sec.  50.34(c) and 50.34(e) to establish 
the appropriate regulatory framework for Commission review and approval 
of the cyber security plan required by Sec.  73.54(e). These conforming 
changes require nuclear power reactor applicants to provide a cyber 
security plan as part of the security plans currently required by 
Sec. Sec.  50.34(c) or 52.79(a)(36), as applicable. Additionally, 
conforming changes were made to Sec.  50.54(p), applicable to both 
operating and combined licensees, to require a cyber security plan as a 
condition of the license. Conforming changes were also made to 
Sec. Sec.  50.34(e) and 52.79(a)(36) to require applicants to review 
this plan against the criteria for Safeguards Information established 
in Sec.  73.21. Consistent with Sec.  73.54(b)(3), the cyber security 
program is a part of the physical protection program subject to the 
same review and approval mechanisms as the physical security plan, 
training and qualification plan, and safeguards contingency plan.

[[Page 13934]]

    The Commission has also added three (3) administrative requirements 
to the final rule (Sec. Sec.  73.54(f), 73.54(g), and 73.54(h)) to 
require written policies and procedures, program review, and records 
retention, respectively.
    In addition to the previously mentioned conforming changes, the 
Commission added an undesignated paragraph at the beginning of this 
section to require current licensees subject to Sec.  73.54 to submit a 
cyber security plan and implementation schedule for Commission review 
and approval. The licensee's cyber security plan must be submitted by 
way of a license amendment pursuant to 10 CFR 50.90.
    Section 73.54(a), Protection. The Commission received a comment 
suggesting that the term ``emergency preparedness,'' as it appears in 
the proposed Sec.  73.55(m)(1), should be replaced with the term 
``emergency response.'' In the final rule, the term ``emergency 
preparedness'' is replaced with the more generic term ``emergency 
preparedness functions.'' The equipment embodied within these 
preparedness functions as described in 10 CFR Part 50, appendix E, 
usually includes a wide variety of plant monitoring systems, protection 
systems, and the onsite and offsite emergency communications systems 
used during an emergency event.
    The term ``emergency response'' suggested by the commenter is used 
more specifically to refer only to the ``emergency response data 
system'' or ERDS, which provides a data link that transmits key plant 
parameters. Therefore, using the term ``emergency preparedness 
functions'' is considered the most appropriate term as it holistically 
addresses the equipment used during an emergency.
    The Commission revised the proposed Sec.  73.55(m)(1) which is 
renumbered in the final rule as Sec.  73.54(a). This paragraph has been 
expanded to provide a more detailed list of the types of systems and 
networks that are intended to be included consistent with the proposed 
rule. The language in Sec.  73.54(a)(1)(ii) is revised to clarify that 
``digital computer and communications systems and networks'' must be 
considered for protection. It is important to note that the Commission 
does not intend that CAS or SAS operators be responsible for cyber 
security detection and response but rather that this function will be 
performed by technically trained and qualified personnel.
    Section 73.54(b), Analysis of Digital Computer and Communication 
Systems and Networks. The requirement to document a site-specific 
analysis that identifies site-specific conditions has been brought 
forward from Sec.  73.55(b)(4). The rule is clarified to require that 
each licensee analyze the digital computer and communication systems 
and networks in use at their facility to identify those assets that 
require protection against the design basis threat.
    The proposed Sec.  73.55(m)(1) requirement to establish, implement, 
and maintain a cyber security program is renumbered in the final rule 
as Sec.  73.54(b)(2). The rule requires that the cyber security program 
will include measures for the adequate protection of the digital 
computer and communication systems and networks identified by the 
licensee through the required site-specific analysis stated in Sec.  
73.54(b)(1).
    The proposed Sec.  73.55(m)(1)(ii) is renumbered in the final rule 
as Sec.  73.54(b)(3). The Commission received several comments that the 
cyber security program is not appropriate for incorporation into the 
physical security program and, therefore, should not be implemented 
through the security organization. The Commission agrees in part. Cyber 
security, like physical security, focuses on the protection of 
equipment and systems against attacks by those individuals or 
organizations that would seek to cause harm, damage, or adversely 
affect the functions performed by such systems and networks. Cyber 
security and physical security programs are intrinsically linked and 
must be integrated to satisfy the physical protection program design 
criteria of Sec.  73.55(b). The Commission recognizes that a uniquely 
independent technical expertise and knowledge is required to implement 
the cyber security program effectively, and therefore, the specific 
training and qualification requirements for the program must focus on 
ensuring that the personnel are trained, qualified, and equipped to 
perfor